$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

        $$ Introduction to Hacking into LANs.. $$

        $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$





              An official THUG production..

      Written by Laughing Gas for Solsbury Hill BBS.



 (Please keep the filename as THUGLAN1.TXT where possible)





::: Foreword :::



I don't have a lot of experience at hacking a lot of different
types of LANs, or any secret information that couldn't be found by
anyone else with a little hard work, but in an effort to spare
you that hard work, I wrote this file..



I was going to make this only one file, and include everything in
it, but since it's already about 13k and that's without any
specific discussion of the Novell system, I'm going to break it
up into a series.  Keep a lookout for the next file, it'll have
more information on the actual hacking of a Novell system, and
possibly other files focusing on other systems.



Subjects discussed (contents basically):



Foreword

About LANs: the basics

The basics of a Novell Network, and Logging In

Once you're in DOS

System Files

Brute force hacking in



onward...



::: About LANs: the basics :::



For people who know nothing at all about computers,
telecommunications or networks, this file probably won't be very
useful, but I will attempt to provide the information in a way
that the least experienced computer user can understand it.  To
that end, here's a brief section on what exactly a LAN is, how it
works, and so on.



LAN stands for Local Area Network.  A network, in computer terms,
is any system which allows a person on one computer to share
resources with one or more other computers.  There are two main
types, the LAN and the WAN (Wide Area Network).  A WAN conforms
to the definition of a network the same way a LAN does: it allows
a person on one computer to use the resources of one or more
other computers.  So what's the difference?  A LAN is a small
network, usually contained in a single building, and if not, then
in a single complex.  A WAN is almost never contained in a single
building or complex, and usually extends over several states,
across the entire nation, or internationally.  An example of a
WAN is the Internet, one of the biggest and most hacked WANs
ever.  The Internet connects thousands upon thousands of
computers all over the world, at universities, military sites,
commercial sites, and more.



Another type of network is a PSN, which is similar to a WAN in
that it always extends out of a complex.  PSN stands for Packet
Switching Network.  A PSN bundles data from the local terminal
into packets at the local PAD (packet assembler/disassembler),
sends them through a series of in-between PADs, and when a packet
reaches its destination it is disassembled by that PAD and fed to
the destination computer.  This lets a PSN whose PADs are in a
chain, where PAD A is local to PAD B and PAD B is local to PAD C
but PAD A is not local to PAD C, send a packet from A to B to C
without paying the expense of a direct connection from A to C.
A PSN almost always uses phone lines for at least part of its
connections.





A WAN or LAN operates on a different principle: it sends
information directly from the local terminal to its destination.
In the case of a WAN the information may pass through phone
lines, but it might not, depending on what exactly you are doing.
On the Internet, if you are connected to a university, you can
log into a computer at that university over a direct connection,
but you can call another university or military site from there,
and your data will travel over the phone lines, or maybe even
over a PSN or another network.



A LAN will ALWAYS be a local direct connection.  The most common
setup on a LAN is two or more terminals in one or more rooms
hooked up to one or more servers.  That is the case we will
assume in the examples throughout this file unless otherwise
specified.  (We'll also assume that the LAN is set up with IBM
MS/PC-DOS compatible computers.)



One scenario for how a LAN is set up would be like this: there
are 20 IBM PS/2 Model 25s with dual 720k drives, 640k of memory
and no hard drive, hooked up to an IBM PS/2 Model 80 with 20 megs
of memory, a 330 meg hard drive, and 1.44 meg and 1.2 meg floppy
drives.  In this case the Model 80 would be the server.  Each
terminal would have to have a boot disk for the network.  (An
alternate situation would be if the computers had boot PROMs,
which redirect local drive activity so the terminals can boot
from the server's hard drive.)

If you just put a DOS disk in a terminal and turned it on, you
could use the full 640k of memory and both drives for whatever
you wanted.  However, if you put in a network boot disk (or ran
the network setup and login programs from any disk) you would
then be connected, or logged in, to the network.  At this point
you could access any program on the server's hard drive
(basically giving the 20 machines without hard drives a 330 meg
drive to share).  There only needs to be one copy of each program
that will be run, no matter how many people are using it.
(Assuming of course that the program is network compatible; some
programs, such as perhaps a BBS program, or something using
communication interrupts, or with files constantly open, etc.,
may not function on a network at all, or may crash the terminal
or the whole network.)  There are, however, special programs
installed on the network to allow different terminals to share
files and so on.  Data files can be saved on the server's hard
drive or on the local disk drives.



One function of the network software (the NetWare shell, NET3 or
NETx, in the Novell case) is to hook the DOS function-call
interrupt (INT 21h for MS/PC-DOS) and decide what to do with each
request: pass it on to DOS if it refers to a local drive, or
handle it itself by sending it to the server if it refers to a
network drive.  This is why a program running on the terminal
sees a network drive as just another drive letter.





::: the Basics of a Novell Network, and logging in :::



Novell NetWare (tm) is one of the most common pieces of network
software available for IBM MS/PC-DOS networks.



Basically, Novell works like this: either on the boot disk, or,
if the computer has boot PROMs, in the boot image on the server,
in the AUTOEXEC.BAT you'll find a setup somewhat like this
(comments will be preceded by semicolons (;); they are
annotations for this file, not batch syntax):



@ECHO OFF

prompt $p$g       ;changes prompt to include path

mouse             ;load mouse driver

;and other such stuff in the very beginning

IPX /options      ;prepares the computer for the network

NET3              ;loads network

login 4           ;automatically logs in as computer #4

menu net          ;loads the nifty menu



Not all computers will have all of these things: there may not be
a mouse driver, there may be extra things (initialize plotters,
etc.).  Anyway, they should have IPX and NET3 (NET3 is the shell
for DOS 3.x; you may see NET4, NET5 or NETX instead), and
PROBABLY login xxx.



The way the login program works is thus: running LOGIN with no
options will get you a prompt of "Username:" and then, after
entering a valid username, "Password:" (prompts may be
different..).  If you don't enter a valid username, it'll let you
know.  If you enter LOGIN with one option, it will try to process
that as a username, and if it's valid you'll receive just the
"Password:" prompt (or go straight in if that account has no
password, which is what an unattended "login 4" in the AUTOEXEC
above relies on).  If you enter two parameters, the first is the
username; don't count on the second being taken as the password,
since the standard NetWare LOGIN passes any extra parameters to
the login script (as %2, %3 and so on) rather than reading them
as a password, and will prompt for the password anyway.  If
there isn't a login xxx type of command, there should be just a
LOGIN command which will prompt you for username and password.
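Here is an added example (not from the original file, and not Novell's code) that reads a copy of a workstation's AUTOEXEC.BAT and reports how it joins the network and which of the LOGIN modes above it uses: no LOGIN at all, interactive LOGIN, or LOGIN with a fixed username like the "login 4" in the listing.  It is a Python script meant to be run on a copied file away from the DOS terminal; the sample AUTOEXEC.BAT inside it is constructed from the listing above, and the set of shell names it recognises (NET3/4/5, NETX, EMSNETX, XMSNETX) is assumed to cover the systems you will meet.

```python
"""Audit an AUTOEXEC.BAT from a NetWare boot disk: which network pieces it
loads and how it logs in.  Added example; not from the original file."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the AUTOEXEC.BAT listing in this file
# (the ';' comments are the listing's annotations, not real batch syntax).
SAMPLE_AUTOEXEC = """\
@ECHO OFF
prompt $p$g       ;changes prompt to include path
mouse             ;load mouse driver
IPX /options      ;prepares the computer for the network
NET3              ;loads network
login 4           ;automatically logs in as computer #4
menu net          ;loads the nifty menu
"""

# Shell programs that sit between DOS and the network: NET3/NET4/NET5 are
# tied to a DOS version, NETX and the EMS/XMS variants work with any.
# Assumed list; extend it if your site uses another name.
SHELL_RE = re.compile(r"^(NET[345X]|EMSNETX|XMSNETX)$")


@dataclass
class BootAudit:
    loads_ipx: bool = False
    shell: Optional[str] = None          # e.g. "NET3"
    login_line: Optional[str] = None     # the LOGIN command as written
    login_user: Optional[str] = None     # username given on the command line
    login_extra: List[str] = field(default_factory=list)
    menu: Optional[str] = None           # argument to MENU, if any

    @property
    def login_mode(self) -> str:
        if self.login_line is None:
            return "none"           # left in DOS, nobody logged in
        if self.login_user is None:
            return "interactive"    # LOGIN prompts for both name and password
        return "fixed-user"         # name is baked into the boot disk


def _words(line: str) -> List[str]:
    """Split one batch line into words, dropping comments and a leading '@'."""
    line = line.split(";", 1)[0].strip()        # annotation style used in the listing
    if not line or line.upper().startswith("REM ") or line.startswith("::"):
        return []
    if line.startswith("@"):
        line = line[1:]
    return line.split()


def _program(word: str) -> str:
    """C:\\NET\\NETX.EXE -> NETX: drop any path and .EXE/.COM/.BAT suffix."""
    name = re.sub(r"^.*[\\/]", "", word).upper()
    return re.sub(r"\.(EXE|COM|BAT)$", "", name)


def audit_autoexec(text: str) -> BootAudit:
    """Walk the batch file once and record the network-relevant commands."""
    audit = BootAudit()
    for raw in text.splitlines():
        words = _words(raw)
        if not words:
            continue
        prog = _program(words[0])
        if prog == "IPX":
            audit.loads_ipx = True
        elif SHELL_RE.match(prog):
            audit.shell = prog
        elif prog == "LOGIN":
            audit.login_line = raw.split(";", 1)[0].strip()
            if len(words) > 1:
                # LOGIN [server/]user: keep the user part only
                audit.login_user = words[1].split("/")[-1]
                audit.login_extra = words[2:]
        elif prog == "MENU" and len(words) > 1:
            audit.menu = words[1]
    return audit


if __name__ == "__main__":
    a = audit_autoexec(SAMPLE_AUTOEXEC)
    print(f"IPX: {a.loads_ipx}  shell: {a.shell}  "
          f"login: {a.login_mode} ({a.login_user})  menu: {a.menu}")
```

A "fixed-user" result means anyone who boots that disk starts as that account, so the account's password (if it has one) is the only thing standing between the disk and the network; "none" means the workstation sits at a DOS prompt with the shell loaded and LOGIN still to be run by hand.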



If the network prompts you for a username and password, you're
stuck: you have to do some hacking to get in.  This file mainly
covers what to do once you're on, but see the section later on
getting in.



The line "menu net" will execute the network's MENU utility with
the menu defined as NET (read from the file NET.MNU).  On my
school's network this has selections such as Word Perfect, a
typing tutor, etc.  If there is another command here, it will run
that program.  If there is no command here you are simply in DOS.
If you are on the MENU NET, or any other MENU command, then
simply hit the escape key and answer yes, then press return and
you are in DOS.  I believe it is possible to have set up the
network to automatically log you out at this point, but I've
never seen this.  If this happens, you'll still be in DOS, and
you can just type LOGIN to log in again; if you had to enter a
name and password before, do it again, and there you are.  If
not, then type "type autoexec.bat" and see what the login command
was, enter it again, and you'll be logged on to the network and
in DOS.  If you are automatically put in some other sort of
program when it boots up, then it's up to you to find out how to
get into DOS on your own.



The format for the menus will be discussed in detail in my next
file, but basically it's the name of the menu on the first line,
then each menu option on a separate line, with the commands to
run for that menu option following on indented lines (at least
one leading space) like this:



---[cut here]---

MAIN MENU                     ; (menu name)

WORD PERFECT                  ; (menu option #1)

     CD\WP50                  ; (change to wp dir)

     WP                       ; (run word perfect)

     CD\LOGIN                 ; (change back to login dir)

FOX-BASE                      ; (menu option #2)

     CD\FOX

     FOX

     CD\LOGIN

---[cut here]---

Etcetera, etcetera.





::: Once you're in DOS :::



To find out what drives are available to you, do this (for you
non-IBM people):

type A: (followed by return), then B: (followed by return), then
C: (return), etc., all the way through Z:.  If you ever get "Not
ready error reading drive X" (X being the letter you tried)
followed by "Abort, Retry, Ignore?" (or "Abort, Retry, Fail?" on
DOS 4 and later), just hit A for abort; it can't hurt anything.
Write down all the letters which are successful.  A-E will most
likely be the terminal's drives: DOS reserves letters up to its
LASTDRIVE setting (E by default) for local drives, and the
NetWare shell hands out network drives starting at the next
letter, which is why the first network drive is so often F:.  If
the terminal is a diskless terminal, then A-E probably won't
exist.  If not, A and B, if they exist, will be floppies, and C-E
will be local hard drives.  (Although with a lower LASTDRIVE it
is possible to have some of A-E as network drives too.)



It is up to the system administrator(s) how the LAN is set up,
but here is how one of my school's LANs is set up:



A: terminal floppy (720k)

B: terminal floppy (720k)

C-E: configured as local drives, but there are none installed

F: main network drive

V-Z: specific network programs, these aren't real drives, rather

"fake" drives created by the SUBST dos program.



the files and directories on F: are..



AUTOEXEC.BAT: 0 byte phony autoexec (since boot disks are required)

GUIDE   .BAT: (loads teachers guide or something)

Directory PUBLIC  : contains public info and all net programs

Directory SYSTEM  : contains network utilities

Directory MAIL    : subdirectories contain mail

Directory LOGIN   : dups of other files for logging in & data

Directory DBASE   : DBase III

Directory WP50    : contains Word Perfect 5.0

Directory VP      : V-planner

Directory TYPING  : Typing Tutor

Directory ALPHA   : Alphabetic Keyboarding

Directory FOX     : Fox-Base

(and some other directories for various programs)



Then the drives V-Z are like this:
V:\VP> (just the F:\VP> directory subst'd to V:)
W:\WP50> (just the F:\WP50> directory subst'd to W:)
etc.. through Z:



(subst'd means "substituted" with a DOS program called SUBST.EXE
which allows you to make a directory on one drive into a complete
new virtual drive.  On NetWare, letters that point at server
directories are normally assigned with the MAP command rather
than SUBST; typing MAP with no arguments lists the current drive
mappings, which is the quickest way to see what each letter
really is.)



The most interesting programs are in F:\PUBLIC.  My system has no
mail on it (how boring), so I don't have any information on what
the mail directories are like (other than that they are set up
like this:
F:\MAIL\
F:\MAIL\Z14123
F:\MAIL\01234
F:\MAIL\D123111
etc.), although I assume it would be easy enough to read the mail
with the TYPE command, or a program of your own for reading text
files..



The SYSTEM directory has some files that are interesting, but the

actual programs also exist in PUBLIC, and the data files are

generally boring (although you might want to scan through them to

see if there is anything interesting..)





::: System Files :::



This is one of the main sections I cut out of the file.  The
sequel to this file will have a COMPLETE list of all files
distributed with the network, as well as all DOS files for users
not familiar with DOS, with complete descriptions of what they do
and how to use them to your advantage.

In the meantime, for non-MS-DOS users, here's a quick rundown on
how files are handled.





When you type DIR you get a directory listing which shows all the
files and directories in the current subdirectory.  A filename
under MS-DOS consists of up to 8 characters plus up to 3
characters for an extension (i.e. AUTOEXEC.BAT, FILENAME.EXT, or
F.F).  A file with an extension of .COM or .EXE can be executed
by typing the name of the file (and optionally the extension) at
the DOS prompt (like C:\PUBLIC>).  A file with an extension of
.BAT is a script or shell file in straight ASCII form which can
also be executed by typing its name at the DOS prompt, but it is
executed line by line by the DOS command interpreter instead of
actually being loaded as a program with data and code segments.
DOS's .BATch language is pretty shitty as far as script languages
go; if you're used to dealing with unix or any other more
advanced language, you'll hate it.



A file which has <DIR> in place of a file size is a
subdirectory.  You can make this your current directory by typing
"CD directory-name" (i.e. "CD LAN"), or you can go down two
subdirectories by typing "CD LAN1\LAN2".  You can go up one
subdirectory by typing "CD .." (CD-space-period-period), or up to
the top by typing "CD\".



Another note: the AUTOEXEC.BAT file is automatically executed
each time the computer is booted from the disk it resides on, so
it's a good place to add your own commands (and, for the same
reason, the first place to look to see how a boot disk joins the
network).  The CONFIG.SYS file loads device drivers and such into
memory at boot.



I'm not going to cover any more about DOS files or commands here;
there may be some more in the next file, but if you are
completely DOS-uneducated I suggest you ask friends or buy a
book.  I'm sure there are also DOS tutorials available in text
form.  If enough Commodore and Apple type people ask me, I'll
write a comprehensive file explaining all the DOS commands
basically and some things that a hacker on a DOS system might
want to know.  Remember, they do call it MeSsy-DOS, and it is.







::: Brute force hacking into the system :::



If you get just a straight LOGIN.EXE with no options in the
Autoexec, or a login with a name but you need to know the
password (I've never encountered that), then you have to actually
do some brute force hacking, or social engineering.  The two most
common accounts I know of are Supervisor (for the system admin)
and Guest, which will probably be left on.  On my school's system
there are accounts 1-20 for each of the computers (in one lab; in
another it's c1,c2,c3..c20).  If the system is secure enough to
force an account/password to be known for each login, then I
doubt you can break out of the autoexec, but it's worth a try:
just bang away on Ctrl-C or Ctrl-Break as much as you can (if it
works, DOS asks "Terminate batch job (Y/N)?").  Optionally, if
you have to have a boot disk, then make your own... with no
autoexec, so you can just login however you like.  That is the
real point here: an autoexec on a disk the user controls is not a
security boundary, so whatever it is supposed to enforce has to
be enforced again by the password on the account.  Or get someone
already on the system to install a trojan to snag passwords for
you, etc.
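The LOGIN behaviour described earlier (an unknown name is rejected before any password is asked) is what makes the guessing in this section cheap: you can confirm which account names exist without knowing a single password.  The added Python example below, which is not from the original file and not Novell's code, models that leaky LOGIN beside a hardened one that answers identically in both cases, builds the candidate list from the account conventions named above (Supervisor, Guest, 1..20, c1..c20), and shows that a differential test recovers the real names from the leaky version only.  The account table and the response strings are constructed for the example; a real LOGIN has its own messages, which is why the code compares responses against a known-bogus name rather than matching fixed text.

```python
"""Username enumeration against a login prompt that answers differently for
unknown names and wrong passwords.  Added example; not from the original file."""
from typing import Callable, Dict, List

# Constructed account table standing in for a small lab server (not taken
# from the original file).  An empty string means the account has no password.
ACCOUNTS: Dict[str, str] = {"SUPERVISOR": "s3cret", "GUEST": "", "4": "", "C7": "lab"}

LoginFn = Callable[[str, str], str]


def leaky_login(user: str, password: str) -> str:
    """Models the LOGIN behaviour described in the text: an unknown name is
    reported as such before the password is even looked at."""
    name = user.upper()
    if name not in ACCOUNTS:
        return "unknown user"
    return "logged in" if ACCOUNTS[name] == password else "bad password"


def uniform_login(user: str, password: str) -> str:
    """Hardened variant: the same failure text whether the name or the
    password is wrong, so a failed guess tells the caller nothing."""
    name = user.upper()
    if name in ACCOUNTS and ACCOUNTS[name] == password:
        return "logged in"
    return "access denied"


def candidate_names(workstations: int = 20) -> List[str]:
    """Names worth trying first, per the conventions named in the text:
    Supervisor, Guest, and per-workstation accounts 1..N and c1..cN."""
    names = ["SUPERVISOR", "GUEST"]
    names += [str(i) for i in range(1, workstations + 1)]
    names += [f"C{i}" for i in range(1, workstations + 1)]
    return names


def enumerate_users(login: LoginFn, candidates: List[str],
                    probe_password: str = "x") -> List[str]:
    """Return the candidate names the oracle confirms exist, without knowing
    any password.  Compares each response with the one given for a name
    that certainly does not exist; only a differing answer counts, so the
    exact wording of the messages does not matter."""
    baseline = login("ZZ-NOT-A-USER-9", probe_password)
    return [n for n in candidates if login(n, probe_password) != baseline]


def blank_password_accounts(login: LoginFn, names: List[str]) -> List[str]:
    """Of the confirmed names, the ones that let you in with no password at
    all (the situation behind an unattended 'login 4' on a boot disk)."""
    return [n for n in names if login(n, "") == "logged in"]


if __name__ == "__main__":
    found = enumerate_users(leaky_login, candidate_names())
    print("leaky LOGIN reveals:", found)
    print("no password needed:", blank_password_accounts(leaky_login, found))
    print("uniform LOGIN reveals:", enumerate_users(uniform_login, candidate_names()))
```

Against the leaky model the 42 candidates collapse to the four real accounts, two of which open with an empty password; against the uniform model the same probe returns nothing, which is the property a login prompt should have.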



About actually finding other passwords once you're on, there are
several programs available for various types of LANs on various
types of computers (with source sometimes) which intercept calls,
or log keystrokes from the login program, and store the results
in a hidden file.  On an insecure LAN these programs are almost
definitely going to yield a 100% success rate, and probably won't
be found if installed right.  And on a LAN as insecure as the one
at my school, you could stick pirate wares right in the PUBLIC
directory and no one would notice (or at least they haven't yet).





::: Conclusion :::



Well, that wraps it up.   In the next file I'll include all the
Novell specific info, and complete information on all Novell
files.



Also, I corrected a lot of mis-information and mis-wording in

this file.  I very likely missed some, I'll include any

corrections in the next file.  If you find anything wrong with

it, contact me on Solsbury Hill, we're in 301.



Laughing Gas, 5/17/91.