Physical Intrusion
+{_OPENING_}+
After some experimentation, I decided to write a guide to physical access. This will not cover how to get that access; that is an exercise left up to the reader. This guide covers the steps to take after physical access has been achieved, and will cover such topics as getting into the system, gaining a command prompt, and (maybe) getting an elevated privilege level. [DISCLAIMER] This paper was not posted with malicious intent. Instead it was posted to further knowledge of physical intrusion and how to conduct tests of it on your own networks. If you do choose to use this knowledge to gain unauthorized access to a network, you're on your own. Neither I, the author (n3w7yp3), nor the site that this is posted on will be responsible for your actions in any way, shape or form. If you fuck up, you're on your own! [/DISCLAIMER]
+{_PHASE 1_}+
The first phase of physical intrusion (as with any hacking) is a good amount of recon. The more you know about the system(s), the better chance you have of getting in. When you find a place that has public access terminals (local library, cyber cafe, your school, etc.), there are several observations that you should make. First, what OS do they run? Do they use that OS's standard login screen or something different (e.g. Novell)? What are the version numbers? These are things to note about the software. As for physical things, do the computers have any disc drives? If so, are they CD, floppy, ZIP, DVD, a combination, or any other type? Be sure to see if it has a floppy drive, as this can be used to easily perform some otherwise difficult-to-complete steps later.

Take a look at the staff who are supposed to keep an eye on the users. This could be a librarian, teacher, cyber cafe staff member, etc. Are they attentive? Do they walk around? Do they glance over users' shoulders? Also, try to become a regular at the target. Don't just come in twice (once to gather recon and the next to exploit); instead come a few days a week for about a month. That way the staff will get used to seeing you there. Take note of any other details that seem interesting. Try to learn as much as you can, but be sure to hide your knowledge; that could give you away.

Now that you have gathered some knowledge about the target (and if you have not, stop reading and do that recon!), it is time to assemble the list of what we will bring along. Here is a list of items that I find are useful:
- a small mirror like the type found in a woman's cosmetic set (for seeing behind you and to the sides)
- a floppy disk (this can contain several things; the most common is a Linux boot disk)
- pen and paper (to write down useful info)
Well, that was a short list, but that is really all that you need. Now let's get to the next phase, Compromise.
+{_PHASE 2_}+
This is the compromise phase. In this phase you will go and gain access to the network. The stages that we will cover are:
- Gain access to the system
- Gain access to the network (if not already connected)
- Gain a command prompt
- Gain an elevated privilege level
Remember, when you go in there it will be tense. Speed is of the essence, but you have to try to look relaxed (if you don't, it will draw attention to yourself). Try to dress like the other people at this place; that way you blend in (no, you can't wear your 2600 t-shirt…). Basic social engineering (SE) skills may come into play. Be ready. Make sure that you have an excuse as to why you are doing what you are doing. This will help to allay suspicions if you are caught. And be sure to rehearse this excuse so you can say it without tripping over your words.
Now when you first walk in, you will be presented with a choice of computers. Try to pick one away from most people, preferably with a screen that is hard to see if someone is shoulder surfing. From your recon you should know various details about the system, including how you log in to it. Most likely you have a username and password to the system. If not, we have several things you can try. The first is default passwords. Most systems contain a few of these. Here are some of the default passwords for Novell (courtesy of www.cirt.net):
Product                          Version  Method  User ID           Password          Level
-------------------------------  -------  ------  ----------------  ----------------  -------------
Groupwise 5.5 Enhancement Pack   N/A      Multi   servlet           manager           N/A
Groupwise 6.0                    N/A      Multi   servlet           manager           N/A
iManager                         2.0.1            admin             novell            Administrator
NDS iMonitor                              HTTP    sadmin            (none)            Administrator
Netware                          N/A      Multi   ADMIN             (none)            N/A
Netware                          N/A      Multi   ADMIN             ADMIN             N/A
Netware                          N/A      Multi   ARCHIVIST         (none)            N/A
Netware                          N/A      Multi   ARCHIVIST         ARCHIVIST         N/A
Netware                          N/A      Multi   BACKUP            (none)            N/A
Netware                          N/A      Multi   BACKUP            BACKUP            N/A
Netware                          N/A      Multi   CHEY_ARCHSVR      (none)            N/A
Netware                          N/A      Multi   CHEY_ARCHSVR      CHEY_ARCHSVR      N/A
Netware                          N/A      Multi   FAX               (none)            N/A
Netware                          N/A      Multi   FAX               FAX               N/A
Netware                          N/A      Multi   FAXUSER           (none)            N/A
Netware                          N/A      Multi   FAXUSER           FAXUSER           N/A
Netware                          N/A      Multi   FAXWORKS          (none)            N/A
Netware                          N/A      Multi   FAXWORKS          FAXWORKS          N/A
Netware                          N/A      Multi   GATEWAY           (none)            N/A
Netware                          N/A      Multi   GATEWAY           GATEWAY           N/A
Netware                          N/A      Multi   GUEST             (none)            N/A
Netware                          N/A      Multi   GUEST             GUEST             N/A
Netware                          N/A      Multi   GUEST             GUESTGUE          N/A
Netware                          N/A      Multi   GUEST             GUESTGUEST        N/A
Netware                          N/A      Multi   GUEST             TSEUG             N/A
Netware                          N/A      Multi   HPLASER           (none)            N/A
Netware                          N/A      Multi   HPLASER           HPLASER           N/A
Netware                          N/A      Multi   LASER             (none)            N/A
Netware                          N/A      Multi   LASER             LASER             N/A
Netware                          N/A      Multi   LASERWRITER       (none)            N/A
Netware                          N/A      Multi   LASERWRITER       LASERWRITER       N/A
Netware                          N/A      Multi   MAIL              (none)            N/A
Netware                          N/A      Multi   MAIL              MAIL              N/A
Netware                          N/A      Multi   POST              (none)            N/A
Netware                          N/A      Multi   POST              POST              N/A
Netware                          N/A      Multi   PRINT             (none)            N/A
Netware                          N/A      Multi   PRINT             PRINT             N/A
Netware                          N/A      Multi   PRINTER           (none)            N/A
Netware                          N/A      Multi   PRINTER           PRINTER           N/A
Netware                          N/A      Multi   ROOT              (none)            N/A
Netware                          N/A      Multi   ROOT              ROOT              N/A
Netware                          N/A      Multi   ROUTER            (none)            N/A
Netware                          N/A      Multi   SABRE             (none)            N/A
Netware                          N/A      Multi   SUPERVISOR        (none)            N/A
Netware                          N/A      Multi   SUPERVISOR        HARRIS            N/A
Netware                          N/A      Multi   SUPERVISOR        NETFRAME          N/A
Netware                          N/A      Multi   SUPERVISOR        NF                N/A
Netware                          N/A      Multi   SUPERVISOR        NFI               N/A
Netware                          N/A      Multi   SUPERVISOR        SUPERVISOR        N/A
Netware                          N/A      Multi   SUPERVISOR        SYSTEM            N/A
Netware                          N/A      Multi   TEST              (none)            N/A
Netware                          N/A      Multi   TEST              TEST              N/A
Netware                          N/A      Multi   USER_TEMPLATE     (none)            N/A
Netware                          N/A      Multi   USER_TEMPLATE     USER_TEMPLATE     N/A
Netware                          N/A      Multi   WANGTEK           (none)            N/A
Netware                          N/A      Multi   WANGTEK           WANGTEK           N/A
Netware                          N/A      Multi   WINDOWS_PASSTHRU  (none)            N/A
Netware                          N/A      Multi   WINDOWS_PASSTHRU  WINDOWS_PASSTHRU  N/A
Netware                          N/A      Multi   WINSABRE          SABRE             N/A
Netware                          N/A      Multi   WINSABRE          WINSABRE          N/A
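The useful defensive side of a list like this is auditing your own server against it. As an added example, not part of the original paper and not a cirt.net tool, here is a Python check that parses the one-line cirt.net record format quoted above into structured records and flags every enabled account whose name matches a vendor default, so each one can be confirmed as disabled or re-passworded. The sample records are a handful of the lines above; the account inventory is constructed for the example.

```python
import re

# Matches the one-line cirt.net record format quoted in the paper. Fields may be
# blank (iMonitor has no Version, iManager has no Method), hence \s* around them.
RECORD_RE = re.compile(
    r"^Novell Product\s+(?P<product>.*?)\s+Version\s*(?P<version>.*?)\s*Method\s*"
    r"(?P<method>.*?)\s*User ID\s+(?P<user>\S+)\s+Password\s+(?P<password>\S+)"
    r"\s+Level\s*(?P<level>.*?)\s*Notes\s*$"
)

# Constructed sample: a few of the records listed above, in their original format.
SAMPLE_RECORDS = """\
Novell Product iManager Version 2.0.1 Method User ID admin Password novell Level Administrator Notes
Novell Product NDS iMonitor Version Method HTTP User ID sadmin Password (none) Level Administrator Notes
Novell Product Netware Version N/A Method Multi User ID ADMIN Password (none) Level N/A Notes
Novell Product Netware Version N/A Method Multi User ID ADMIN Password ADMIN Level N/A Notes
Novell Product Netware Version N/A Method Multi User ID GUEST Password GUEST Level N/A Notes
Novell Product Netware Version N/A Method Multi User ID SUPERVISOR Password (none) Level N/A Notes
"""


def parse_records(text):
    """Turn cirt.net-style lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def audit_accounts(enabled_accounts, records):
    """Flag enabled accounts whose name is a vendor default (case-insensitive).

    Returns one finding per flagged account: the default passwords that should
    be verified as changed, and whether a blank default exists for that name.
    """
    defaults = {}
    for rec in records:
        defaults.setdefault(rec["user"].upper(), set()).add(rec["password"])
    findings = []
    for account in enabled_accounts:
        passwords = defaults.get(account.upper())
        if passwords:
            findings.append({
                "account": account,
                "default_passwords": sorted(passwords),
                "blank_default": "(none)" in passwords,
            })
    return findings


if __name__ == "__main__":
    # Constructed account inventory, as exported from a hypothetical server.
    inventory = ["Admin", "GUEST", "jsmith", "PRINT"]
    for finding in audit_accounts(inventory, parse_records(SAMPLE_RECORDS)):
        flag = "BLANK DEFAULT" if finding["blank_default"] else "default password"
        print(f'{finding["account"]}: {flag} {finding["default_passwords"]}')
```

The match is on account name only: an account named like a vendor default is worth a look even if its password was changed, and a blank default is the finding to clear first. Feed it the full list above and a real export of enabled accounts to get a worklist.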
Now, the system might not have Novell installed, or none of those might work. Well, if it is Windows 9x, simply power off the system (a hard power-off will be just fine), unplug the ethernet cable from the back and reboot. Then at the login screen click 'Cancel'. Sometimes that will let you on. At this point create a new account and power off the system. Replace the ethernet cable and boot it back up. Then log in with the username/password that you have just entered (you might have to select the 'Local workstation only' option). If the system is Windows XP, try selecting the 'Local workstation only' option and entering the username as 'Administrator' with no password. I have found that that works at my school. If none of these work (or none are viable), power off the machine. Now reboot it and try to get the boot menu (press the F8 key during the boot process). If it comes up, select option 7 for the command line. Then enter the following commands (for Windows 9x):

C:\>cd windows
C:\WINDOWS>ren *.pwl *.txt

Then exit the command line and reboot. Now when the login screen comes up you can enter anything as the username and password (you might have to check the 'Local workstation only' box). If that fails, try to boot into safe mode (press and hold F5 during startup). If this succeeds, it may give you admin privileges. If it does, then the admin who oversees this network has "as much intelligence as 2 tin cans and a rubber band". At this point add a username, reboot and log in (again, don't forget the 'Local workstation only' box). Alright, if all that has failed, insert your startup disk. You should have a Linux boot disk as well as one that matches the OS that we are trying to gain access to. Insert the one that matches the OS that we're hacking and reboot. Now at the command prompt try the following:

C:\>cd windows
C:\WINDOWS>win

Hopefully, that will boot us into Windows. However, chances are that that will not work. If that is the case, power off the box and insert the Linux boot disk. At this point our goal is to copy the password file to the disk and crack it at home. Here are some common locations of password files:
Windows
*SAM file:
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\sam.txt
HKEY_LOCAL_MACHINE\SAM
C:\WINDOWS\system32\repair\sam
UNIX (and its variants: Linux, FreeBSD, etc.)
*password file(s):
/etc/passwd
/etc/shadow
/.secure/etc/passwd
/etc/smbpasswd
/etc/nis/passwd
/etc/master.passwd
/etc/security/passwd
/etc/shadow-
/etc/shadow.lock (binary file)
VNC
*Windows:
HKEY_USERS\.DEFAULT\SOFTWARE\ORL\WinVNC3\Password
*UNIX:
$HOME/.vnc/passwd
If you can't find the passwd file, go on Google and run a search for the OS and its password file location. If you do get the password file, go home and crack it. Then come back and log in.
Okay, by this time we should have local access (one way or another). Also, set up the cosmetic mirror so that you can see behind you, and keep an eye on it; it is your early warning system in case someone comes up behind you. Now, your next goal is to get command prompt access. First let's try the easiest things:
In Windows:
- Click Start, Run and type cmd (works for all but Win 9x)
- Click Start, Programs, Accessories and then Command Prompt (again, all but Win 9x)
- Click Start, Programs and then MS-DOS Prompt (works for Win 9x)
In *nix:
- Right-click on the desktop and select New Terminal
- Click on the main menu, System Tools and then Terminal
Now if any of those work, then congrats, you have a shell. If not (which is more likely) then we have a few more things to try.
In Windows:
1. Open up IE and type C:\ in the address bar. If it lets you in, navigate to the location of the command line and click on the icon. You're in.
2. Open Notepad and type in the following code (save it as 8.cmd if you're on Win2K/XP; save it as a .bat file otherwise):

@ECHO OFF
CLS
START C:\COMMAND.COM
START C:\WINDOWS\COMMAND.COM
START C:\SYSTEM\COMMAND.COM
START C:\WINDOWS\SYSTEM\COMMAND.COM
START C:\WINNT\CMD.EXE
START C:\WINNT\COMMAND.COM
START C:\WINNT\SYSTEM32\CMD.EXE
START C:\WINNT\SYSTEM32\COMMAND.COM
START C:\WINDOWS\SYSTEM32\CMD.EXE
START C:\WINDOWS\SYSTEM32\COMMAND.COM
START C:\WINDOWS\CMD.EXE
START C:\CMD.EXE
CALL COMMAND.COM
CALL CMD.EXE

2a. Now run it. I have never failed to get command line access using this script.
3. If that fails, try the following: open up Notepad, type in the following HTML code and save it as a .html file:

<HTML>
<HEAD>
<TITLE>HD Access</TITLE>
</HEAD>
<BODY>
<P><A HREF="file:///C:">Click here for C: drive access</A></P>
</BODY>
</HTML>

3a. Now open that .html file and click the link. Everywhere that I have tried this, it has given me access.
4. Bring command.com on a floppy disk and execute it.
Anywhoo, you should have a command line one way or another. Now it is time to gather some info about the network. Here are some commands that can help us do this:
- net view
- net view /domain
- net view /domain:domainname
- ipconfig
- ipconfig /all
- ipconfig /displaydns
- route print
- arp -a
- nbtstat -a [computer]
- nbtstat -A [computer]
- net use
- netstat -an
- nslookup (set the query type to any [all] and query the network's name server)
- hostname
- tracert [host]
Alright, from that little list we have gathered a good deal of info about the host/network. We know their hostname naming scheme (from the 'hostname' command) and now we can guess other hostnames and use 'nbtstat' to query them to find out info. We know domain names from 'net view /domain' and the computers in those domains from 'net view /domain:domainname'. We learned what hosts on the intranet we are connected to from the 'netstat -an' command. 'tracert', if pointed towards an outside host (e.g. www.google.com), will give us an idea of their network structure, and maybe give us the IP of the gateway and/or router along with other hosts. Well, now that we have some info, let's move on to the next phase: escalate.
+{_PHASE 3_}+
Now it is time for us to get an elevated privilege level. First let's try the 'at' command; if it works then "YAY!!!". Make it spawn a shell in a minute (btw: it will be the highest level, SYSTEM, which is even higher than admin). If not, which is more likely, try to copy the password files to a disk (see the above section on boot disks), crack them and then log back in as an admin-level account. If all else fails, try to download and execute a local exploit on the system (yes, I know it's lame). Okay, hopefully we got an elevated privilege level by some means….
+{_PHASE 4_}+
Now it is time for the final phase, hiding our tracks. The first thing to do is to delete all the files that we made earlier. Then add an extra admin/SYSTEM/root/superuser account. Give it a good strong password. Then log off and walk away, knowing that you have access. BTW, don't forget the things you brought along!
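Every step of phases 2 through 4 leaves a trace on a Windows box that records process command lines (Security event 4688 with command-line auditing enabled, or Sysmon event 1): the burst of net view / ipconfig / nbtstat / netstat / tracert from one session, 'at' scheduling a command shell, and a new account being created and added to Administrators. As an added example, not part of the original paper, here is a small Python detector that runs those rules over a constructed sample of such records; the record format, host names and the kiosk account names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation records (hypothetical format):
# <ISO timestamp> <host> <user> <command line>
SAMPLE_EVENTS = """\
2004-03-02T09:15:00 ADMIN-WS jdoe ipconfig /all
2004-03-02T11:40:12 LIB-PC03 kiosk iexplore.exe
2004-03-02T14:01:05 LIB-PC07 kiosk cmd.exe
2004-03-02T14:01:40 LIB-PC07 kiosk net view /domain
2004-03-02T14:02:02 LIB-PC07 kiosk ipconfig /all
2004-03-02T14:02:30 LIB-PC07 kiosk nbtstat -A 10.0.0.12
2004-03-02T14:03:10 LIB-PC07 kiosk netstat -an
2004-03-02T14:03:44 LIB-PC07 kiosk tracert www.example.com
2004-03-02T14:05:00 LIB-PC07 kiosk at 14:06 cmd.exe
2004-03-02T14:06:30 LIB-PC07 SYSTEM net user helpdesk2 Str0ngPass! /add
2004-03-02T14:06:35 LIB-PC07 SYSTEM net localgroup administrators helpdesk2 /add
"""

# The enumeration commands the paper lists for phase 2.
RECON_COMMANDS = ("net view", "net use", "ipconfig", "route print", "arp -a",
                  "nbtstat", "netstat", "nslookup", "hostname", "tracert")
SHELLS = ("cmd.exe", "command.com")
# Assumed names of the locked-down public-terminal accounts.
KIOSK_ACCOUNTS = {"kiosk", "guest"}


def parse_events(text):
    """Parse the constructed record format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split(None, 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "cmd": cmd})
    return events


def recon_command(cmd):
    """Return the recon command family a command line belongs to, or None."""
    lowered = cmd.lower()
    for name in RECON_COMMANDS:
        if lowered == name or lowered.startswith(name + " "):
            return name
    return None


def detect(events, window=timedelta(minutes=10), min_distinct=4):
    """Apply four rules; returns (rule, host, user, detail) tuples in time order."""
    alerts = []
    recon_history = defaultdict(list)   # (host, user) -> [(ts, family)]
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmd = ev["cmd"].lower()
        program = cmd.split()[0]
        session = (ev["host"], ev["user"])
        # Rule 1: an interactive shell under a restricted public account.
        if ev["user"].lower() in KIOSK_ACCOUNTS and program in SHELLS:
            alerts.append(("shell-on-kiosk", *session, ev["cmd"]))
        # Rule 2: at.exe scheduling a shell (the scheduled job runs as SYSTEM).
        if program == "at" and any(shell in cmd for shell in SHELLS):
            alerts.append(("at-spawns-shell", *session, ev["cmd"]))
        # Rule 3: account creation, or addition to the local Administrators group.
        if cmd.startswith("net user ") and cmd.endswith("/add"):
            alerts.append(("account-created", *session, ev["cmd"]))
        if cmd.startswith("net localgroup administrators ") and cmd.endswith("/add"):
            alerts.append(("admin-group-add", *session, ev["cmd"]))
        # Rule 4: several distinct recon commands from one session in a short window.
        family = recon_command(cmd)
        if family:
            history = recon_history[session]
            history.append((ev["ts"], family))
            recent = {f for t, f in history if ev["ts"] - t <= window}
            if len(recent) >= min_distinct and session not in burst_reported:
                burst_reported.add(session)
                alerts.append(("recon-burst", *session, ", ".join(sorted(recent))))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample, the lone ipconfig from an admin workstation raises nothing, while the kiosk session trips all four rules in order. The recon threshold (four distinct families inside ten minutes) is the knob to tune against your own baseline; a single net view from a staff machine is normal, a sweep from a public terminal is not.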
+{_CLOSING_}+
Well, I hope that somebody out there learns something from this. Remember, don't be a black-hat/cracker and use the knowledge that you acquire for damaging systems. Always follow the Hacker Ethic. Well, that's all from me.
peace, –n3w7yp3
-=EOF=-
ghost 17 years ago
ROFL NOOB jesus christ this is a joke. I couldn't gain access with this guide even if I tried. And you said white-hats feed the skiddies, now every Starbucks is gonna be swamped with skiddies trying this, thanks. Now my methods of intrusion are going to have to be advanced, oh well, I should have upgraded them a long time ago, but I have a VB app that gets you the admin PW without a Linux disc; it just shuts down the process that is using the SAM file then copies the file to disc, so go dig a hole and die in it loser!