
📄 novell hacking for complete newbies.html

  disk in your pocket......<br>

  But you aren't on the network now. That's no fun, is it? Shove the lead back 

  in and try to access a network drive. This is the bit where you hope the Admins 

  are sloppy or not computer geniuses. Windows by default caches ALL passwords 

  so unless the Admins have told it not to (a key deep in the registry) then 

  Windows will have a nice copy of their password. Go into 'My Computer' and click 

  on a drive. Whoop with glee as Netware logs you in as an Admin. Why does this 

  happen? Well, Windows still holds the username and password last used to access 

  the drive. You are logged into Windows as Admin and Windows knows what credentials 

  you last gave to the server. So it supplies them for you. Likewise because you 

  are now authenticated you now have full access to the NDS tree. Not only can 

  you read but you can now write, modify, delete etc. Much more fun!<br>

  Now, this is the bit where you have to be sneaky. You have to make a new account 

  for yourself or upgrade your old one. There are pros and cons to each of your 

  choices. If you alter your existing account and they check it for some reason 

  (maybe you got locked out?) they'll notice you have admin rights and shoot 

  you. If you make a new user, it might get found quicker but there is no way 

  to point to you (it was created by user admin after all, tee hee). The choice 

  is yours. You can always do both.</p>

<p><b><font size="4"><a name="9"></a>What's a backdoor and is it useful to me 

  ?</font></b></p>

<p>A back door, as the name suggests, is a way into a system without going through 

  the front door, the front door being the proper way in. Your backdoor will give 

  you full access (or whatever it was set-up to do) without anyone else knowing 

  about it.<br>

  It is useful to you because it gives you a lot of power and anonymity. People 

  won't know that it was you that deleted that account or altered your reports. 

  You'll be like the ghost in the machine. Invisible and all powerful. Doesn't 

  that sound wonderful to you?</p>

<p><b><font size="4"><a name="10"></a>Once I'm in, can I leave a back door?</font></b></p>

<p> Yes, there are many different ways of leaving a back door and many different 

  things a back door can be designed to do. Firstly, the most powerful backdoor 

  is the one that gives you full access to an entire system. Unfortunately, these 

  are the hardest to set-up (unless you did my Net Plug trick) and the Admins 

  aren't blind. They'll notice that a new admin account has appeared. Unless of 

  course you hide it. This isn't all that easy but it can be done. The second 

  type of backdoor gives you access to the server (like rconsole). These aren't 

  as powerful but they still have the ability to run things like the 'down' command. 

  The 'Down' command shuts the server down and dumps it at a DOS prompt. Another 

  powerful command is the load command. This sticks programs into memory. Unfortunately 

  all but the most stupid Admins log the console.</p>

<p><b><font size="4"><a name="11"></a>Leaving an Admin level user in the NDS Tree</font></b></p>

<p>This is the best way of hiding a user in the NDS Tree. Most Admins have only 

  been on the CNA (Certified Novell Administrator) course so won't have the expertise 

  to locate the user even if they did think that it existed. Even if they have 

  a CNE (Certified Novell Engineer) they aren't likely to find your user because 

  not only don't they know where to look, they won't know your user is there. 

  The best crimes aren't ones that you can get away with without being caught. 

  The best crimes are ones that the victim doesn't even know have happened.<br>

  Anyway, here is what you have to do:</p>

<ul>

  <li>Get logged in as Admin or equivalent (use the Net Plug trick)</li>

  <li>In NWADMIN highlight an existing container.</li>

  <li>Create a new container inside this container.</li>

  <li>Create a user inside this new container. No home directory.</li>

  <li>Give this user full Trustee Rights to their own user object.</li>

  <li>Give this user full Trustee Rights to the new container.</li>

  <li>Make this user security equivalent to Admin.</li>

  <li>Modify the ACL for the new user so they can't be seen.</li>

  <li>Adjust the Inherited Rights Filter on the new container so no one can see 

    it.</li>

</ul>

<p>I've not had the chance to really test this in the field. It worked for me 

  but whether or not it won't be detected in the field is another matter. It works 

  fine in theory though.</p>

<p><b><font size="4"><a name="12"></a>Okay, now how do I leave a backdoor into 

  the server itself?</font></b></p>

<p> This is a lot more difficult because you have to run a program on the server 

  itself. You do this by using the load command. It will automatically load the 

  program from the SYS: directory. You'd have to copy the files to this directory 

  first. Because this dir is filled with NLMs, it will be a lot harder to locate 

  your new program as a rogue. The problem is actually running it. As I said before, 

  most Admins run the console logging program called CONLOG. So now what? If we 

  try anything it will be logged, won't it? Sure, unless we turn off the logging 

  program first, tee hee. Type &quot;unload conlog&quot; without the quotes. This 

  will stop logging console activity. Next type &quot;load magicfile.nlm&quot; 

  with the name of your program and without the quotes. Next type &quot;load conlog&quot; 

  again without the quotes. Loading up conlog is the last thing that you do before 

  leaving the server.<br>

  Some Admins run a program called &quot;Secure Console&quot;. This stops you 

  from loading any more programs. The only way to get round this is to use the 

  unload command again. However it is password protected. You can get past this 

  too but it will take some guts to do and it will take out the server for a few 

  minutes. Are you ready?</p>

<ol>

  <li>Type &quot;Down&quot; at the prompt. If there are any users logged in, it 

    will warn you. Press Y to continue or N to cancel. Pressing Y will cut them 

    off. Any system that is on the Novell network will report to its users that 

    the server is going down. Try to do this at the end of the day when all the 

    clients are turned off or when you've got a chance to reset them before someone 

    sees the message.</li>

  <li>Turn the machine off</li>

  <li>Wait a few seconds</li>

  <li>Then turn it on again</li>

  <li>Run outside and wait for the server to come back up. It is not a good idea 

    to get caught with the server in this state.</li>

  <li>When the Admins rush in to find out why their precious server bit the dust, 

    their last concern is whether secure console is running or not.</li>

  <li>When they leave, wait a few minutes before going back in.</li>

  <li>Go to the console and turn off the console logger</li>

  <li>Run your nasty little program</li>

  <li>Turn the logging program back on</li>

  <li>Walk out of the room as a super user.</li>

</ol>

<p>The program itself will not show up in the logs (because you stopped logging 

  before you ran it). When they shut the server down, the program will no longer 

  be resident. However, if you are taking the risk to run this program, make sure 

  you also run something that will catch the rconsole password. Admins hardly 

  EVER change this. They are far more careful with the NDS password and see no 

  reason why anyone would be able to find or to use their little rconsole password. 

  Once you have the rconsole password you don't really need a backdoor.</p>
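<p>Added example, not part of the original tutorial: the unload/load sequence and the forced restart described above both leave marks in whatever the console logger did record. The Python below audits a constructed, normalized event list for a logger restart with no preceding boot, a reboot outside the planned dates, and a boot that was never followed by a console lockdown. The event labels (BOOT, LOGGER_START, LOCKDOWN, CONSOLE) and the planned-reboot set are assumptions made for the example, not CONLOG's native format.</p>

```python
from datetime import datetime

# Constructed sample events, hypothetical normalized form: <ISO time> <KIND> <detail>.
# KIND labels (BOOT, LOGGER_START, LOCKDOWN, CONSOLE) are assumptions for this
# example; this is not CONLOG's native file format.
SAMPLE = """\
2001-03-05T08:00:02 BOOT server start
2001-03-05T08:00:40 LOGGER_START conlog
2001-03-05T08:00:45 LOCKDOWN secure console
2001-03-05T17:42:10 CONSOLE volume check complete
2001-03-05T17:49:55 LOGGER_START conlog
2001-03-05T17:50:30 CONSOLE backup job queued
2001-03-06T18:21:13 BOOT server start
2001-03-06T18:21:50 LOGGER_START conlog
2001-03-06T18:40:02 LOGGER_START conlog
"""

def parse(text):
    """Turn the sample text into (timestamp, kind, detail) tuples."""
    rows = (line.split(" ", 2) for line in text.strip().splitlines())
    return [(datetime.fromisoformat(ts), kind, detail) for ts, kind, detail in rows]

def audit(events, planned_reboot_dates=frozenset()):
    """Return (finding, window_start, window_end) tuples, in log order."""
    findings, prev_ts, last_boot = [], None, None
    booted_since_logger, locked_since_boot = False, True
    for ts, kind, _detail in events:
        if kind == "BOOT":
            if not locked_since_boot:           # previous boot never re-locked
                findings.append(("no_lockdown_after_boot", last_boot, ts))
            if ts.date().isoformat() not in planned_reboot_dates:
                findings.append(("unplanned_reboot", prev_ts, ts))
            booted_since_logger, locked_since_boot, last_boot = True, False, ts
        elif kind == "LOGGER_START":
            # A logger start with no boot before it means logging was stopped
            # and restarted mid-session; prev_ts..ts bounds the blind window.
            if not booted_since_logger:
                findings.append(("logging_gap", prev_ts, ts))
            booted_since_logger = False
        elif kind == "LOCKDOWN":
            locked_since_boot = True
        prev_ts = ts
    if not locked_since_boot:                   # still unlocked at end of log
        findings.append(("no_lockdown_after_boot", last_boot, prev_ts))
    return findings

if __name__ == "__main__":
    for name, start, end in audit(parse(SAMPLE), {"2001-03-05"}):
        print(f"{name}: {start} -> {end}")
```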

<p><b><font size="4"><a name="13"></a>Accessing server drives that you shouldn't 

  be able to see</font></b></p>

<p>When you are using Novell, you have your home area mapped as a network drive. 

  You can't press 'Up' to go higher because it will just take you to My Computer. 

  How do you get around this and why would you want to?<br>

  Well, most Admins don't login to everyone's user account to check that they 

  are set-up correctly (I know I wouldn't bother going through 1000 different 

  accounts in the unlikely case that one of them is messed up). If they aren't 

  set-up correctly, you might have access to other people's home areas. Thing is 

  though, how do you get there? You can't see higher than your own directory.<br>

  First of all, you have to find out what server you are connected to. This is 

  pretty straightforward. Okay, go back to 'My Computer'. Right click on a network 

  drive and hit properties. It will tell you what server it is mapped on. I'll 

  use GANDALF as an example. My home directory is mapped to F:, however the real 

  location of my home directory is \\gandalf\data1\users\yr12_990\miggyx\ . Now, 

  I wouldn't have known that if I hadn't checked the properties. Admins usually 

  assume you won't know or won't bother looking. The server name directly follows 

  the '\\'. Go to the start menu and select run. Type in the server name. In my 

  example this would be \\gandalf. <br>

  What if those pesky Admins have removed the Run command? Not a problem. Minimise 

  all the windows so you are looking at your desktop. Right click and select New 

  -&gt; Shortcut. When asked what it should shortcut to, type in '\\servername'. 

  Press 'Enter' a few times. You should get an icon on your desktop. Click this 

  twice and it will pull up the server. Simple but effective. A word of caution 

  though. Delete the shortcut after use using shift+del. NEVER use just the delete 

  option. If you choose just to delete the file, it will go straight to the recycle 

  bin. Sometimes users don't have access to it and so can't remove the file themselves. 

  This is when those friendly Admins come along and see a nice shortcut to their 

  server with your name on it. Not a good thing to be doing. Shift + Del removes 

  the file directly. This also bypasses any logging software running on the machine 

  itself. The Admins won't be able to get to the file assuming they know it exists 

  in the first place. Best to play it safe. <br>

  Once you have access to the server itself (albeit only as yourself and not 

  as an admin unless your admin is really stupid), you might be able to browse 

  around. For instance, I still had read access to everything in the \\gandalf\data1\users\yr12_990 

  directory. I could go in and read everyone's work (although I couldn't write 

  to it) and pass it off as my own. Also, you'll be able to access some of the 

  system directories. In here you'll find useful tools such as rconsole, fconsole, 

  nwadmn32.exe and others. Running nwadmn32.exe as yourself only gives you your 

  own rights to the NDS tree. The NDS tree (NetWare Directory Services) contains 

  everything on the entire network. Even if you've got very limited access, you 

  will still see the whole tree. This includes the usernames for the Admins and 

  all the services they are running. You may even have some ability to alter users 

  in your group. It all depends on how your system is configured. Either way it 

  can be a powerful information tool. Usually you can see everything but alter 

  nothing. This is still useful. For instance, say there is this gal you really 

  like and you would kill for her phone number and address. Why go through all 

  the hassle? Most Admins stick all information about a user into their network. 

  It makes sense really. Load up nwadmn32.exe (they can't restrict this because 

  it would restrict all windows programs and that would be really stupid), find 

  her username and click twice. Bang, you can see all her details. Sure, you can't 

  actually alter them, but you can read, can't you?<br>

  You should also be able to happily browse through the directories that you can 

  see. Even if you aren't logged in as an Admin, it is likely you can find some 

  fun files to play around with. If they need DOS access, you'd better log in 

  as an Admin. If you've read the above, you should be able to get Admin status. 

  <br>

  I hope you have learnt something useful from this tutorial. It is only meant 

  as a starter guide for newbies and not as an in-depth Novell hacking tutorial. 

  Good luck with your efforts and if you have any comments, please <a href="mailto:miggyx@amicoders.demon.co.uk">e-mail</a> 

  me and I'll do my best to get back to you. Thanks!</p>

</body>

</html>
