Grandma's txt-file/zine ingredients;
------------------------------------
No neat ascii art banners.
No crews.
No elite speak.
No exploits.
Questionable legality.
Curiosity.
Pretty girls.

Curiosity V1 I1 "What's going on?"
hiro. untoward.

Ok let's start off, shall we?

The plan is to find out as much about a network as we can. For our example
we're going to use a local education net. This isn't a text on hacking it
or, for that matter, on hacking anything else. This is a text on looking
around, being curious. So nyah nyah.

We'll be using some fun tools.

!nmap isn't a standard user tool, you have to download your own copy from
 www.insecure.org/nmap
!dig comes with redhat 5.2, I dunno about others.
!I may have some trouble getting you all to understand the complexities of
 FINGER and TELNET, but that is to be assumed.
!Something else might come up, who knows?

=-=-=

dig www.XXX.XXX.ca mx

Trademart-1.XXX.XXX.ca.  1D IN A         142.XXX.XXX.1
mars.XXX.XXX.ca.         10h23m27s IN A  131.XXX.XXX.3

/* whewt. here we start. some boring ol' crap. */
/* Mars looks to be at the university of new brunswick.
   The telnet banner is capital letters AUTHORIZED USE ONLY */

nmap -sP XXX.XXX.ca/24 > list

/* ping scanning to see what computers are on the network brings back the
   list. These computers are usually named really helpfully. */

nat webpages.XXX.XXX.ca

/* the network auditing tool. get it. this'll list available shared drives
   on the computer. Webpages has one. */

[*]--- Attempting to access share: \\*\public
[*]--- WARNING: Able to access share: \\*\public
[*]--- Checking write access in: \\*\public
[*]--- Attempting to exercise .. bug on: \\*\public

/* SO.... */

smbclient \\\\WEBPAGES\\public -I webpages.XXX.XXX.ca

/* blah blah */

password: /* none */

ls

/* big ass list... there's a lot of programs here. full versions, I'd
   guess... a look at a file named ".message" verifies that.
*/

smb: \> get .message
getting file \.message of size 109 bytes as .message (0.649056 kb/s) (average 0.649057 kb/s)
smb: \> quit

[root@hiro quest]# cat .message
These files are _NOT_ for public consumption.
Do not download unless authorized. You _HAVE_ been warned!

/* so, let's back out of here, as these "tough guys" really frighten me.
   really. besides which, we're just looking and we don't want to cause any
   trouble, or aneurysms.

   another interesting filename is faxstat.pl. since this is
   "webpages".XXX.XXX.ca it would make sense, if you were of the right
   mind, to grab it and look through the code. Odds are it is run on at
   least one of the web servers you've got listed in list (from the ping
   sweep earlier) */

/* The odds are also good that you have come across quite a few normal
   desktop win95 or 98 or even NT machines. These are often improperly
   configured to allow remote read and/or write access to their drives,
   and it's likely you may have print access as well. */

Hmn... looking at the first host returned... the trademart one.. we find;

[root@hiro quest]# smbclient \\\\*\\public -I 142.XXX.XXX.1
No interface found for address 142.XXX.XXX.72
Added interface ip=142.XXX.XXX.72 bcast=142.XXX.XXX.255 nmask=255.255.0.0
Server time is Tue Aug 17 02:51:58 1999
Timezone is UTC-4.0
Password:
Domain=[XXXX] OS=[Unix] Server=[Samba 2.0.2]
security=share
smb: \> get readme.txt

/* blah blah */

[root@hiro quest]# cat readme.txt
This area is for authorized users only. Please respect this.
[root@hiro quest]#

/* this is a much nicer way to put this, I think. And I feel that I
   didn't violate this trust. :)
   Read the files .message readme.txt and README */

[root@hiro quest]# finger @webpages.XXX.XXX.ca
[webpages.XXX.XXX.ca]
Login     Name       Tty  Idle  Login Time    Office  Office Phone
mjb                  /2   10:53 Aug 16 16:45  (iolan4.XXX.XXX.ca)
mjb                  /0   7:34  Aug 16 20:20  (kenny.XXX.XXX.ca)
mjb                  /5   8:29  Aug 16 20:21  (kenny.XXX.XXX.ca)

/*YAY more hostnames PLUS a username. Hmn..
  (I'm not sure I know when to quit) */

[root@hiro quest]# finger @iolan4.XXX.XXX.ca
[iolan4.XXX.XXX.ca]

[root@hiro quest]# finger @kenny.XXX.XXX.ca
[kenny.XXX.XXX.ca]
Login     Name       Tty  Idle  Login Time    Office  Office Phone
mjb                  3    5d    Aug 11 15:26
mjb                  6    32d   Jul 15 08:04
root      root      *1   3d    Jul 15 07:57
root      root      *2   3d    Aug  3 15:10

/* interesting here to stop and note that nmap -O doesn't find the OS, but
   if you open the address in a web browser it'll tell you that they run
   Apache secure ssl on Red Hat */

[root@hiro quest]# finger mjb@kenny.XXX.XXX.ca
[kenny.XXX.XXX.ca]
Login: mjb                              Name: REEL NAME!
Directory: /home/mjb                    Shell: /bin/bash
On since Wed Aug 11 15:26 (ADT) on tty3   5 days 12 hours idle
On since Thu Jul 15 08:04 (ADT) on tty6   32 days 20 hours idle
Last login Mon Aug 16 19:20 (ADT) on ttyp0 from Virt
Mail last read Thu Jul 29 15:21 1999 (ADT)
No Plan.

/* last login from Virt ??
 * that doesn't sound like a hostname, but an alias...
 * maybe just for XXX.XXX.ca ? */

[root@hiro quest]# ping virt.XXX.XXX.ca
PING virt.XXX.XXX.ca (142.XXX.XXX.193): 56 data bytes
64 bytes from 142.XXX.XXX.193: icmp_seq=0 ttl=59 time=34.1 ms

/* YEP */

[root@hiro quest]# finger mjb@virt.XXX.XXX.ca
[virt.XXX.XXX.ca]
/bin/cat: /usr/local/etc/finger.txt: No such file or directory

/* Muhaha that's odd, isn't it? Dorks, learn to set up a system correctly. */

[root@hiro quest]# lynx virt.XXX.XXX.ca -dump

   Department of Education and Culture Stand in Server

   Welcome the stand in server for Department of Education and Culture.
   Our real server should be online shortly. Thank you.

   [1]XXXX [2]GOV [3]Library [4]XXXXXX

References

   1. http://www.XXX.XXX.ca/
   2. http://www.XXX.gov.XXX.ca/
   3. http://www.Library.XXX.XXX.ca/
   4. http://www.XXXXX.XXX.ca/

/* One is tempted to run NAT against this computer to see what she runs..
 * I think I've about killed the teaching aspect of this txt
 * now I'm just curious.
 */

/* Nothing OPEN :( */

=-=-=-=-=

Anyway. that's all for today... just some boredom/curiosity killing fun.
Now I'm going back to XXX out all the IPs and hostnames. Foo.

some helpful info in;
man nmap
man dig
man nat

hiro/untoward 08/17/99
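Added example, not part of hiro's text and not code from any of the hosts above: the two smbclient sessions show the same exposure twice (a Samba box in security=share mode with a "public" share that opens on an empty password, and NAT reporting write access on it). The script below is a small audit for exactly that in an smb.conf: it parses the ini-style file, flags share-level security and "map to guest", and flags any share that is guest-accessible, noting whether it is also writable. Both configs inside it are constructed for the example; WEAK_CONF mirrors what the sessions observed, HARDENED_CONF is the fixed form, and the paths, workgroup, host ranges and the @staff group are made up. The "writable"/"writeable"/"public"/"guest ok" synonyms and the "read only = yes" default are Samba's own parameter names.

```python
"""Audit an smb.conf for the no-password share exposure seen above.

Added example, not part of the original zine. The two configs are
constructed: WEAK_CONF mirrors what the smbclient sessions observed
(security=share plus a writable 'public' share), HARDENED_CONF is the
fixed form. Paths, workgroup, hosts and the @staff group are made up.
"""
import re

# Synonyms Samba accepts for the two parameters the audit cares about.
GUEST_KEYS = ("guest ok", "public")
WRITE_KEYS = ("writable", "writeable", "write ok")

WEAK_CONF = """
[global]
   workgroup = XXXX
   security = share

[public]
   path = /export/public
   comment = Public drop area
   public = yes
   writable = yes
"""

HARDENED_CONF = """
[global]
   workgroup = XXXX
   security = user
   map to guest = Never
   ; constructed range: only the campus LAN may even talk to smbd
   hosts allow = 127. 192.168.1.

[public]
   path = /export/public
   comment = Staff-only area
   guest ok = no
   read only = yes
   valid users = @staff
"""


def _to_bool(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased with single spaces,
    matching smb.conf's case- and whitespace-insensitive parameter names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # full-line comments
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _allows_guest(params):
    return any(_to_bool(params[k]) for k in GUEST_KEYS if k in params)


def _is_writable(params):
    # Samba defaults a share to read only = yes; the 'writable' family overrides it.
    for k in WRITE_KEYS:
        if k in params:
            return _to_bool(params[k])
    if "read only" in params:
        return not _to_bool(params["read only"])
    return False


def audit_smb_conf(text):
    """Return a list of findings (empty when nothing is flagged)."""
    cfg = parse_smb_conf(text)
    findings = []
    glob = cfg.get("global", {})
    if glob.get("security", "user").strip().lower() == "share":
        findings.append("global: security = share (per-share passwords, no user accounts)")
    if glob.get("map to guest", "never").strip().lower() != "never":
        findings.append("global: map to guest maps failed logins to the guest account")
    for name, params in cfg.items():
        if name == "global":
            continue
        if _allows_guest(params):
            level = "guest-writable" if _is_writable(params) else "guest-readable"
            findings.append(f"[{name}]: {level} share (no password required)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_smb_conf(conf) or ["clean"])
```

Run it as-is to see the weak config produce two findings and the hardened one none; point parse_smb_conf at a real file's contents to audit your own server. The parser deliberately ignores includes and the [homes]/[printers] special sections, so treat a clean result as "nothing obvious", not as proof.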