Found at: 0x1bi.net:70/textfiles/file?hacking/thuglan1.txt

        $$ Introduction to Hacking into LANs.. $$

              An official THUG production..
      Written by Laughing Gas for Solsbury Hill BBS.

 (Please keep the filename as THUGLAN1.TXT where possible)

::: Foreward :::

I don't have a lot of experience at hacking alot of different
type of LANs, or any secret information that couldn't be found by
any one else with a little hard work, but in an effort to spare
you that hard work, I wrote this file.. 

I was going to make this only one file, and include everything in
it, but since it's already about 13k and that's without any
specific discussion of the novell system, I'm going to break it
up into a series.  Keep a look out for the next file, it'll have
more information on the actual hacking of a novell system, and
possibly other files focusing on other systems.

Subjects discussed (contents basically):

About LANs: the basics
The basics of a Novell Network, and Logging In
Once you're in DOS
System Files
Brute force hacking in


::: About LANs: the basics :::

For people who know nothing at all about computers or
telecommunications, or networks, this file probably won't be very
useful, but I will attempt to provide information in a way that
the least experienced computer user can understand it.  To that
ends, here's a brief section on what exact is a LAN, and how it
works, and so-on.

LAN stands for Local Area Network.  A network, in computer terms
is any system which allows a person on one computer to share
resources with one or more other computers.  There are two main
types, the LAN and the WAN (Wide Area Network).  A WAN is
conforms to the definition of a network the same way a LAN does,
it allows a person on one computer to use the resources of one or
more other computers.  So what's the difference? A LAN is a small
network, usually contained in a single building, and if not, then
in a single complex.  A WAN is almost never contained in a single
building or complex, and usually extends over several states, or
across the entire nation, or internationally.  An example of a
WAN is the Internet, one of the biggest and most hacked WANs
ever.  The Internet is connected all over the world to thousands
upon thousands of computers at universities, military sites,
commerical sites, and more.

Another type of network is a PSN, which is similar to a WAN in
that they always extend out of a complex.  PSN stands for Packet
Switching Network.  What a PSN does is bundle a packet of data
from the local terminal, assemble it at the local PAD (packet
assembler/disaseembler), send it through a series of in-between
PADS and when it reachs a destination, it is disassembled by that
PAD, and fed to that computer.  This allows a PSN which has PADs
which are in a chain where PAD A is local to PAD B and PAD B is
local to PAD C but PAD A is not local to PAD C to send a packet
from A to B to C and not pay the expenses of sending directly
from A to C.  A PSN almost always uses phone lines for at least
part of it's connections.

A WAN or LAN operates on a different principal, it sends
information directly from the local terminal to it's destination.
In the case of a WAN, the information may pass through phone
lines, but it might not, depending on what exactly you are doing. 
On the Internet, if you are connected to a university, you can
log into a computer at that university and you will be on a
direct connection, but you can call another university or
military site from there, and your data will travel over the
phone lines, or maybe even over a PSN or another network.

A LAN will ALWAYS be a local direct connection.  The most common
set up on a LAN is that there are 2 or more terminals in one or
more rooms that are hooked up to one or more servers.  That is
the case we will assume is true in examples throughout this file
unless otherwise specified.  (We'll also assume that the LAN is
set up with IBM MS/PC-DOS compatible computers)

One scenario for how a LAN is set up would be like this:  There
are 20 IBM PS/2 Model 25's with Dual 720k drives, 640k of memory,
and no hard drive hooked up to an IBM PS/2 Model 80 w/ 20 megs of
memory, a 330 meg hard drive, and a 1.44 meg and 1.2 meg drive. 
In this case, the Model 80 would be the server.  Each terminal
would have to have a boot disk for the network.  (An alternate
situation would be if the computers had BOOT PROMS which redirect
local drive activity to allow the terminals to boot from the
server's hard drive) If you just put a dos disk in a terminal and
turned it on, you could use the full 640k of memory, and both
drives for whatever you wanted.  However, if you put in a network
boot disk, (or ran the network set-up and login programs from any
disk) you would then be connected or logged in to the network. 
At this point, you could access any program on the server's hard
drive (basically giving the 20 non-hard drive machines a 330 meg
drive to share).  There only needs to be one copy of each program
that will be run, no matter how many people are using it. 
(Assuming of course that the program is network compatible, some
programs such as perhaps a BBS program, or something using
communication interrupts, or with files constantly open, etc. may
not function with a network at all, or crash the terminal or the
whole network.)  There are however special programs installed on
the network to allow different terminals to share files and so
on.  Data files can be saved on the server's hard drive, or on
the local disk drives.

One function of the network software is to capture all DOS
interrupts (int 21 for MS/PC-DOS) and decide what to do with
them- either pass them on to DOS, or handle it itself.

::: the Basics of a Novell Network, and logging in :::

Novell Netware (tm) is one of the most common pieces of network
software availible for IBM MS/PC-DOS networks.

Basically, novell works like this:  either on the boot disk, or
if the computer has boot proms, on the hard drive, in the
AUTOEXEC.BAT you'll find a setup somewhat like this: (comments
will be preceded by semicolons (;))

prompt $p$g       ;changes prompt to include path
mouse             ;load mouse driver
;and other such stuff in the very beginning
IPX /options      ;prepares the computer for the network
NET3              ;loads network
login 4           ;automatically logs in as computer #4
menu net          ;loads the nifty menu

Not all computers will have all of these things, there may not be
mouse drivers, there may be extra things (initialize plotters,
etc, etc) anyway, they should have IPX and NET3, and PROBABLY
login xxx.

The way the login program works is thus;  Running LOGIN with no
options will get you a prompt of "Username:" then, after entering
a valid username, "Password: " (prompts may be different..)  if
you don't enter a valid username, it'll let you know.  If you
enter LOGIN with one option, it will try to process that as a
username, and if it's valid you'll recieve just the "Password: "
prompt.  If you enter two parameters, it will process the first
as the username, and the second as the password.  If there isn't
a login xxx type of command, there should be just a LOGIN command
which will prompt you for username and password.

If the network prompts you for a username and password, you're
stuck, you have to do some hacking to get in.  This file mainly
covers what to do once you're on, but see the section later on
getting in.

The line "menu net" will execute the network's MENU function with
the menu defined as NET.  On my school's network this has
selections such as Word Perfect, a typing tutor, etc.   If there
is another command here, it will run that program.   If there is
no command here you are simply in DOS.  If you are on the MENU
NET, or any other MENU  command, then simply hit the
escape  key and answer yes, then press return and you are in
DOS.  I believe it is possible to have set up the network to
automatically log you out at this point, but I've never seen
this.  If this happens, you'll still be in dos, and you can just
type LOGIN to log in again, if you had to enter a name and
password before, do it again, and there you are, if not, then
type "type autoexec.bat" and see what the login command was, and
enter it again, and you'll be logged on to the network and in
DOS.  If you are automatically put in some other sort of program
when it boots up, then it's up to you to find out how to get into
DOS on your own.

The format for the menus will be discussed in detail in my next
file, but basically it's the name of the menu on the first line,
then each menu option on a seperate line, with the commands to
run for that menu option following with at least one space like

---[cut here]---
MAIN MENU                     ; (menu name)
WORD PERFECT                  ; (menu option #1)
     CD\WP50                  ; (change to wp dir)
     WP                       ; (run word perfect)
     CD\LOGIN                 ; (change back to login dir)
FOX-BASE                      ; (menu option #2)
---[cut here]---
Etcetera, etcetera.

::: Once you're in DOS :::

To find out what drives are availible to you do this (for you
non-IBM people)

type A: (followed by return) then B: (followed by return) then C:
(return), etc.. all the way through Z:, if you ever get a "Not
ready error reading drive : Abort, Retry or Ignore? "
just hit abort, it can't hurt anything.  And write down all the
letters which are successful.  A-E will most likely be the
terminal's drives.  If the terminal is a diskless terminal, then
A-E probably won't exist.  If not, A and B if they exist will be
floppies, and C-E will be local hard drives.  (Although it is
probably possible to configure A-E as network drives too).  

It is up to the system adminsitrator(s) how the LAN is set up,
but here is how one of my school's LANs is set up:

A: terminal floppy (720k)
B: terminal floppy (720k)
C-E: configured as local drives, but there are none installed
F: main network drive
V-Z: specific network programs, these aren't real drives, rather
"fake" drives created by the SUBST dos program.

the files and directories on F: are..

AUTOEXEC.BAT: 0 byte phoney autoexec (since bootdisks are req'd)
GUIDE   .BAT: (loads teachers guide or something)
Directory PUBLIC  : contains public info and all net programs
Directory SYSTEM  : contains network utilities
Directory MAIL    : subdirectories contain mail
Directory LOGIN   : dups of other files for logging in & data
Directory DBASE   : DBase III
Directory WP50    : contains Word Perfect 5.0
Directory VP      : V-planner
Directory TYPING  : Typing Tutor
Directory ALPHA   : Alphabetic Keyboarding
Directory FOX     : Fox-Base
(and some other directories for various programs)

Then the drives V-Z are like this:
V:\VP> (just the F:\VP> directory subst'd to V:)
W:\WP50> (just the W:\WP> directory subst'd to W:)
etc.. through Z:

(subst'd means "substituted" with a DOS program called SUBST.EXE
which allows you to make a directory on one drive into a complete
new virtual drive)

The most interesting programs are in F:\PUBLIC.  My system has no
mail on it (how boring), so I don't have any information on what
the mail directories are like (other than that they are set up
like this:
etc) although I assume it would be easy enough to read the mail
with the TYPE command, or a program of your own for reading text

The SYSTEM directory has some files that are interesting, but the
actual programs also exist in PUBLIC, and the data files are
generally boring (although you might want to scan through them to
see if there is anything interesting..)

::: System Files ::

This is one of the main sections I cut out of the file.  The
sequel to this file will have a COMPLETE list of all files
distributed with the network as well as all dos files for non-dos
familiar users, with complete descriptions of what they do, and
how to use them to your advantage.

In the meantime, for non-msdos users, here's a quick rundown on
how files are handled.

When you type DIR you get a directory listing which shows all the
files and directories in the current subdirectory.  A filename
under MSDOS consists of up to 8 characters plus up to 3
characters for an extension.  (ie AUTOEXEC.BAT, FILENAME.EXT, or
F.F.)  A file with an extension of .COM or .EXE can be executed
by typing the name of the file (and optionally the extension) at
the dos prompt (like C:\PUBLIC>)  A file with an extension of
.BAT is a script or shell file which is in straight ascii form
and can be executed also by typing the name at the dos prompt,
but it is executed line by line by the dos command interpreter,
instead of actually loaded as a program with data and code
segments.  Dos's .BATch language is pretty shitty as far as
script languages go, if you're used to dealing with unix or any
other more advanced language, you'll hate it.

A file which has a  instead of a file size is a sub-
directory.  You can make this your current directory by typing
"CD directory-name" (ie, "CD LAN") or you can go two sub-
directories by typing "CD LAN1\LAN2".  You can go up one
subdirectory by typing "CD .." (CD-space-period-period) or up to
the top by typing "CD\".  

Another note:  The AUTOEXEC.BAT file is automatically executed
each time the computer is booted from the disk it resides on, so
it's a good place to add your own commands.  The CONFIG.SYS file
loads drivers and such into memory.

I'm not going to cover any more about DOS files or commands here,
there may be some more in the next file, but if you are
completely dos-un-educated I suggest you ask friends or buy a
book.  I'm sure there are also dos tutorials availible in text
form.  If enough commodore and apple type people ask me, I'll
write a comprhensive file explaining all the dos commands
basically and some things that a hacker on a dos-system might
want to know.  Remember, they do call it MeSsy-DOS, and it is.

::: Brute force hacking into the system :::

If you get just a straight LOGIN.EXE w/ no options in the
Autoexec, or a login w/ a name, but you need to know the password
(I've never encountered that) then you have to actually do some
brute force hacking, or social engineering.  The two most common
accounts I know of are Supervisor (for the system admin) and
Guest, which will probably left on.  On my school's system there
are accounts 1-20 for each of the computers (in one lab, in
another it's c1,c2,c3..c20).  If the system is secure enough to
force a account/password to be known for each login, then I doubt
you can break out of the autoexec, but its worth a try, just bang
away on Ctrl-C or Ctrl-Break as much as you can.  Optionally, if
you have to have a boot disk, then make your own... w/ no
autoexec, so you can just login however you like.. or get someone
already on the system to install a trojan to snag passwords for
you, etc.

About actually finding other passwords once you're on, there are
several programs availible for various types of LANs on various
types of computers (with source sometimes) which intercept calls,
or log keystrokes from the login program, and store the results
in a hidden file, on an unsecure LAN, these programs are almost
defintely going to yield a 100% success rate, and probably won't
be found it installed right.  And on a LAN as unsecure as the one
at my school, you could stick pirate wares right in the PUBLIC
directory and no one would notice (or at least they haven't yet).

::: Conclusion :::

Well, that wraps it up.   In the next file I'll include all the
novell specific info, and complete information on all novell

Also, I corrected a lot of mis-information and mis-wording in
this file.  I very likely missed some, I'll include any
corrections in the next file.  If you find anything wrong with
it, contact me on Solsbury Hill, we're in 301.

Laughing Gas, 5/17/91.