Cracking School Networks

We all start somewhere. Some of us start by collecting outdated programs in the hope of being able to 'hack' anything with the click of a mouse. Others start in the 'hacker' chat rooms, asking questions about every little thing without even bothering to try a search engine. In writing this article I am assuming that you are capable of teaching yourself, that you can look things up for yourself, and that you have already started your search for knowledge and are at this point ready. I am also assuming that you have a better reason for cracking into your school's network than to change your grades. Maybe I am just assuming too much :). School networks are ideal for beginners: you can work your way in from the inside, default installations are very popular with schools, teachers can be unbelievably ignorant, and school sucks, so why not? Let's begin....


Section 1: Accessing the Shared Network

Computer class (if you have one) is of course a good place to start. Your computer class will undoubtedly use a Windows operating system (not saying this is always the case, but usually...), so let's start from there. Usually these computers have two levels of rights: user and administrator. So our first goal is to jump from user (the privileges you currently have) to administrator privileges.

If the operating system is Windows 9.x, then we will look for the *.pwl file for the administrator account. This will be labeled according to the admin username, and you'll find it in the Windows directory. Just sneak in a floppy disk during class and copy the file to the floppy. Then take the file home and use a PWL cracker to crack it (if you use brute force, set it to lower-case letters with 1-10 characters, but I'd suggest first trying a dictionary crack; just collect yourself a few word lists). It'll take a while to crack the password, so you will have to be patient.

If the operating system is Windows XP, then that just makes it even easier. Just grab a Windows 2k CD (download one off Kazaa or Overnet if you don't have a copy) and sneak it into class. Put the CD in and boot up the computer, then start the Win2k Recovery Console, which is a troubleshooting program. This will allow you to operate as administrator without even having to bother with the password.

So now that you have administrator privileges, go to "Network Neighborhood" and take a look through the network. Copy a few addresses (anything that seems interesting), and if the computers used are Win9.x, when you go home you can load up your web browser and type "file://[target address]" to gain access.

This is network access, but not the kind that will allow you to change your grades (unless the software the teachers use for accessing/modifying/deleting student records happens to be installed on the computer, and the password just conveniently happens to be the same password that the teacher uses on the Windows administrator account.... which is not entirely far-fetched). If the computer you are using is Win2k (Windows 2000), then you can try going to the site below to get a tool to crack the account....

http://www.lostpassword.com/windows-xp-2000-nt.htm (which also works for nt and xp)

P.S.: If you don't have a computer class, then you can try the computers at the library.


Section 2: Network Exploitation

Now let's talk network operating systems (NOSs). If your school uses Windows workgroups as a NOS, then the method described above would be your way in. Most likely, if the NOS is not Windows workgroups, then it is Novell Netware, so now let's get into Novell.

Novell Netware is a server-based operating system for networks. Novell runs off a version of DOS called DR-DOS (also known as Caldera DOS, since it was created by Caldera Systems Inc). It also runs off a protocol called IPX/SPX (Internetwork Packet eXchange/Sequenced Packet eXchange), which is very TCP/IP compatible (the later versions of Novell run off a protocol based on IPX/SPX known as NCP, Netware Core Protocol).

In Novell Netware there are four different kinds of rights given. There is user, which gives access to //public and some other basic files. There is superuser, which is the access given to teachers; with this access they can view and delete student accounts whenever necessary, but they can not delete, create, or change accounts. There is supervisor, which is the access administrators give themselves to work off of. And finally there is console, which is the highest rights one could gain on a Novell network.

Since there have already been many articles written on Novell network infiltration (and I'm in a lazy mood), I am now going to point you in the direction of articles that I had posted from a previous article on a very similar subject (exactly the same subject actually, but targeted at a specific school network)...

Novell Netware v1.x-4.x: http://www.geocities.com/anti_dcss/novell_faq.zip

Novell Netware v3.12-4.x: http://www.geocities.com/anti_dcss/novzero.zip

Novell Netware v5.x: http://www.geocities.com/anti_dcss/hack_novell.zip

There is also AppleTalk, which may be implemented in order to integrate the Macintosh computers with the rest of the network, but it isn't really necessary to exploit AppleTalk, so I won't get into it.

Now let's get into exploiting the network from the outside. If your school has a website, resolve the IP of the site and scan the network for other servers (i.e. open up a scanner and scan xxx.xxx.xxx.1-xxx.xxx.xxx.254). Use LANguard if you are running Windows. The router will usually be *.1. If you scan it you will find telnet (23), SNMP (161), or both. If telnet is open, then you can exploit the fact that all telnet sessions are unencrypted by using a tool like Juggernaut or Hunt to hijack a session and sniff out sensitive information (like passwords, of course). SNMP is protected by community strings, but in many cases these are left at the default, which is "private". If not, you can use a community string brute force program (for example SolarWinds) to break into the router. Once inside the router, you can easily use that access to bridge into the rest of the network.

There will also be other servers you can try gaining access to in order to bridge into the network. Web servers (port 80) are not important (unless you want to deface them), but FTP and POP3 servers can be cracked and used to bridge into the network. For FTP servers you can run network scanners to find vulnerabilities, and for POP3 servers you can look up scripts and see what might work (it depends on the operating system the server is installed on).

You need to organize the way you proceed with this crack, however. Don't find and exploit vulnerabilities in the same night; spread it out. Follow these three steps: Research, Plan, and Execute. This is no one-day job. You need to be very patient or you will be caught. You also need to do this as late as possible (two or three o'clock in the morning is usually a safe time). Also, you will want to bounce off proxies as much as possible. Better yet, for the tools you don't have to compile or install, run them from their current location instead of off your computer. Most of the other tools needed should allow you to bounce off proxies/wingates.

Remember, whether you are breaking in from the outside or the inside, to be cautious. Being paranoid is not a bad thing. After all, what you are doing IS against the law. Good luck ;).
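The two router weaknesses the section leans on (cleartext telnet management access and an SNMP v1/v2c community string left at its default) are also the two things a network administrator should be checking their own gear for. The script below is an added example, not part of the original article or any tool it names: it audits a router configuration for those settings and shows the hardened counterpart beside the weak one. The IOS-style configuration syntax, the hostname, the `netmon` user and the `AUTHPASS`/`PRIVPASS` placeholders are all constructed for illustration.

```python
"""Audit a router configuration for the two weaknesses discussed above:
cleartext telnet management access and SNMP v1/v2c community strings left
at default values. Constructed example; the config syntax is IOS-like and
illustrative only."""
import re

# Community strings that ship as defaults on a great deal of equipment.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample: a router configured the way the article describes.
WEAK_CONFIG = """\
hostname school-rtr
snmp-server community private RW
snmp-server community public RO
line vty 0 4
 transport input telnet
 login
"""

# Constructed sample: the same router hardened (SNMPv3 auth+priv, SSH only).
HARDENED_CONFIG = """\
hostname school-rtr
snmp-server group admins v3 priv
snmp-server user netmon admins v3 auth sha AUTHPASS priv aes 128 PRIVPASS
line vty 0 4
 transport input ssh
 login local
"""


def audit_config(config: str) -> list[str]:
    """Return human-readable findings for a config; an empty list means no issue found."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()

        # SNMP v1/v2c communities: "snmp-server community <name> [RO|RW] ..."
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line, re.I)
        if m:
            name, mode = m.group(1), (m.group(2) or "RO").upper()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(
                    f"line {lineno}: default SNMP community '{name}' ({mode}); "
                    "remove it and use SNMPv3 with auth and priv")
            elif mode == "RW":
                findings.append(
                    f"line {lineno}: SNMP RW community '{name}'; "
                    "RW communities allow configuration changes over cleartext SNMP")

        # Management transport: telnet sends credentials in the clear.
        m = re.match(r"transport input (.+)", line, re.I)
        if m and {"telnet", "all"} & set(m.group(1).lower().split()):
            findings.append(
                f"line {lineno}: telnet enabled on vty lines; restrict to 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Run against a real device, the input would be the output of `show running-config` saved to a file; the same checks apply to any SNMP v1/v2c community regardless of its name, since v1/v2c carry the community string unencrypted on the wire.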

Another Thing: If the teachers at your school use a program called TSIS to manage student records, then usually there will also be a TSIS remote login server on the network. Using a scanner you should be able to pick up on this. The address is usually...

http://tsis.(county name).k12.(state initials).us

If you happen to crack one of the teacher accounts, you can use this to change your grades from the comfort of your own home (not that I'm supporting such activities =) ).
