|
Unauthorised Access UK 0636-708063 10pm-7am 12oo/24oo Hackers Cove 8:30pm-7am +44 (0)204 792642 -------------------------------------------------------------------------------- Research Machines Nimbus hacking, by The Green Rhino -------------------------------------------------------------------------------- Please upload to other boards, but keep this header intact. Any corrections will be welcomed. -------------------------------------------------------------------------------- As everybody probably already knows, Research Machines sell, what they claim to be a computer, as the Nimbus. They charge double the price anybody else charges so that they can then give schools their traditional discount. Looking back through some PCW issues, I found a review that suggested that Nimbuses (Nimbi? Nimbus with a long 'u' ?), with MS-NET were the best computers that a school could buy. They were supposed to be faster, and more powerful, because of the 80186 processor, and the network was found to be the most reliable and fastest. They may have been better than any others at the time, but their performance still leaves a lot to be desired. Anyway, enough prattle, now what about hacking the network? The simplest, and quickest way to get at the root directory is of course to get at the fileserver, terminate the server program, and then you're in. Just type the user password file, and then CTRL-ALT-DEL to restart the server. As far as I know, there are two releases of the network software, and their file structures are organised slightly differently. I'll start with release 1. The logon screen is a light blue colour. This is limited to about 64 offers. An offer is a resource e.g. a printer, a floppy drive, or a fixed disk. An offer can be defined at the file server either at boot-up, or while the network is running. The syntax is: SHARE <resource name>=<path name> (password) (/[rwcd]) The resource name is an arbitrary name for the offer, up to (I think) 8 characters long. The path name is something like: "C:\FOO.BAR", or "PRN:". There can be one or more switches, which begin with a '/' , after the password . They are (R)ead access, (W)rite access, (C)hange access, (D)elete. They are independent of each other, but must occur in that order. If no access is given to a resource then anything connected to the resource can not do anything, apart from select, and deselect it. For example, if the resource without access is a drive, you can change to that drive, and even change directory, but you can't do a directory of the files on the disk. Usually read and write access is given to most resources, with important offers being given only read access. For example, in the standard setup, normal users are given only read access to drive P, which is public, and read/write/change access to drive N. By the way, if you are given read and write but not change, you just can't delete any file, although you can save files. Also, you would normally be given only write access to a printer! The resource name in Release 1 is usually the user name, for example two common resource shares might be: SHARE user1=C:\user1 pw1 /rwc SHARE public=C:\public pw2 /rwc So far, I haven't mentioned the password field, or how users are allocated to resources etc. The password field is just an optional, up to 8 character field that means that people with a little utility called USE, can't just get in. (But more of that later). The resources are totally separate from the users, and are held in a file called OFFERS, which, in Release1, is held on the root directory of the server boot-up floppy. The users information, passwords, access etc., are held in a file called USERS. NET somewhere on the Winchester. This is generated from USERS.TXT, which contains in ASCII format the passwords, and access. USERS.TXT is not essential, and it is redundant in Release 2. USERS.NET is not TYPEable, but if you try doing an ASCII dump, ignoring control characters (DEBUG.COM is good for this), you'll see somewhere a list of user names and passwords. This file also contains details of which resources are allocated to users. It will contain the resource names and passwords (if any). Another way to get the resource names and passwords is to watch the server's screen when it boots up! If you can't understand what is happening with USERS.NET, and your system has MAIL installed, try typing the file USERS in \MAIL. This contains the mail passwords which are by default the login ones. Using the user information is easy -- just type in the user name and password at the login screen. A user to watch out for is NETMGR. He has access to the whole hard disk -- if you succeed in cracking this user, try drives K,L,M and N. The default password is SECRET, and it is sometimes not changed. But doing it this way is a bit elementary, and you can get caught all too easily if someone types 'STATUS' on the file server, as the user name, and machine number will be displayed on the screen. If you manage to obtain the resource names and passwords, what use are they? Somewhere on the network you will find a little utility called USE.EXE. It may be on the public drive, or the server boot-up floppy. The files NET.EXE, NET.HLP, and USE.HLP, and SETNAME.COM may be of use as well. Anyway, the syntax is: To connect: USE <device name> \\netname\resourcename (password) To disconnect: USE <device name> /d Alternatively, REUSE.EXE will do just as well. Its syntax is: REUSE <device name> \\netname\resourcename (password) What do they do? USE (dis)connects you to a resource. REUSE connects you to a different resource. The fields for these commands are the same as for the SHARE command, apart from the netname command. Try typing 'SET' when you're logged on. Somewhere there may be a line saying 'SERVER=', and then the net name. If not, it will usually be SERVER, or SERVER1. This is a rather sketchy report, since I don't have time to explain everything, but another idea is to monitor the data sent across the network directly, using sub-Bios calls. You can use BBC BASIC, or RM BASIC with the Sub_Bios extension package to make them. For details of the calls, have a look in the Advanced Reference Manual. If you do manage to get USE working, then first type 'SETNAME .'. That is: setname <dot>. This means that nobody will notice that you are using the root directory resource. Release 2 is slightly different. This has a dark blue screen, and the standard system message after booting up is: 'Welcome to The Standard Network release 2', or something of the sort. There is also a space at the bottom where the network manager can place messages. In release 2, all the interesting files are kept in \network, and \mgr of the hard disk. The files in \mgr are automatically copied over to \network on boot-up, and so the \network files are the ones in operation, the \mgr files are the ones that will be used next boot-up. Make any modifications to files in the \mgr directory, so that the changes won't immediately be noticed. An interesting file to change is SYSMESS.TXT. There are other executable files in the \MGR directory, the most notable of which is NETMAN. Just be careful using it. The best thing is to copy all the files in \MGR over to your ram drive, run NETMAN in the ramdrive, and then copy NETGO.BAT, and USERS.NET back to \MGR . You get sharing violation errors if more than one person tries to run netman directly, so check first. If you add a line at the beginning of the file NETGO.BAT saying NETST, and create a batch file which copies USERS.NET over to the public drive under an innocuous name, then you will be able to find out anybody's password at any time. Whatever you do DON'T delete important files, or somebody else's work. It's just hooliganism and is absolutely pointless, like the viruses that are going round. Anybody who knows enough and wants to can easily stop them -- it's only innocent users who don't know what's going on who get caught. What might be an idea is a little suggestion in SYSMESS.TXT that the security is improved. --------------------------------------------------------------------------------