boz4: THE REAL DEAL ON THE ENTERPRISE HOLE
So here's the gig. In the first issue I talked about a hole I found in Netscape Enterprise Server 3.0, but I didn't really give anybody the low down because I wanted to get more info. Well I've been pretty busy digging around in that hole and here's what I found out.
First of all it is a real legitimate honest to god fuckup on netscape's part. Using your browser to login to the isp's ftp site you can see the entire directory structure and view atleat 70% of all the files on the server. For instance the almighty passwd, loads of config files, the online documentation to the server, and the admin passwd file encrypted in some weak des easily broken in under 5 seconds with john the ripper on an AMD/K62-400. The only problem is by default the server admin must be at the console.
SO HOW DO I EXPLOIT THIS TO GET FLY GIRLY'S AND FREE ACCOUNTS?
You'll have to get your own "fly girly's" but our good friends at the isp will be more than happy to hand out accounts like thier candy. First of all go to netscape's homepage and download any one of thier 3.x browsers. Then go kill your parents and take a bath in thier blood while wearing thier heads as hats and chanting "fly girly's forever" over and over. Ok not really, actually it's time to go hunting. Grab a phonebook and look up ISP's for your area, call all of them and make a list rating them on a stupidity scale of one to ten, ten being "braniac" one being your mom. Now search altavista for the bomb ass scanner "Superscan" and download it. Open a dos box and type "tracert www.victim-isp.com". It's gonna look like this.
C:\>tracert ntserver
Tracing route to ccmgate.victim-isp.com [10.10.11.3] over a maximum of 30 hops:
1 1 ms <10 ms <10 ms ccmgate.victim-isp.com [10.10.11.3]
Trace complete.
So you resolved the name to an ip. Hang on to that ip you'll need it later. Right now you need to find out what this http server knows about you. So we need to check the echo from the header request. Go here http://echo.znet.de and check your header request for anything that would be easily traced back to you, like an isp account that your using to down restricted files in your name with your real home address and telephone number listed in plaintext in an easily accessed database updated daily by the isp. If your header info dosen't look good then get a free trial account from altavista or lycos and dialup from a line that isn't gonna come back on you. Alright you will also notice on that same site http server response - click that and put in the victim isp. When you get the server response back and it looks like this then your in business.
HTTP/1.0 200 OK
Server: Netscape-Communications/1.1
Date: Wednesday, 09-Feb-00 17:32:54 GMT
Last-modified: Thursday, 28-Oct-99 14:26:56 GMT
Content-length: 521
Content-type: text/html
Now your in for trouble. You have to get one account on the server somehow. Usually you can call and give a fake name and address and ask for a 5 or 10 day trial account to see if thier service is good or not. Then you take that account info and from a dosbox see if you can ftp over there. Type ftp ftp.target.com and it will come up with a logon. Logon and then type your password and at the prompt type ls and enter. If it scrolls up a few worthless files then your account is ftp enabled and its all gravy from here on out. Open up netscape 3.x and input your ftp - ftp://user:pass@ftp.isp.com/ KABLAM. Hmm.. looks like you can browse the whole server. Alright now dont get greedy make sure your at the top level directory and click on the etc listing. Your looking for a file called passwd and if you dont know what the purpose of that file is then I want you to go into the kitchen and get a cup of bleach and a cup of limeaway and mix them in a bowl and inhale excessively. Most likely the netscape server is gonna be running on a unix based server which means they almost certainly shadowed the passwd file and with IRIX the only way your gonna read it is to nab root. However you don't have to have it to read the user names, which in my case were followed by the real names in the passwd file.
SO.. WHAT THE HELL AM I SUPPOSED TO DO WITH A BUNCH OF USER NAMES?
It's time to go to social engineering school. Call the isp and pretend to be the user, ask to verify billing information tell them satan himself came and commanded you to forget your password, tell them anything just get those passwords. If you get lucky enough to have the entire list of real names for users in the passwd file then call the users at home and tell them the database crashed and thier password records were lost. Not all of them but most will just give it up.
If you really dont have any mad people skills at all there are a myriad of web based crackers out there. You need to generate a dictionary file and then go find a pop3 cracker and let it run against one user at time. The pop server is almost always mail.isp.com. However unless you just happen to have a big phat t3 or something its gonna take a pretty long time. Most accounts will be lowercase and between 6 to 8 charachters long usually having some or all of the user's real name in it. You could also try an ftp cracker which might have faster authentication but is also usually logged.
WHAT ABOUT ADVANCED TECHNIQUE?
Alright now that you have 15 or 20 accounts and your sittin' around just power trippin' its time to use that ip you saved. Superscan that ip and check port 79, it just might be a finger server. NO? Then while your online run winipcfg and take your ip address and scan the whole range. For instance : 206.29.98.10 is your ip, so you scan 206.29.98.1 - 255. One of those should have a finger server on port 79. Go search for your new best friend coded by commander crash - haktek. Down it and open it up put in the ip of the finger server and hit the finger button on the haktek interface. KABLAM. A list of online users ip's and idle times..
<<< insert scan here p >>>
So now you know pretty much everything the isp knows about its users. In fact really you are an admin of sorts. It's just a little more complicated to get things done. You have loads of possibilities by watching the users, one of gave you a hard time about thier pass?? Kick em offline. Nuke em? Probably wont work, ICMP echo attack?? Good idea well just flood those bastards right off the network. "I dont have linux though" Fine then, its time for some OLD SKOOL mad funk. Cross reference the user with his real name nab his home phone number and pick up your neighbors line, then dial the op and request an emergency breakthrough on his #. Not only will he go offline while you watch but if you happen to have an extra line around a wardialer will keep him offline for as long as you want.
