

     THE REAL DEAL ON THE ENTERPRISE HOLE



   So here's the gig.  In the first issue I talked about a hole I found in
   Netscape Enterprise Server 3.0, but I didn't really give anybody the
   lowdown because I wanted to get more info.  Well, I've been pretty busy
   digging around in that hole and here's what I found out.


   First of all, it is a real, legitimate, honest-to-god fuckup on Netscape's
   part.  Using your browser to log in to the ISP's FTP site you can see the
   entire directory structure and view at least 70% of all the files on the
   server.  For instance the almighty passwd, loads of config files, the online
   documentation for the server, and the admin passwd file encrypted with some
   weak DES that's easily broken in under 5 seconds with John the Ripper on an
   AMD K6-2 400.  The only problem is that, by default, the server admin must
   be at the console.
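   The weak point the zine calls out above is the admin password file using
   traditional DES crypt.  The script below is an added example (not from the
   zine, and not Netscape's code) of the check an administrator would run on
   their own account files: it classifies each hash by its prefix and shape
   and reports the ones that need to be rehashed.  The sample file and every
   hash in it are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the classic "user:hash[:more fields]" layout used
# by Unix passwd and htpasswd-style files. Every hash below is made up
# for this example and is not a real credential from any server.
SAMPLE_PASSWD = """\
# account file (constructed)
admin:ab3XqJ9ZkLmnQ
webmaster:$1$saltsalt$0123456789abcdefghijkl
ops:$6$rounds=5000$saltsaltsaltsalt$0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstu
nobody:x:99:99:Nobody:/:/bin/false
guest:
"""

# Traditional DES crypt(3) output is exactly 13 characters from this
# alphabet with no "$id$" prefix; the prefixed schemes are newer.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES = {
    "$1$": "md5-crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
}
# Formats a defender should flag: DES crypt (8-character password limit,
# very fast to brute force), md5-crypt (salted but fast), and an empty
# password field (no password at all).
WEAK = {"des-crypt", "md5-crypt", "empty"}


def classify_hash(h: str) -> str:
    """Name the hash scheme from its prefix / shape."""
    if h == "":
        return "empty"
    if h in ("x", "*", "!", "!!"):
        return "shadowed-or-locked"   # hash lives elsewhere or login disabled
    for prefix, name in PREFIXES.items():
        if h.startswith(prefix):
            return name
    if DES_RE.match(h):
        return "des-crypt"
    return "unknown"


def audit_passwd(text: str) -> List[Dict[str, object]]:
    """One finding per account whose hash is weak or unrecognized."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            continue                      # not a user:hash line
        h = rest.split(":", 1)[0]         # drop trailing passwd fields
        fmt = classify_hash(h)
        if fmt in WEAK:
            findings.append({"line": lineno, "user": user, "format": fmt,
                             "action": "rehash with sha512-crypt or bcrypt"})
        elif fmt == "unknown":
            findings.append({"line": lineno, "user": user, "format": fmt,
                             "action": "review manually"})
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

   Run it against the real file instead of SAMPLE_PASSWD and anything that
   comes back as des-crypt is exactly the kind of hash the zine says falls in
   seconds; the fix is to force a password change so the entry is rewritten
   with a modern scheme.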



   SO HOW DO I EXPLOIT THIS TO GET FLY GIRLY'S AND FREE ACCOUNTS?


   You'll have to get your own "fly girly's" but our good friends at the ISP
   will be more than happy to hand out accounts like their candy.  First of
   all go to Netscape's homepage and download any one of their 3.x browsers.
   Then go kill your parents and take a bath in their blood while wearing
   their heads as hats and chanting "fly girly's forever" over and over. Ok,
   not really, actually it's time to go hunting.  Grab a phonebook and look
   up ISPs for your area, call all of them and make a list rating them on
   a stupidity scale of one to ten, ten being "brainiac" and one being your
   mom.  Now search AltaVista for the bomb-ass scanner "Superscan" and
   download it.  Open a DOS box and type "tracert www.victim-isp.com". It's
   gonna look like this.


C:\>tracert ntserver

Tracing route to ccmgate.victim-isp.com [10.10.11.3]
over a maximum of 30 hops:

  1     1 ms   <10 ms   <10 ms  ccmgate.victim-isp.com [10.10.11.3]

Trace complete.


   So you resolved the name to an IP.  Hang on to that IP, you'll need it
   later.  Right now you need to find out what this HTTP server knows
   about you, so we need to check the echo from the header request.
   Go to http://echo.znet.de and check your header request for anything
   that would be easily traced back to you, like an ISP account that you're
   using to down restricted files in your name, with your real home address
   and telephone number listed in plaintext in an easily accessed database
   updated daily by the ISP.  If your header info doesn't look good then
   get a free trial account from AltaVista or Lycos and dial up from a
   line that isn't gonna come back on you.  Alright, you will also notice
   on that same site an "HTTP server response" option - click that and put
   in the victim ISP.  When you get the server response back and it looks
   like this then you're in business.


HTTP/1.0 200 OK
Server: Netscape-Communications/1.1
Date: Wednesday, 09-Feb-00 17:32:54 GMT
Last-modified: Thursday, 28-Oct-99 14:26:56 GMT
Content-length: 521
Content-type: text/html

  
   Now you're in for trouble.  You have to get one account on the server
   somehow.  Usually you can call and give a fake name and address and
   ask for a 5 or 10 day trial account to see if their service is good
   or not.  Then you take that account info and from a DOS box see if
   you can FTP over there.  Type ftp ftp.target.com and it will come
   up with a logon.  Log on, type your password, and at the
   prompt type ls and enter.  If it scrolls up a few worthless files
   then your account is FTP enabled and it's all gravy from here on out.
   Open up Netscape 3.x and input your FTP URL - ftp://user:pass@ftp.isp.com/
   KABLAM. Hmm.. looks like you can browse the whole server.  Alright,
   now don't get greedy, make sure you're at the top level directory and
   click on the etc listing.  You're looking for a file called passwd and
   if you don't know what the purpose of that file is then I want you to
   go into the kitchen and get a cup of bleach and a cup of Lime-A-Way and
   mix them in a bowl and inhale excessively.  Most likely the Netscape
   server is gonna be running on a Unix-based server which means they
   almost certainly shadowed the passwd file, and with IRIX the only way
   you're gonna read it is to nab root.  However you don't have to have it
   to read the user names, which in my case were followed by the real
   names in the passwd file.
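   What the zine describes above is an FTP account that is not confined to
   its home directory, so a trial user can walk up to / and pull /etc/passwd.
   The script below is an added example (not from the zine, and not any FTP
   server's own tooling) of the detection an ISP admin would run over their
   FTP logs: it normalizes each path, including ".." traversal, and flags
   every directory change, listing or retrieval that lands outside the
   account's home.  The log layout, the account-to-home map and the log
   lines themselves are all constructed for the example; a real server's
   transfer log would need its own parser in place of the split() call.

```python
import posixpath
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log layout (not any particular FTP daemon's format):
#   <iso-time> <user> <client-ip> <command> <path>
SAMPLE_FTP_LOG = """\
2000-02-09T17:32:54 jsmith 192.0.2.10 CWD /home/jsmith
2000-02-09T17:32:55 jsmith 192.0.2.10 LIST /home/jsmith
2000-02-09T17:33:02 jsmith 192.0.2.10 CWD /
2000-02-09T17:33:03 jsmith 192.0.2.10 LIST /
2000-02-09T17:33:09 jsmith 192.0.2.10 CWD /etc
2000-02-09T17:33:10 jsmith 192.0.2.10 RETR /etc/passwd
2000-02-09T17:40:00 bob 192.0.2.11 CWD /home/bob
2000-02-09T17:40:01 bob 192.0.2.11 RETR /home/bob/notes.txt
2000-02-09T17:41:00 bob 192.0.2.11 RETR /home/bob/../../etc/group
"""

# Constructed account -> home directory map (normally from /etc/passwd).
HOMES = {"jsmith": "/home/jsmith", "bob": "/home/bob"}

# Commands that reveal or read server content; a chrooted account should
# never manage to point one of these outside its home.
WATCHED = {"CWD", "LIST", "NLST", "RETR"}

Finding = Tuple[str, str, str, str, str]   # (time, ip, cmd, path, reason)


def outside_home(path: str, home: str) -> bool:
    """True if the normalized path is not the home dir or a descendant."""
    norm = posixpath.normpath(path)       # collapses ".." and "//"
    home = posixpath.normpath(home)
    return not (norm == home or norm.startswith(home.rstrip("/") + "/"))


def analyze_ftp_log(log_text: str, homes: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Group out-of-home accesses by account; accounts with none are omitted."""
    findings: Dict[str, List[Finding]] = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue                      # malformed line, skip
        ts, user, ip, cmd, path = parts
        if cmd not in WATCHED:
            continue
        home = homes.get(user)
        if home is None:
            findings[user].append((ts, ip, cmd, path, "unknown account"))
        elif outside_home(path, home):
            findings[user].append((ts, ip, cmd, path, "outside home"))
    return dict(findings)


if __name__ == "__main__":
    for user, events in analyze_ftp_log(SAMPLE_FTP_LOG, HOMES).items():
        print(user)
        for ev in events:
            print("   ", *ev)
```

   Any hit from this script means the jail is not working; the response is to
   confine the FTP accounts (chroot or the server's equivalent) and review what
   the flagged sessions already pulled.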

   
   SO.. WHAT THE HELL AM I SUPPOSED TO DO WITH A BUNCH OF USER NAMES?

   
   It's time to go to social engineering school.  Call the ISP and pretend
   to be the user, ask to verify billing information, tell them Satan himself
   came and commanded you to forget your password, tell them anything, just
   get those passwords.  If you get lucky enough to have the entire list of
   real names for users in the passwd file then call the users at home and
   tell them the database crashed and their password records were lost.  Not
   all of them, but most will just give it up.


   If you really don't have any mad people skills at all there are a myriad
   of web-based crackers out there.  You need to generate a dictionary file
   and then go find a POP3 cracker and let it run against one user at a time.
   The POP server is almost always mail.isp.com.  However, unless you just
   happen to have a big phat T3 or something it's gonna take a pretty long
   time.  Most accounts will be lowercase and between 6 to 8 characters
   long, usually having some or all of the user's real name in it.  You
   could also try an FTP cracker which might have faster authentication
   but is also usually logged.
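   The dictionary run the zine describes, one user at a time against the POP3
   server, leaves a very recognizable trail: a burst of failed logins for one
   account from one address.  The script below is an added example (not from
   the zine, and not any mail server's own code) of the detection logic an
   ISP admin would run over POP3 auth logs: it keeps a sliding window of
   failures per (source IP, user), raises one alert when the window crosses
   a threshold, and raises a second, higher-priority alert if that same pair
   then logs in successfully.  The log layout, threshold and sample lines are
   all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed syslog-style layout (not any real POP3 daemon's format):
#   <iso-time> pop3 login <ok|failed> user=<name> ip=<addr>
SAMPLE_POP3_LOG = """\
2000-02-09T18:00:01 pop3 login failed user=jsmith ip=198.51.100.7
2000-02-09T18:00:03 pop3 login failed user=jsmith ip=198.51.100.7
2000-02-09T18:00:05 pop3 login failed user=jsmith ip=198.51.100.7
2000-02-09T18:00:07 pop3 login failed user=jsmith ip=198.51.100.7
2000-02-09T18:00:09 pop3 login failed user=jsmith ip=198.51.100.7
2000-02-09T18:00:11 pop3 login failed user=jsmith ip=198.51.100.7
2000-02-09T18:00:13 pop3 login ok user=jsmith ip=198.51.100.7
2000-02-09T18:05:00 pop3 login failed user=bob ip=203.0.113.9
2000-02-09T18:05:40 pop3 login ok user=bob ip=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pop3 login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def detect_pop3_bruteforce(log_text: str, threshold: int = 5,
                           window: timedelta = timedelta(seconds=60)) -> List[Dict[str, object]]:
    """Alert once per (ip, user) that reaches `threshold` failures inside
    `window`, and again if that pair later authenticates successfully."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an auth line, skip
        ts = datetime.fromisoformat(m["ts"])
        key = (m["ip"], m["user"])
        if m["result"] == "ok":
            if key in alerted:            # guessing worked: treat as compromise
                alerts.append({"type": "success-after-bruteforce", "ip": key[0],
                               "user": key[1], "at": ts.isoformat()})
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"type": "bruteforce", "ip": key[0], "user": key[1],
                           "count": len(q), "first": q[0].isoformat(),
                           "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_pop3_bruteforce(SAMPLE_POP3_LOG):
        print(alert)
```

   The one-user-at-a-time pattern is what the per-(ip, user) key catches;
   a threshold of five in a minute is far below what a dictionary run needs
   but above what a user fat-fingering a password produces.  The usual
   responses are rate limiting or temporary lockout on the POP3 side and a
   forced password reset for any account that trips the second alert.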


   WHAT ABOUT ADVANCED TECHNIQUE?

   Alright, now that you have 15 or 20 accounts and you're sittin' around just
   power trippin', it's time to use that IP you saved.  Superscan that IP and
   check port 79, it just might be a finger server. NO?  Then while you're
   online run winipcfg, take your IP address and scan the whole range.
   For instance: 206.29.98.10 is your IP, so you scan 206.29.98.1 - 255.
   One of those should have a finger server on port 79.  Go search for your
   new best friend coded by Commander Crash - HakTek.  Down it, open it
   up, put in the IP of the finger server and hit the finger button on the
   HakTek interface.  KABLAM.  A list of online users' IPs and idle times..


   <<<  insert scan here  p  >>>


   So now you know pretty much everything the ISP knows about its users.
   In fact you really are an admin of sorts.  It's just a little more
   complicated to get things done.  You have loads of possibilities by
   watching the users.  One of them gave you a hard time about their pass??
   Kick 'em offline.  Nuke 'em?  Probably won't work.  ICMP echo attack??
   Good idea, well just flood those bastards right off the network. "I
   don't have Linux though."  Fine then, it's time for some OLD SKOOL mad
   funk.  Cross-reference the user with his real name, nab his home phone
   number and pick up your neighbor's line, then dial the op and request
   an emergency breakthrough on his number.  Not only will he go offline while
   you watch but if you happen to have an extra line around a wardialer
   will keep him offline for as long as you want.
   
   
