Женский туризм и женское благополучие
Что мы знаем про женский туризм? Список антицеллюлитных средств растет с каждым днем: гимнастика, лимфодренаж, лазерная, цвето- и ароматерапия, целлюлолиполиз, липосакция, обертывания... Но одно из самых видных мест занимают разные виды массажа. Массаж – прекрасное средство, улучшающее кровообращение и стимулирующее обмен веществ. К тому же, его удобно сочетать с антицеллюлитными кремами и сыворотками, что дает взаимно усиливающий эффект. Женская красота и женский туризм: новости из жизни знаменитостей в женском интернете. Если кожа на лице чувствительная, то скорее всего на всем остальном теле она такая же, поэтому требует не меньшей заботы. Делать это надо круглый год, так она находится под постоянным воздействием неблагоприятных факторов. Окружающая среда для чувствительной кожи может стать агрессивной. Летом – это солнце, зимой – мороз и сухость в помещениях от отопительных приборов, весной – нехватка витаминов. Пожалуй только осенью кожа может вздохнуть свободно. Но мы все равно расслабляться не должны. Напротив, самое время подготовиться к зиме.( Читать про женские товары ...Collapse )
May. 15th, 2006 @ 10:18 am
does anyone know of a free-to-download keylogger that can be remotely (and inconspicuously) installed?
Oct. 5th, 2005 @ 05:10 pm
hi, i'm new here. i was wondering if anyone that has an aol account would be willing to help me out with something i need an aol account for... if you're interested please email me at firstname.lastname@example.org, thanks.
Check it out, it's a resource that I think some of you could use
A new idea, or more properly. An old idea; done correctly
15 7|-|3|?3 |\|3-0|\|3 1|\|73|?3573|) 1|\| |\/|3|\|70|?1|\|6 |\/|3 ?
Hi! I wonder is could anyone help me with advanced Nessus docs or links to books about Nessus?|
|» yahoo password needed.|
my mom is cheating, and i need to get her yahoo password!|
can you help me?Email to be hacked: Chattycathy1200@yahoo.com
please post here.
|» 20.0 Netware Passwords|
20.1 How do I access the password file in Netware?|
Contrary to not-so-popular belief, access to the password file in Netware is not like Unix - the password file isn't in the open. All objects and their properties are kept in the bindery files on 2.x and 3.x, and kept in the NDS database in 4.x. An example of an object might be a printer, a group, an individual's account etc. An example of an object's properties might include an account's password or full user name, or a group's member list or full name. The bindery files attributes (or flags) in 2.x and 3.x are Hidden and System, and these files are located on the SYS: volume in the SYSTEM subdirectory. Their names are as follows:
Netware version File Names
2.x NET$BIND.SYS, NET$BVAL.SYS
3.x NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS
The NET$BVAL.SYS and NET$VAL.SYS are where the passwords are actually located in 2.x and 3.x respectively.
In Netware 4.x, the files are located in a different location on the SYS: volume. It is a hidden directory called _NETWARE. In this directory are located the NDS files, license files, and a number of other system-related files such as login scripts and auditing files.
File What it is
VALUE.NDS Object and property values
BLOCK.NDS Extended property values
ENTRY.NDS Object and property types
PARTITIO.NDS NDS partition info (replication info, etc.)
MLS.000 License file.
VALINCEN.DAT License validation
To view the hidden SYS:_NETWARE directory, you can try to use RCONSOLE and the Scan Directory option, although later versions of Netware 4.x have patched this (starting with 410pt3). Here is another way to view these files, and potentially edit them. After installing NW4 on a NW3 volume, reboot the server with a 3.x SERVER.EXE. On volume SYS will be the _NETWARE directory. SYS:_NETWARE is hidden better on 4.1 than 4.0x, but in pre-410pt3 patched 4.1 you can still see the files by scanning directory entry numbers using NCP calls (you need the APIs for this) using function 0x17 subfunction 0xF3.
Using JCMD.NLM, it is possible to access SYS:_NETWARE, and do many fun things, like copy NDS, etc. But what hackers have asked for is a way to access this directory WITHOUT uploading an NLM via RCONSOLE. You can try using NETBASIC.NLM (see the Netware Console Attacks section for details), and actually copy NDS files to a directory you can access (like SYS:PUBLIC).
20.2 What's the full story with Netware passwords?
A Novell proprietary algorithm takes the password, and produces a 16 byte hash. This algorithm is the same for versions 3.x and 4.x of Netware. The algorithm is also inside the LOGIN.EXE file used by the client when logging in. The details of the algorithm itself can be found in the crypt.txt file included with Pandora (see Pandora <http://www.nmrc.org/project/pandora/index.html> for details).
The 16 byte hash is stored within the bindery files in Netware 3.x and NDS in Netware 4.x. Since the object ID is used in the algorithm, it adds the equivalent of a salt. This along with the fact that the password length plays into the algorithm increases the overhead in cracking multiple passwords at once.
Fortunately for the cracker, both the object ID and the password length are stored with the hash, along with that fact that lower case letters are converted to upper case before generating the hash does simplify the process slightly. Password crackers can brute force a little easier since they can eliminate trying lower case letters and concentrate on a particular password length.
20.3 How does password cracking work with Netware?
Because of the complexity of the algorithm, using it the way it was designed is somewhat slow for cracking, especially by brute force. However the algorithm can be mathematically improved, and in fact WAS improved and optimized just for cracking purposes. See Jitsu-Disk's document crypt.txt <http://www.nmrc.org/project/pandora/crypt.txt> that was included with Pandora <http://www.nmrc.org/project/pandora/index.html> that details this. The algorithm is dozens of times faster than Novell's original code. However brute force is slow work with Netware, so only use it as a last resort, especially if you have a LOT of time.
This is especially true with regards to the brute force crackers that attack from the client. Since you are dealing with the network itself, expect AT BEST about a password attempt a second from most network cracking utilities.
20.4 How does password cracking work with Netware?
With Pandora v3.0 you have the fastest dictionary cracking available. And if you must attack from a client, make sure if you are using a cracker that you are using dictionary attacking.
For Netware 3.x systems, consider using Al Grant's Bindery tool.
20.5 Can an Sys Admin prevent/stop Netware password hash extraction?
The best way for a Sys Admin to prevent Netware password hash extraction is to at least try the following:
Protect the server console. If the console is compromised, all bets are off. Don't use RCONSOLE at all. Go to the console to do any administrator-type work.
Protect administrative accounts. If one of these accounts are compromised, once again all bets are off. Use these accounts minimally from secured workstations.
Clean up after yourself. If you run a BINDFIX, DSMAINT, or DSREPAIR, remember that you are leaving files out there that passwords can be recovered from. Do your business, confirm you don't have to fall back using one of these leftover files and then delete and purge them.
You see, once the server has been compromised, sometimes not even completely, there will be NOTHING to stop unwanted password recovery. Hackers, just do the opposite of the above items and you'll be fine ;-)
20.6 Can I reset an NDS password with just limited rights?
There is a freeware utility called N4PASS, that is meant for Netware 4.10 (uses NDS calls and is not bindery based). The intention of this package is to enable a Help Desk to reset passwords for users without granting them tons of rights. It uses full logging and does not require massive ACL manipulation to do it.
Obviously being set up to use this utility opens a few doors. You can download it here <http://www.novellfans.com/n4util/n4pa32.zip> from Novellfans.com <http://www.novellfans.com/>.
A couple of interesting things about this utility -- if configured incorrectly the server may be compromised in a number of ways. For instance, the password generated is a calculation that uses a 'temp filename', the date, the user's loginname, helpdesk login name, seed value, and a few other items. (its in the n4pass.txt file)
N4PASS is not set to purge immediately, the file is salvagable. Also, if the rights to the N4PASS directory are too open, you can discover the default password, among other things. The text file included with the utility covers this, so read it carefully if you are installing it. If you are hacking, read it carefully too ;-)
It is critical that access to the sys:\n4pass\password is secure since any 'temp file' (.1st extension) can cause the 'password reset' for the person listed in the 'temp file'.
20.7 What is OS2NT.NLM?
OS2NT.NLM is a Novell-supplied NLM for recovering/fixing Admin, like after it becomes an Unknown object, as opposed to User -- especially after a DSREPAIR. This module is considered a "last resort" NLM and you must contact Novell to use it. While I haven't seen it, it is supposed to be on one of Novell's FTP sites. It supposedly is customized by Novell to work with your serial number and is a one-time use NLM. You have to prove to Novell who you are and that your copy of Netware is registered.
I would suspected it is possible that this NLM could be hacked to get around the one-time use and serial number/password thing, but a restore of NDS from a good backup would accomplish things better. This way is a little destructive.
20.8 How does password encryption work?
From itsme -
the password encryption works as follows:
1- the workstation requests a session key from the server
2- the server sends a unique 8 byte key to the workstation
3- the workstation encrypts the password with the userid,
- this 16 byte value is what is stored in the bindery on the server
4- the WS then encrypts this 16 byte value with the 8 byte session key
resulting in 8 bytes, which it sends to the server
(NCP-17-18 = login), (NCP-17-4a = verify pw) (NCP-17-4b = change pw)
5- the server performs the same encryption, and compares its own result
with that sent by the WS
-> the information contained in the net$*.old files which can be found
in the system directory after bindfix was run, is enough to login
to the server as any object. just skip step 3
20.9 Can I login without a password?
If you have acquired the one-way hash from Bindery or NDS files, you have enough info to login without password, as stated by Itsme in the previous section. Pandora v3.0 includes tools for accomplishing this -- see Pandora <http://www.nmrc.org/project/pandora/index.html> for details.
20.10 What's with Windows 95 and Netware passwords?
Windows 95 has its own password file, and uses this file to store passwords to Windows 95 itself as well as Netware and NT servers. The problem here is that the PWL file is easily cracked by brute force, by using exploit code readily available on the Internet. To keep this from happening either Service Pack 1 should be applied (see Microsoft) or disable password caching.
But you can still access the WIN386.SWP file. Either using a disk utility like DiskEdit from Norton or by booting from DOS, you can access the swap file and scan it for the password in plaintext. Look for a string like nwcs and the password will follow that.
|» 19.0 Netware Accounts|
19.1 What are common accounts and passwords for Netware? |
Out of the box Novell Netware has the following default accounts - SUPERVISOR, GUEST, and Netware 4.x has ADMIN and USER_TEMPLATE as well. All of these have no password to start with. Virtually every installer quickly gives SUPERVISOR and ADMIN a password. However, many locations will create special purpose accounts that have easy-to-guess names, some with no passwords. Here are a few and their typical purposes:
PRINT Attaching to a second server for printing
LASER Attaching to a second server for printing
HPLASER Attaching to a second server for printing
PRINTER Attaching to a second server for printing
LASERWRITER Attaching to a second server for printing
POST Attaching to a second server for email
MAIL Attaching to a second server for email
GATEWAY Attaching a gateway machine to the server
GATE Attaching a gateway machine to the server
ROUTER Attaching an email router to the server
BACKUP May have password/station restrictions (see below), used
for backing up the server to a tape unit attached to a
workstation. For complete backups, Supervisor equivalence
WANGTEK See BACKUP
FAX Attaching a dedicated fax modem unit to the network
FAXUSER Attaching a dedicated fax modem unit to the network
FAXWORKS Attaching a dedicated fax modem unit to the network
TEST A test user account for temp use
ARCHIVIST Palidrome default account for backup
CHEY_ARCHSVR An account for Arcserve to login to the server from
from the console for tape backup. Version 5.01g's
password was WONDERLAND. Delete the Station
Restrictions and use SUPER.EXE to toggle this
account and you have an excellent backdoor.
WINDOWS_PASSTHRU Although not required, per the Microsoft Win95
Resource Kit, Ch. 9 pg. 292 and Ch. 11 pg. 401 you
need this for resource sharing without a password.
ROOT Found on Shiva LanRovers, gets you the command-line
equiv of the AdminGUI. By default, no password. A lot
admins just use the AdminGUI and never set up a
VARs (Value Added Resellers) repackage Netware with their own hardware or with custom software. Here is a short list of known passwords:
VAR Account Password Purpose
------- ---------- -------- -------------------------------------------
STIN SUPERVISOR SYSTEM Travel agency running SABRE
STIN SABRE -none- Like a guest account
STIN WINSABRE WINSABRE Windows guest account for NW 2.15c
STIN WINSABRE SABRE Windows guest account for NW 3.x
HARRIS SUPERVISOR HARRIS Tricord reseller, ships NW preinstalled
NETFRAME SUPERVISOR NF Also NETFRAME and NFI
NETFRAME aaa New installation default password
This should give you an idea of accounts to try if you have access to a machine that attaches to the server. A way to "hide" yourself is to give GUEST or USER_TEMPLATE a password. Occassionally admins will check up on GUEST, but most forget about USER_TEMPLATE. In fact, I forgot about USER_TEMPLATE until itsme reminded me.
This list is also a good starting point for account names for "backdoors". In some environments these account names will be left alone, particularly in large companies, especially Netware 4.x sites with huge trees. And don't forget account names like Alt-255 or NOT-LOGGED-IN.
19.2 How can I figure out valid account names on Netware?
Any limited account should have enough access to allow you to run SYSCON, located in the SYS:PUBLIC directory. If you get in, type SYSCON and enter. Now go to User Information and you will see a list of all defined accounts. You will not get much info with a limited account, but you can get the account and the user's full name.
If your in with any valid account, you can run USERLST.EXE and get a list of all valid account names on the server.
If you don't have access (maybe the sys admin deleted the GUEST account, a fairly common practice), you can't just try any account name at the LOGIN prompt. It will ask you for a password whether the account name is valid or not, and if it is valid and you guees the wrong password, you could be letting the world know what you're up to if Intruder Detection is on. But there is a way to determine if an account is valid.
From a DOS prompt use a local copy (on your handy floppy you carry everywhere) of MAP.EXE. After you've loaded the Netware TSRs up through NETX or VLM, Try to map a drive using the server name and volume SYS:. For example:
Since you are not logged in, you will be prompted for a login ID. If it is a valid ID, you will be prompted for a password. If not, you will immediately receive an error. Of course, if there is no password for the ID you use you will be attached and mapped to the server. You can do the same thing with ATTACH.EXE:
The same thing will happen as the MAP command. If valid, you will be prompted for a password. If not, you get an error.
Another program to check for valid users and the presence of a password is CHKNULL.EXE by itsme. This program checks for users and whether they have a password assigned.
In 4.1 CHKNULL shows you every account with no password and you do not have to be logged in. For this to work bindery emulation must be on. But there is another way to get them in 4.1.
Once you load up the VLMs you may be able to view the entire tree, or at least all of the tree you could see if logged in. Try this:
CX /T /A /R
During the installation of 4.1, [Public] has browse access to the entire tree because [Public] is added to [Root] as a Trustee. The Inherited Rights Filter flows this stuff down unless explicitly blocked. If you have the VLMs loaded and access to CX, you don't even have to log in, and you can get the name of virtually every account on the server.
If CX /T /A /R works, then NLIST USER /D will yield a massive amount of information, including who belongs to what groups, and their object ID. By combining the information between these two along with other NLIST options, you can learn a lot about an NDS tree and a server. Here a few more that come in handy:
NLIST GROUPS /D -List of groups, descriptions, and members.
NLIST SERVER /D -List of servers, versions, if attached you can determine if accounting is installed.
NLIST /OT=* /DYN /D -List of all readable objects, including dynamic objects, names of NDS trees, etc.
Between using CHKNULL, CX, and NLIST an intruder could not only learn who is in what group and who has access to what, but certainly could learn who the administrators are, and specifically select accounts for attack.
Finally, consider using the Intruder utility from NMRC's Pandora v3.0. This utility has a mode that allows you to give it a list of potential account names, and it will tell you if they are valid and even if they have no password. See Pandora <http://www.nmrc.org/project/pandora/index.html> for details.