Let me explain further. When you dialup to my isp (and many others), you
get a terminal server which is nothing but the router itself. The router
(probably cisco) runs the terminal server program. I don't really know the
details from a subscriber point of view; however, I will explain it the way
I understand.
You normally dial up to an ISP with "Dialup Networking" and the dialup
networking (PPP) software automatically logs in and creates a PPP
connection. What happens is the software logs in with username/password
(depending on which authentication method you use) and then starts PPP on
the server end. Next it starts PPP on your end, thus creating a PPP
connection, and assigns you an IP address from the pool. It also uses other
protocols such as PAP, CHAP, etc. for authentication.
Now a totally different way of logging in, if your ISP allows it, is to use a
dialup terminal program instead. You dial up with the terminal and you get a
username/password prompt (the same way you dialed in to the old BBS). After
you are authenticated, your ISP may start PPP automagically. If it doesn't,
you are left with a terminal server prompt, which is not equivalent to root
on a server, but you are logged into a router running a terminal server
program. Here is the command list; some are restricted and some are not. I
may even be able to dial out using one of my ISP's modems! Look at the
"test" EXEC!
?
?           Display help information
help        Display help information
quit        Closes terminal server session
hangup      Closes terminal server session
test        test <phone-number> [ <frame-count> ] [ <optional fields> ]
local       Go to local mode
remote      remote <station>
set         Set various items. Type 'set ?' for help
show        Show various tables. Type 'show ?' for help
iproute     Manage IP routes. Type 'iproute ?' for help
dnstab      Manage local DNS table. Type 'dnstab ?' for help
slip        SLIP command
cslip       Compressed SLIP command
ppp         PPP command
menu        Host menu interface
telnet      telnet [ -a|-b|-t ] <host-name> [ <port-number> ]
tcp         tcp <host-name> <port-number>
ping        ping <host-name>
traceroute  Trace route to host. Type 'traceroute -?' for help
rlogin      rlogin [ -l user -ec ] <host-name> [ -l user ]
open        open < modem-number | slot:modem-on-slot >
resume      resume virtual connect session
close       close virtual connect session
kill        kill <session ID>
pptp        pptp <server-name>
PROPMT>show ?
Session ID current 273782382, saved base 273777530
GASOTN-R03> show mm^H ^H^H ^Hip ?
show ip ? Display help information
show ip stats Display IP Statistics
show ip address Display IP Address Assignments
show ip routes Display IP Routes
As you can see, you can do many things from this type of connection. You can
telnet to a server to read your mail, or run ping or traceroute. I also
found an article at http://pactestorm.securify.com/ that states there are
other commands you can use that don't show up in help. That said, just
because it doesn't show up in help does not mean that a normal user cannot
run the command. This is how the misconfiguration occurs. The system
administrator assumed that if the command didn't show up in "sh ?" then
normal users cannot run the EXEC -- when in fact, they can...
[Now if you telnet to the server after you connect PPP (versus dialing in
directly) you will not get a username prompt (this screams, "I'm a router!"),
only a password prompt.] This is the same thing you get if you use the "local"
command above! Some routers ask for both username and password. Some
routers are computers and some are hardware (Cisco, etc.).
* Note: when I refer to "router" I mean a hardware router.
The kill and show users EXECs should be restricted for normal users. Also
note that if you dial up this way without using PPP then you do not have an IP
address. You are directly connected to the router via...well, a terminal
program, usually DEC or VT100 mode.
Exactly how the authentication works, I do not know. But I do know that if
you use an ISP, the dialup password and email password are different.
Apparently the dialup password is authenticated by the router itself or some
forwarding mechanism, and the email password is kept on the email server.
Note that your email password is the same as your FTP and/or telnet password
with most ISPs.
I was booted off an ISP once when someone got my password and used my
account. I basically had no recourse, nor was I allowed to re-sign up for an
indefinite period. This is what lawsuits are made of... but it's not
financially feasible, and the provider knows this.
ABOUT AOL
Realize that AOL is a service; they take information off the web and store it
on their servers for members to view. They have direct control of what you
see. Whereas most ISPs don't care what you do, since they (by current US
law) are not responsible for YOUR actions. However, as noted above, they
boot customers all the time with little or no evidence. The problem with
AOL is that if you want to learn computers, internet and networking, it is
more difficult on AOL since they control what protocols and programs you can
use. They use non-standard protocols for mail, etc.
INVESTIGATION REVEALS SECURITY HOLE
I did actually find out how the user got my password. The mail server
(which was NT) had NetBIOS running. I ran a scan and it revealed "teresa's"
password was "teresa"! Well, since teresa was a normal user this didn't
answer the question of how someone got my password. OK, I typed the IP of
the server in Start/Find/Computer. To my surprise, teresa was with customer
service and she had a text file in one folder with a 2,600 username/password
list of customers to be added to the system! The file not only contained my
username and password but over 2,600 other usernames and passwords. I
imagine this is how the hacker got my password; or it could have been an
employee. I used a long cryptic password and it was very unlikely that a
hacker brute forced the password.
Since I was booted (from that other ISP) and many three-letter words were
exchanged, I did not notify that provider. The open share and file are
probably still there for the world to view. Although it's a local ISP and
not many hackers could use these accounts for dialup without long
distance charges, it also would allow anyone to suck down all 2,600 users'
email. If in fact the users received plain text email with, say, usernames
and passwords, credit card numbers from customers or mom/dad, then this would
be a major security hole. In fact it is. A blackmailer's gold mine!
So remember, be nice to your customers and listen to their side of the
story. They may hold more information than you realize.
Yes, another good reason to go change your passwords (plural);0)
Jay Daniels ----------------------------------
,_, mailto:[EMAIL PROTECTED]
(O,O) http://web.infoave.net/~jay
( ) 76B1 A850 6F40 2A25 0BE6 378E CDC9 6408
-"-"------------------------------------------
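The misconfiguration Jay describes (commands hidden from "?" but still runnable by normal users) comes down to where the privilege check lives. The toy EXEC shell below is an added illustration, not code from the post or from any vendor's terminal server; the command table, levels and return strings are constructed for the example. It shows a dispatcher that only filters help output beside one that authorizes at execution time.

```python
# Toy model of a terminal-server EXEC shell (constructed example).
# Each command carries the minimum privilege level needed to run it.
from dataclasses import dataclass
from typing import Callable, Dict, List

USER, ADMIN = 1, 15  # constructed privilege levels

@dataclass
class Exec:
    min_level: int
    run: Callable[[], str]

# Constructed command table: a few EXECs from the help listing above.
COMMANDS: Dict[str, Exec] = {
    "ping":       Exec(USER,  lambda: "ping ok"),
    "show ip":    Exec(USER,  lambda: "ip routes ..."),
    "show users": Exec(ADMIN, lambda: "session list"),
    "kill":       Exec(ADMIN, lambda: "session killed"),
}

def help_listing(level: int) -> List[str]:
    # Help shows only what this level is meant to see.
    # This is presentation; it enforces nothing by itself.
    return sorted(n for n, c in COMMANDS.items() if c.min_level <= level)

def dispatch_vulnerable(level: int, name: str) -> str:
    # The admin's mistake: the only "check" is that the command exists.
    # "kill" is absent from a normal user's "?" but runs if typed anyway.
    cmd = COMMANDS.get(name)
    if cmd is None:
        return "% Unknown command"
    return cmd.run()

def dispatch_fixed(level: int, name: str) -> str:
    # Authorization decided at execution time, independent of help visibility.
    cmd = COMMANDS.get(name)
    if cmd is None or cmd.min_level > level:
        # Same answer for missing and unauthorized: no hint that it exists.
        return "% Unknown command"
    return cmd.run()
```

Auditing the real thing means trying restricted EXECs from a normal-user session on your own terminal server, not reading the help output.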
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 09, 2000 11:47 PM
To: [EMAIL PROTECTED]
Subject: Re: * informant * Recent letter to my ISP
Perhaps I'm confused here, but isn't that the equivalent of having "root" or
"admin" access to any user? It seems that there is a simple failure there to
assign access levels.
This sounds like so many of the early AOL gaffes. By growing so rapidly as the
"premiere" online access point back in the "early days" of the internet as a
consumer entity, AOL was literally inundated with hacks and access
violations.
I'd submit that AOL's early experiences led to a great many discoveries
relating to security issues to be encountered online.
Great catch Jay!
Sterling