Date : Sun, 13 Nov 2011 14:50:57 +0100
From : rick@... (Rick Murray)
Subject: Security Project - Update 1
On 13/11/2011 13:49, Martyn Ruks wrote:
> written some python code that will talk to a Level 2 FileStore using
Just a small note - Level2 and Level3 are file servers; "FileStore" is
a dedicated box solution - in other words, Level2 != FileStore.
> Searching for valid users on the FileStore. Any other common users
> that are observed on these systems would be welcomed to add into my
> username list.
[...]
> Then you can read files from the system using a crude copy of dump,
> also available is a mode to dump the password file in friendly
> format. This is the latter mode.
I am wondering if you aren't finding some sort of limitation in your
emulated environment instead of testing the REAL system security.
Let's look at what you have done. You appear to be blindly testing a
list of users (starting with SYST, obviously) against - what, the login
process, expecting a "user not known" response?
At my school, the logins were predictable. It was based upon year number
and your surname in alphabetical form - this user "Y3U12" would be user
12 in third form. [I understand a lot of education has gone to the
Americanised 'X grade' format - I have *no* idea about translations,
I'll just say a third former would have been 14ish!]
For reasons known only to them, numbering was NOT sequential. Go figure.
Anyway, I find it *highly* suspicious that you have managed to determine
a user with a blank password that allows read-only access to the
passwords file. Was this user privileged? I ask this, because what on
earth would be the point of the password mechanism if any random user
could *DUMP the passwords file to see the contents? Can somebody please
try this on their server, if they have one running - for I'd have
imagined the reply for opening the file ought to have been
"Locked" or somesuch.
> If anybody has BASIC versions of what I have done in python please
> let me know as would love to run these attacks from an emulator or
> hardware as well.
I suspect that they would behave somewhat differently given access to
*real* hardware. If you recall past postings in your request for
anecdotes (one from myself!), we mentioned coding up ways of
commandeering a machine to sniff the entire data transport going on the
Econet (because each byte is available to each station) in order to scan
for logins to grab both the user name and the password. Why go to all
that bother if you can just *DUMP the file?
Also, Level2 was Acorn's entry level server. There are better:
1. Level3 - the de facto Beeb+copro kit.
2. FileStore - either E01 or (preferred) E01S; a slightly more
advanced Level3 in a custom box. This is the one I've seen
most often.
3. Level4 - a server running on RISC OS kit.
Then, there's the MDFS. Everybody who knows Econet drools. Just... drools.
Really, for your report to have any solidity, you ought to get yourself
the following:
1x server hardware
1x clockbox
1x station (pref. 2x)
For server hardware, in order of preference:
MDFS
FileStore
Some sort of old RISC OS machine with Econet card
For station, any Acorn machine with Econet will suffice. It will be
friendlier on a RISC OS machine, but a Beeb will work.
For clockbox, any clockbox, though the FileStore (if you can get one)
can generate its own clock. Sort of. It isn't very good, but it will be
more than adequate if you're just going to connect a station
back-to-back to it.
Ask around here, or look on eBay (avoid anything that says "vintage"
with three digit prices!), you ought to be able to get some real
hardware sorted out; then you can try your hand at real genuine Econet!
Best wishes,
Rick.
--
Rick Murray, eeePC901 & ADSL WiFI'd into it, all ETLAs!
BBC B: DNFS, 2 x 5.25" floppies, EPROM prog, Acorn TTX
E01S FileStore, A3000/A5000/RiscPC/various PCs/blahblah...