The Disclaimer

 

I don't encourage illegal activities, I really mean this! And if you really want to try something against the law and you get caught, I have warned you, hehe :p

 

 

Introduction

 

This is the first tutorial I have written. It was intentionally written only for BSRF (Black Sun Research Facility), and it will probably not be the last one :) though. So if you discover some errors, please let me remind you this was my first one. A last note before I begin writing about "Cracking Netware": at the moment you can't contact me by e-mail or otherwise... I would rather remain 'hidden', for the moment.

 

Index Novell Netware tutorials:

 

Novell Netware - Cracking Netware

Maybe I'll write an advisory for system administrators, or even one about vulnerabilities I have found myself in Netware, but remember I can't guarantee anything!

 

It's possible that I'll write some other tutorials about different topics as well.

 

Well this one will be about:

 

 

Novell Netware - Cracking Netware (v 1.04)

 

Like many other operating systems, Netware originally (before 5.xx) doesn't work with the TCP protocol; it uses its own protocol called Internet Packet eXchange (IPX). This protocol isn't vulnerable at the moment to any kind of Denial of Service (DoS) attack like a SYN flood, while the TCP protocol is. Because Netware didn't get much attention from crackers, they thought their system was impenetrable, and so they didn't do much about security updates. Now many of you guys think this is really cool, and think you can crack any Netware server with some help from the many tools that are available online. Well, I can tell you it's not that easy.

 

The most important reason: which Netware version they run. If they are running version 4.1 or higher, the chance you will sneak in unnoticed will be really small, unless you have to deal with some really lame, most times lazy, system administrators.

If the system administrators patch the Netware server(s) on a regular basis...

Also whether you have some kind of permanent account with standard Netware rights, not one that has been adjusted.

You will need much time and must not be disturbed. Especially in classrooms this will be difficult to get, so you have to find a way with social engineering to accomplish this :(

 

Before I continue with Netware security and how to bypass it, first I'm going to tell you something about Servers & Clients.

 

After a Netware client has been installed in Windows 9x, it's possible to access the Netware server. When you arrive in Windows you'll see a login screen. Before you have logged into the network, the client and the server ("client <--> server") have already established a connection with each other, only this connection isn't validated by the user who created the connection! You can see this connection on the console when monitor.nlm is loaded. You don't know what the console means? OK, I'll explain. The server is nothing less than a computer, though not a normal one like a desktop or tower; call it a very big tower. On this machine the Netware server software is installed. When you turn on this machine, first DOS (6.22 or lower) will be loaded. After this you can boot Netware by executing the file "server.exe"; now many files will be loaded and you'll get a lot of messages. It looks like booting a Linux machine. After the boot process you look at a sort of DOS screen; this is called the console. At the console you have the highest rights on that particular Netware server. You can down the server any time you want with just one simple command. So the main group of crackers tries to get this access. But there are many different ways to crack a Netware server. It just depends on what you want to do at the Netware server.

 

By default you have the following rights on a Netware server:

 

User: Normal user who can access some files in //public, //login and //mail. Mostly they have some print rights too, and also have a home directory.

SuperUser: At schools this right has been given to teachers. They can view students' accounts and delete files if necessary. They cannot create, delete or change accounts in the NDS.

SuperVisor: Only the system administrators are permitted to control everything on the file system and the NDS. When they want to down the server they have to walk to the console, or do it remotely by starting a program called rconsole, which stands for "Remote Console". The name explains itself. For security reasons they first have to load "remote.nlm" and "rspx.nlm" at the console. So by default these NLMs aren't loaded.

Console: This is the highest right on a Netware server. Once you have gained these rights illegally, nothing can stop you at that moment but a power failure. Also be aware of the log files! Many crackers who have gained console rights have been caught by them, and if you are dealing with very smart system administrators, they have some program that automatically sends the logs to an off-line location. And once they have arrived over there you have a serious problem...

 

When you want to gain some high-level access on a Netware server, remember that this can be done in many ways. I explain two different ways.

A note before trying one of the two ways. Way one will require a lot of luck, some cracking skills and also some tools. Way two will require a lot of time (two weeks, maybe a month). You have to see for yourself what's the best way. Oh, by the way, if you want to get some high-level access while trying way one... remember it's critical you don't make any mistakes, because the probability you'll be caught is high (log files and some other things)!

Please read the tutorial first, before trying one way or another. I really recommend it!!!

 

First way

 

If you are very, and I mean very, lucky, the system administrators could have loaded "remote.nlm & rspx.nlm" on the Netware console. Try to find a program called "rconsole.exe"; normally you can find this program in the following directory on the Netware server: "//public". If you haven't got file scan or read rights on this directory, you have to get this program another way. The program needs a lot of other files before you can execute it, so download these too! To make it a little harder for our 'beloved' system administrators to trace you (and give you more time), don't verify yourself to the server while trying to access the console remotely! Before they know who's trying to establish a connection to the Netware server, they have to walk to the server and load monitor.nlm. Now they can see the attacker's ethernet address, and from this moment they can close your connection to the server any time they see fit. But mostly they want to collect some evidence against you, so they just let you 'crack the server'. In the meantime you have already spent some minutes guessing the correct console password, and every attempt has been written automatically to a logfile. Or even worse, every attempt has also been written to their monitor, including (again) your ethernet address, and whether you guessed the password right or not. This sucks, doesn't it? Well, we can combine these two problems into one solution. But again you'll need some luck! Here we go:

 

The most difficult problem will be getting the password. Because you don't have enough time to guess the password, not even with some kind of brute-force cracking program, we need to approach this problem another way. Now you'll need some luck, because for this trick the following NLMs have to be loaded at the console: "remote & rspx"! The system administrators will only load these if they want to check the console (remotely) regularly, as I explained before. Just try to access the console with "rconsole.exe" to verify whether those NLMs are loaded; note, only try this once! If you get a blue empty window, well, skip to part two! When you are sure those two NLMs are loaded, continue reading; if not, skip to the second way to crack Novell Netware.

When the system administrators are accessing the console they also have to enter a password. This password is sent in plain text over the network (plain text means: unencrypted). If you're dealing with Netware version 4.11 or higher, skip to way two, because the transmitted console password is encrypted!

When you have the same node address as the system administrators have, it's possible to intercept (sniff) the packets from the system administrators to the console. You are asking yourself "How do I know?" The answer: if you're on a small network with approximately 10-50 users, you are on the same node address, unless you're dealing with some paranoid system administrator. If you're dealing with some bigger kind of network, you have to get yourself a copy of a program called "getconn.exe" that reveals the node address of the Netware server. Again you do need some luck; if you're not on the same node address as they are, skip to way two.

Don't make the following mistake: when a user or the system administrator is logging into Netware, it's completely senseless to 'sniff' this password, because this password is encrypted with RSA encryption. The next time the person logs in (again), the encryption will have changed.

 

We now arrive at probably the most difficult part of all.

What we now need is a packet sniffer that supports IPX sniffing; I recommend "SpyNet" for the job. Install and execute SpyNet. Configure SpyNet so it will write all captured packets to one file. Let the program run a couple of hours, because the system administrators have to access the console remotely. You can use your social engineering skills to speed up this process. One way to do this is to call them and say you think someone is trying to crack their network. Don't sound too professional, because they could suspect you're the one doing something illegal! Remember, when you're sniffing and writing the packets to disk:

First: This will really cause some network load, so if you run the program too long (a day or more) the system administrator will detect an intruder... Oh, by the way, if the network is protected by some Intrusion Detection programs, your sniffing attempts will automatically be reported to the system administrators. There are (as usual) some anti-anti-sniffers. But this is a whole other story, so I decided NOT to mention it any further.

Second: It's almost impossible to write all sniffed packets (frames) to disk, especially not when the network is overloaded... Also remember your ethernet card is 10/100 Mbit/s, and almost all the time the network traffic exceeds this value.

Almost all sniffers have an option to write only packets from a specified address to disk. This of course has some advantages... (more stealthy and less disk space is needed).

Once you have the packets which contain the password, you have to find a way yourself to extract the password from SpyNet's logfile. Note, the password is spread over many packets. Example: if the password were "Netware", you could find the password in this order:

packet 34643: j
packet 34644: 6
packet 34645: n
packet 34646: g
packet 34647: 8
packet 34648: e
packet 34649: f
packet 34650: t
packet 34651: 2
packet 34652: w
packet 34653: a
packet 34654: l
packet 34655: r
packet 34656: d
packet 34657: 4
packet 34658: e
packet 34659: v

As you see, it could take some time before you find it; note that Netware is not case sensitive! When you get the password, access the console remotely as soon as possible and create a supervisor account. If you don't know how to create one, just download burglar.nlm from (blacksun.box.sk), and before trying anything with the program, first take a good look at the readme.

When you're finished with anything you want to do at the Netware server, remember to erase the logfile! You'll find the file at /etc/console.log, and you can delete this file at the console. Just unload "conlog.nlm" and then load it again! Now the old logfile is overwritten by the new one. If you terminate the connection between you and the server, your ethernet address will be written to the new logfile! So before quitting I suggest unloading "conlog.nlm" once more. Now you can quit the remote session with ALT-F1.

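Seen from the administrator's side, the log overwrite described above only works when the server holds the sole copy of the console log. The sketch below is an added example, not part of the original tutorial: a collector on another machine polls the log, keeps every byte it has ever seen, and raises an alert when the live file shrinks or its earlier bytes change. The class name LogCollector, the polling approach and the sample log lines are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class LogCollector:
    """Off-host copy of a log file that should only ever grow."""
    archive: bytearray = field(default_factory=bytearray)  # every byte ever seen
    seen: int = 0                                  # bytes of the live log already copied
    digest: str = hashlib.sha256(b"").hexdigest()  # hash of those bytes
    alerts: list = field(default_factory=list)

    def poll(self, current: bytes, when: str) -> str:
        """Ingest the log as it looks now; return 'ok', 'truncated' or 'rewritten'."""
        if len(current) < self.seen:
            status = "truncated"   # file is shorter than what was already copied
        elif hashlib.sha256(current[:self.seen]).hexdigest() != self.digest:
            status = "rewritten"   # long enough, but the old bytes have changed
        else:
            status = "ok"
        if status != "ok":
            # The live log was replaced: keep the old bytes, start a new generation.
            self.alerts.append((when, status, self.seen, len(current)))
            self.archive += b"--- log replaced, detected " + when.encode() + b" ---\n"
            self.seen = 0
        self.archive += current[self.seen:]
        self.seen = len(current)
        self.digest = hashlib.sha256(current).hexdigest()
        return status


# Constructed sample content, not real CONLOG output.
OLD_LOG = b"09:58 remote console session opened\n10:02 new account created\n"
NEW_LOG = b"10:09 logging started\n"  # what is left after the log is overwritten


def run_demo():
    collector = LogCollector()
    first_line = OLD_LOG[:OLD_LOG.index(b"\n") + 1]
    statuses = [
        collector.poll(first_line, "10:00"),  # first poll
        collector.poll(OLD_LOG, "10:05"),     # normal growth
        collector.poll(NEW_LOG, "10:10"),     # log was overwritten
    ]
    return statuses, bytes(collector.archive), collector.alerts


if __name__ == "__main__":
    statuses, archive, alerts = run_demo()
    print(statuses, alerts)
    print(archive.decode())
```

The shorter the polling interval, the fewer entries can be lost between the last poll and the overwrite.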
 

NDS Addon:

 

If you really want to do some damage you have to delete the files where the NDS (Netware Directory Structure) is stored. These four files are located in a hidden directory named "/_netware". You can only access this directory from the console with the program "monitor.nlm". Remember: if the system administrators don't have backups of these files, they have a really big problem.

Some problems I'm aware of:

Nobody can log into Netware anymore, even the admin can't!

All information about the users, containers, scripts, printers and bordermanager is permanently lost!

If there are multiple Netware servers (almost always) connected to each other which are sharing one NDS... well, they have to install the Netware server software again on all servers.

And the system administrators have a hell of a job to back up all data from the console.

 

I really recommend, and I seriously do, backing up these four files to a floppy disk, in case you get caught. And if you have a little respect for them, please send them the disk with those four files anonymously, because it will take weeks to restore everything. I really do mean this!

 

 

Second Way

 

The primary goal here is to gain access to all files and folders on a Netware server. This is NOT the same as console access! Note: this way takes a lot of time and patience.

 

When you have a normal user account on any particular Netware server, you only have read, write and remove rights on your home directory. But what you probably don't know is that you also have some read rights on //public, //login and //mail. You cannot 'see' these directories because they aren't mapped to a logical drive. I'll explain... Whenever you have typed in your username and password, the Netware server will grant you the rights to all directories and files the system administrators have allowed you. If your home directory is at //home/yourhomedir, you have to browse to //home/yourhomedir to view files over there. But if your home directory is located somewhere 'deeper' in the directory structure, like //home/school/it/it2/class2c/yourhomedir, then it takes some time to get to your own directory. So here's where drive mapping comes along. When you have created a drive mapping to //home/school/it/it2/class2c/yourhomedir, just click on the specific drive (by default "z:\") and you are taken directly to yourhomedir. The local system administrators have created a login script that will do this task for you every time you log into the network. Now you know what drive mapping means... So, as I told you before, by default all users (including normal users) have only read access to //public, //login and //mail. To access these directories you'll have to create a drive mapping to them. The most important one is //public. In this directory you'll find all sorts of binary files and some clients like "rconsole.exe". So, map this directory to a logical drive, for example "y:\".

It will really come in handy if we have some 'other' accounts for the following part. Otherwise you'll have to explain to the system administrators what you were doing last week in the late after-hours at school or work. In other words, we need a few other accounts on the Netware server. It's really not advisable to use the account of a student or a colleague at work, if you know his/her password of course! The best accounts for the crack job are those of the printer or backup, and most times they have a NULL password! Sounds good, doesn't it? Well, I can make it even better: remember I told you that ALL users have (by default) read rights to //public, //login and //mail? So these accounts have them too... The only problem is to guess the correct usernames. Many Novell Netware tutorials will give you some default printer accounts, but many times these accounts don't exist anymore. So I'm going to explain how to get existing usernames on your local Netware server. Here we go:

First you'll need to run a binary file at //public/win95/nwclnt95.exe. When all the loading work is done you'll see a window like 'explorer' from Windows. You're now looking at the NDS (Netware Directory Structure). In here all information (containers, scripts, printers & accounts) about the Netware server is stored. Search in here for a name with the word(s) print, printer, ps or pservice. It's possible you'll find multiple printer accounts like printerti, printersys or psserv. If you didn't find anything, you have to try to get some accounts a different way: grab a program called "chknull.exe" made by NOMAD (The Notorious Netherlands Hacker). This program will check all existing Netware accounts for NULL passwords. If this program didn't find anything, you are really having a bad day and it's advisable to stop reading this tutorial right here :'(. If you did find something, always double-check before you do anything (wrong) with it. You really have to be sure it's really a printer or backup...

 

Now that you have some Netware accounts with NULL passwords we can continue.

Note: Never change passwords of hijacked accounts; the probability that the system administrator will discover it makes it way too risky. And if you change the password of a printer, nobody can print anything anymore! You can guess that it will only take a few hours before the system administrators discover the leak. Now log into the Netware network with the 'stolen' account information, and if you are lucky the system administrators have granted some directory and file rights. By the way, if the system administrators are using Netware Bordermanager as firewall and/or HTTP gateway, you can't surf the web without sufficient rights. But most probably you can surf the web when you are logged in as printer (I could)! This could come in handy when you need to reach the database from packetstorm for some kind of exploit. Nevertheless, use HTTP only when it's really necessary, because the firewall will log all requests to the outside world. And we don't want to make the job too easy for the system administrators!

 

Again I hadn't enough time to complete this tutorial so I will continue this subject in Version 1.04. My problem is always the goddamn time.

 

 

Copyright (C) 2001, Data Wizard, The Netherlands.