The Disclaimer

I don’t encourage illegal activities, I really mean this! And if you really want to try something against the law, and you get caught I have warned you, hehe :p

Introduction

This is the first tutorial I have wrote. It was intensely only written for BSRF (Black Sun Research Facility), and it will be properly not the last one 🙂 though. So if you discover some errors, please let me remind you this was my first one. Last note before I will begin writing about “Cracking Netware”, at the moment you can’t contact me by e-mail or whatsoever… I rather remain ‘hidden’, for the moment.

Index Novell Netware tutorials:

Novell Netware – Cracking Netware
Maybe I’ll write an advisory for system administrators or even my own found vulnerabilities in Netware, but remember I can’t guarantee anything!

It’s possible that I’ll write some other tutorials about different topics as well.

Well this one will be about:

Novell Netware – Cracking Netware (v 1.04)

Like many other Operating Systems Netware original (before 5.xx) doesn’t work with the TCP protocol, it uses it’s own protocol called Internet Packet eXchange (IPX). This protocol isn’t vulnerable at the moment to any kind of Denial of Service (DoS) attacks like SYN-flood, while the TCP protocol is. Because Netware didn’t get much attention from crackers they thought there system was impenetrable, and so they didn’t much about security updates. Now many of you guys think this is really cool, and think they can crack any Netware server with some help from the many tools that are available online. Well, I can tell you that’s not that easy.

The most important reason; Which Netware version they run, if running version 4.1 or higher the change you will sneak in unnoticed will be really small. Unless you have to deal with some really lame most times lazy system administrators.
If the system administrators patch the Netware server(s) on regular base… Also if you have some kind of permanent account with standard Netware rights, not one who’s adjusted.
You will need much time and don’t be disturbed. Especially in classrooms this will be difficult to get, so you have to find a way with Social Engineering to accomplish this 🙁

Before I continue with Netware security and how to bypass it, first I’m going to tell you something about Servers & Clients.

After a Netware client in Windows 9x has been installed it’s possible to access the Netware server. When you arrive in Windows you’ll see a login screen. Before you have logged into the network the “client <–> server” has already established a connection with each other, only this connection isn’t validated by the user who created the connection! You can see this connection on the console when monitor.nlm is loaded. You people don’t know what the console means? Ok, I’ll explain. The server is nothing less but a computer, not a normal one like a desktop or tower. No call it a very big tower. On this machine the Netware server software is installed, when you turn on this machine first dos (6.22 or lower) will be loaded. After this you can boot Netware by executing file “server.exe”, now many files will be loaded and you’ll get a lot of messages. It looks like when you’re booting a Linux machine. After the boot process you look at a sort of dos screen, this is called the console. At the console you have the highest rights on the particularly Netware server. You can down the server any time you want with just one simple command. So the main group of crackers tries to get this access. But there are many different ways to crack a Netware server. It just depends on what you want to do at the Netware server.

By default you have the following rights on a Netware server:

User: Normal user who can access some files in //public, //login and //mail. Mostly they have some print rights too, also have a home directory. SuperUser: At school’s this right has been given to teachers. They can view
students accounts and delete files if necessary. They cannot create,
delete or change accounts from the NDS. SuperVisor: Only the system administrators are permitted to control everything on the file system and the NDS. When they want to down the server they have to walk to the console, or do it remote by starting a program called rconsole which stands for “Remote Console”. The word explains itself. For security reasons they first have to load “remote.nlm” and “rspx.nlm” at the console. So by default these NLM’s aren’t loaded.
Console: This is the highest right on a Netware server, once you have gained this rights illegal nothing can stop you at the moment but a power failure. Also be aware of the log files! Many crackers who have gained console right have been snapped by them, and if you are dealing with very smart system administrators, they have some program that automatically sends the logs to an off-line location. And once they have arrived overthere you have a serious problem…

When you want to gain some high level access on a Netware server, remember that this can be done in many ways I explain two differents ways. A note before trying one of the two ways. Way one will require a lot of luck, some skills of cracking and also some tools. Way two will require a lot of time (two weeks maybe a month). You have to see for yourself what’s the best way. O by the way, if you want to get some high level access while trying way one… remember it’s critically you don’t make any mistakes, because the properbility you’ll be caught is high (log files and some other things)! Please first read the tutorial, before trying one way or another. I really recommend it!!!

First way

If you are very, and I mean very lucky the system administrators could have loaded “remote.nlm & rspx.nlm” on the Netware console. Try to find a program called “rconsole.exe”, normally you can find this program in the following directory on the Netware server “//public”. If you haven’t file scan or read rights on this directory, you have to get this program at another way. The program needs alot of other files before you can execute it, so download these too! To make it a little harder for our ‘beloved’ system administrators to trace you (and give you more time), don’t verify yourself to the server while trying to access the console by remote! Before they know who’s trying to establish a connection to the Netware server, they have to walk to the server and load monitor.nlm. Now they can see the attackers ethernet address, from at this moment they can close your connection to the server any time they feel fit. But mostly they want to collect some evidence against you, so they just let you ‘crack the server’. In meantime you have already spend some minutes guessing the correct console password, and every attempt has been written automatically to a logfile. Or even worse, every attempt has also been written to their monitor including (again) your ethernet address, and if you guessed the password right or not. This sucks, doesn’t it? Well we can combine these two problems into one solution.

But again you’ll need some luck! Here we go:

The most difficult problem will be getting the password, because you don’t have enough time to guess the password, even with some kind of bruteforce-crack program you haven’t, we need to approach this problem from another way. Now you’ll need some luck because for this trick the following nlm’s have to be loaded: “remote & rspx” at the console! The system administrators will only load these if they want to check the console (remote) regularly, as I explained before. Just try to access the console with “rconsole.exe” to verify if those nlm’s are loaded, note only try this once! If you get a blue empty window, well skip to part two! Well when you are sure those two nlm’s are loaded, continue reading, if not skip to the second way to crack Novell Netware. When the system administrators are accessing the console they also have to enter a password. This password is being send in plain text over the network ( plain text means: unencrypted). If you’re dealing with Netware version 4.11 or higher, skip to way two because the transmitted console password is encrypted! When you have the same node address as the system administrators have, it’s possible to intercept (sniffing) the packets from the system administrators to the console. You are questioning yourself “How do I know?”, the answer: If you’re on a small network with approximately 10-50 users you are on the same node address. Unless you’re dealing with some paranoid system administrator. If you’re dealing with some bigger kind of network you have to get yourself a copy of a program called “getconn.exe” that reveals the node address of the Netware server. Again you do need some luck, if you’re not on the same node address as they are, skip to way two.
Dont’s make the following mistake: When an user or the system administrator is logging into netware, it’s completely senceless to ‘sniff’ this password. Because this password is encrypted with RSA encryption. The next time the person will (re-)login the encryption will be changed.

We now arrive at properly the most difficult part of all. What we now need is a packetsniffer that supports IPX sniffing, I recommend “SpyNet” for the job. Install and execute SpyNet. Configure SpyNet so it will write all captured packets to one file. Let the program run a couple of hours, because the system administrators have to access the console remote. You can use your social engineering skills to speed up this process. One way to do this is to call them and say you think someone is trying to crack their network. Don’t sound to professional because they could suspect you’re the one doing something illegal! Remember when you’re sniffing, and write the packets to disk: First: This will take really some network occupence, so if you’ll run the program to long (a day or more) the system administrator will detect an intruder… Oohw by the way, if the network is protected by some intrusion Detection Programs your sniff attemps will automaticly reported to the system administrator’s. There are (as usually) some anti-anti-sniffers. But this is a whole other story, so I decided NOT to mention it any further. Second: It’s almost impossible to write all sniffed packets(frames) to disk, especially not when the network is overloaded… also remember your ethernet card is 10/100 mbit/s, and almost all times the network traffic does exceed above this value.

Almost all sniffers does have an option to only write packets from a specified address to disk. This has ofcourse some advantages… (more stealthy and less disk space is needed).
Once you’ve the packets which contain the password, you have to find a way yourself to extract the password from Spynet’s logfile. Note, the password is separated into many packets. Example: If the password would be “Netware” you’ll could find the password in this order:

packet 34643: j
packet 34644: 6
packet 34645: n
packet 34646:g
packet 34647: 8
packet 34648: e
packet 34649: f
packet 34650: t
packet 34651:2
packet 34652:w
packet 34653:a
packet 34654: l
packet 34655:r
packet 34656: d
packet 34657: 4
packet 34658:e
packet 34659: v

As you see, this could take some time before you find it, note netware is not case sencetive! When you get the password, access the console remote as soon as possible and create a supervisor account. If you don’t know how to create one, just download burglar.nlm from (blacksun.box.sk) and before trying anything with the program, first take a good look at the readme. When you’re finished with anything you want to do at the Netware server, remember to erase the logfile! You’ll find the file in the /etc/console.log, you can delete this file at the console. Just unload “conlog.nlm” and then load it again! Now the old logfile is being overwritten by the new one, if you terminate the connection between you and the server your ethernet address will be written to the new logfile! So before quitting I suggest to unload once more the “conlog.nlm”. Now you can quit the remote session with ALT-F1.

NDS Addon:

If you really want to do some damage you have to delete the files where the NDS (Netware Directory Structure) is being stored. These four files are located in an hidden directory named “/_netware”. You can only access this directory from the console with the program “monitor.nlm”. Remember: If the system administrator’s doesn’t have backup’s of these files, they have a really big problem.
Some problems i’m aware of:
Nobody can log into Netware anymore, even the admin can’t! All information about the users, containers, scripts, printers, bordermanager are permently lost!
If there are multiple Netware servers (almost always) connected to eachother, who are sharing one NDS… well they have to install the Netware Server software again on all servers.
And the system administrator’s have an hell of a job to backup all data from console.

I really recommend and I seriously do, to backup these four files to a floppydisk, in case you’ll get caught. And if you have a little respect for them please send them the disk with those four files anonymously. Because it will take weeks to restore everything. I do really mean this!

Second Way

The primary goal here is to gain access to all files and folders at a Netware server. This is NOT the same as console access! Note: This way takes very lot of time and patience.

When you have a normal user account on any particularly Netware server, you only have read&write&remove rights at your homedirectory. But what you proberly don’t know is that you also have some read rights at: //public, //login and //mail. But you cannot ‘see’ these directory’s because they aren’t mapped to a logically drive. I explain… Whenever you have typed in your username and password, the Netware server will granted you the rights to all directory’s and files the system administrators have allowed you. If your homedirectory is at //home/yourhomedir you have to browse to //home/yourhomedir to view files over there.. But if your homedirectory is located somewhere ‘deeper’ in the directorystructure , like //home//school/it/it2/class2c/yourhomedir then it takes some time to get to your own directory. So here’s where drivemapping comes along. When you have created a drivemapping to //home/school/it/it2/class2c/yourhomedir, just click onto the specific station (by default “z:\”) and now you are directly transmitted to yourhomedir. The local system administrators have created a login script that will do this task for you every time when you’re logging into the network. Now you know what drive mapping means… So as I told before, by default all users (including normal users) have only read access to //public, //login and //mail.To access these directory’s you’ll have to create a drivemapping to them. The most important one is //public. In this directory you’ll find all sorts of binary files and some clients like “rconsole.exe”. So, map this directory to a logically drive for example “y:\”.

It will really come in handy if we have some ‘other’ accounts for the following part. Otherwise you’ll have to explain to the system administrators what you were doing last week in the late afterhours at school or work. In other words we need a few other accounts at the netware server. It’s really not advisible to use an account from a student or college at work, if you know his/her password ofcourse! The best accounts for the crack job is one of the printer or backup, and most times it has a NULL password! Sounds good, doesn’t it? Well I can make it even better, remember I told you that ALL users have (by default) read rights to //public, //login and //mail? So does these accounts have them too… The only problem is to guess the correct usernames. Many Novell Netware tutorials will give you some default printer accounts, but many times these accounts doesn’t exists anymore. So I’m going to explain how to get existing usernames at your local Netware server. Here we go:

First you’ll need to run a binary file at //public/win95/nwclnt95.exe, when all the loading work is done you’ll see a window like ‘explorer’ from Windows. You’re now viewing at the NDS (Netware Directory Structure). Inhere all information (containers, scripts, printers & accounts) about the netware server is being strored. Search inhere for a name with the word(s) print, printer, ps or pservice. It’s possible you find multiple printer accounts like printerti, printersys or psserv. If you didn’t find anything you have to try to get some accounts a different way, grab a program called “chknull.exe” made by NOMAD (The Noturious Netherlands Hacker). This program will check all existing netware account for NULL passwords. If this program didn’t find anything, you really have a bad day and it’s advisible to stop reading this tutorial right here :'(. If you did found something, always doublecheck before you are doing anything (wrong) with it. You really have to be sure if it’s really a printer or backup…

Now you have some Netware accounts with NULL passwords we can continue. Note: Never change passwords from hijacked accounts, the properbility the system administrator will discover it, is way to riscy. And if you change the password from a printer, nobody can print anything anymore! You can guess that it only take a few hours before the system administrator’s will discover the leak. Now log into the Netware network with the ‘stolen’ accountinformation, and if you are lucky the system administrator’s have granted some dir&filerights. By the way if the system administrators are using Netware Bordermanager as Firewall and / or HTTP Gateway you can’t surf the web without suffients rights. But most proberly you can surf the web when you are logged in as printer (i could)! This could come in handy when you need to reach the database from packetstorm for some kind of exploit. Nevertheless use HTTP only when it’s really necessary! Because the firewall will log all requests to the outside world. And we don’t want to make the job to easy for the system administrator’s!

Again I hadn’t enough time to complete this tutorial so I will continue this subject in Version 1.04. My problem is always the goddamn time.

Leave a Reply

Your email address will not be published. Required fields are marked *