2. Agenda
• Why Hack Netware
• Data Gathering in Novell Environments
• Intrusion Techniques
• Pandora Overview
3. Why Hack Netware
• Wide Deployment
– Novell has large market share.
• Security Often Overlooked
– Admins usually just know the basics.
• File and Print Focus
– Secure data often inside desktop productivity
documents.
5. Data Gathering - Offline
• Public Sources
– SEC filings, Annual Report, etc.
• The Internet
– Whois, company web site, Internet postings.
• Social Engineering
– Contacting company employees directly.
6. Data Gathering - Online
• CHKNULL.EXE
– Will check for accounts with no password in
the current context.
– Can check all accounts for a single password.
7. Data Gathering - Online (cont.)
• CX.EXE
– CX /T /A /R will dump the complete tree if the
default [Public] rights are still in place. This gives a
complete list of account names before you ever log in.
8. Data Gathering - Online (cont.)
• NLIST.EXE
– NLIST USER /D lists detailed information on
every readable user object.
– NLIST GROUPS /D lists group names,
descriptions and members.
– NLIST SERVER /D lists servers and OS
versions; if you are attached, it also shows whether
accounting is active.
9. Data Gathering - Online (cont.)
• NLIST.EXE
– NLIST with the /OT option lists information for
any object type. For example, NLIST /OT=*
/DYN /D lists information on all readable
objects, including dynamic objects, NDS tree
names, etc.
10. Intrusion Techniques
• LOGIN
– Authenticate directly to the server.
• MAP, ATTACH
– Attach to the server indirectly; a user name
and password are still required.
• Once logged in, re-run the CX.EXE and
NLIST.EXE commands: a logged-in user usually
has more browse rights than [Public].
12. NDS’s Hidden User - Supervisor
• On all Netware 4.x and 5.x servers.
– First object built in NDS during Netware server
installation.
– Initial password is same as initial Admin
password.
• Full access to server’s file system.
– Read/write access to every subdirectory.
13. Invading Supervisor
• Brute Force Attacks
– KNOCK and NWPCRACK brute-force the
password of a bindery account online.
• Dictionary Attack
– Pandora's Intruder runs a dictionary attack using
"stealth" methods to stay below the lockout threshold.
15. Console Attacks (cont.)
• Remote Console
– The RCONSOLE password sits "decrypted" in server RAM.
– Trivial to decrypt if the NCF file holding it is captured.
– RCONSOLE sessions travel in plaintext.
16. Console Attacks (cont.)
• NCF Files
– Batch files executed at the highest privilege.
– Sometimes not kept in a secure directory.
• NDS Files
– Copying for offline analysis.
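The remote-console password is exposed through the NCF files themselves, which is why a captured NCF matters. The fragment below is an added, constructed example (not from this deck and not Pandora's or Novell's) showing the weak AUTOEXEC.NCF form beside the hardened one; the password, the encrypted value, and the level-1 packet signature shown as the starting point are all made up for illustration.

```text
# SYS:SYSTEM\AUTOEXEC.NCF -- weak form (constructed example)
# Packet signatures only if the client asks for them; RCONSOLE password in the clear.
SET NCP PACKET SIGNATURE OPTION = 1
LOAD REMOTE r3m0te
LOAD RSPX

# SYS:SYSTEM\AUTOEXEC.NCF -- hardened form
# Level 3 forces NCP packet signing; the password moves out of this file.
SET NCP PACKET SIGNATURE OPTION = 3
LDREMOTE
LOAD RSPX

# SYS:SYSTEM\LDREMOTE.NCF -- written by REMOTE ENCRYPT at the console
# (value is made up; the real one is whatever REMOTE ENCRYPT emits)
LOAD REMOTE -E 7A3F19C2E0B5D4A8
```

The hardened form only raises the bar: as the slide above says, the -E value is trivially recoverable from a captured NCF and the RCONSOLE session itself is still plaintext, so the NCF files must also sit in a directory with restricted rights, and packet signatures do not protect the console channel.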
17. Pandora v3
• Command Line Utilities
• Offline Password Cracking
• Online Server Attacks
• Denial of Service
• Open Source Freeware
• Developed with 100% Freeware
18. Pandora v4
• Offline Password Cracking
• Online Server Attacks
• Full GUI - “point, click, and attack”
• Open Source Freeware
• Developed with 100% Freeware
• GUIs for Win 95/98/NT and X (Linux only)
19. Pandora v4 Online
• Denial of Service
• Auto-gathering of Detailed System
Information
• User account “discovery”
• Dictionary Password Attacks with Lockout
Detection
• Packet Signature Spoofing
20. Pandora v4 Offline
• Complete Netware 4.x & 5.x Password
Auditor
• Dictionary and Brute Force Attacking
• Will Read BACKUP.DS and
DSREPAIR.DIB Files
• Multi-threaded for Multiple Account
Cracking
21. Anatomy of an Attack
• Gather Info
– CHKNULL, CX, NLIST, Onsite
• Gain Initial Access
– No/weak password on an account.
– Dictionary/Brute force attack
22. Anatomy of an Attack (cont.)
• Advanced Techniques
– Onsite, sniffers, GameOver
• Attack Supervisor Account
– Intruder
• Copy NDS Files
– Offline cracking of passwords
• Attack Additional Systems
24. Defensive Techniques
• Latest Service Packs and Patches
• Limited rights on [Public], [Root], and
USER_TEMPLATE
• Turn on Intruder Detection on each
container (default is off)
• Packet Signature Level 3 on server
• Strong security policy
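Intruder detection is the control that decides whether the "stealth" dictionary attack on slide 13 and the lockout detection on slide 19 matter at all, and this slide notes it is off by default. The simulation below is an added example, constructed for this page and not Pandora or Novell code: it models a container's intruder detection settings (the setting names follow the NDS dialog; the default values and the rule "detect when the failure count reaches the limit" are assumptions) and runs the same constructed word list against it as a naive attacker, as the same attacker once detection is on, and as a paced attacker that waits out the reset interval. The pacing strategy is an assumption, not a description of Pandora's method.

```python
"""Constructed model of NDS intruder detection versus a dictionary attacker.

Added example, not Pandora or Novell code. Setting names follow the NDS
dialog; default values and the detection rule are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IntruderDetection:
    """Per-container intruder detection settings (assumed defaults)."""
    enabled: bool = False               # NDS ships with detection off
    incorrect_attempts: int = 7         # failures allowed before detection
    reset_interval: int = 30 * 60       # seconds before the failure count resets
    lock_account: bool = True           # lock the object once detected
    lockout_interval: int = 15 * 60     # seconds the account stays locked


@dataclass
class Account:
    name: str
    password: str
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0


class NdsServer:
    """Minimal login oracle that enforces the container's intruder settings."""

    def __init__(self, policy: IntruderDetection, accounts: List[Account]):
        self.policy = policy
        self.accounts = {a.name: a for a in accounts}
        self.log: List[str] = []        # what the admin would see

    def login(self, name: str, password: str, now: float) -> str:
        acct, pol = self.accounts[name], self.policy
        if pol.enabled and now < acct.locked_until:
            return "locked"             # refused even with the right password
        if password == acct.password:
            acct.failures = 0
            return "ok"
        if not pol.enabled:
            return "bad"                # nothing counted: unlimited guesses
        if now - acct.last_failure > pol.reset_interval:
            acct.failures = 0           # counter expired, start over
        acct.failures += 1
        acct.last_failure = now
        if acct.failures >= pol.incorrect_attempts:
            self.log.append(f"t={now:.0f}s intruder detected on {name}")
            acct.failures = 0
            if pol.lock_account:
                acct.locked_until = now + pol.lockout_interval
        return "bad"


# (password found or None, guesses sent, lockout seen, seconds elapsed)
Result = Tuple[Optional[str], int, bool, float]


def dictionary_attack(server: NdsServer, name: str, wordlist: List[str],
                      guesses_per_interval: Optional[int] = None,
                      reset_interval: int = 30 * 60) -> Result:
    """Guess one word per second until success, lockout, or end of list.

    guesses_per_interval=None is the naive attacker. A paced attacker sends
    that many guesses, then waits out the reset interval so the failure
    counter never reaches the threshold (assumed pacing, not Pandora's).
    """
    now, sent = 0.0, 0
    for i, word in enumerate(wordlist):
        if guesses_per_interval and i and i % guesses_per_interval == 0:
            now += reset_interval + 1   # let the server forget earlier failures
        sent += 1
        result = server.login(name, word, now)
        if result == "ok":
            return word, sent, False, now
        if result == "locked":
            return None, sent, True, now  # lockout detected: stop, don't extend it
        now += 1
    return None, sent, False, now


WORDLIST = ["password", "novell", "admin", "supervisor", "netware",
            "secret", "123456", "letmein", "welcome", "qwerty"]   # constructed


def demo() -> Dict[str, Result]:
    """Run the same attack against three container configurations."""
    off, on = IntruderDetection(enabled=False), IntruderDetection(enabled=True)
    scenarios = (("detection off, naive", off, None),
                 ("detection on, naive", on, None),
                 ("detection on, paced", on, on.incorrect_attempts - 1))
    results = {}
    for label, policy, pace in scenarios:
        server = NdsServer(policy, [Account("jsmith", "welcome")])
        results[label] = dictionary_attack(server, "jsmith", WORDLIST,
                                           pace, policy.reset_interval)
    return results


if __name__ == "__main__":
    for label, (pw, sent, locked, elapsed) in demo().items():
        print(f"{label:22s} password={pw!r:10} guesses={sent:2d} "
              f"lockout={locked} elapsed={elapsed:.0f}s")
```

With detection off the naive attacker gets the password on the ninth guess in eight seconds. With detection on, the same attacker trips the seventh-failure threshold, the account locks for the lockout interval, the next guess comes back "locked" (the condition Pandora's lockout detection looks for) and an event lands in the log. The paced attacker still succeeds, but only by spending a full reset interval idle between batches, which is the throughput penalty intruder detection imposes and why it belongs on every container rather than at the default.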
Novell Netware can be found in more than 55% of U.S. corporations. In other words, a lot of corporate America has data sitting on Netware servers.
Novell is moving quickly into a more open world of web servers, NetWare/IP, and other connectivity to public networks, so security has become important in every aspect of Novell's products. Novell has also been less than forthcoming about security patches for vulnerabilities in its products, and often releases security fixes as part of regular maintenance patches without communicating the nature of the original security problem or the implications of not loading the latest patches.
You typically do not find R&D's source code sitting on a Netware server, but you do find large volumes of word processing files, spreadsheets, charts, graphs, and other general productivity documents there. These documents can contain everything from marketing plans to legal briefs to hostile takeover strategies, making them a prime target for intruders. In shops that use Netware for file and print, expect system administration documentation to reside on the server as well.
To hack Netware, we start by gathering data. This falls into two categories: offline and online. Offline refers to data gathering that does NOT involve direct Netware server access; online data gathering uses the Netware server itself and a few easy techniques to reveal information.