Module 17 (novell hacking)
- 1. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Novell Hacking
Module XVII Page 1 of 29 Ethical Hacking and Countermeasures Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited
Ethical Hacking (EH)
Module XVII: Novell Hacking
Exam 312-50 Ethical Hacking and Countermeasures
EC-Council
Module Objectives
In this module we look at the security concerns one must address in the context of Novell
NetWare. At the time of writing, the newest version is 6.5; however, the material goes back to
earlier versions such as NetWare 3.x and 4.x, since most of the tools covered target those releases
or rely on bindery emulation. Including the legacy versions also gives the reader a perspective on
how NetWare security has evolved.
In this module we will cover:
• Common accounts and passwords
• Accessing password files
• Password crackers
• NetWare hacking tools:
– Chknull
– NOVELBFH
– NWPCRACK
– Bindery
– BlnCrack
– SETPWD.NLM
– Kock
– userdump
– Burglar
– Getit
– Spooflog
– Gobbler
– Novelffs
– Pandora
Novell Netware Basics
Object Model
Access Control Lists
Rights
Levels of Access
Packet Signature
Before we discuss attack methodologies, we will briefly review the NetWare architecture. NetWare
Directory Services (NDS) is widely regarded as the "inspiration" behind Microsoft's Active Directory,
so the concepts will look familiar, and we review NetWare from a generic point of view. We give a
simplified view of the object model, explain trustees and rights, and discuss Packet Signature and
the levels of access.
Object Model: All parts of the overall NetWare system are objects. Each of these objects can
be treated as an individual item, and objects can be grouped together for easier administration.
Access Control List: Each object in the security model has an Access Control List, or ACL.
This defines what level of access is required to access the object. Objects can have rights assigned
to help determine what other objects they can access. The rights assigned to each object are fairly
granular, and can allow various levels of reading and modification.
Rights and inheritance: Objects are clustered together in an overall hierarchy with parent and
child relationships between objects. When a new object is created, it receives a "default" set of
access controls inherited from its parent. To prevent excessive rights from flowing farther down
the chain, "inherited rights filters" control which inherited rights pass through. At the file
system level the equivalent mechanism is trustee rights: rights assigned to an object that
determine its ability to access a file or directory.
Access Levels
There are a total of five levels of access that can be logically defined from the security model:
not logged in, logged in, supervisory access, administrative access, and console access.
• Not logged in – If an object has Public read access, it can be read without authentication,
assuming the object can be reached at all.
• Logged in – Once a user has authenticated, they gain additional access to objects. This is
typically the basic minimal access needed to use the system.
• Supervisory rights – A user with supervisory rights over another object can administer it:
control and manipulate the object's properties and/or assign rights to others for that object.
• Administrative rights – Overall control of the security model is administrative access. While it
is possible to hide portions of the tree from an administrator, this level of access typically
allows almost complete control.
• Console access – Access to the NetWare server's console is the highest level of access possible.
The console controls are neither pretty nor easy to use, but console access overrides every other
access level imposed by the administrators. It is therefore the level that the RCONSOLE and
NLM-based attacks later in this module aim at.
Packet Signature
Another feature of NetWare is NCP Packet Signature. The idea is that NCP packets exchanged between
client and server carry a cryptographic signature, so that a third party cannot forge or hijack NCP
requests. Packet Signature does not encrypt any data; it adds integrity and origin checking to the
communication, not confidentiality.
There are four levels of Packet Signature, set independently on the client and on the server: 0 –
never sign; 1 – sign only if the other side requests it; 2 – sign unless the other side refuses;
and 3 – always sign, refusing any unsigned session. The effective behaviour of a session depends on
the combination of the two sides' levels; with the server at its default of 1, a client that does
not itself demand signing gets an unsigned session.
Now that we have covered the basics of Novell Netware, we can go into the details of security and
hacking.
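As an added illustration (ours, not part of the EC-Council module), the following Python encodes
Novell's documented effective-signature matrix for the four levels and answers the audit question
a practitioner actually has: for a given server setting, which client levels still end up with
unsigned sessions. The outcome names and the helper functions are our own.

```python
"""NCP Packet Signature negotiation (added illustration, not EC-Council code).

Client and server each run at one of four signature levels:
  0  never sign
  1  sign only if the peer asks for it
  2  sign unless the peer refuses
  3  sign always; refuse an unsigned session
negotiate() implements Novell's documented effective-signature matrix for a
(server level, client level) pair.
"""

SIGNED, UNSIGNED, NO_CONNECTION = "signed", "unsigned", "no connection"
LEVELS = (0, 1, 2, 3)


def negotiate(server_level: int, client_level: int) -> str:
    """Effective signing for a session between the two given levels."""
    if server_level not in LEVELS or client_level not in LEVELS:
        raise ValueError("signature level must be 0..3")
    pair = {server_level, client_level}
    if 3 in pair:
        # one side insists on signing; a level-0 peer can never sign, so no session
        return NO_CONNECTION if 0 in pair else SIGNED
    if 0 in pair:
        # a side that never signs wins whenever nobody insists
        return UNSIGNED
    # both sides at 1 or 2: signing happens only if at least one side actively
    # wants it (level 2); two level-1 peers each wait for the other and never sign
    return SIGNED if 2 in pair else UNSIGNED


def matrix() -> dict:
    """Full server-level x client-level outcome table, for reference."""
    return {(s, c): negotiate(s, c) for s in LEVELS for c in LEVELS}


def unsigned_clients(server_level: int) -> list:
    """Client levels whose sessions to this server are accepted but unsigned.

    With the server at its default of 1, every client that is not itself at
    level 2 or 3 talks to the server without signatures.
    """
    return [c for c in LEVELS if negotiate(server_level, c) == UNSIGNED]


if __name__ == "__main__":
    for (s, c), outcome in sorted(matrix().items()):
        print(f"server={s} client={c}: {outcome}")
    print("default server (1) leaves unsigned:", unsigned_clients(1))
    print("hardened server (3) leaves unsigned:", unsigned_clients(3))
```

Note the operational caveat the matrix makes visible: moving the server straight to level 3
refuses level-0 clients outright, so clients should be raised to 2 or 3 first, and level 2 on the
server still leaves level-0 clients unsigned.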
Default Accounts and Settings
Server Settings
Supervisor Account
Default Rights
RCONSOLE security concerns
Server Commands and Settings
First and foremost, NetWare raises security concerns if it has been installed with the default
settings. The first concern is physical security. By design the NetWare server offers little
protection at the console: there is no auditing of commands entered there, and the console itself
runs without any account or login. It is therefore fair to say that NetWare server security depends
on the physical security of the server. Obviously the server itself should be locked up, but in the
event of someone reaching the console it is advisable to severely limit what can be done there. The
screen saver in NetWare 5 (SCRSAVER.NLM) provides some measure of protection since unlocking it
requires NDS authentication.
Supervisor Account: On the server, the default installation includes the Supervisor account. In
NetWare 2.x and 3.x, Supervisor is the fully privileged bindery administrator. From NetWare 4.x
onward it is retained as a default account for legacy support: a special bindery user intended for
programs and clients that need bindery-based access to all the volumes, directories, and files on
the file server. In 4.x and later its privileges are limited compared with the NDS Admin user.
The security concern is that the Supervisor password is set to the first password given to the
Admin user at installation, and stays that way until it is changed with a bindery administration
utility. It remains valid even after the Admin password has been changed, leading many
administrators to believe falsely that the default password has been changed. On some systems the
Supervisor user may still carry a "default" initial password used for the Admin account, such as
"netware".
As we have seen, in NetWare all components are objects, and the Supervisor object in the NetWare
tree is invisible to the standard NDS (non-bindery) utilities. Searching for this account with NDS
utilities such as NWADMIN.EXE or NLIST.EXE therefore shows nothing, but a bindery-based utility
such as SYSCON.EXE does detect it.
An attacker with access to the system can try SUPE.EXE, KNOCK.EXE or other NetWare Supervisor
password cracking utilities to recover the Supervisor password. With that password, the attacker
can launch a denial of service attack by running an old NetWare bindery utility such as
FCONSOLE.EXE and issuing a "Down File Server Request" to down any server, including remote servers.
Countermeasure: disable the account if it is not needed. If it is required, change its password by
logging in as Supervisor and using the SETPASS.EXE DOS command, or by setting the password with the
bindery-based SYSCON.EXE. Verify with SYSCON rather than NWADMIN afterwards, since the NDS
utilities will not show the account.
RCONSOLE: Another security concern is the default setup of the DOS utility RCONSOLE (remote
console). NetWare servers come with REMOTE.NLM, which is loaded with a password at the server
console or from a start-up file and allows remote access to the server console from client
workstations. Typically an administrator loads REMOTE.NLM at the server console and enters the
password it requires, and the password chosen at this point is often weak.
When RCONSOLE is launched on the client, it prompts for a password and sends a hash of that
password to the server for authentication. The session is accepted only if the RCONSOLE password
hash matches the REMOTE password hash held in memory at the server.
The security concern arises from the nature of RCONSOLE, which, like the server console itself,
does not use NDS accounts, so there is no per-user accountability. Because of this design, RCONSOLE
cannot enforce access-level control or limit console-level commands or applications, and
monitoring remote server activity becomes difficult.
Replay and Brute Force Cracking: An attacker on the network can sniff a valid RCONSOLE session and
replay it in a man-in-the-middle fashion by sending packets that carry the correct hash, the IPX
address of the legitimate workstation and the correct NCP sequence number. This may have been
patched in versions later than 5.x. It goes without saying that possession of the RCONSOLE password
grants the attacker complete control of the server, equivalent to standing at the console, so
protecting the RCONSOLE password is vital to securing NetWare. Brute forcing the password is
practical because RCONSOLE has no lockout, and the predictable delays in remote console
authentication make a brute force attack easy to pace. While failed RCONSOLE attempts are logged,
other approaches such as XCONSOLE avoid effective logging, so the attacker can exploit this gap in
intrusion detection.
Rights: There are eight Rights on Netware. Let us briefly take a look at these.
• S Supervisory: Once granted to a user or group on a specific directory, this right gives the
trustee holding it all rights, as well as the ability to grant all rights to other users or user
groups on that directory and its subdirectories. The supervisory right itself is
automatically propagated for the trustee holding it to all subdirectories below the one
where it was granted, and it cannot be revoked for the trustee from subdirectories below
the original assignment. It also overrides any restrictions put in place by the Netware
Inherited Rights Mask. At the file level, it allows a user all rights to the file - and the
ability to grant or modify any right to any file for any user or group in any directory at or
below the directory where the supervisory rights were assigned.
• R Read: This right allows a user or group to open a file for reading or to run an executable
program.
• W Write: Allows a user or group to open and modify a file’s contents.
• C Create: At the directory level, Create allows a user or group to make subdirectories and
files within them. If this right is the only one granted at the directory level, it allows the
trustee holding it to create subdirectories and files. But once a file is closed, it cannot be
seen using standard DOS or Netware commands (for example DIR or NDIR).
• E Erase: Controls whether or not a directory, its subdirectories and the files within the
directory and subdirectories can be deleted.
• M Modify: Users or groups with this right have the ability to set and change file or
directory attributes. This includes renaming directories or files within directories. This
trustee right has no effect on the ability to modify the contents of a file.
• F File Scan: Users or groups must have this trustee right to see that directories or files
within directories exist.
• A Access Control: This right allows a user to modify the trustee assignments or the
Inherited Rights Mask of a directory or file. It does not allow a user to grant the
supervisory trustee right, but it does allow them to grant trustee rights to others that they
themselves do not have.
By default, NetWare users receive the following file system rights: All users have RWCEMFA (all
possible rights except Supervisor) to their own home directories, which are created along with the
NDS User objects. Users in the same container as the SYS Volume object receive RF (Read and
File Scan) rights to volume SYS so they can log in.
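As an added worked example (ours, not from the EC-Council module), the following Python evaluates
effective file-system rights under the rules just described: an explicit trustee assignment
replaces inheritance, the Inherited Rights Mask filters what flows down, Supervisory cannot be
filtered, and a user's effective rights are the union of their own and their groups'. The sample
tree, the trustee names and the simplifications listed in the docstring are assumptions.

```python
"""Effective file-system rights under NetWare's trustee model (added example,
not EC-Council code). Simplified rules taken from the text above:

* A trustee assignment at a directory replaces whatever that trustee would
  otherwise have inherited from the parent.
* Without an assignment, the trustee inherits the parent's rights filtered
  through the directory's Inherited Rights Mask/Filter (IRF).
* Supervisory (S) cannot be blocked by an IRF and implies every right.
* A user's effective rights are the union of their own and their groups'.
Security equivalence, file-level IRFs and attribute flags are left out.
"""

ALL = frozenset("SRWCEMFA")
ORDER = "SRWCEMFA"


def trustee_rights(tree, path, trustee):
    """Rights one trustee holds at `path` (a tuple like ("SYS:", "SYSTEM")),
    walking from the volume root downwards."""
    rights = frozenset()
    for depth in range(1, len(path) + 1):
        node = tree.get(path[:depth], {})
        explicit = node.get("trustees", {}).get(trustee)
        if explicit is not None:
            rights = frozenset(explicit)          # assignment replaces inheritance
        elif "S" not in rights:
            rights &= node.get("irf", ALL)        # IRF filters inherited rights
        # a trustee already carrying S passes every IRF untouched
    return rights


def effective_rights(tree, path, user, groups=()):
    """Union of the user's and their groups' rights; S expands to all rights."""
    rights = set()
    for trustee in (user, *groups):
        rights |= trustee_rights(tree, path, trustee)
    return ALL if "S" in rights else frozenset(rights)


def fmt(rights):
    """Render as NetWare's bracketed letters, e.g. [ RWCEMFA]."""
    return "[" + "".join(r if r in rights else " " for r in ORDER) + "]"


# Constructed sample tree: EVERYONE gets RF on SYS: (the page's default so users
# can log in), a backup account holds S at the volume root, SYS:SYSTEM blocks
# everything inherited except S, ALICE owns her home directory, and BOB has a
# narrower explicit assignment inside SYS:DATA.
SAMPLE_TREE = {
    ("SYS:",): {"trustees": {"EVERYONE": "RF", "BACKUP": "S"}},
    ("SYS:", "SYSTEM"): {"irf": frozenset("S")},
    ("SYS:", "USERS", "ALICE"): {"trustees": {"ALICE": "RWCEMFA"}},
    ("SYS:", "DATA"): {"trustees": {"BOB": "RWF"}},
    ("SYS:", "DATA", "ARCHIVE"): {"trustees": {"BOB": "R"}},
}

if __name__ == "__main__":
    checks = [
        ("ALICE", ["EVERYONE"], ("SYS:", "PUBLIC")),
        ("ALICE", ["EVERYONE"], ("SYS:", "SYSTEM")),
        ("ALICE", ["EVERYONE"], ("SYS:", "USERS", "ALICE")),
        ("BACKUP", [], ("SYS:", "SYSTEM")),
        ("BOB", ["EVERYONE"], ("SYS:", "DATA", "ARCHIVE")),
    ]
    for user, groups, path in checks:
        rights = effective_rights(SAMPLE_TREE, path, user, groups)
        print(user.ljust(7), "/".join(path).ljust(22), fmt(rights))
```

Two results are worth noticing. The IRF on SYS:SYSTEM strips EVERYONE's inherited RF but not
BACKUP's S, which is exactly why a Supervisor-equivalent trustee anywhere above SYS:SYSTEM can
reach the bindery files. And BOB's explicit R in SYS:DATA/ARCHIVE does not reduce what EVERYONE
grants him there, because effective rights are a union: narrowing one trustee does nothing if a
group the user belongs to still carries the right.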
Server SET COMMAND and Default Settings: Netware servers come with default settings
that must be configured to ensure adequate security. Let us take a look at some of these settings.
Typing SET at the NetWare console prompt gives a list of the various categories of SET
commands available.
Communications SET Commands
• Local Clients IP NetNumber List - Example usage: SET LOCAL CLIENTS IP
NETNUMBER LIST = 192.168.20.0; 192.168.41.0
• NAT Realm Name - If NAT is not used, it is not required. Example usage: SET NAT
REALM NAME = BVEW
• Maximum Pending TCP Connection Requests - The default value is 128. For high risk
servers such as public servers, this may be raised up to the maximum of 4096. Example
usage: SET MAXIMUM PENDING TCP CONNECTION REQUESTS = 2500
• TCP Defend Land Attacks - The default is ON and this is the preferred setting. Example
usage: SET TCP DEFEND LAND ATTACKS = ON
• TCP Defend SYN Attacks - The default is OFF. The ON setting is preferred. Example
usage: SET TCP DEFEND SYN ATTACKS = ON
• IP WAN Client Validation - The default is OFF, and this is the preferred setting unless
there are remote clients to attend. Example usage: SET IP WAN CLIENT VALIDATION =
OFF
• Allow IP Address Duplicates - The default is OFF, and this is the preferred setting.
Example usage: SET ALLOW IP ADDRESS DUPLICATES = OFF
• Maximum Packet Receive Buffers - The default value is 500, although on high volume
servers this should be increased. Example usage: SET MAXIMUM PACKET RECEIVE
BUFFERS = 1000
Memory SET Commands
• Memory Protection Fault Cleanup - The default is ON, and this is the preferred setting.
Example usage: SET MEMORY PROTECTION FAULT CLEANUP = ON
File System SET Commands
• Immediate Purge Of Deleted Files - The default is OFF, and this is the preferred setting so that
files deleted accidentally can still be recovered with SALVAGE. Example usage: SET IMMEDIATE PURGE
OF DELETED FILES = OFF
NCP SET Commands
• NCP Packet Signature Option - The default is 1. This should be raised to 3 to prevent packet
spoofing. It must be issued in AUTOEXEC.NCF before the protocols are bound to the network card, to
prevent a spoofing attack in which a user masquerades as the server object itself and forges
administrative commands that could lead to complete system compromise. Example usage: SET NCP
PACKET SIGNATURE OPTION = 3
• Enable IPX Checksums - The default is 1. This should be increased to 2, which will force
IPX checksums. Example usage: SET ENABLE IPX CHECKSUMS = 2
• Enable UDP Checksums on NCP packets - The default is 1. It is recommended to set it to
2, if UDP and NCP protocol are used. Example usage: SET ENABLE UDP CHECKSUMS =
2
• NCP Protocol Preferences - This will typically be set to TCP and IPX. Change to TCP
(version 6 uses TCP alone) Example usage: SET NCP PROTOCOL PREFERENCES = TCP
• Display NCP Bad {Component|Length} Warnings - The default is OFF. To monitor bad
warnings this can be set ON. Example usage: SET DISPLAY NCP BAD COMPONENT
WARNINGS = ON
• Reject NCP Packets with Bad {Components|Lengths} - The default OFF is the preferred
setting. Example usage: SET REJECT NCP PACKETS WITH BAD COMPONENTS = OFF,
Example usage: SET REJECT NCP PACKETS WITH BAD LENGTHS = OFF
• Allow Change To Client Rights - The default is ON. Unless the server is a print server or a
job server, this should be set to OFF. Example usage: SET ALLOW CHANGE TO CLIENT
RIGHTS = OFF
Miscellaneous SET Commands
• Display Incomplete IPX Packet Alerts - The default is ON. Example usage: SET DISPLAY
INCOMPLETE IPX PACKET ALERTS = ON
• Enable SECURE.NCF - The default is OFF. If SECURE.NCF is used to house the majority of the
security settings, this should be set to ON in STARTUP.NCF. Example usage: SET ENABLE SECURE.NCF =
ON
• Allow Audit Passwords - The default is OFF. Example usage: SET ALLOW AUDIT
PASSWORDS = OFF
• Display Old API Names - The default is OFF, but it is recommended that it be turned ON.
Example usage: SET DISPLAY OLD API NAMES = ON
• CPU Hog Timeout Amount - The default is 1 minute. On high-usage servers this may be
set a little lower. Example usage: SET CPU HOG TIMEOUT AMOUNT = 1 MINUTE
• Allow Unencrypted Passwords - Originally provided so that older clients that cannot encrypt
passwords can still log in; with it ON, passwords cross the wire in clear text, so the default OFF
should always be kept. Example usage: SET ALLOW UNENCRYPTED PASSWORDS = OFF
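The following Python, added here and not part of the EC-Council module, parses an
AUTOEXEC.NCF/STARTUP.NCF and reports where the effective SET values depart from the
recommendations above, including the rule that the packet-signature SET must precede the BIND
lines. The parser, the finding format and the two sample files are our own; the baseline table
contains only defaults and recommended values stated on this page.

```python
"""Audit a NetWare .NCF start-up file against the SET values recommended
above (added example, not EC-Council code). The defaults and recommended
values are the ones stated on this page; everything else is ours."""
import re

# (parameter, default, recommended) as given above
BASELINE = [
    ("NCP PACKET SIGNATURE OPTION", "1", "3"),
    ("ENABLE IPX CHECKSUMS", "1", "2"),
    ("ALLOW UNENCRYPTED PASSWORDS", "OFF", "OFF"),
    ("ALLOW CHANGE TO CLIENT RIGHTS", "ON", "OFF"),
    ("TCP DEFEND SYN ATTACKS", "OFF", "ON"),
    ("TCP DEFEND LAND ATTACKS", "ON", "ON"),
    ("ALLOW IP ADDRESS DUPLICATES", "OFF", "OFF"),
    ("ALLOW AUDIT PASSWORDS", "OFF", "OFF"),
    ("ENABLE SECURE.NCF", "OFF", "ON"),
]

SET_RE = re.compile(r"^SET\s+(?P<name>[^=]+?)\s*=\s*(?P<value>.+?)$", re.IGNORECASE)
BIND_RE = re.compile(r"^BIND\s+", re.IGNORECASE)


def parse_ncf(text):
    """Return ({PARAM: (VALUE, line_no)}, line_no of the first BIND or None).
    A '#' starts a comment in .NCF files; the last SET of a parameter wins."""
    settings, first_bind = {}, None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if first_bind is None and BIND_RE.match(line):
            first_bind = line_no
        m = SET_RE.match(line)
        if m:
            settings[m["name"].strip().upper()] = (m["value"].strip().upper(), line_no)
    return settings, first_bind


def audit_ncf(text):
    """List human-readable findings; an empty list means the file meets the baseline."""
    settings, first_bind = parse_ncf(text)
    findings = []
    for name, default, wanted in BASELINE:
        value, line_no = settings.get(name, (default, None))
        if value != wanted:
            where = f"line {line_no}" if line_no else "not set, default applies"
            findings.append(f"{name} = {value} ({where}); recommended {wanted}")
    sig = settings.get("NCP PACKET SIGNATURE OPTION")
    if sig and first_bind and sig[1] > first_bind:
        findings.append(
            f"NCP PACKET SIGNATURE OPTION is set on line {sig[1]} but the first BIND is on "
            f"line {first_bind}; set it before protocols are bound")
    return findings


# Constructed sample files (not taken from any real server).
WEAK_NCF = """\
# AUTOEXEC.NCF as left by a careless upgrade
SET BINDERY CONTEXT = O=ACME
LOAD CE1000 SLOT=3 FRAME=ETHERNET_802.2 NAME=NIC1
BIND IPX TO NIC1 NET=C0A80100
SET NCP PACKET SIGNATURE OPTION = 3
SET ALLOW UNENCRYPTED PASSWORDS = ON
SET TCP DEFEND SYN ATTACKS = OFF
SET ENABLE SECURE.NCF = ON
"""

HARDENED_NCF = """\
SET NCP PACKET SIGNATURE OPTION = 3
SET ENABLE IPX CHECKSUMS = 2
SET ALLOW UNENCRYPTED PASSWORDS = OFF
SET ALLOW CHANGE TO CLIENT RIGHTS = OFF
SET TCP DEFEND SYN ATTACKS = ON
SET ENABLE SECURE.NCF = ON
LOAD CE1000 SLOT=3 FRAME=ETHERNET_802.2 NAME=NIC1
BIND IPX TO NIC1 NET=C0A80100
"""

if __name__ == "__main__":
    for label, ncf in (("weak", WEAK_NCF), ("hardened", HARDENED_NCF)):
        findings = audit_ncf(ncf)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The weak file produces five findings: two settings explicitly wrong, two that are wrong because
they were never set and the insecure default applies, and the packet-signature line placed after
BIND, which is the ordering mistake the text warns about. Parameters that are absent from the file
are judged by their default, which is what a console-only review tends to miss.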
Valid Account Names on Novell NetWare
By default NetWare keeps rights to certain areas away from the general user and group. However,
there are two default users, anonymous and guest, that automatically have rights to the public and
etc system directories. These users are created without a password, so the first security step
with regard to users is to assign a password to both, disable the accounts, strip them of all
rights to the etc directory, or all of the above.
In NetWare 4.x, any limited account is enough for an attacker to run SYSCON, located in the
SYS:PUBLIC directory. Once in, he can go to User Information and list all defined accounts, seeing
each account name and the user's full name. With any valid account he can also run USERLST.EXE and
get a list of all valid account names on the server.
Another possibility is to use a local copy of MAP.EXE and try to map a drive using the server name
and volume SYS:, guessing passwords until a valid account is found. The same can be done with
ATTACH.EXE.
Hacking Tool: Chknull.exe
CHKNULL shows every account with no password, and the attacker does not have to be logged in. For
this to work against NetWare 4.x, bindery emulation must be on.
Typically, before an attacker gets to use CHKNULL, he will try his hand at other options,
especially if he has command line access to the server (maybe through a backdoor). He will use
the CX and NDIR commands without logging in to retrieve valuable information. Both CX and
NDIR are Novell utilities that will take advantage of the default NDS settings on the tree.
Used with the CX /T /A /R options the query will dump the complete tree if the default rights are
still set. This will give a complete list of account names, as well as the tree hierarchy. Similarly, the
attacker can also use NLIST to obtain valuable information.
NLIST USER /D dumps a lot of account information; NLIST GROUPS /D lists group names, their members,
and the description field for each group; NLIST SERVER /D lists the servers along with version
information and, if the attacker is attached to a server, tells whether accounting is active. NLIST
with /OT lists detailed information about NDS objects of a given type, and NLIST /OT=* /DYN /D
lists everything in NDS that is readable by default.
CHKNULL is usually run after CX and NLIST since the attacker has now gained a fair
assessment as to which accounts or which sections of the tree are good target areas. CHKNULL is
a good example of a hacker tool that uses bindery calls against an NDS server. Running
CHKNULL with no options will list all accounts in the current context that have no password, and
it can also check all accounts in the current context with a single password (such as “password”).
Typically this will yield at least one account that can be used to log in, especially in larger
organizations. Once logged in with the account, running the CX and NLIST commands again will
help retrieve even more information.
In Windows environments, using Network Neighborhood and the Novell-supplied Onsite will
yield valuable information. Onsite is capable of providing as much information and more as CX
and NLIST, including detailed information on volumes, free space, etc. Using Onsite and
CHKNULL together will help uncover a weakly protected account.
Written by Itsme, CHKNULL has several parameters which can be used to extend its
functionality:
Usage: chknull [-p] [-n] [-v] [wordlist]
-p = check username as password
-n = don't check null password
-v = verbose output
It can also check specified words on the command line as passwords.
Accessing the Password File in Novell NetWare
Unlike Unix, NetWare does not keep its password file in the open. All objects and their properties
are kept in the bindery files on 2.x and 3.x, and in the NDS database on 4.x. An example of an
object might be a printer, a group, or an individual's account; an object's properties might
include an account's password or full user name, or a group's member list or full name. The bindery
files on 2.x and 3.x carry the Hidden and System attributes (flags) and are located on the SYS:
volume in the SYSTEM subdirectory. Their names are as follows:

NetWare version   File names
2.x               NET$BIND.SYS, NET$BVAL.SYS
3.x               NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS

The passwords are actually located in NET$BVAL.SYS on 2.x and in NET$VAL.SYS on 3.x.
Accessing the Password File in Novell NetWare (contd.)
In NetWare 4.x, the files live in a different place on the SYS: volume: a hidden directory called
_NETWARE. This directory holds the NDS files, the license files, and a number of other
system-related files such as login scripts and auditing files. Using the RCONSOLE utility and its
Scan Directory option, the files in SYS:_NETWARE can be seen.
SYS:_NETWARE is hidden better on 4.1 than on 4.0x, but on a 4.1 server not patched to 410pt3 one
can still see the files by scanning directory entry numbers with NCP calls (the NCP APIs are needed
for this), using function 0x17 subfunction 0xF3. Another way to view and potentially edit these
files is to install NetWare 4 on a NetWare 3 volume and reboot the server with the 3.x SERVER.EXE;
volume SYS then exposes the _NETWARE directory. Using JCMD.NLM it is possible to access
SYS:_NETWARE, and an attacker may also try NETBASIC.NLM; if that succeeds, the NDS files can be
copied to a directory the attacker can reach, such as SYS:PUBLIC.
With regard to passwords, a Novell proprietary algorithm takes the password and produces a 16-byte
hash. The algorithm is the same for NetWare 3.x and 4.x, and it is also contained in the LOGIN.EXE
used by the client when logging in. The 16-byte hash is stored in the bindery files on NetWare 3.x
and in NDS on NetWare 4.x. Because the object ID is mixed into the algorithm, it acts as the
equivalent of a salt.
The scheme leaks more than it should, though: the object ID and the password length are stored
with the hash, and lower-case letters are converted to upper case before the hash is computed. Each
of these simplifies cracking. A cracker can skip lower-case letters entirely and concentrate on a
single known password length, so the search space per account is considerably smaller than it
appears.
Because the algorithm itself is relatively complex, computing it as designed is slow, which limits
the speed of cracking, especially by brute force, even with these shortcuts.
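The following Python is an added example (ours, not EC-Council's and not a Novell implementation)
of a dictionary attack shaped by the three properties just described: case-folded input, the
object ID as salt, and a stored password length. Novell's proprietary hash is not reproduced on
this page, so the hash here is a clearly labelled stand-in (HMAC-MD5 keyed with the object ID);
what the example shows is how much work the leaked length and the case-folding remove before a
single hash is computed. The wordlist and the object IDs are constructed.

```python
"""Dictionary attack shaped by the NetWare password-hash properties described
above (added example, not EC-Council code): the password is upper-cased before
hashing, the object ID acts as the salt, and the password length is stored
next to the 16-byte hash. stand_in_hash() is NOT Novell's algorithm; it is a
placeholder with the same shape so the pruning logic can be demonstrated."""
import hashlib
import hmac
import string


def stand_in_hash(object_id: int, password: str) -> bytes:
    """Placeholder: 16 bytes, salted with the object ID, case-folded input."""
    key = object_id.to_bytes(4, "big")
    return hmac.new(key, password.upper().encode("ascii"), hashlib.md5).digest()


def stored_entry(object_id: int, password: str) -> dict:
    """What the bindery/NDS keeps per account according to the text:
    the object ID, the password length and the hash."""
    return {"object_id": object_id, "length": len(password),
            "hash": stand_in_hash(object_id, password)}


def candidates(wordlist, length):
    """Yield unique upper-cased words of exactly `length` characters.
    Case variants collapse to one guess and other lengths are skipped, so the
    (slow) hash is computed only for guesses that can possibly match."""
    seen = set()
    for word in wordlist:
        guess = word.strip().upper()
        if len(guess) == length and guess not in seen:
            seen.add(guess)
            yield guess


def crack(entry: dict, wordlist):
    """Return the (upper-cased) password if the wordlist contains it, else None."""
    for guess in candidates(wordlist, entry["length"]):
        if hmac.compare_digest(stand_in_hash(entry["object_id"], guess), entry["hash"]):
            return guess
    return None


def keyspace(length: int, alphabet: str = string.ascii_uppercase + string.digits) -> int:
    """Brute-force search size once case is irrelevant and the length is known."""
    return len(alphabet) ** length


# Constructed wordlist: 7 entries that collapse to 4 distinct upper-cased guesses
SAMPLE_WORDLIST = ["secret", "Secret", "SECRET", "netware", "Netware1", "NETWARE1", "admin"]

if __name__ == "__main__":
    target = stored_entry(0x01000001, "Netware1")
    tries = list(candidates(SAMPLE_WORDLIST, target["length"]))
    print(f"{len(SAMPLE_WORDLIST)} words -> {len(tries)} hash computation(s) for length {target['length']}")
    print("recovered:", crack(target, SAMPLE_WORDLIST))
    print("8-character upper+digit keyspace:", keyspace(8))
```

The point of separating candidates() from crack() is that the pruning happens before any hashing:
against a real NetWare hash, whose cost is the only thing slowing an attacker down, every guess
that the stored length or the case-folding already rules out is a wasted call, and an attacker
who reads the length from the bindery never makes it.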
Tool: NOVELBFH.EXE & NWPCRACK.EXE
NOVELBFH is a brute-force password cracker that works against NetWare 3.x.
NWPCRACK is a password cracker that works against a single account using a dictionary wordlist.
NOVELBFH, Novell Brute Force Hacker, is a program written by DGE Alofs in Holland. It is
a menu driven program that attempts to crack accounts by using the verify password function and
trying various guesses for password.
The password checking is done using the unencrypted password call, so this program can be
rendered useless on NetWare 3 by disabling the unencrypted password call at the server (this is
the default).
NWPCRACK is a brute-force password cracker for cracking passwords on the Novell
platform. This utility is best used from a remote location, working on passwords over long periods
of time. As the author points out, there is a period of delay between password attempts and thus,
brute forcing could take some time. This utility would probably work best if the cracker were
attacking a network that he knew something about.
Countermeasure
Use strong passwords. If the server has been upgraded, check the AUTOEXEC.NCF file for the
unencrypted passwords setting. If it is ON, passwords are permitted to cross the wire in clear text
for legacy support. To make sure it is off, use the SET command at the server console (or put the
same line in AUTOEXEC.NCF):
SET ALLOW UNENCRYPTED PASSWORDS = OFF
Hacking Tool: Bindery.exe & BinCrack.exe
BINDERY.EXE is a password cracker that works directly against the bindery files, including the
.OLD copies left behind by BINDFIX. It reads the bindery and extracts the ciphertext produced by
NetWare's one-way password encryption, writing a Unix-style password text file that contains the
encrypted password and the user ID. This text file is then cracked by the companion utility
BINCRACK.EXE using a dictionary file.
With powerful CPUs, multiple CPUs, and orchestrated networks, BINCRACK.EXE can make short work of
delivering passwords.
Normally an intruder must first gain supervisor equivalency to read the live bindery files. There
is a way around this: every time BINDFIX runs it leaves .OLD copies of the bindery files, and a
clever hacker may copy those instead. As system administrator you must guard against this by
ensuring that the proper rights are set on the SYS:SYSTEM directory and that stale .OLD files are
removed.
Countermeasure:
A bindery context setting is used to emulate the bindery database of earlier NetWare versions.
Bindery emulation is what makes the bindery-based tools in this module work against an NDS server,
so it should be removed unless legacy bindery clients genuinely need it. In the AUTOEXEC.NCF file,
check the status of the SET BINDERY CONTEXT command line.
Hacking Tool: SETPWD.NLM
If you have access to the console, either by standing in front of it or through RCONSOLE, you can
use SETSPASS.NLM, SETSPWD.NLM or SETPWD.NLM to reset passwords. Just load the NLM and pass it
command-line parameters.
How to Use SETPWD.NLM
SETPWD.NLM decompresses into an NLM (NetWare Loadable Module). Loaded at the console, SETPWD.NLM
resets any user's password, including that of Supervisor, without knowing the current one. This is
why console and RCONSOLE access were described earlier as overriding every other access level.
NetWare 6 provides some policy settings intended to protect passwords: password required, password
length, password unique, expiration and grace login limit. This version also provides intruder
detection in the form of lockout periods. A summary of the recommended settings is:
• Enable intruder detection at the OU level.
• Set incorrect login attempts to 3.
• Make and use a User Template object to apply password policies to new users.
• Require users to have passwords with a minimum length.
• Require users to have unique passwords. Netware remembers the last 8 passwords used.
• Set grace login to 3.
Another design feature is the elimination of the additional client software that older versions
required for a workstation to access the server. NetWare 6 ships with Native File Access Protocols
(NFAP), which allow Macintosh, Windows and UNIX clients to access NetWare server file systems
without additional client software. However, because the native Windows and Mac protocols cannot
use the NDS password, clients using them have a separate simple password stored in NDS by NMAS
(Novell Modular Authentication Services). To ensure security, both the NDS password and the
simple password must be set when creating users. As long as the two passwords are kept
synchronized, the user is able to change their own password.
Other Tools
Hacking Tool: Kock
For NetWare 3.11. Exploits a bug in the NetWare attach process to log in without a password.
Hacking Tool: UserDump
UserDump simply lists all users in the Bindery. Works for NetWare 3.x and 4.x (in Bindery Mode).
Hacking Tool: NWL
NWL is a replacement LOGIN.EXE for Novell NetWare. Run PROP.EXE from a Supervisor account to
create a new property, then replace the existing LOGIN.EXE in SYS:LOGIN. Each time a user logs in,
the login text is stored in the new property; use PROP.EXE to retrieve the captured logins.
Separately, the version of LOGIN.EXE that shipped with NetWare 4.0 had a flaw: under the right
conditions the account and password could be written to a swap file created by LOGIN.EXE. Once
this has occurred, the file can be undeleted and the account and password retrieved in plain text.
Hacking Tool: Getit
Reportedly written by students at George Washington High School in Denver, Colorado, Getit
is designed to capture passwords on a Novell network. The program was written in assembly
language and is therefore quite small.
This tool is triggered by any instance of the LOGIN.EXE application used in Novell to authenticate
and begin a login session on a workstation. Technically, because of the way Getit works, it can be
marginally qualified as a sniffer. It works directly at the operating system level, intercepting (and
triggering on) calls to Interrupt 21h. It's probably the most well known NetWare hacking tool ever
created.
Getit is a TSR (Terminate and Stay Resident) program and takes advantage of weaknesses in
security at the boot phase. A line that executes the (hidden) program is inserted into the regular
flow of the AUTOEXEC.BAT file on the boot disk. The TSR remains in the background while normal
processing continues, and there are no visible signs of the break-in.
As soon as a program named LOGIN is executed, the TSR springs to life and records all keystrokes
into a hidden file on the boot disk. The attacker can later return to check whether the hack has
been successful.
Getit uses the same "hook" that the Novell shell does, capturing the centralized portal to DOS at
interrupt 21h. It then intercepts all function calls, checking specifically for the EXECute-file
function call and the terminate interrupt. Whenever an EXEC call is made with the filename LOGIN,
the program records keystrokes until that program terminates. Note that this technique requires
Getit to be loaded after the NetWare shell.
Hacking Tool: Burglar, SetPass
Burglar is a somewhat dubious utility. It can only be used where an individual has physical
access to the NetWare file server. It is an NLM, or a loadable module. Most of Novell NetWare's
programs executed at the server are loadable modules. This includes everything from the system
monitor to simple applications such as editors.
The utility is usually stored on a floppy disk. The attacker sometimes has to reboot the server.
Provided that the attacker can reach the Novell server prompt without encountering any
password-protected programs along the way, the utility is then loaded into memory. This results
in the establishment of an account with supervisor privileges.
Burglar.nlm is a Novell Loadable Module. If it is executed on the server it will create an account
with supervisor privileges. The attack methodology goes like this:
• The program is copied to a floppy diskette.
• The diskette is then taken to the server.
• The attacker waits until the console ":" prompt is obtained.
• At the ":" prompt the load command is issued, for example "load a:burglar.nlm super2".
• The diskette is taken out and the server rebooted to erase evidence of the program. The
log file is later deleted.
Another loadable module, SetPass, is designed to give the user supervisor status. This module also
requires physical access to the machine. Basically, it is a variation of Burglar. It also sends a
broadcast message to all users, so keep this in mind when it is run.
SETPASS
Purpose: Use at a workstation to change a user's password.
Syntax: SYS:PUBLIC\SETPASS.EXE [servername/] [username] [/? | /VER]
Parameters:
(no parameter)  Change your password on the network.
servername/     Replace with the name of the server where you want to change the user's
                password.
username        Replace with the name of the user whose password you want to change.
/?              View online help. All other parameters are ignored when /? is used.
/VER            View the version number of the utility and the list of files it uses to execute.
                All other parameters are ignored when /VER is used.
Examples
• To change your password on the network, type
SETPASS
• To change user John’s password (if you have rights), type
SETPASS JOHN
• To change user Bob’s password on server PROD, type
SETPASS PROD/BOB
• To change your own password on server CONSOLE, type
SETPASS CONSOLE/
Hacking Tool: Spooflog, Novelffs
http://www.gregmiller.net/novell.html
Spoofing is the act of using one machine to impersonate another by forging the other's
"identity" or address. There are different forms of spoofing. We have discussed spoofing at length
in the preceding modules at various points. Here, the consideration is hardware address spoofing.
Spoofing in the NetWare environment is not impossible; it is just difficult. In version 4.x and
below, this exploit is a possibility. The NET.CFG file contains parameters that are loaded on boot
and connection to the network. Options include number of buffers, what protocols are to be
bound to the card, port number, MDA values, and, of course, the node address.
The popular way to spoof is by altering the address in the NODE field in the NET.CFG file. In an
attack scenario, the attacker assigns the node an address belonging to another workstation. In
order for this type of attack to work, many variables must be just right. For example, if there are
any network interfaces between the attacker and the target, this may not work.
Spooflog is a program, written in C by Greg Miller, that can spoof a workstation into believing
that it is communicating with the server. This is a fairly advanced exploit. It should be observed
here that Miller is not a cracker. This is the classic man-in-the-middle attack which we have
discussed in preceding modules.
Written by Donar G E Alofs, Novelffs is a program that simulates a Novell file server. The fake
server will be visible for about 1 to 2 minutes. On some systems it remains visible for as long as
the program is running; if the computer is rebooted, it disappears after 1 to 2 minutes. The
Ethernet address of the computer from which NOVELFFS is started is visible in the SLIST output,
so it is traceable.
Hacking Tool: Gobbler
Gobbler is a hacking tool which 'sniffs' network traffic on
Novell servers.
"The Gobbler" is an Ethernet troubleshooter/protocol analyzer that runs on common PC, AT
and PS/2 computers and can be operated from a remote central network management station. It
features a packet capture program with extensive filtering capabilities for catching selected
Ethernet packets and writing them to disk for later examination, and a dumpfile view and
protocol analyzing program for examining the captured packets. "The Gobbler" is based on an
event-driven multitasking operating system called the Network Packet Dispatcher, developed by
the network performance group of the Delft University of Technology.
"The Gobbler" in fact consists of two separate programs: a local "Gobbler" to be operated from the
local network management station, and a remote "Gobbler" to be operated from a remote central
network management station. Both "Gobblers" run on PC, AT and PS/2 computers with a
network device that supports promiscuous mode.
The local "Gobbler" is meant for use on a local network management station. It is therefore
provided with a menu-driven user interface, but lacks a SNMP interface. It features two
Dispatcher Application Programs: a packet capture program with extensive filtering capabilities
for catching selected Ethernet packets and writing them to disk for later examination, and a
dumpfile view and protocol analyzing program for examining the captured packets.
The packet capture program writes the packets that pass the filters to disk. The user can set the
name of the output dumpfile and its maximum size, the maximum runtime of the program and
the maximum number of packets that may be captured. A status window keeps the user informed
about the selected dumpfile name, the current and maximum number of captured packets, the
current and maximum dumpfile size, the current and maximum runtime, the number of selected
filters and the total received and missed packets. It is also possible to open a window displaying
the source and destination address and protocol type of the captured packets. The program stops
automatically on exceeding one of the limits, but can also be stopped by the user.
The remote "Gobbler" is meant to be operated from a remote central network management
station using SNMP. Its variables can therefore not be set from the local network management
station, nor does it display its results on the local screen. It features five Dispatcher Application
Programs: a packet catcher with filtering capabilities, and four others (among them an SNMP
agent and a TFTP server) that make control by SNMP and transfer of the dumpfile from the
local station to the remote station possible. The dumpfile viewer in this case is a separate program
to be run on the remote station itself, not on the local station.
Hacking Tool: Pandora
Features
• Searches for target servers and grabs user accounts without
logging in.
• Multiple DoS attacks and dictionary attacks against user accounts.
• Attaches to server with password hashes extracted from Offline
program.
• Improved spoofing and hijacking by using real-time sniffing.
Silently 'read' files as they are downloaded from server to client.
Pandora is a project that was developed by Simple Nomad and sponsored by the Nomad Mobile
Research Centre. The goal of Pandora is to provide the tools for the opening of Novell's Netware
Directory Services.
Pandora is a set of tools for hacking, intruding and testing the security and insecurity of
Novell NetWare; it works on versions 4 and 5. Pandora consists of two distinct sets of programs,
an "online" version and an "offline" version. Pandora Online is intended for direct attack against
a live NetWare 4 or 5 server. Pandora Offline is intended for password cracking after copies of
the NDS files have been obtained.
A typical attack goes as follows:
• Use Pandora online version to determine common user accounts passwords.
• Pandora Online can be used to determine the password to the special Supervisor Object.
• By exploiting the information collected from Pandora Online, try to access SYS:SYSTEM.
If BACKUPS and/or DSREPAIR>DIB exist, they can be copied off the server. By
exploring the NCF files, it should be possible to determine the remote console password.
• After gaining control access, using Novell's DSMAINT a fresh BACKUP.DS can be created
and copied down. BACKUP.DS can be converted into the original NDS file using Pandora
Offline.
• The NDS files can have Pandora Offline run against them to create the PASSWORD.NDS
file. Pandora Offline can be run against PASSWORD.NDS to do either a brute force attack
or a dictionary attack to obtain additional passwords.
Pandora Countermeasure
The best protection against this type of attack is establishing and enforcing a strong password
policy.
Physical access to all servers should be prevented. Remote management tools like RCONSOLE over
SPX or RCONJ over TCP/IP should not be used.
In a NetWare 5.x environment the console screen saver also gives good protection, because it
requires the NDS username and password of a user with supervisor rights to the server in order
to log in.
Defense against Pandora includes the following measures:
• Removing the ability for anyone to read the NDS tree: the rights for [Root] should not be
public.
• Isolating admin servers from end users on an Ethernet segment, or adopting a switched
Ethernet.
• Using Packet Signature at the highest settings on servers and workstations at all times.
• Using the latest patches on servers and workstations.
• The SET PACKET SIGNATURE line should be in the STARTUP.NCF, not the
AUTOEXEC.NCF.
• Building a dummy NDS account named SUPERVISOR attributing it no rights and
disabling it.
• Giving the bindery Supervisor account a complex password.
• Ensuring that the server object is not in the same container as the Admin account.
• Using Intrusion Detection on every container.
• Enforcing a minimum password length of 8 for normal users; LAN administrators should
have even longer passwords.
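Two of the countermeasures in this module are settings in the server's NCF files: the SET BINDERY CONTEXT line from the BINDERY.EXE section, and the packet-signature and remote-console items in the list above. The following Python script is an added example, not code from the module or from Novell; it audits constructed STARTUP.NCF and AUTOEXEC.NCF contents and assumes the standard NetWare parameter names SET NCP PACKET SIGNATURE OPTION and SET BINDERY CONTEXT.

```python
"""Audit NetWare .NCF files for the weak console settings this module warns about.

Added example, not code from the module or from Novell. It scans constructed
STARTUP.NCF / AUTOEXEC.NCF text for:
  - SET BINDERY CONTEXT left in AUTOEXEC.NCF (bindery emulation enabled),
  - NCP packet signature below level 3, or placed in AUTOEXEC.NCF rather than
    STARTUP.NCF,
  - remote console modules (REMOTE/RSPX, RCONAG6) being loaded.
"""
import re

# Constructed sample files, as an administrator might find them on a NetWare 4.x server.
STARTUP_NCF = """\
; STARTUP.NCF (constructed sample)
LOAD IDEATA.HAM PORT=1F0 INT=E
SET MINIMUM PACKET RECEIVE BUFFERS = 100
"""
AUTOEXEC_NCF = """\
; AUTOEXEC.NCF (constructed sample)
FILE SERVER NAME FS1
SET BINDERY CONTEXT = OU=SALES.O=ACME
SET NCP PACKET SIGNATURE OPTION = 1
LOAD REMOTE
LOAD RSPX
"""

SET_RE = re.compile(r"^\s*SET\s+([A-Z ]+?)\s*=\s*(.+?)\s*$", re.IGNORECASE)
LOAD_RE = re.compile(r"^\s*LOAD\s+(\S+)", re.IGNORECASE)
REMOTE_CONSOLE_NLMS = {"REMOTE", "RSPX", "RCONAG6"}  # RCONSOLE over SPX; RConsoleJ agent

def parse_set_lines(text):
    """Return {PARAMETER NAME: value} for each SET line; ';' starts a comment."""
    params = {}
    for line in text.splitlines():
        m = SET_RE.match(line.split(";", 1)[0])
        if m:
            params[" ".join(m.group(1).upper().split())] = m.group(2)
    return params

def loaded_modules(text):
    """Return the upper-cased base names (no path, no extension) of LOADed modules."""
    mods = set()
    for line in text.splitlines():
        m = LOAD_RE.match(line.split(";", 1)[0])
        if m:
            mods.add(re.split(r"[\\:/]", m.group(1))[-1].upper().split(".")[0])
    return mods

def audit_ncf(startup_text, autoexec_text):
    """Return a list of finding strings; an empty list means nothing to flag."""
    startup, autoexec = parse_set_lines(startup_text), parse_set_lines(autoexec_text)
    findings = []
    if "BINDERY CONTEXT" in autoexec:  # BINDERY.EXE countermeasure: emulation should be removed
        findings.append("AUTOEXEC.NCF: SET BINDERY CONTEXT = %s (bindery emulation enabled)"
                        % autoexec["BINDERY CONTEXT"])
    sig = "NCP PACKET SIGNATURE OPTION"  # Pandora countermeasures: level 3, set in STARTUP.NCF
    if sig in autoexec:
        findings.append("AUTOEXEC.NCF: packet signature set here; move it to STARTUP.NCF")
    level = autoexec.get(sig, startup.get(sig))
    if level is None:
        findings.append("packet signature option not set in either file")
    elif level.strip() != "3":
        findings.append("NCP PACKET SIGNATURE OPTION = %s; 3 (always sign) is the highest" % level.strip())
    loaded = loaded_modules(startup_text) | loaded_modules(autoexec_text)
    for nlm in sorted(loaded & REMOTE_CONSOLE_NLMS):
        findings.append("remote console module %s is loaded" % nlm)
    return findings

if __name__ == "__main__":
    for finding in audit_ncf(STARTUP_NCF, AUTOEXEC_NCF):
        print("FINDING:", finding)
```

Run against real NCF files copied off a server, an empty result means none of the three weak settings discussed in this module is present.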
Summary
• All parts of the overall NetWare system are objects. Each object in the security model has
an Access Control List, or ACL. Objects are clustered together in an overall hierarchy.
There are a total of five different levels of access that can be logically defined from the
security model – not logged in, logged in, supervisory access, administrative access, and
console access.
• NetWare servers (4.x and earlier) by design do not offer much in the way of protection, as
there is no means of auditing events performed at the console. This is a physical security
concern.
• There is a security concern as the supervisor account password is the same as the first
password for the Admin user until it is changed using a bindery administration utility.
• Similar concerns in Novell are exploited by vigilant attackers.
• Novell Password cracking tools can provide the attackers with room for further actions.