EC-Council

Novell Netware Basics
Object Model
Access Control Lists
Rights
Levels of Access
Packet Signature

Default Accounts and Settings
Server Settings
Supervisor Account
Default Rights
RCONSOLE security concerns
Server Commands and Settings

Valid Account names on Novell Netware
Any limited account should have enough access to allow you to run SYSCON, located in the SYS:PUBLIC directory. If you get in, type SYSCON and press Enter. Now go to User Information and you will see all defined accounts. You will not get much info with a limited account, but you can get the account and the user's full name.
If you are in with any valid account, you can run USERLST.EXE and get a list of all valid account names on the server.

Hacking Tool: Chknull.exe
CHKNULL shows you every account with no password, and you do not have to be logged in. For this to work, bindery emulation must be on.

Access the password file in Novell Netware
Access to the password file in Netware is not like Unix: the password file is not in the open.
All objects and their properties are kept in the bindery files on 3.x, and in the NDS database on 4.x.
The bindery file attributes (or flags) in 3.x are Hidden and System, and these files are located on the SYS: volume in the SYSTEM subdirectory.
3.x - NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS
The NET$BVAL.SYS and NET$VAL.SYS are where the passwords are actually located in 3.x and 4.x respectively.

Access the password file in Novell Netware (contd.)
In Netware 4.x, the files are physically located in a different location than on the SYS: volume.
By using the RCONSOLE utility and its Scan Directory option, you can see the files in SYS:_NETWARE.
There is another way to view these files and potentially edit them. After installing NW4 on a NW3 volume, reboot the server with the 3.x SERVER.EXE. The _NETWARE directory will be on volume SYS.
SYS:_NETWARE is hidden better on 4.1 than on 4.0x. But in 4.1 you can still see the files by scanning the directory entry numbers using NCP calls (you need the APIs for this), using function 0x17, subfunction 0xF3.

Tool: NOVELBFH.EXE & NWPCRACK.EXE
Novelbfh is a brute-force password cracker which works on Netware 3.x versions.
NWPCRACK is a password cracker that works against a single account and uses a dictionary wordlist.

Hacking Tool: Bindery.exe & BinCrack.exe
Bindery.exe is a password cracker that works directly against the .OLD bindery files. This tool extracts user information out of the bindery files into a Unix-style password text file. Then you can use BINCRACK.EXE to "crack" the extracted text file.

Hacking Tool: SETPWD.NLM
If you have access to the console, either by standing in front of it or by RCONSOLE, you can use SETSPASS.NLM, SETSPWD.NLM or SETPWD.NLM to reset passwords. Just load the NLM and pass it command line parameters:
How to Use SETPWD.NLM

Other Tools
Hacking Tool: Kock
For Netware 3.11; exploits a bug in a Netware attach to log in without a password.
Hacking Tool: userdump
UserDump simply lists all users in the Bindery. Works for Netware 3.x and 4.x (in Bindery Mode).
Hacking Tool: NWL
Replacement LOGIN.EXE for Novell Netware. Run PROP.EXE from a Supervisor account to create a new property. Replace the existing LOGIN.EXE in SYS:LOGIN. Each time a user logs in, the text is stored in the new property. Use PROP.EXE to retrieve captured logins.

Hacking Tool: Getit
Getit is a hacking tool designed to capture passwords on a Novell network. This tool is triggered by an instance of the LOGIN.EXE application used in Novell to authenticate and begin a login session on a workstation. It works directly at the operating system level, intercepting calls to Interrupt 21h. It's probably the most well-known NetWare hacking tool ever created.

Hacking Tool: Burglar, SetPass
Burglar can only be used where an individual has physical access to the NetWare file server. The utility is usually stored on a floppy disk. The attacker sometimes has to reboot the server.
SetPass is a loadable module designed to give the user supervisor status. This module also requires physical access to the machine.

Hacking Tool: Spooflog, Novelffs
Spooflog is a program, written in C by Greg Miller, that can spoof a workstation into believing that it is communicating with the server. This is a fairly advanced exploit.
Novelffs creates a fake file server. It was written by Donar G E Alofs. Needs rebooting after work is done.

Hacking Tool: Gobbler
Gobbler is a hacking tool which 'sniffs' network traffic on Novell servers.

Hacking Tool: Pandora
Pandora is a set of tools for hacking, intruding and testing the security and insecurity of Novell Netware 4.x and 5.x. Pandora consists of two distinct sets of programs: an "online" version and an "offline" version.
Features
Searches for target servers and grabs user accounts without logging in.
Multiple DoS attacks and dictionary attacks against user accounts.
Attaches to server with password hashes extracted from the Offline program.
Improved spoofing and hijacking by using real-time sniffing.
Silently 'reads' files as they are downloaded from server to client.

Pandora Countermeasure
The best protection against this type of attack is establishing and enforcing a strong password policy.
Physical access to all servers should be prevented.
Remote management tools like RCONSOLE over SPX or RCONJ over TCP/IP should not be used.
In a Netware 5.x environment, the screen saver also gives good protection, because it requires an NDS username and password of a user with supervisor rights to the server to log in.

Summary
All parts of the overall NetWare system are objects. Each object in the security model has an Access Control List, or ACL. Objects are clustered together in an overall hierarchy.
There are a total of five different levels of access that can be logically defined from the security model: not logged in, logged in, supervisory access, administrative access, and console access.
A NetWare server (<= 4.x) by design does not offer much in the way of protection, as there is no means of auditing events done at the console. This is a physical security concern.
There is a security concern in that the supervisor account password is the same as the first password for the Admin user until it is changed using a bindery administration utility.
Similar concerns in Novell are exploited by vigilant attackers.
Novell password cracking tools can provide attackers with room for further actions.