The Disclaimer

I don't encourage illegal activities, I really mean this! And if you really want to try something against the law and you get caught, I have warned you, hehe :P

Introduction

This is the first tutorial I have written. It was originally written only for BSRF (Black Sun Research Facility), and it will probably not be the last one :). So if you discover some errors, please remember this was my first one. Last note before I begin writing about "Cracking Netware": at the moment you can't contact me by e-mail or otherwise... I'd rather remain 'hidden' for the moment.

Index

Novell Netware tutorials:
- Novell Netware - Cracking Netware

Maybe I'll write an advisory for system administrators, or even publish vulnerabilities in Netware that I have found myself, but remember I can't guarantee anything! It's possible that I'll write some other tutorials about different topics as well. Well, this one will be about:

Novell Netware - Cracking Netware (v 1.01)

Like many other operating systems, Netware doesn't work with the TCP protocol; it uses its own protocol called Internet Protocol eXchange (IPX). This protocol isn't vulnerable at the moment to any kind of Denial of Service (DoS) attack like SYN-flood, while the TCP protocol is. Because Netware didn't get much attention from crackers, they thought their system was impenetrable, and so they didn't do much about security updates. Now many of you guys think this is really cool, and think you can crack any Netware server with some help from the many tools that are available online. Well, I can tell you it's not that easy. It depends on many things, like:

- The most important reason: which Netware version they run. If they run version 4.1 or higher, the chance that you will sneak in unnoticed will be really small, unless you have to deal with some really stupid, most of the time lazy, system administrators.
- Whether the system administrators patch the Netware server(s) on a regular basis...
- Whether you have some kind of permanent account with standard Netware rights, not one that has been adjusted.
- You will need a lot of time and must not be disturbed. Especially in classrooms this will be difficult to get, so you have to find a way with social engineering to accomplish this :(

Before I continue with Netware security and how to bypass it, first I'm going to tell you something about servers and clients.

When a Netware client has been installed in Windows 9x it's possible to access the Netware server. When you arrive in Windows you'll see a login screen. Before you have logged into the network, the client and the server have already established a connection with each other, only this connection isn't validated by the user who created it! You can see this connection on the console when monitor.nlm is loaded.

You don't know what the console means? Ok, I'll explain. The server is nothing but a computer, not a normal one like a desktop or tower; call it a very big tower. On this machine the Netware server software is installed. When you turn on this machine, first DOS (6.22 or lower) will be loaded. After this you can boot Netware by executing the file "server.exe"; now many files will be loaded and you'll get a lot of messages. It looks like booting a Linux machine. After the boot process you are looking at a sort of DOS screen; this is called the console. At the console you have the highest rights on that particular Netware server. You can down the server any time you want with just one simple command. So the main group of crackers tries to get this access. But there are many different ways to crack a Netware server.

By default you have the following rights on a Netware server:

User: A normal user who can access some files in //public, //login and //mail. Mostly they have some print rights, and they also have their own home directory.

SuperUser: At schools this right has been given to teachers. They can view students' accounts and delete files if necessary.
They cannot create, delete or change accounts.

SuperVisor: Only the system administrators are permitted to control everything on the file system. When they want to down the server they have to walk to the console, or they start a program called rconsole, which stands for "Remote Console". The word explains itself. For security reasons they first have to load "remote.nlm" and "rspx.nlm" at the console, so by default this feature is turned off!

Console: This is the highest right on a Netware server. Once you have gained these rights illegally, nothing can stop you at that moment but a power failure. Also be aware of the log files! Many crackers who have gained console rights have been caught by them, and if you are dealing with very smart system administrators, they have some program that automatically sends the logs to an off-line location. And once the logs have arrived there, you have a serious problem...

When you want to gain some high level access on a Netware server, remember that this can be done in many ways; I explain two different ways. A note before trying one of the two ways: way one will require a lot of luck, some cracking skills and also some tools. Way two will require a lot of time (two weeks, maybe a month). You have to see for yourself what's the best way. Oh, by the way, if you want to get some high level access while trying way one... remember it's critical that you don't make any mistakes, because the probability you'll be caught is high (log files and some other things)!

First way

If you are very, and I mean very, lucky the system administrators could have loaded "remote.nlm & rspx.nlm". Try to find a program called "rconsole.exe"; normally you can find this program in the following directory on the Netware server: "//public". If you don't have file scan or read rights on this directory, you have to get this program another way. The program needs a lot of other files before you can execute it, so download these too!
To make it a little harder for our 'beloved' system administrators to trace you (and give you some more time), don't authenticate yourself to the server while trying to access the console remotely! Before they know who's trying to establish a connection to the Netware server, they have to walk to the server and load monitor.nlm. Now they can see the attacker's ethernet address, and from this moment they can close your connection to the server any time they see fit. But mostly they want to collect some evidence against you, so they just let you 'crack the server'. In the meantime you have already spent some minutes guessing the correct password, and every attempt will be automatically written to a file. No, even worse: every attempt will also be written to their monitor, including (again) your ethernet address and whether you guessed the password right or not. This sucks, doesn't it? Well, we can combine these two problems into one solution. But again you'll need some luck! Here we go:

The most difficult problem will be getting the password, because you don't have enough time to guess the password, and even with some kind of brute-force cracking program you don't, so we need to approach this problem another way. Now you'll need some luck, because for this trick the two nlm's "remote & rspx" have to be loaded on the console! The system administrators will only load these if they want to check the console regularly. Well, when you are sure the two nlm's are loaded, continue reading; if not, skip to the second way to crack into Novell Netware. Just try to access the console with "rconsole.exe" to verify whether those nlm's are loaded, but only try this once! If you get an empty window, skip to part two!

When the system administrators are accessing the console they also have to enter a password. This password is sent in plain text over the network (plain text means: unencrypted).
If you're dealing with Netware version 4.11 or higher, skip to way two, because the transmitted password is encrypted! When you have the same node address as the system administrators have, it's possible to intercept (sniff) the packets from the system administrators to the console. You are asking yourself "How do I know?"; the answer: if you're on a small network with approximately 10-50 users you are on the same node address, unless you're dealing with some paranoid system administrator. If you're dealing with some bigger kind of network you have to get yourself a copy of a program called "HIER NOG IETS INVULLEN" (a Dutch placeholder meaning "still to be filled in here"; the name was never supplied). Again you do need some luck; if you're not on the same node address as they are, skip to way two.

We now arrive at probably the most difficult part of all. What we now need is a packet sniffer that supports IPX sniffing; I recommend "SpyNet" for the job. Install and execute SpyNet. Configure SpyNet so it will write all captured packets to one file. Let the program run a couple of hours, because the system administrators have to access the console remotely. You can use your social engineering skills to speed up this process. One way to do this is to call them and say you think someone is trying to crack their network. Don't sound too professional, because they could suspect you're the one doing something illegal! Once you have the packets which contain the password, you have to find a way yourself to extract the password from SpyNet's logfile. Note: the password is spread over many packets. Example: if the password were "Netware" you'd find the password in this order:

packet 34643: j
packet 34644: 6
packet 34645: n
packet 34646: g
packet 34647: 8
packet 34648: e
packet 34649: f
packet 34650: t
packet 34651: 2
packet 34652: w
packet 34653: a
packet 34654: l
packet 34655: r
packet 34656: d
packet 34657: 4
packet 34658: e
packet 34659: v

As you see, this could take some time before you find it.
When you get the password, access the console remotely as soon as possible and create a supervisor account. When you're finished with everything you did, remember to erase the logfile! You'll find the file at /etc/console.log; you can delete this file at the console. Just unload "conlog.nlm" and then load it again! Now the old logfile is overwritten by the new one. If you terminate the connection between you and the server, your ethernet address will be written to the new logfile! So before quitting I suggest unloading "conlog.nlm" once more. Now you can quit the remote session with ALT-F1.

The second way to hack Novell Netware will be described in the following version.

Copyright (C) 2000, Data Wizard, The Netherlands.
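The section above explains that unloading and reloading conlog.nlm replaces console.log with a fresh file, and the earlier description of console rights notes that careful administrators ship the log to another machine. The following is an added example, not part of the original tutorial and not Netware code, of how an administrator's polling script could notice such a reset (the file getting shorter, or already-seen bytes changing) and hand back every new byte for off-host forwarding. The log path and the log lines are constructed assumptions, not real server output.

```python
"""Added example (not from the tutorial): detect a console log being reset,
e.g. by unloading and reloading conlog.nlm, and hand back the new bytes so
they can be shipped off the server. LOG_PATH and the sample log lines are
constructed for this example; they are not taken from a real server."""
import hashlib
from dataclasses import dataclass


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


LOG_PATH = "SYS:ETC/CONSOLE.LOG"   # assumed location; the tutorial calls it /etc/console.log
EMPTY_SHA256 = _sha256(b"")


@dataclass
class LogState:
    """What the poller remembers about the file between two polls."""
    size: int = 0
    prefix_sha256: str = EMPTY_SHA256   # hash of the bytes seen at the last poll


def check_log(state: LogState, current: bytes) -> tuple[str, bytes, LogState]:
    """Compare the current file content with the state from the last poll.

    Returns (verdict, new_bytes, new_state). verdict is one of:
      'unchanged' - same length, same content
      'appended'  - old content intact, new bytes at the end (normal growth)
      'truncated' - file is shorter than last time (log reset or replaced)
      'rewritten' - not shorter, but bytes already seen have changed
                    (a reset followed by regrowth between two polls)
    For 'truncated' and 'rewritten' the whole file counts as new, so the
    forwarder still receives whatever the fresh log contains.
    """
    if len(current) < state.size:
        verdict, new_bytes = "truncated", current
    elif _sha256(current[: state.size]) != state.prefix_sha256:
        verdict, new_bytes = "rewritten", current
    elif len(current) == state.size:
        verdict, new_bytes = "unchanged", b""
    else:
        verdict, new_bytes = "appended", current[state.size:]
    return verdict, new_bytes, LogState(len(current), _sha256(current))


def poll_file(state: LogState, path: str = LOG_PATH) -> tuple[str, bytes, LogState]:
    """Read the log from disk and run check_log on it (for real use)."""
    with open(path, "rb") as fh:
        return check_log(state, fh.read())


# Constructed sample log content (not real Netware console output).
LOG_A = b"[constructed] 10:01 MONITOR.NLM loaded\r\n"
LOG_B = b"[constructed] 10:07 RCONSOLE session opened\r\n"
LOG_C = b"[constructed] 10:30 CONLOG.NLM loaded\r\n"        # first line of a fresh log
LOG_D = b"[constructed] 10:31 RCONSOLE session closed\r\n"


def simulate() -> tuple[list[str], bytes]:
    """Run the poller over a constructed sequence of file snapshots and
    return the verdicts plus everything that would have been forwarded."""
    snapshots = [
        LOG_A,                      # poll 1: log exists
        LOG_A + LOG_B,              # poll 2: normal growth
        LOG_C,                      # poll 3: conlog reloaded, file reset and shorter
        LOG_C + LOG_D,              # poll 4: the new file grows normally
        LOG_C.replace(b"10:30", b"10:45") + LOG_D + LOG_D,
                                    # poll 5: reset again but regrew past the old size
    ]
    state = LogState()
    verdicts: list[str] = []
    forwarded = b""
    for snapshot in snapshots:
        verdict, new_bytes, state = check_log(state, snapshot)
        verdicts.append(verdict)
        forwarded += new_bytes      # in real use: send to the off-host collector
    return verdicts, forwarded


if __name__ == "__main__":
    for v in simulate()[0]:
        print(v)
```

The 'rewritten' verdict is the edge case worth keeping: if the log is reset and then grows past its previous size before the next poll, a size-only check would report ordinary growth, while the prefix hash still exposes the replacement.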