Modern Netware Hacking Simple Nomad Mobile Research Centre
About... • Myself – thegnome@nmrc.org • Nomad Mobile Research Centre – http://www.nmrc.org/
Agenda • Why Hack Netware • Data Gathering in Novell Environments • Intrusion Techniques • Pandora Overview
Why Hack Netware • Wide Deployment – Novell has large market share. • Security Often Overlooked – Admins usually just know the basics. • File and Print Focus – Secure data often inside desktop productivity documents.
Data Gathering • Offline Techniques • Online Techniques
Data Gathering - Offline • Public Sources – SEC filings, Annual Report, etc. • The Internet – Whois, company web site, Internet postings. • Social Engineering – Contacting company employees directly.
Data Gathering - Online • CHKNULL.EXE – Will check for accounts with no password in the current context. – Can check all accounts for a single password.
Data Gathering - Online (cont.) • CX.EXE – CX /T /A /R will dump the complete tree if the default rights are still set. This gives a complete list of account names.
Data Gathering - Online (cont.) • NLIST.EXE – NLIST USER /D will list a ton of info regarding valid accounts. – NLIST GROUPS /D will list group names, descriptions and members. – NLIST SERVER /D will list servers and OS versions, and if attached will state whether accounting is active.
Data Gathering - Online (cont.) • NLIST.EXE – NLIST with the /OT option will list object information. For example NLIST /OT=* /DYN /D will list information on all readable objects, including dynamic objects, names of NDS trees, etc.
Intrusion Techniques • LOGIN – Attach directly to the server. • MAP, ATTACH – Attach indirectly to the server, although a user name and password are still required. • Once logged in, re-run the CX.EXE and NLIST.EXE commands.
Intrusion Techniques (cont. ) • Bindery-based Tools – NWPCRACK – KNOCK – Intruder from Pandora • Additional Tools – Onsite – Sniffers
NDS’s Hidden User - Supervisor • On all Netware 4.x and 5.x servers. – First object built in NDS during Netware server installation. – Initial password is the same as the initial Admin password. • Full access to the server’s file system. – Read/write access to every subdirectory.
Invading Supervisor • Brute Force Attacks – KNOCK, NWPCRACK will attack brute force against a bindery account. • Dictionary Attack – Pandora’s Intruder will dictionary attack using “stealth” methods.
Console Attacks • Monitor Lock Bypass • Other “Debugger” Attacks • Rogue NLMs – Setpwd – Setpass
Console Attacks (cont.) • Remote Console – Password is “decrypted” in server RAM. – Trivial to decrypt if the NCF file is captured. – Rconsole sessions are in plaintext.
Console Attacks (cont.) • NCF Files – Batch files executed at the highest privilege. – Sometimes not in a secure directory. • NDS Files – Copying for offline analysis.
Pandora v3 • Command Line Utilities • Offline Password Cracking • Online Server Attacks • Denial of Service • Open Source Freeware • Developed with 100% Freeware
Pandora v4 • Offline Password Cracking • Online Server Attacks • Full GUI - “point, click, and attack” • Open Source Freeware • Developed with 100% Freeware • GUIs for Win 95/98/NT and X (Linux only)
Pandora v 4 Online • Denial of Service • Auto-gathering of Detailed System Information • User account “discovery” • Dictionary Password Attacks with Lockout Detection • Packet Signature Spoofing
Pandora v4 Offline • Complete Netware 4.x & 5.x Password Auditor • Dictionary and Brute Force Attacking • Will Read BACKUP.DS and DSREPAIR.DIB Files • Multi-threaded for Multiple Account Cracking
Anatomy of an Attack • Gather Info – CHKNULL, CX, NLIST, Onsite • Gain Initial Access – No/weak password on an account. – Dictionary/Brute force attack
Anatomy of an Attack (cont.) • Advanced Techniques – Onsite, sniffers, GameOver • Attack Supervisor Account – Intruder • Copy NDS Files – Offline cracking of passwords • Attack Additional Systems
Additional Items • IMP – Borrows from Pandora’s source code. – Fast and free password auditor.
Defensive Techniques • Latest Service Packs and Patches • Limited rights on [Public], [Root], and USER_TEMPLATE • Turn on Intruder Detection on each container (default is off) • Packet Signature Level 3 on server • Strong security policy
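The dictionary attack with lockout detection from the “Pandora v4 Online” slide and the Intruder Detection setting on this slide, shown together as an added example. This is Python written for this page, not Pandora’s, Intruder’s or Novell’s code, and it speaks no NCP: the “container” is a constructed in-memory model, its policy numbers (7 bad attempts, 30-minute reset interval, 15-minute lockout, detection off by default) are assumptions to check against the real container, and the account names, passwords and word list are constructed sample data.

```python
"""Lockout-aware dictionary attack against a simulated NetWare-style Intruder
Detection policy. Added example for this deck, not Pandora/Intruder/Novell code
and no NCP traffic: the target is an in-memory model, and the policy defaults
are assumptions to verify against the real container settings."""
from dataclasses import dataclass
from typing import List


@dataclass
class IntruderPolicy:
    enabled: bool = False            # assumed default: detection off
    max_bad_attempts: int = 7        # assumed default threshold
    reset_interval: int = 30 * 60    # seconds, assumed default
    lockout_duration: int = 15 * 60  # seconds, assumed default


@dataclass
class Account:
    name: str
    password: str
    bad_attempts: int = 0
    window_start: float = 0.0
    locked_until: float = 0.0


class SimulatedContainer:
    """Constructed model of one container's logins; `now` is a fake clock."""
    def __init__(self, accounts: List[Account], policy: IntruderPolicy):
        self.accounts = {a.name: a for a in accounts}
        self.policy, self.now = policy, 0.0

    def login(self, name: str, password: str) -> str:
        """Return 'ok', 'bad', 'locked' or 'nouser'."""
        acct, pol, now = self.accounts.get(name), self.policy, self.now
        if acct is None:
            return "nouser"
        if pol.enabled and acct.locked_until > now:
            return "locked"
        if password == acct.password:
            acct.bad_attempts = 0
            return "ok"
        if pol.enabled:
            if now - acct.window_start > pol.reset_interval:
                acct.bad_attempts, acct.window_start = 0, now  # new window
            acct.bad_attempts += 1
            if acct.bad_attempts >= pol.max_bad_attempts:
                acct.locked_until = now + pol.lockout_duration
                acct.bad_attempts = 0
        return "bad"


def naive_attack(target, user, wordlist):
    """Hammer one account through the whole list; returns (password, locked_out)."""
    for word in wordlist:
        result = target.login(user, word)
        if result == "ok":
            return word, False
        if result == "locked":
            return None, True
    return None, False


def stealth_attack(target, users, wordlist):
    """Spray guesses across accounts, stay one short of the lockout threshold per
    account per reset window, wait out the window between rounds. Returns
    (found, total_attempts, accounts_that_locked_anyway)."""
    pol = target.policy
    budget = max(1, pol.max_bad_attempts - 1)
    found, pos, attempts, lockouts = {}, {u: 0 for u in users}, 0, []
    while True:
        pending = [u for u in users if u not in found and pos[u] < len(wordlist)]
        if not pending:
            return found, attempts, lockouts
        for user in pending:
            for word in wordlist[pos[user]:pos[user] + budget]:
                pos[user] += 1
                attempts += 1
                result = target.login(user, word)
                if result == "ok":
                    found[user] = word
                    break
                if result == "locked":      # policy tighter than assumed
                    lockouts.append(user)
                    pos[user] = len(wordlist)
                    break
        target.now += pol.reset_interval + 1  # simulate waiting out the window


# Constructed sample: names as CX/NLIST would list them; list opens with the
# empty password CHKNULL checks for.
WORDLIST = ["", "password", "novell", "netware", "supervisor", "admin",
            "secret", "letmein", "welcome", "server1"]


def sample_container(policy):
    return SimulatedContainer([Account("GUEST", ""), Account("JSMITH", "novell"),
                               Account("ADMIN", "c0mpl3x!")], policy)


def demo():
    strict = IntruderPolicy(enabled=True)
    _, naive_locked = naive_attack(sample_container(strict), "ADMIN", WORDLIST)
    _, lax_locked = naive_attack(sample_container(IntruderPolicy()), "ADMIN", WORDLIST)
    found, attempts, lockouts = stealth_attack(
        sample_container(strict), ["GUEST", "JSMITH", "ADMIN"], WORDLIST)
    return {"naive_locked": naive_locked, "lax_locked": lax_locked,
            "found": found, "stealth_attempts": attempts, "stealth_lockouts": lockouts}
```

Running `demo()` shows the two sides of the slide: with detection left off (the assumed default) the naive loop against ADMIN is never interrupted, with it on the same loop is locked out on the eighth try, while the spraying loop recovers the empty GUEST password and JSMITH’s dictionary word in 14 attempts with no lockout because it never exceeds six bad attempts per account per window.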
Defensive Techniques (cont. ) • Checking for backdoors • Logging & Auditing
Questions • Q&A