In this module we will be looking at the security concerns one must address in the context of Novell Netware. At the time of writing this document, the newest version is 6.5. However, we address hacking Novell NetWare from its earlier versions such as version 4. The idea behind including the legacy versions is to give the reader a wide perspective of how Netware has evolved. In this module we will cover:
Common Accounts and passwords
Accessing password files
Password crackers
Netware hacking tools - Chknull, NOVELBFH, NWPCRACK, Bindery, BlnCrack, SETPWD.NLM, Kock, userdump, Burglar, Getit, Spooflog, Gobbler, Novelffs, Pandora
Object Model
Access Control Lists
Rights
Levels of Access
Packet Signature
Before we discuss attack methodologies, we will briefly visit the NetWare architecture. It must be remembered that NetWare Directory Services was the "inspiration" behind Microsoft's Active Directory Services. We will give a simplified view of the object model, explain trustees and rights, and discuss items such as Packet Signature and the levels of access.
Note | Object Model: All parts of the overall NetWare system are objects. Each of these objects can be treated as an individual item, and objects can be grouped together for easier administration. |
Note | Access Control List: Each object in the security model has an Access Control List, or ACL. This defines what level of access is required to access the object. Objects can have rights assigned to help determine what other objects they can access. The rights assigned to each object are fairly granular, and can allow various levels of reading and modification. |
Note | Rights: Objects are clustered together in an overall hierarchy. There are parent and child relationships between objects. When a new object is created, it receives a "default" set of access controls. These are inherited from the parent. To prevent excessive rights from being inherited farther down the chain, there are "inherited rights filters" which help control the flow of inherited rights. At the file system level are trustee rights. These are rights assigned which determine an object's ability to access a file or directory. |
Note | Access Levels: There are a total of five different levels of access that can be logically defined from the security model - not logged in, logged in, supervisory access, administrative access, and console access. |
Note | Packet Signature: Another feature of NetWare is the packet signature. Packet Signature is an interesting idea in itself, as it means that all packets moving in and out of the server are cryptographically signed to prevent forgery. It should be noted that Packet Signature does not encrypt any data; it adds security by using a digital signature, not by encryption. |
There are 4 levels of Packet Signature: 0 - No packet signature; 1 - No packet signature unless explicitly asked; 2 - Packet signature present unless explicitly asked not to; and 3 - Communication using packet signature only.
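The following is an added example, not code from the original module: a small Python model of how the four signature levels above combine when a client and a server negotiate a connection. The level meanings are the ones listed in the text; the combination rule (a level 0 and a level 3 peer cannot talk, two level 1 peers stay unsigned, anything else involving a 0 is unsigned, and every other pairing is signed) is assumed here as Novell's documented matrix. The workstation inventory is constructed.

```python
# Added example: NetWare packet signature level negotiation (not part of the module).

SIGNATURE_LEVELS = {
    0: "no packet signature",
    1: "no packet signature unless explicitly asked",
    2: "packet signature present unless explicitly asked not to",
    3: "communication using packet signature only",
}


def negotiate_signing(client_level, server_level):
    """Return 'signed', 'unsigned' or 'refused' for a client/server level pair.

    The matrix applied here is assumed to be Novell's documented one:
    0 vs 3 cannot connect, 1 vs 1 stays unsigned, any other pair with a 0
    is unsigned, everything else is signed.
    """
    for lvl in (client_level, server_level):
        if lvl not in SIGNATURE_LEVELS:
            raise ValueError(f"invalid packet signature level: {lvl}")
    pair = {client_level, server_level}
    if 0 in pair and 3 in pair:
        return "refused"        # one side never signs, the other insists on it
    if 0 in pair:
        return "unsigned"       # the level 0 side never signs
    if client_level == 1 and server_level == 1:
        return "unsigned"       # neither side asks, neither side insists
    return "signed"


def audit_clients(server_level, client_levels):
    """Report, per workstation, how it would talk to a server at `server_level`.

    `client_levels` maps workstation name -> configured signature level.
    """
    return {host: negotiate_signing(lvl, server_level)
            for host, lvl in client_levels.items()}


# Constructed inventory for the demonstration, not real hosts.
SAMPLE_INVENTORY = {"ws-legacy": 0, "ws-default": 1, "ws-hardened": 3}

if __name__ == "__main__":
    for server_lvl in range(4):
        print(f"server level {server_lvl}:", audit_clients(server_lvl, SAMPLE_INVENTORY))
```

Running the block shows why a server left at level 1 leaves default-configured workstations unsigned, while raising the server to level 2 signs traffic with every workstation except those pinned at 0, and level 3 refuses them outright.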
Now that we have covered the basics of Novell Netware, we can go into the details of security and hacking.
Server Settings
Supervisor Account
Default Rights
RCONSOLE security concerns
Server Commands and Settings
First and foremost, Netware raises security concerns if it has been installed using the default settings. The first concern is physical security. This is because NetWare server, by design, does not offer much in the way of protection as there is no means of auditing events done at the console. Moreover, NetWare servers start and run without accounts. Therefore it is appropriate to state that NetWare server security depends on physical security of the server. Obviously the server itself should be locked up, but in the event of someone gaining access to the console it is advisable to severely limit access to what they can do once at the console. The screen saver in NetWare 5 provides some measure of protection since it requires NDS authentication.
Note | Supervisor Account: On the server, the default setting will include the Supervisor account. Since NetWare 3.x, the supervisor account has been kept as a default account on NetWare for legacy support or backward compatibility. The supervisor account is a special user designed for programs and clients that need bindery-based complete access to all the volumes, directories, and files on the file server. This account is a fully privileged user in NetWare 2.x or 3.x. In NetWare 4.x and later, however, it is limited in its privileges. |
Threat | The security concern arises out of the fact that the supervisor account password is the same as the first password for the Admin user until it is changed using a bindery administration utility. The password holds good even after the Admin password has been changed causing many administrators to falsely believe that the default password has been changed. On some systems, the supervisor user may have a "default" initial password used for the Admin account such as "netware." |
As we have seen, in NetWare all components are objects, and the supervisor object in the NetWare tree is invisible to the standard NDS (non-bindery) utilities. Therefore, if this account is searched for using NDS utilities such as NWADMIN.EXE or NLIST.EXE, it does not appear. However, if a bindery-based utility such as SYSCON.EXE is used, the account is detected.
Attack Methods | If an attacker has access to the system, he can try SUPE.EXE, KNOCK.EXE or other NetWare Supervisor password cracking utilities to extract the supervisor password. On retrieving the password, the attacker can launch a denial of service attack by running an old NetWare bindery utility such as FCONSOLE.EXE and using the "Down File Server Request" to down any server, including remote servers. |
The countermeasure is to disable the account if it is not needed. If it is required, ensure that the password is changed by logging in as supervisor and using the SETPASS.EXE DOS command or the bindery-based SYSCON.EXE to set the password.
Note | RCONSOLE: Another security concern is the default setting when it comes to using the DOS utility RCONSOLE (remote console). NetWare servers come with REMOTE.NLM, which can be loaded with a password at the server console, or from a start-up file, allowing remote access to the server from client workstations. REMOTE.NLM enables the use of RCONSOLE to remotely access the server console from a workstation. During setup, this is given a fairly easy password. Typically, an administrator loads REMOTE.NLM at the server console and enters a password, as required by REMOTE.NLM. |
When RCONSOLE is launched from the client side, it prompts for a password and then sends a hash of that password to the server for authentication. For RCONSOLE to be enabled, the RCONSOLE password hash must match the REMOTE password hash stored in memory at the server.
Threat | The security concern arises from the nature of RCONSOLE, which like the server console, does not use NDS accounts for accountability. Due to this flaw in design, RCONSOLE cannot enforce access level control or limit console level commands or applications. Therefore, it becomes difficult to monitor remote server activity. |
Attack Methods | MITM and Brute Force Cracking: An attacker who has access to the network can sniff a valid RCONSOLE session and initiate a man-in-the-middle attack by sending one or more packets with the correct hash, host IPX address and NCP sequence number. This may have been patched in versions later than 5.x. It goes without saying that possession of the RCONSOLE password grants the attacker complete control of the given server, similar to being physically present at the server console. Protecting the RCONSOLE password, therefore, is vital in securing NetWare. The attacker has a greater chance of guessing the password as RCONSOLE has no lockout. Moreover, there are predictable delays in remote console authentication, which makes it easier for the attacker to launch a brute force attack. While failed RCONSOLE attempts are logged, other approaches such as using XCONSOLE avoid effective logging. The attacker thus takes advantage of the intrusion detection gap. |
Note | Rights: There are eight Rights on NetWare. Let us briefly take a look at these. |
By default, NetWare users receive the following file system rights: All users have RWCEMFA (all possible rights except Supervisor) to their own home directories, which are created along with the NDS User objects. Users in the same container as the SYS Volume object receive RF (Read and File Scan) rights to volume SYS so they can log in.
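The following is an added example, not code from the original module or from Novell: a Python model of how the file system rights named above (RWCEMFA, plus S for Supervisor) flow down a directory tree through the inherited rights filters described in the architecture section. The rules modelled are assumptions about NetWare's behaviour stated in the comments: an explicit trustee assignment on a directory replaces what that trustee would otherwise inherit there, inherited rights are masked by the directory's IRF, and the Supervisor right cannot be filtered out. The directory tree, trustees and assignments are constructed for the demonstration.

```python
# Added example: effective NetWare file system rights through IRFs (not part of the module).

RIGHTS = "SRWCEMFA"  # Supervisor Read Write Create Erase Modify File-scan Access-control


def parse_rights(s):
    """Turn a rights string such as 'RF' into a set of right letters."""
    s = s.upper()
    unknown = set(s) - set(RIGHTS)
    if unknown:
        raise ValueError("unknown right(s): " + "".join(sorted(unknown)))
    return frozenset(s)


def fmt_rights(rights):
    """Render a set of rights in the conventional SRWCEMFA order."""
    return "".join(r for r in RIGHTS if r in rights)


def ancestors(path):
    """'SYS:HOME\\ALICE' -> ['SYS:', 'SYS:HOME', 'SYS:HOME\\ALICE']."""
    vol, _, rest = path.partition(":")
    acc = vol.upper() + ":"
    chain = [acc]
    for part in [p for p in rest.split("\\") if p]:
        acc = acc + part.upper() if acc.endswith(":") else acc + "\\" + part.upper()
        chain.append(acc)
    return chain


def effective_rights(trustee, path, assignments, irfs):
    """Effective rights of `trustee` at `path`.

    assignments: {(directory, trustee): rights string}, explicit trustee assignments
    irfs:        {directory: rights string}, the rights the IRF lets through
                 (a directory with no entry passes everything)
    Assumed rules: explicit assignment replaces inheritance at that directory,
    the IRF masks inherited rights, and Supervisor is never filtered.
    """
    current = frozenset()
    for here in ancestors(path):
        irf = parse_rights(irfs.get(here, RIGHTS))
        inherited = frozenset(r for r in current if r in irf or r == "S")
        explicit = assignments.get((here, trustee))
        current = parse_rights(explicit) if explicit is not None else inherited
    # Supervisor grants every right below it
    return frozenset(RIGHTS) if "S" in current else current


def find_excess(trustee, paths, assignments, irfs, baseline="RF"):
    """Directories where `trustee` holds more than `baseline` (default: the
    Read and File Scan rights an ordinary user needs in order to log in)."""
    allowed = parse_rights(baseline)
    excess = {}
    for p in paths:
        extra = effective_rights(trustee, p, assignments, irfs) - allowed
        if extra:
            excess[p] = fmt_rights(extra)
    return excess


# Constructed tree: GUEST has RF at the volume root, the SYS:SYSTEM IRF lets only
# S pass, ALICE owns her home directory, ADMIN holds S at the root, and GUEST has
# been given a sloppy extra Write right on SYS:PUBLIC that the audit should catch.
ASSIGNMENTS = {
    ("SYS:", "GUEST"): "RF",
    ("SYS:", "ADMIN"): "S",
    ("SYS:HOME\\ALICE", "ALICE"): "RWCEMFA",
    ("SYS:PUBLIC", "GUEST"): "RWF",
}
IRFS = {"SYS:SYSTEM": "S"}
PATHS = ["SYS:", "SYS:PUBLIC", "SYS:SYSTEM", "SYS:HOME\\ALICE\\DOCS"]

if __name__ == "__main__":
    for user in ("GUEST", "ALICE", "ADMIN"):
        for p in PATHS:
            print(f"{user:6} {p:24} {fmt_rights(effective_rights(user, p, ASSIGNMENTS, IRFS))}")
    print("excess rights for GUEST:", find_excess("GUEST", PATHS, ASSIGNMENTS, IRFS))
```

The `find_excess` check is the part a defender would run against a real trustee listing: every directory where a general-purpose account ends up with more than RF is a candidate for the default-rights problems discussed in the rest of this module.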
Note | Server SET COMMAND and Default Settings: Netware servers come with default settings that must be configured to ensure adequate security. Let us take a look at some of these settings. Typing SET at the NetWare console prompt gives a list of the various categories of SET commands available. |
Note | Communications SET Commands |
Note | Memory SET Commands |
Note | File System SET Commands |
Note | NCP SET Commands |
Note | Miscellaneous SET Commands |
Any limited account should have enough access to allow you to run SYSCON, located in the SYS:PUBLIC directory.
If you get in, type SYSCON and enter. Now go to User Information and you will see all defined accounts.
You will not get much info with a limited account, but you can get the account and the user's full name.
If you are in with any valid account, you can run USERLST.EXE and get a list of all valid account names on the server.
By default NetWare keeps rights to certain areas away from the general user/group. However, there are two default users, anonymous and guest, that have rights automatically to the \public and \etc system directories. These users are created without a password so the first security setting with regard to users is to assign a password to both users; disable the accounts; strip them of all rights to the \etc directory; or all of the above.
Threat | In NetWare 4.x, any limited account can give an attacker access to run SYSCON, located in the SYS:PUBLIC directory. Once he is able to get in, he can go to User Information and list all defined accounts - the account and the user's full name. If he has a valid account, he can run USERLST.EXE and get a list of all valid account names on the server. |
Another possibility is to use a local copy of MAP.EXE and try to map a drive using the server name and volume SYS:. Password guessing can be done to uncover a valid account. The same can be done with ATTACH.EXE as well.
CHKNULL shows you every account with no password and you do not have to be logged in. For this to work bindery emulation must be on.
Attack Methods | Typically, before an attacker gets to use CHKNULL, he will try his hand at other options, especially if he has command line access to the server (maybe through a backdoor). He will use the CX and NDIR commands without logging in to retrieve valuable information. Both CX and NDIR are Novell utilities that will take advantage of the default NDS settings on the tree. |
Used with the CX /T /A /R options the query will dump the complete tree if the default rights are still set. This will give a complete list of account names, as well as the tree hierarchy. Similarly, the attacker can also use NLIST to obtain valuable information.
NLIST USER /D will dump a lot of account information; NLIST GROUPS /D will list group names, their members, and the description field for the group; NLIST SERVER /D will list the servers along with version information, and if he is attached to that server it will tell if accounting is active. NLIST with /OT will list detailed information regarding NDS objects. Using NLIST /OT=* /DYN /D will list everything in NDS that is readable by default.
Tools | CHKNULL is usually run after CX and NLIST since the attacker has now gained a fair assessment as to which accounts or which sections of the tree are good target areas. CHKNULL is a good example of a hacker tool that uses bindery calls against an NDS server. Running CHKNULL with no options will list all accounts in the current context that have no password, and it can also check all accounts in the current context with a single password (such as "password"). |
Typically this will yield at least one account that can be used to log in, especially in larger organizations. Once logged in with the account, running the CX and NLIST commands again will help retrieve even more information.
In Windows environments, using Network Neighborhood and the Novell-supplied Onsite will yield valuable information. Onsite is capable of providing as much information and more as CX and NLIST, including detailed information on volumes, free space, etc. Using Onsite and CHKNULL together will help uncover a weakly protected account.
Written by Itsme, CHKNULL has several parameters which can be used to extend its functionality:
Usage: chknull [-p] [-n] [-v] [ wordlist ]
-p = check username as password
-n = don't check null password
-v = verbose output
It can also check specified words on the command line as passwords.
In 4.1 CHKNULL shows every account with no password and the attacker does not have to be logged in. For this to work bindery emulation must be on.
Access to the password file in the Netware is not like Unix - the password file is not in the open. All objects and their properties are kept in the bindery files on the 3.x, and kept in the NDS database in the 4.x.
The bindery file attributes (or Flags) in 3.x are hidden and System, and these files are located on the SYS: volume in the SYSTEM subdirectory.
3.x - NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS
The NET$BVAL.SYS and NET$VAL.SYS files are where the passwords are actually located in 2.x and 3.x respectively.
In NetWare 4.x, the files are physically located in a different location on the SYS: volume.
By using the RCONSOLE utility and its Scan Directory option, you can see the files in SYS:_NETWARE.
There is another way to view these files and potentially edit them. After installing NW4 on a NW3 volume, reboot the server with 3.x SERVER.EXE
On volume SYS these will be in the _NETWARE directory. SYS:_NETWARE is hidden better on 4.1 than on 4.0x, but in 4.1 you can still see the files by scanning the directory entry numbers using NCP calls (you need the APIs for this), using function 0x17 sub-function 0xF3.
All objects and their properties are kept in the bindery files on 2.x and 3.x, and kept in the NDS database in 4.x. An example of an object might be a printer, a group, an individual's account etc. An example of an object's properties might include an account's password or full user name, or a group's member list or full name. The bindery file attributes (or flags) in 2.x and 3.x are Hidden and System, and these files are located on the SYS: volume in the SYSTEM subdirectory. Their names are as follows:
Netware version | File Names |
---|---|
2.x | NET$BIND.SYS NET$BVAL.SYS |
3.x | NET$OBJ.SYS NET$PROP.SYS NET$VAL.SYS |
The NET$BVAL.SYS and NET$VAL.SYS files are where the passwords are actually located in 2.x and 3.x respectively.
In NetWare 4.x, the files are located in a different location on the sys: volume. It is a hidden directory called _netware. In this directory are located the nds files, license files, and a number of other system- related files such as login scripts and auditing files.
The _netware directory will be on volume sys. Sys:_netware is hidden better on 4.1 than on 4.0x, but in pre-410pt3 patched 4.1 one can still see the files by scanning directory entry numbers using ncp calls. Using jcmd.nlm, it is possible to access sys:_netware. To access this directory an attacker can try using netbasic.nlm and, if successful, can actually copy the nds files to a directory they can access such as sys:public.
With regard to password, a Novell proprietary algorithm takes the password, and produces a 16 byte hash. This algorithm is the same for versions 3.x and 4.x of netware. The algorithm is also inside the login.exe file used by the client when logging in. The 16 byte hash is stored within the bindery files in Netware 3.x and NDS in Netware 4.x. Since the object ID is used in the algorithm, it adds the equivalent of a salt.
Threat | However, these protections are weakened: both the object ID and the password length are stored with the hash, and lower case letters are converted to upper case before the hash is generated. Password crackers can therefore brute force a little more easily, since they can skip lower case letters and concentrate on a single password length. |
Because of the complexity of the algorithm, using it the way it was designed makes it slow for cracking, especially by brute force.
Novelbfh is a brute-force password cracker which works on NetWare 3.x versions.
NWPCRACK is a password cracker that works against a single account and uses a dictionary wordlist.
Tools | NOVELBFH, Novell Brute Force Hacker, is a program written by DGE Alofs in Holland. It is a menu driven program that attempts to crack accounts by using the verify password function and trying various guesses for password. |
The password checking is done using the unencrypted password call, so this program can be rendered useless on NetWare 3 by disabling the unencrypted password call at the server (this is the default).
Tools | NWPCRACK is a brute-force password cracker for cracking passwords on the Novell platform. This utility is best used from a remote location, working on passwords over long periods of time. As the author points out, there is a period of delay between password attempts and thus, brute forcing could take some time. This utility would probably work best if the cracker were attacking a network that he knew something about. |
Countermeasure | Use strong passwords. If the server has been upgraded, check the AUTOEXEC.NCF file for the unencrypted passwords setting. If unencrypted passwords are allowed, passwords can be sent over the wire in clear text for legacy support. To disable this, use the SET command at the server console: SET allow unencrypted passwords = OFF |
Bindery.exe is a password cracker that works directly against the .OLD bindery files.
This tool extracts user information out of bindery files into a Unix-style password text file.
Then you can use BINCRACK.EXE to "crack" the extracted text file.
Tools | BINDERY.EXE accesses the bindery and extracts the cipher resulting from the NetWare one-way encryption feature. BINDERY.EXE outputs a text file containing the encrypted password and the USER ID. This text file can be cracked by BINDERY.EXE's companion, BINCRACK.EXE, using a dictionary file. |
With powerful CPUs, multiple CPUs, and distributed processing networks, BINCRACK.EXE can make short work of the task of delivering passwords.
An intruder must have first gained supervisor equivalency in order to attack the bindery files. There is a way around this. A clever hacker might copy the old files produced every time BINDFIX runs. As system administrator you must guard against this by ensuring that the proper rights are set for the SYS: SYSTEM directory.
Countermeasure | A bindery context setting is used to emulate the bindery database of the earlier NetWare versions. This bindery emulation makes the server vulnerable and should be removed. In the AUTOEXEC.NCF file, check the status of the SET BINDERY CONTEXT command line. |
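The following is an added example, not code from the original module or from Novell: a Python auditor for the three start-up file settings this section calls out, namely the unencrypted passwords setting (the countermeasure above NWPCRACK), the SET BINDERY CONTEXT line (the countermeasure just given), and REMOTE.NLM being loaded with its RCONSOLE password on the LOAD line of a start-up file (the RCONSOLE note earlier). The two AUTOEXEC.NCF files it parses are constructed samples; the treatment of a leading dash as an option rather than a password is an assumption.

```python
# Added example: audit weak settings in a NetWare AUTOEXEC.NCF (not part of the module).
import re

SAMPLE_AUTOEXEC_NCF = """\
; constructed sample, not a real server configuration
FILE SERVER NAME = FS1-EXAMPLE
IPX INTERNAL NET = 0000ABCD
SET TIME ZONE = EST5EDT
SET ALLOW UNENCRYPTED PASSWORDS = ON
SET BINDERY CONTEXT = .O=EXAMPLE
LOAD REMOTE notsecret
LOAD RSPX
"""

HARDENED_AUTOEXEC_NCF = """\
; constructed sample with the weak settings corrected
FILE SERVER NAME = FS1-EXAMPLE
IPX INTERNAL NET = 0000ABCD
SET TIME ZONE = EST5EDT
SET ALLOW UNENCRYPTED PASSWORDS = OFF
"""

SET_RE = re.compile(r"^\s*SET\s+(.+?)\s*=\s*(.+?)\s*$", re.IGNORECASE)
LOAD_RE = re.compile(r"^\s*LOAD\s+(\S+)(?:\s+(.*))?\s*$", re.IGNORECASE)


def parse_ncf(text):
    """Return ({SET parameter: value}, [(module, [args])]) from .NCF text."""
    settings, loads = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        m = SET_RE.match(line)
        if m:
            settings[m.group(1).upper()] = m.group(2).upper()
            continue
        m = LOAD_RE.match(line)
        if m:
            loads.append((m.group(1).upper(), (m.group(2) or "").split()))
    return settings, loads


def module_name(spec):
    """'SYS:SYSTEM\\REMOTE.NLM' -> 'REMOTE'."""
    name = spec.replace("/", "\\").split("\\")[-1]
    return name[:-4] if name.endswith(".NLM") else name


def audit_ncf(text):
    """List the weak settings found in the given AUTOEXEC.NCF text."""
    settings, loads = parse_ncf(text)
    findings = []
    if settings.get("ALLOW UNENCRYPTED PASSWORDS") == "ON":
        findings.append("ALLOW UNENCRYPTED PASSWORDS = ON: clear-text passwords "
                        "accepted on the wire; set it to OFF")
    if "BINDERY CONTEXT" in settings:
        findings.append("BINDERY CONTEXT = %s: bindery emulation is on, which "
                        "bindery-based tools rely on; remove it if not needed"
                        % settings["BINDERY CONTEXT"])
    for module, args in loads:
        # Assumption: a first argument without a leading '-' is the REMOTE password.
        if module_name(module) == "REMOTE" and args and not args[0].startswith("-"):
            findings.append("REMOTE.NLM loaded with its password on the LOAD line: "
                            "anyone who can read AUTOEXEC.NCF has the RCONSOLE password")
    return findings


if __name__ == "__main__":
    for f in audit_ncf(SAMPLE_AUTOEXEC_NCF):
        print("-", f)
    print("hardened file:", audit_ncf(HARDENED_AUTOEXEC_NCF) or "no findings")
```

Because the file is read as text, the same parser can be pointed at a copy pulled from SYS:SYSTEM during a review without touching the running server; the hardened sample shows the state the checker expects.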
If you have access to the console, either by standing in front of it or by RCONSOLE, you can use SETSPASS.NLM, SETSPWD.NLM or SETPWD.NLM to reset passwords.
Just load the NLM and pass it command line parameters:
How to Use SETPWD.NLM
You can load SETPWD at the console or via RCONSOLE. If you use RCONSOLE, use the Transfer File To Server option and put the file in SYS:SYSTEM.
For 3.x:
LOAD [path if not in SYS:SYSTEM] SETPWD [username] [newpassword]
For 4.x:
set bindery context = [context, e.g. hack.Corp.us]
LOAD [path if not in SYS:SYSTEM] SETPWD [username] [newpassword]
Tools | SETPWD.NLM decompresses into an NLM, a NetWare Loadable Module. SETPWD.NLM resets any user's password, including that of supervisor. |
Note | NetWare 6 does provide some policy settings that are intended to protect passwords. The settings provided are: password required, password length, password unique, expiration and grace login limit. This version also provides for intruder detection, in the form of lockout periods. A summary of these recommended settings are: |
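The following is an added example, not code from the original module or from Novell: a Python model of the intruder detection and lockout that the note above says NetWare 6 offers for NDS logins, run over a constructed sequence of login attempts. The policy values (three failures within 30 minutes, 15-minute lockout) are illustrative and not Novell's defaults, and the behaviour modelled (a correct password is refused while the account is locked; old failures age out after the reset interval) is an assumption stated in the comments. The contrast with RCONSOLE, which the attack note earlier says has no lockout, is the point.

```python
# Added example: NDS-style intruder detection with lockout (not part of the module).
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IntruderPolicy:
    incorrect_attempts: int = 3        # failures tolerated before lockout (illustrative)
    reset_interval_s: int = 30 * 60    # failures older than this are forgotten
    lockout_s: int = 15 * 60           # how long the account stays locked


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # times of recent failures
    locked_until: Optional[float] = None


class IntruderDetector:
    def __init__(self, policy: IntruderPolicy):
        self.policy = policy
        self.accounts = {}
        self.audit = []  # (time, user, outcome): the accountability trail RCONSOLE lacks

    def attempt(self, t, user, password_ok):
        """Process one login; returns 'success', 'failure', 'lockout' or 'locked'."""
        st = self.accounts.setdefault(user, AccountState())
        p = self.policy
        if st.locked_until is not None and t < st.locked_until:
            outcome = "locked"          # assumption: even a correct password is refused
        elif password_ok:
            st.failures.clear()
            st.locked_until = None
            outcome = "success"
        else:
            # keep only failures inside the reset interval, then add this one
            st.failures = [f for f in st.failures if t - f < p.reset_interval_s] + [t]
            if len(st.failures) >= p.incorrect_attempts:
                st.locked_until = t + p.lockout_s
                st.failures.clear()
                outcome = "lockout"
            else:
                outcome = "failure"
        self.audit.append((t, user, outcome))
        return outcome


def run(attempts, policy=None):
    """Replay (time, user, password_ok) tuples and return the outcome of each."""
    det = IntruderDetector(policy or IntruderPolicy())
    return [det.attempt(t, u, ok) for t, u, ok in attempts]


# Constructed attempts: (seconds, user, password correct?)
SAMPLE_ATTEMPTS = [
    (0, "alice", False), (10, "alice", False), (20, "alice", False),
    (30, "alice", True),      # right password, but the account is locked
    (1000, "alice", True),    # the 900 s lockout has expired
    (0, "bob", False), (2000, "bob", False), (2010, "bob", False),  # first failure aged out
]

if __name__ == "__main__":
    for (t, u, _), outcome in zip(SAMPLE_ATTEMPTS, run(SAMPLE_ATTEMPTS)):
        print(f"t={t:5}s {u:6} {outcome}")
```

Replaying the sample shows the two properties a guessing attack runs into on an NDS login and not on RCONSOLE: the third failure locks the account, and the lock holds even for the correct password until the lockout period passes; bob's spaced-out failures never reach the threshold because the first one has aged out of the reset interval.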
Another design feature is the elimination of the additional client required by older versions for a workstation to access the server. Netware 6 comes with Native File Access Protocols (NFAP) implemented. This allows Macintosh, Windows and UNIX clients to access Netware server file systems without requiring additional client software. However, as Windows and Mac native protocols cannot use the NDS passwords, the clients using this software have their password stored in the NDS by NMAS (Novell Modular Authentication Services). To ensure security, both the NDS password and the simple password must be set when creating users. As long as the passwords are in a synchronized state, the user is able to change their own password.
Hacking Tool: Kock
For NetWare 3.11, exploits a bug in NetWare attach to log in without a password.
Hacking Tool: userdump
UserDump simply lists all users in the Bindery. Works for Netware 3.x and 4.x (in Bindery Mode)
Hacking Tool: NWL
Replacement LOGIN.EXE for Novell NetWare. Run PROP.EXE from a Supervisor account to create a new property.
Replace existing LOGIN.EXE in SYS:LOGIN.
Each time a user logs in, the text is stored in the new property. Use PROP.EXE to retrieve captured logins.
Tools | Kock: For NetWare 3.11; exploits a bug in NetWare attach to log in without a password. |
Tools | UserDump: Simply lists all users in the Bindery. Works for NetWare 3.x and 4.x (in Bindery Mode). |
Tools | NWL: A replacement LOGIN.EXE for Novell NetWare. Run PROP.EXE from a Supervisor account to create a new property. Replace the existing LOGIN.EXE in SYS:LOGIN. The version of LOGIN.EXE that shipped with 4.0 had a flaw whereby, under the right conditions, the account and password could be written to a swap file created by LOGIN.EXE. Once this has occurred, the file can be undeleted and the account and password retrieved in plain text. Each time a user logs in, the text is stored in the new property. Use PROP.EXE to retrieve captured logins. |
Getit is a hacking tool designed to capture passwords on a Novell network.
This tool is triggered by an instance of the LOGIN.EXE application used in Novell to authenticate and begin a login session on a workstation.
It works directly at the operating system level, intercepting calls. It's probably the most well known NetWare hacking tool ever created.
Tools | Reportedly written by students at George Washington High School in Denver, Colorado, Getit is designed to capture passwords on a Novell network. The program was written in assembly language and is therefore quite small. |
This tool is triggered by any instance of the LOGIN.EXE application used in Novell to authenticate and begin a login session on a workstation. Technically, because of the way Getit works, it can be marginally qualified as a sniffer. It works directly at the operating system level by intercepting (and triggering on) calls. It's probably the most well known NetWare hacking tool ever created.
Getit is a TSR (Terminate and Stay Resident) program and takes advantage of weaknesses in the security at the boot phase. The (hidden) program is copied onto the boot disk and a line that executes it is inserted into the regular flow of the AUTOEXEC.BAT file. The TSR remains in the background and the boot process continues. Visual signs of the break-in are imperceptible.
As soon as a program named LOGIN is executed, the TSR starts and records all the keystroke action into a hidden file on the boot disk. The attacker can later return to check if the hack has been successful.
Getit uses the same "hook" that the Novell shell does - capturing the centralized portal to DOS at interrupt 21h. It then intercepts all function calls. Specifically, it checks for the EXECute file function call and the "terminate" interrupt. Whenever an EXEC call is made with the filename LOGIN, the program records keystrokes until the program terminates. Note that the above technique requires the program to be loaded after the NetWare shell.
It can only be used where an individual has physical access to the NetWare File server.
The utility is usually stored on a floppy disk. The attacker sometimes has to reboot the server.
SetPass is a loadable module designed to give the user supervisor status.
This module also requires physical access to the machine.
Tools | Burglar is a somewhat dubious utility. It can only be used where an individual has physical access to the NetWare file server. It is an NLM, or a loadable module. Most of Novell NetWare's programs executed at the server are loadable modules. This includes everything from the system monitor to simple applications such as editors. |
The utility is usually stored on a floppy disk. The attacker sometimes has to reboot the server. Provided that the attacker can reach the Novell server prompt without encountering any password-protected programs along the way, the utility is then loaded into memory. This results in the establishment of an account with supervisor privileges.
Burglar.nlm is a Novell Loadable Module. If it is executed on the server it will create an account with supervisor privileges. The attack methodology goes like this.
The program is copied to a floppy diskette.
It is then loaded on to the server.
The attacker waits till the : prompt is obtained.
At the : prompt the load command is issued. Example: "load a:\burglar.nlm super2".
The diskette is taken out and the server rebooted to erase evidence of the program. The log file is later deleted.
Another loadable module, SetPass, is designed to give the user supervisor status. This module also requires physical access to the machine. Basically, it is a variation of Burglar. It will also send a broadcast message to all users, so keep this in mind when it's run.
Tools | SETPASS. Purpose: Use at a workstation to change a user's password. Syntax: SYS:PUBLIC\SETPASS.EXE [servername/] [username] [/? | /VER] |
Parameter | Use to |
---|---|
(no parameter) | Change your password on the network. |
servername/ | Replace with the name of the server where you want to change the user's password. |
username | Replace with the name of the user whose password you want to change. |
/? | View online help. All other parameters are ignored when /? is used. |
/VER | View the version number of the utility and the list of files it uses to execute. All other parameters are ignored when /VER is used. |
Examples
To change your password on the network, type
SETPASS
To change user John's password (if you have rights), type
SETPASS JOHN
To change user Bob's password on server PROD, type
SETPASS PROD/BOB
To change a user password on server CONSOLE, type
SETPASS CONSOLE/
http://www.gregmiller.net/novell.html
Spooflog is a program, written in C, by Greg Miller, that can spoof a workstation into believing that it is communicating with the server.
This is a fairly advanced exploit.
Novelffs creates a fake file server. It was written by Donar G E Alofs
Needs rebooting after work is done.
Note | Spoofing is the act of using one machine to impersonate another by forging the other's "identity" or address. There are different forms of spoofing. We have discussed spoofing at length in the preceding modules at various points. Here, the consideration is hardware address spoofing. |
Spoofing in the NetWare environment is not impossible; it is just difficult. In version 4.x and below, this exploit is a possibility. The NET.CFG file contains parameters that are loaded on boot and connection to the network. Options include the number of buffers, which protocols are to be bound to the card, the port number, MDA values, and, of course, the node address.
The popular way to spoof is by altering the address in the NODE field in the NET.CFG file. In an attack scenario, the attacker assigns the node an address belonging to another workstation. In order for this type of attack to work, many variables must be just right. For example, if there are any network interfaces between the attacker and the target, this may not work.
Tools | Spooflog is a program, written in C by Greg Miller, that can spoof a workstation into believing that it is communicating with the server. This is a fairly advanced exploit. It is the classic man-in-the-middle attack which we have discussed in preceding modules. |
Tools | Written by donar ge alofs, novelffs is a program that simulates a Novell file server. The server will be visible for about 1 to 2 minutes. On some systems the server will be visible for as long as the program is running; if the computer is rebooted it will disappear after 1 to 2 minutes. The Ethernet address of the computer from which NOVELFFS is started is visible in the SLIST, so it is traceable. |
Gobbler is a hacking tool which 'sniffs' network traffic on Novell servers.
Note | "The Gobbler" is an Ethernet troubleshooter/protocol analyzer that can be operated from a remote central network management station. It features a packet capture program with extensive filtering capabilities for catching selected Ethernet packets and writing them to disk for later examination, and a dumpfile view and protocol analyzing program for examining the captured packets. "The Gobbler" is based on an event-driven multitasking operating system called the Network Packet Dispatcher, developed by the network performance group of the Delft University of Technology. |
"The Gobbler" consists in fact of two separate programs: a local "Gobbler" to be operated from the local network management station, and a remote "Gobbler" to be operated from a remote central network management station. Both "Gobblers" run on computers with a network device that supports promiscuous mode.
The local "Gobbler" is meant for use on a local network management station. It is therefore provided with a menu-driven user interface, but lacks a SNMP interface. It features two Dispatcher Application Programs: a packet capture program with extensive filtering capabilities for catching selected Ethernet packets and writing them to disk for later examination, and a dumpfile view and protocol analyzing program for examining the captured packets.
The packet capture program writes the packets that pass the filters to disk. The user can set the name of the output dumpfile and its maximum size, the maximum runtime of the program and the maximum number of packets that may be captured. A status window keeps the user informed about the selected dumpfile name, the current and maximum number of captured packets, the current and maximum dumpfile size , the current and maximum runtime, the number of selected filters and the total received and missed packets. It is also possible to open a window displaying the source and destination address and protocol type of the captured packets. The program stops automatically on exceeding one of the limits, but can also be stopped by the user.
The remote "Gobbler" is meant to be operated from a remote central network management station using SNMP. Its variables can therefore not be set from the local network management station, nor does it display its results on the local screen. It features five Dispatcher Application Programs, a packet catcher with filtering capabilities, and four others to make the control by SNMP and the transfer of the dumpfile from the local station to the remote station possible. The dumpfile viewer in this case is a separate program to be run on the remote station itself, not on the local station.
Pandora is a set of tools for hacking, intruding and testing the security and insecurity of Novell Netware 4.x and 5.x. Pandora consists of two distinct sets of programs - an "online" version and an "offline" version.
Features
Searches for target servers and grabs user accounts without logging in.
Multiple DoS attacks and dictionary attacks against user accounts.
Attaches to a server with password hashes extracted by the Offline program.
Improved spoofing and hijacking by using real-time sniffing. Silently 'reads' files as they are downloaded from server to client.
Pandora is a project that was developed by Simple Nomad and sponsored by the Nomad Mobile Research Centre. The goal of Pandora is to provide the tools for the opening of Novell's Netware Directory Services.
Tools | Pandora is a set of tools for hacking, intruding, and testing the security and insecurity of Novell NetWare. It works on versions 4 and 5. Pandora consists of two distinct sets of programs - an "online" version and an "offline" version. Pandora Online is intended to be used for direct attack against live NetWare 4 or 5 servers. Pandora Offline is intended to be used for password cracking after you have obtained copies of NDS. |
Attack Methods | A typical attack goes as follows: |
The best protection against this type of attack is establishing and enforcing a strong password policy.
Control physical access to servers.
Remote management tools like RCONSOLE over SPX, or RCONJ over TCP/IP, should not be used.
In a NetWare 5.x environment, the screen saver also gives good protection, because the screen saver requires the NDS username and password of a user with supervisor rights to the server to log in.
Countermeasure | Defense against Pandora includes the following measures: |
All parts of the overall NetWare system are objects. Each object in the security model has an Access Control List, or ACL. Objects are clustered together in an overall hierarchy. There are a total of five different levels of access that can be logically defined from the security model - not logged in, logged in, supervisory access, administrative access, and console access.
A NetWare server (4.x and earlier) by design does not offer much in the way of protection, as there is no means of auditing events done at the console. This is a physical security concern.
There is a security concern as the supervisor account password is the same as the first password for the Admin user until it is changed using a bindery administration utility.
Similar concerns in Novell are exploited by vigilant attackers.
Novell password cracking tools can provide attackers with room for further actions.