Module Objectives

Object Model: All parts of the overall NetWare system are objects. Each of these objects can be treated as an individual item, and objects can be grouped together for easier administration.

Access Control List: Each object in the security model has an Access Control List, or ACL. This defines what level of access is required to access the object. Objects can have rights assigned to help determine what other objects they can access. The rights assigned to each object are fairly granular, and can allow various levels of reading and modification.

Rights: Objects are clustered together in an overall hierarchy. There are parent and child relationships between objects. When a new object is created, it receives a "default" set of access controls. These are inherited from the parent. To prevent excessive rights from being inherited farther down the chain, there are "inherited rights filters" which help control the flow of inherited rights. At the file system level are trustee rights. These are rights assigned which determine an object's ability to access a file or directory.

Access Levels

There are a total of five different levels of access that can be logically defined from the security model - not logged in, logged in, supervisory access, administrative access, and console access.

• Not logged in - If an object has Public read access, then the object can be read without authentication, assuming the object can be accessed.

• Logged in - If a user has authenticated, they will have additional access to objects. This additional access is typically basic minimal access to allow the user to use the system.

• Supervisory rights - If a user can administer another object, control and manipulate the object's properties, and/or assign rights to others for this object.

• Administrative rights - Overall control of the security model is considered administrative access. While it is possible to hide portions of the model, typically this level of access allows almost complete control.

• Console access - Access to the NetWare server's console is the highest level of access possible. While the controls are not as easy to use, console access can override all other access levels imposed by the administrators.

Packet Signature

Another feature of Netware is the packet signature. Packet Signature is an interesting idea in itself, as it suggests that all packets moving in and out of the server are cryptographically signed to prevent forgery. It should be noted that Packet Signature does not encrypt any data; it also adds security by using a digital signature.

Supervisor Account: On the server, the default setting will include the Supervisor account. Since Netware 3.x, the supervisor account has been allowed as a default account on Netware for legacy support or backward compatibility. The supervisor account is a special user designed for programs and clients that need bindery-based complete access to all the volumes , directories, and files on the file server. This account is a fully privileged user in NetWare 2.x or 3.x. However, NetWare 4.x and later it is limited in its privileges.

The security concern arises out of the fact that the supervisor account password is the same as the first password for the Admin user until it is changed using a bindery administration utility. The password holds good even after the Admin password has been changed causing many administrators to falsely believe that the default password has been changed. On some systems, the supervisor user may have a "default" initial password used for the Admin account such as "netware."

If an attacker has access to the system, he can try SUPE.EXE, KNOCK.EXE or other NetWare Supervisor password cracking utilities to extract the supervisor password. On retrieving the password, the attacker can launch as denial of service attack by running an old Netware bindery utility such as FCONSOLE.EXE and use the "Down File Server Request" to down any server, including remote servers.

RCONSOLE: Another security concern is the default setting when it comes to using the DOS utility RCONSOLE (remote console). NetWare servers come with REMOTE.NLM, which can be loaded with a password at the server console, or from a start-up file, allowing remote access to the server from client workstations. REMOTE.NLM enables the use of RCONSOLE to remotely access the server console from a workstation. During setup, this is given a fairly easy password. Typically, an administrator loads REMOTE .NLM at the server console and enters a password, as required by REMOTE.NLM.

The security concern arises from the nature of RCONSOLE, which like the server console, does not use NDS accounts for accountability. Due to this flaw in design, RCONSOLE cannot enforce access level control or limit console level commands or applications. Therefore, it becomes difficult to monitor remote server activity.

MITM and Brute Force Cracking: An attacker who has access to the network can sniff a valid RCONSOLE session and initiate a man-in-the-middle attack by sending a packet(s) with the correct hash, host IPX address and also the correct NCP sequence number. This may have been patched in versions later than 5.x. It goes without saying that possession of the RCONSOLE password grants the attacker complete control of the given server - similar to that of being physically present at the server console. Protecting the RCONSOLE password, therefore, is vital in securing NetWare. The attacker has a greater chance of sniffing the password as RCONSOLE has no lockout. Moreover, there are predictable delays in remote console authentication, which makes it easier for the attacker to launch a brute force attack. While failed RCONSOLE attempts are logged, other approaches such as using XCONSOLE, avoid effective logging. The attacker thus takes advantage of the intrusion detection gap.

Rights: There are eight Rights on Netware. Let us briefly take a look at these.

• S Supervisory : Once granted to a user or group on a specific directory, this right gives the trustee holding it all rights, as well as the ability to grant all rights to other users or user groups on that directory and its subdirectories. The supervisory right itself is automatically propagated for the trustee holding it to all subdirectories below the one where it was granted, and it cannot be revoked for the trustee from subdirectories below the original assignment. It also overrides any restrictions put in place by the Netware Inherited Rights Mask. At the file level, it allows a user all rights to the file - and the ability to grant or modify any right to any file for any user or group in any directory at or below the directory where the supervisory rights were assigned.

• R Read : This right allows a user or group to open a file for reading or to run an executable program.

• W Write : Allows a user or group to open and modify a file's contents.

• C Create : At the directory level, Create allows a user or group to make subdirectories and files within them. If this right is the only one granted at the directory level, it allows the trustee holding it to create subdirectories and files. But once a file is closed, it cannot be seen using standard DOS or Netware commands (for example DIR or NDIR).

• E Erase : Controls whether or not a directory, its subdirectories and the files within the directory and subdirectories can be deleted.

• M Modify : Users or groups with this right have the ability to set and change file or directory attributes. This includes renaming directories or files within directories. This trustee right has no effect on the ability to modify the contents of a file.

• F File Scan : Users or groups must have this trustee right to see that directories or files within directories exist.

• An Access Control : This right allows a user to modify the trustee assignments or the Inherited Rights Mask of a directory or file. It does not allow a user to grant the supervisory trustee right, but it does allow them to grant trustee rights to others that they themselves do not have.

Server SET COMMAND and Default Settings: Netware servers come with default settings that must be configured to ensure adequate security. Let us take a look at some of these settings. Typing SET at the NetWare console prompt gives a list of the various categories of SET commands available.

Communications SET Commands

• Local Clients IP NetNumber List - Example usage: SET LOCAL CLIENTS IP NETNUMBER LIST = 192.168.20.0; 192.168.41.0

• NAT Realm Name - If NAT is not used, it is not required. Example usage: SET NAT REALM NAME = BVEW

• Maximum Pending TCP Connection Requests - The default value is 128. For high risk servers such as public servers, this may be raised up to the maximum of 4096. Example usage: SET MAXIMUM PENDING TCP CONNECTION REQUESTS = 2500

• TCP Defend Land Attacks - The default is ON and this is the preferred setting. Example usage: SET TCP DEFEND LAND ATTACKS = ON

• TCP Defend SYN Attacks - The default is OFF. The ON setting is preferred. Example usage: SET TCP DEFEND SYN ATTACKS = ON

• IP WAN Client Validation - The default is OFF, and this is the preferred setting unless there are remote clients to attend . Example usage: SET IP WAN CLIENT VALIDATION = OFF

• Allow IP Address Duplicates - The default is OFF, and this is the preferred setting. Example usage: SET ALLOW IP ADDRESS DUPLICATES = OFF

• Maximum Packet Receive Buffers - The default value is 500, although on high volume servers this should be increased. Example usage: SET MAXIMUM PACKET RECEIVE BUFFERS = 1000

Memory SET Commands

• Memory Protection Fault Cleanup - The default is ON, and this is the preferred setting. Example usage: SET MEMORY PROTECTION FAULT CLEANUP = ON

File System SET Commands

• Immediate Purge Of Deleted Files - The default is OFF and this is the preferred setting to recover files that are deleted accidentally . Example usage: SET IMMEDIATE PURGE OF DELETED FILES = ON

NCP SET Commands

• NCP Packet Signature Option - The default is 1. This should be increased to 3 to help prevent packet spoofing. It should be issued from AUTOEXEC.NCF before the protocols are bound to the network card, to prevent an odd sort of spoofing attack that allows a user to masquerade as the server object itself and forge administrative commands that could lead to complete system compromise. Example usage: SET NCP PACKET SIGNATURE OPTION = 3

• Enable IPX Checksums - The default is 1. This should be increased to 2, which will force IPX checksums. Example usage: SET ENABLE IPX CHECKSUMS = 2

• Enable UDP Checksums on NCP packets - The default is 1. It is recommended to set it to 2, if UDP and NCP protocol are used. Example usage: SET ENABLE UDP CHECKSUMS = 2

• NCP Protocol Preferences - This will typically be set to TCP and IPX. Change to TCP (version 6 uses TCP alone) Example usage: SET NCP PROTOCOL PREFERENCES = TCP

• Display NCP Bad {Component\Length} Warnings - The default is OFF. To monitor bad warnings this can be set ON. Example usage: SET DISPLAY NCP BAD COMPONENT WARNINGS = ON

• Reject NCP Packets with Bad {Components\Lengths} - The default OFF is the preferred setting. Example usage: SET REJECT NCP PACKETS WITH BAD COMPONENTS = OFF, Example usage: SET REJECT NCP PACKETS WITH BAD LENGTHS = OFF

• Allow Change To Client Rights - The default is ON. Unless the server is a print server or a job server, this should be set to OFF. Example usage: SET ALLOW CHANGE TO CLIENT RIGHTS = OFF

Miscellaneous SET Commands

• Display Incomplete IPX Packet Alerts -The default is ON. Example usage: SET DISPLAY INCOMPLETE IPX PACKET ALERTS = ON

• Enable SECURE.NCF - The default is OFF. If used to house the majority of security settings, then this should be set to ON in the STARTUP.NCF. Example usage: SET ENABLE SECURE.NCF

• Allow Audit Passwords - The default is OFF. Example usage: SET ALLOW AUDIT PASSWORDS = OFF

• Display Old API Names - The default is OFF, but it is recommended that it be turned ON. Example usage: SET DISPLAY OLD API NAMES = ON

• CPU Hog Timeout Amount - The default is 1 minute. On high-usage servers this may be set a little lower. Example usage: SET CPU HOG TIMEOUT AMOUNT = 1 MINUTE

• Allow Unencrypted Passwords - Originally in place to ensure that older clients the default OFF should always be used. Example usage: SET ALLOW UNENCRYPTED PASSWORDS = ON

In Netware 4.x, any limited account can give access to an attacker to run SYSCON, located in the SYS: PUBLIC directory. Once he is able to get in, he can go to User Information and list all defined accounts - the account and the user's full name. However, if he has a valid account, he can run USERLST.EXE and get a list of all valid account names on the server.

Typically, before an attacker gets to use CHKNULL, he will try his hand at other options, especially if he has command line access to the server (maybe through a backdoor). He will use the CX and NDIR commands without logging in to retrieve valuable information. Both CX and NDIR are Novell utilities that will take advantage of the default NDS settings on the tree.

CHKNULL is usually run after CX and NLIST since the attacker has now gained a fair assessment as to which accounts or which sections of the tree are good target areas. CHKNULL is a good example of a hacker tool that uses bindery calls against an NDS server. Running CHKNULL with no options will list all accounts in the current context that have no password, and it can also check all accounts in the current context with a single password (such as "password").

However, these security settings can be easily compromised as both the object ID and the password length are stored with the hash, along with that fact that lower case letters are converted to upper case before generating the hash does simplify the process slightly. Password crackers can brute force a little easier since they can eliminate trying lower case letters and concentrate on a particular password length.

NOVELBFH, Novell Brute Force Hacker, is a program written by DGE Alofs in Holland. It is a menu driven program that attempts to crack accounts by using the verify password function and trying various guesses for password.

NWPCRACK is a brute-force password cracker for cracking passwords on the Novell platform. This utility is best used from a remote location, working on passwords over long periods of time. As the author points out, there is a period of delay between password attempts and thus, brute forcing could take some time. This utility would probably work best if the cracker were attacking a network that he knew something about.

Countermeasure

Use strong passwords. If the server has been upgraded, check the AUTOEXEC.NCF file for encrypted passwords setting. If this setting is OFF, it will permit passwords to be sent over the wire in clear text for legacy support. To ensure that this setting is off, use the SET command at the server console:

 SET allow unencrypted passwords = OFF 

BINDERY.EXE accesses the bindery and extracts the cipher resulting from the NetWare oneway encryption feature. BINDERY.EXE outputs a text file containing the encrypted password and the USER ID. This text file can be cracked by a function of BINDERY.EXE, BINCRACK.EXE, through a dictionary file.

Countermeasure:

A bindery context setting is used to emulate the bindery database of the earlier NetWare versions. This bindery emulation makes the server vulnerable and should be removed. In the AUTOEXEC.NCF file check the status of the SET BINDERY CONTEXT command line.

SETPWD.NLM decompresses into a NLM, Netware Loadable Module. SETPWD.NLM resets any user “password, including that of supervisor.

NetWare 6 does provide some policy settings that are intended to protect passwords. The settings provided are: password required, password length, password unique, expiration and grace login limit. This version also provides for intruder detection, in the form of lockout periods. A summary of these recommended settings are:

• Enable intruder detection at the OU level.

• Set incorrect login attempts to 3.

• Make and use a User Template object to apply password policies to new users.

• Require users to have passwords with a minimum length.

• Require users to have unique passwords. Netware remembers the last 8 passwords used.

• Set grace login to 3.

KOCK

For Netware 3.11, exploits bug in a Netware attach to log in without a password.

UserDump

UserDump simply lists all users in the Bindery. Works for Netware 3.x and 4.x (in Bindery Mode)

NWL

It is a replacement LOGIN.EXE for Novell Netware. Run PROP.EXE from a Supervisor account to create a new property. Replace existing LOGIN.EXE in SYS:LOGIN. The version of LOGIN.EXE that shipped with 4.0 had a flaw that under the right conditions the account and password could be written to a swap file created by LOGIN.EXE. Once this has occurred, the file can be undeleted and the account and password retrieved in plain text. Each time a user logs in, the text is stored in the new property. Use PROP.EXE to retrieve captured logins.

Reportedly written by students at George Washington High School in Denver, Colorado, Getit is designed to capture passwords on a Novell network. The program was written in assembly language and is therefore quite small.

Burglar is a somewhat dubious utility. It can only be used where an individual has physical access to the NetWare file server. It is an NLM, or a loadable module. Most of Novell NetWare's programs executed at the server are loadable modules. This includes everything from the system monitor to simple applications such as editors.

SETPASS

Purpose: Use at a workstation to change a user's password.

Syntax: SYS:PUBLIC\SETPASS.EXE [ servername / ] [ username ] [/? /VER]

Spoofing is the act of using one machine to impersonate another by forging the other's "identity" or address. There are different forms of spoofing. We have discussed spoofing at length in the preceding modules at various points. Here, the consideration is hardware address spoofing.

Spooflog is a program, written in C by Greg Miller that can spoof a workstation into believing that it is communicating with the server. This is a fairly advanced exploit. This is the classic man in the middle attack which we have discussed earlier in preceding modules.

Written by donar ge alofs, novelffs is a program, which simulates a Novell file server. The server will be visible for about 1 to 2 minutes. On some systems the server will be visible for as long as the program is running, if the computer is rebooted it will disappear after 1 to 2 minutes. The Ethernet-address of the computer from where NOVELFFS is started is visible in the SLIST so it's traceable .

"The Gobbler" is an Ethernet troubleshooter/protocol analyzer that can be operated from a remote central network management station. It features a packet capture program with extensive filtering capabilities for catching selected Ethernet packets and writing them to disk for later examination, and a dumpfile view and protocol analyzing program for examining the captured packets. "The Gobbler" is based on an event-driven multitasking operating system called the Network Packet Dispatcher, developed by the network performance group of the Delft University of Technology.

Pandora is a set of tools for hacking, intruding, and testing the security and insecurity of Novell Netware. It works on versions 4 and 5. Pandora consists of two distinct sets of programs --an "online" version and an "offline" version. Pandora Online is intended to be used for direct attack against a live Netware 4 or 5 servers. Pandora Offline is intended to be used for password cracking after you have obtained copies of NDS.

A typical attack goes as follows:

• Use Pandora online version to determine common user accounts passwords.

• Pandora Online can be used to determine the password to the special Supervisor Object.

• By exploiting the information collected from Pandora Online, try to access SYS: SYSTEM. If BACKUPS and/or DSREPAIR>DIB exist, they can be copied off the server. By exploring the NCF files, it should be possible to determine the remote console password.

• After gaining control access, using Novell's DSMAINT a fresh BACKUP. DS can be created and copied down. BACKUP.DS can be converted into the original NDS file using Pandora Offline.

• The NDS files can have Pandora Offline run against them to create the PASSWORD.NDS file. Pandora Offline can be run against PASSWORD.NDS to do either a brute force attack or a dictionary attack to obtain additional passwords.

Defense against Pandora includes the following measures:

• Removing the ability for anyone to read the NDS tree. The rights for [Root] should not be public.

• Isolating admin servers from end users on an Ethernet segment, or adopting a switched Ethernet.

• Using Packet Signature at the highest settings on servers and workstations at all times.

• Using the latest patches on servers and workstations.

• The SET PACKET SIGNATURE line should be in the STARTUP.NCF, not the AUTOEXEC.NCF.

• Building a dummy NDS account named SUPERVISOR attributing it no rights and disabling it.

• Giving the bindery Supervisor account a complex password.

• Ensuring that the server object is not in the same container as the Admin account.

• Using Intrusion Detection on every container.

• Enforcing a minimum password length of 8 for normal users, LAN administrators should have an even longer password.