Hacking NetWare

by Trap

Reading through the book on Novell NetWare 3.11 System Administration, a task I find neither fun nor exciting, I decided it would be worth much more of an experience for me to get into the system myself so I would know the system (and its leaks) before the LAN Supervisor job passed on to me in the coming weeks.

Armed with only feeble knowledge from what I had so far read, I contemplated how I would go about getting the SUPERVISOR password and have the entire system open at my feet.  Knowledge is power, ya know.

Let's see, what to do, what to do.  I work for a government contractor in the health sciences so we manage a lot of info databases on military and private eco-disasters, places where people can't safely live, the names and life histories of those exposed or tested or even just on state registries, who their friends are, and where to contact them.  It's safe to say, it's a lot of privileged info, especially when you figure how sensitive someone's complete medical history can be (including visits to the clinic).  So I thought I'd see just how secure it all is, and since I'm next in line to control that info, I figured it couldn't hurt.

First I figured if I really wanted to get at someone's files, I could break into the file room and jimmy open the file cabinet.  But since that's not my style, I figured I could always steal the tape backups which are kept out in the open overnight along with the tape machine to copy down the type and configuration (or even just swipe the bastard).  Then there's key capturing and undeleting files in the temp directory, usually transferred because the LAN works a whole lot slower than the individual PCs.

Should that not be feasible, the backup runs every night and in order to run, it needs to have SUPERVISOR access to the LAN.  All I would have to do is go in after hours, after the backup is complete, and under that login, enter SYSCON and grant my ID equivalent access.  Then, unless security occasionally checks login IDs, which they don't, I could peruse the system sans suspicion until I merrily extract all the info I need.

However, should either of these two options be unavailable to me, I could call in from my modem at home using a copy of cc:Remote that I downloaded off the LAN.  Since copying and reading are the same function to Novell, the most Security could see is that I perused the file.

From home, I could call into the other contractors with whom we work, especially the one which has an 800 number and lets me stay on no matter how many passwords I get wrong.  Then, armed with my quarterly telephone book on the U.S. Government Health Agencies, I could find the names of people who may need that info and attempt to hack the password.  Since government, non-computer types are set up with three initials and the optional single digit number as a login ID and always use lame passwords (new accounts use the last name of the person receiving the account and those seldom get changed) I can stay on all day on their dollar to figure it out.

Okay, now we get to the real LAN stuff.  Since my original intent was to search the LAN for leaks, I decided to stay at my desk.  First, since I knew that the passwords to SUPERVISOR had to be kept in a common (everyone) location, I wrote code to search and list anything that might be a protected file or directory.  Since Novell can make a directory and files invisible yet not locked, I found that to be my main option.  Novell will let you enter the directory and retrieve the file if you know what it's called.

If you don't, you get the same old DOS "File not found" message.  So I wrote code to try going into a directory trying all combinations in ASCII for 8 characters and an extension, list those found and any files found.  Of course, time is something I did have, as would any employee.

I didn't even get very far when I found a WordPerfect 5.1 password protected file which was not even disguised.  So it took me all of 10 seconds to open that file with WPCRACK.EXE and, lo and behold, all the passwords for the different administrators, including SUPERVISOR.  Dumb, dumb, dumb.  I'm going to have to make some changes around here.

A few notes about Novell NetWare 3.11.  A password may be up to 47 characters in length.  Passwords have to be memorized by all the administrators which leads to a password which is an actual, easy-to-remember word or phrase.  All information about where and when a specific login ID has logged in is recorded in the Binderies which is most likely extractable, somehow, I know not how.

Security can determine how many times and what passwords were tried during a login attempt.  Security can also determine the few seconds it took someone to logout just before the login crime began thereby raising suspicions.  You can use SYSCON to find what the alternates are.  Every system has a backup with equivalent power to SUPERVISOR.  You'll know you found one because if you check the full name, there won't be one.
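The account weaknesses the article points out (a supervisor-equivalent backup account with no full name, and passwords that are just the holder's last name or login ID) are the kind of thing a supervisor can audit for directly. The script below is an added example, not code from the article: it runs over a constructed account list in a hypothetical flat format, and the SHA-256 hashing is an assumption standing in for whatever the real bindery stores.

```python
# Added example (not from the original article): an administrator-side audit
# for the account weaknesses the article describes. The account records and
# the SHA-256 password hash are constructed assumptions so the check runs
# stand-alone; a real NetWare 3.11 bindery stores these differently.
import hashlib


def _h(password):
    """Hash a password the way this constructed sample 'bindery' does."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample accounts: login ID, full name, supervisor equivalence,
# and a hash of the password the holder actually set.
ACCOUNTS = [
    {"login": "SUPERVISOR", "full_name": "System Supervisor",
     "sup_equiv": True, "pw_hash": _h("correct horse battery")},
    {"login": "BACKUP", "full_name": "",
     "sup_equiv": True, "pw_hash": _h("backup")},
    {"login": "JRS1", "full_name": "John R. Smith",
     "sup_equiv": False, "pw_hash": _h("smith")},
    {"login": "MAW", "full_name": "Mary A. Wong",
     "sup_equiv": False, "pw_hash": _h("x7!Qpl2#vB")},
]


def audit(accounts):
    """Return (login, reason) pairs for every weakness found."""
    findings = []
    for a in accounts:
        # A SUPERVISOR-equivalent account with no full name is exactly the
        # unexplained backup account the article says to look for.
        if a["sup_equiv"] and not a["full_name"]:
            findings.append((a["login"], "supervisor-equivalent account with no full name"))
        # Default-style passwords: the holder's last name, or the login ID itself.
        last = a["full_name"].split()[-1].lower() if a["full_name"] else ""
        if last and a["pw_hash"] == _h(last):
            findings.append((a["login"], "password is the account holder's last name"))
        if a["pw_hash"] == _h(a["login"].lower()):
            findings.append((a["login"], "password equals the login ID"))
    return findings


if __name__ == "__main__":
    for login, reason in audit(ACCOUNTS):
        print(f"{login}: {reason}")
```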

If you call Novell and tell them you are locked out and can't remember the SUPERVISOR password, they will need to speak directly to the person who registered the NetWare.  If you are that person, they can give you the backdoor pass.  If you are not, they will call that person and tell them who called and when.

Most importantly, however, is that no matter what you do, Security has to make an effort out of figuring it all out.  That means, all those NetWare protection devices are good, if someone uses them, and using them is a full time job in itself.

Keep that in mind and keep watching for "Novell Hack II," coming soon.
