I don't encourage illegal activities, I really mean this! And if you really want
to try something against the law, and you get caught I have warned you, hehe :p
This is the first tutorial I have wrote. It was intensely only written for BSRF
(Black Sun Research Facility), and it will be properly not the last one :)
though. So if you discover some errors, please let me remind you this was my
first one. Last note before I will begin writing about "Cracking Netware", at
the moment you can't contact me by e-mail or whatsoever... I rather remain
'hidden', for the moment.
Index Novell Netware tutorials:
Novell Netware - Cracking Netware
Maybe I'll write an advisory for system administrators or even my own found
vulnerabilities in Netware, but remember I can't guarantee anything!
It's possible that I'll write some other tutorials about different topics as
Well this one will be about:
Novell Netware - Cracking Netware (v 1.04)
Like many other Operating Systems Netware original (before 5.xx) doesn't work
with the TCP protocol, it uses it's own protocol called Internet Packet eXchange
(IPX). This protocol isn't vulnerable at the moment to any kind of Denial of
Service (DoS) attacks like SYN-flood, while the TCP protocol is. Because Netware
didn't get much attention from crackers they thought there system was
impenetrable, and so they didn't much about security updates. Now many of you
guys think this is really cool, and think they can crack any Netware server with
some help from the many tools that are available online. Well, I can tell you
that's not that easy.
The most important reason; Which Netware version they run, if running version
4.1 or higher the change you will sneak in unnoticed will be really small.
Unless you have to deal with some really lame most times lazy system
If the system administrators patch the Netware server(s) on regular base...
Also if you have some kind of permanent account with standard Netware rights,
not one who's adjusted.
You will need much time and don't be disturbed. Especially in classrooms this
will be difficult to get, so you have to find a way with Social Engineering to
accomplish this :(
Before I continue with Netware security and how to bypass it, first I'm going to
tell you something about Servers & Clients.
After a Netware client in Windows 9x has been installed it's possible to access
the Netware server. When you arrive in Windows you'll see a login screen. Before
you have logged into the network the "client <--> server" has already
established a connection with each other, only this connection isn't validated
by the user who created the connection! You can see this connection on the
console when monitor.nlm is loaded. You people don't know what the console
means? Ok, I'll explain. The server is nothing less but a computer, not a normal
one like a desktop or tower. No call it a very big tower. On this machine the
Netware server software is installed, when you turn on this machine first dos
(6.22 or lower) will be loaded. After this you can boot Netware by executing
file "server.exe", now many files will be loaded and you'll get a lot of
messages. It looks like when you're booting a Linux machine. After the boot
process you look at a sort of dos screen, this is called the console. At the
console you have the highest rights on the particularly Netware server. You can
down the server any time you want with just one simple command. So the main
group of crackers tries to get this access. But there are many different ways to
crack a Netware server. It just depends on what you want to do at the Netware
By default you have the following rights on a Netware server:
User: Normal user who can access some files in //public, //login and //mail.
Mostly they have some print rights too, also have a home directory.
SuperUser: At school's this right has been given to teachers. They can view
students accounts and delete files if necessary. They cannot create,
delete or change accounts from the NDS.
SuperVisor: Only the system administrators are permitted to control everything
on the file system and the NDS. When they want to down the server they have to
walk to the console, or do it remote by starting a program called rconsole which
stands for "Remote Console". The word explains itself. For security reasons they
first have to load "remote.nlm" and "rspx.nlm" at the console. So by default
these NLM's aren't loaded.
Console: This is the highest right on a Netware server, once you have gained
this rights illegal nothing can stop you at the moment but a power failure. Also
be aware of the log files! Many crackers who have gained console right have been
snapped by them, and if you are dealing with very smart system administrators,
they have some program that automatically sends the logs to an off-line
location. And once they have arrived overthere you have a serious problem...
When you want to gain some high level access on a Netware server, remember
that this can be done in many ways I explain two differents ways.
A note before trying one of the two ways. Way one will require a lot of luck,
some skills of cracking and also some tools. Way two will require a lot of time
(two weeks maybe a month). You have to see for yourself what's the best way. O
by the way, if you want to get some high level access while trying way one...
remember it's critically you don't make any mistakes, because the properbility
you'll be caught is high (log files and some other things)!
Please first read the tutorial, before trying one way or another. I really
If you are very, and I mean very lucky the system administrators could have
loaded "remote.nlm & rspx.nlm" on the Netware console. Try to find a program
called "rconsole.exe", normally you can find this program in the following
directory on the Netware server "//public". If you haven't file scan or read
rights on this directory, you have to get this program at another way. The
program needs alot of other files before you can execute it, so download these
too! To make it a little harder for our 'beloved' system administrators to trace
you (and give you more time), don't verify yourself to the server while trying
access the console by remote! Before they know who's trying to establish a
connection to the Netware server, they have to walk to the server and load
monitor.nlm. Now they can see the attackers ethernet address, from at this
moment they can close your connection to the server any time they feel fit. But
mostly they want to collect some evidence against you, so they just let you
the server'. In meantime you have already spend some minutes guessing the
correct console password, and every attempt has been written automatically to a
logfile. Or even worse, every attempt has also been written to their monitor
including (again) your ethernet address, and if you guessed the password right
or not. This sucks, doesn't it? Well we can combine these two problems into one
solution. But again you'll need some luck! Here we go:
The most difficult problem will be getting the password, because you don't have
enough time to guess the password, even with some kind of bruteforce-crack
program you haven't, we need to approach this problem from another way. Now
you'll need some luck because for this trick the following nlm's have to be
loaded: "remote & rspx" at the console! The system administrators will only
load these if they want to check the console (remote) regularly, as I explained
before. Just try to access the console with "rconsole.exe" to verify if those
nlm's are loaded, note only try this once! If you get a blue empty window, well
skip to part two! Well when you are sure those two nlm's are loaded, continue
reading, if not skip to the second way to crack Novell Netware.
When the system administrators are accessing the console they also have to enter
a password. This password is being send in plain text over the network ( plain
text means: unencrypted). If you're dealing with Netware version 4.11 or higher,
skip to way two because the transmitted console password is encrypted!
When you have the same node address as the system administrators have, it's
possible to intercept (sniffing) the packets from the system administrators to
the console. You are questioning yourself "How do I know?", the answer: If
you're on a small network with approximately 10-50 users you are on the same
node address. Unless you're dealing with some paranoid system administrator. If
you're dealing with some bigger kind of network you have to get yourself a copy
of a program called "getconn.exe" that reveals the node address of the Netware
server. Again you do need some luck, if you're not on the same node address as
they are, skip to way two.
Dont's make the following mistake: When an user or the system administrator is
logging into netware, it's completely senceless to 'sniff' this password.
Because this password is encrypted with RSA encryption. The next time the person
will (re-)login the encryption will be changed.
We now arrive at properly the most difficult part of all.
What we now need is a packetsniffer that supports IPX sniffing, I recommend
"SpyNet" for the job. Install and execute SpyNet. Configure SpyNet so it will
write all captured packets to one file. Let the program run a couple of hours,
because the system administrators have to access the console remote. You can use
your social engineering skills to speed up this process. One way to do this is
to call them and say you think someone is trying to crack their network. Don't
sound to professional because they could suspect you're the one doing something
illegal! Remember when you're sniffing, and write the packets to disk:
First: This will take really some network occupence, so if you'll run the
program to long (a day or more) the system administrator will detect an
intruder... Oohw by the way, if the network is protected by some intrusion
Detection Programs your sniff attemps will automaticly reported to the system
administrator's. There are (as usually) some anti-anti-sniffers. But this is a
whole other story, so I decided NOT to mention it any further.
Second: It's almost impossible to write all sniffed packets(frames) to disk,
especially not when the network is overloaded... also remember your ethernet
card is 10/100 mbit/s, and almost all times the network traffic does exceed
above this value.
Almost all sniffers does have an option to only write packets from a specified
address to disk. This has ofcourse some advantages... (more stealthy and less
disk space is needed).
Once you've the packets which contain the password, you have to find a way
yourself to extract the password from Spynet's logfile. Note, the password is
separated into many packets. Example: If the password would be "Netware" you'll
could find the password in this order:
packet 34643: j
packet 34644: 6
packet 34645: n
packet 34647: 8
packet 34648: e
packet 34649: f
packet 34650: t
packet 34654: l
packet 34656: d
packet 34657: 4
packet 34659: v
As you see, this could take some time before you find it, note netware is not
case sencetive! When you get the password, access the console remote as soon as
possible and create a supervisor account. If you don't know how to create one,
just download burglar.nlm from (blacksun.box.sk) and before trying anything with
the program, first take a good look at the readme.
When you're finished with anything you want to do at the Netware server,
remember to erase the logfile! You'll find the file in the /etc/console.log, you
can delete this file at the console. Just unload "conlog.nlm" and then load it
again! Now the old logfile is being overwritten by the new one, if you terminate
the connection between you and the server your ethernet address will be written
to the new logfile! So before quitting I suggest to unload once more the
"conlog.nlm". Now you can quit the remote session with ALT-F1.
If you really want to do some damage you have to delete the files where the NDS
(Netware Directory Structure) is being stored. These four files are located in
an hidden directory named "/_netware". You can only access this directory from
the console with the program "monitor.nlm". Remember: If the system
administrator's doesn't have backup's of these files, they have a really big
Some problems i'm aware of:
Nobody can log into Netware anymore, even the admin can't!
All information about the users, containers, scripts, printers, bordermanager
are permently lost!
If there are multiple Netware servers (almost always) connected to eachother,
who are sharing one NDS... well they have to install the Netware Server software
again on all servers.
And the system administrator's have an hell of a job to backup all data from
I really recommend and I seriously do, to backup these four files to a
floppydisk, in case you'll get caught. And if you have a little respect for them
please send them the disk with those four files anonymously. Because it will
take weeks to restore everything. I do really mean this!
The primairy goal here is to gain access to all files and folders at a Netware
server. This is NOT the same as console access! Note: This way takes very lot of
time and patience.
When you have a normal user account on any particularly Netware server, you only
have read&write&remove rights at your homedirectory. But what you proberly don't
know is that you also have some read rights at: //public, //login and //mail.
But you cannot 'see' these directory's because they aren't mapped to a logically
drive. I explain... Whenever you have typed in your username and password, the
Netware server will granted you the rights to all directory's and files the
system administrators have allowed you. If your homedirectory is at
//home/yourhomedir you have to browse to //home/yourhomedir to view files over
there.. But if your homedirectory is located somewhere 'deeper' in the
directorystructure , like //home//school/it/it2/class2c/yourhomedir then it
takes some time to get to your own directory. So here's where drivemapping comes
along. When you have created a drivemapping to
//home/school/it/it2/class2c/yourhomedir, just click onto the specific station
(by default "z:\") and now you are directly transmitted to yourhomedir. The
local system administrators have created a login script that will do this task
for you every time when you're logging into the network. Now you know what drive
mapping means... So as I told before, by default all users (including normal
users) have only read access to //public, //login and //mail.To access these
directory's you'll have to create a drivemapping to them. The most important one
is //public. In this directory you'll find all sorts of binary files and some
clients like "rconsole.exe". So, map this directory to a logically drive for
It will really come in handy if we have some 'other' accounts for the following
part. Otherwise you'll have to explain to the system administrators what you
were doing last week in the late afterhours at school or work. In other words we
need a few other accounts at the netware server. It's really not advisible to
use an account from a student or college at work, if you know his/her password
ofcourse! The best accounts for the crack job is one of the printer or backup,
and most times it has a NULL password! Sounds good, doesn't it? Well I can make
it even better, remember I told you that ALL users have (by default) read rights
to //public, //login and //mail? So does these accounts have them too... The
only problem is to guess the correct usernames. Many Novell Netware tutorials
will give you some default printer accounts, but many times these accounts
doesn't exists anymore. So I'm going to explain how to get existing usernames at
your local Netware server. Here weg go:
First you'll need to run a binary file at //public/win95/nwclnt95.exe, when all
the loading work is done you'll see a window like 'explorer' from Windows.
You're now viewing at the NDS (Netware Directory Structure). Inhere all
information (containers, scripts, printers & accounts) about the netware server
is being strored. Search inhere for a name with the word(s) print, printer, ps
or pservice. It's possible you find multiple printer accounts like printerti,
printersys or psserv. If you didn't find anything you have to try to get some
accounts a different way, grab a program called "chknull.exe" made by NOMAD (The
Noturious Netherlands Hacker). This program will check all existing netware
account for NULL passwords. If this program didn't find anything, you really
have a bad day and it's advisible to stop reading this tutorial right here :'(.
If you did found something, always doublecheck before you are doing anything
(wrong) with it. You really have to be sure if it's really a printer or
Now you have some Netware accounts with NULL passwords we can continue.
Note: Never change passwords from hijacked accounts, the properbility the system
administrator will discover it, is way to riscy. And if you change the password
from a printer, nobody can print anything anymore! You can guess that it only
take a few hours before the system administrator's will discover the leak. Now
log into the Netware network with the 'stolen' accountinformation, and if you
are lucky the system administrator's have granted some dir&filerights. By the
way if the system administrators are using Netware Bordermanager as Firewall and
/ or HTTP Gateway you can't surf the web without suffients rights. But most
proberly you can surf the web when you are logged in as printer (i could)! This
could come in handy when you need to reach the database from packetstorm for
some kind of exploit. Nevertheless use HTTP only when it's really necessary!
Because the firewall will log all requests to the outside world. And we don't
want to make the job to easy for the system administrator's!
Again I hadn't enough time to complete this tutorial so I will continue this
subject in Version 1.04. My problem is always the goddamn time.
Copyright (C) 2001, Data Wizard, The Netherlands.