Netware Hack FAQ

Beta Version 6

Compiled by Simple Nomad
May 1, 1997

Contributions (and thanks to):

The LAN God
Fauzan Mirza
David A Wagner daw@lagos.CS.Berkeley.EDU
Einar Blaberg
SIC            Hardware, Cyberius, and Jungman

Tech Support (and special thanks to):

itsme       - infamous Netware Netherlands hack fame
Greg Miller - Programmer/Analyst (home page in the Resources section)

Contents - U means update from last FAQ, N means new.

Section 00

General Info

  00-1. What is this "FAQ" for?
U 00-2. What is the origin of this FAQ and how do I add to it?
U 00-3. Is this FAQ available by anonymous FTP or WWW?

Section 01

Access to Accounts

  01-1. What are common accounts and passwords in Novell Netware?
  01-2. How can I figure out valid account names on Novell Netware?
  01-3. What is the "secret" method to gain Supervisor access Novell used to teach in CNE classes?
  01-4. What is the cheesy way to get Supervisor access?
  01-5. How do I leave a backdoor?
  01-6. I don't have SETPWD.NLM or a disk editor. How can I get Supe access?

Section 02


  02-1. How do I access the password file in Novell Netware?
  02-2. How do I crack Novell Netware passwords?
  02-3. What is a "brute force" password cracker?
U 02-4. What is a "dictionary" password cracker?
  02-5. How do I use SETPWD.NLM? 
  02-6. What's the "debug" way to disable passwords?
  02-7. Exactly how do passwords get encrypted?
  02-8. What are the dangers of "storing" captured passwords?

Section 03

Accounting and Account Security

  03-1. What is Accounting?
  03-2. How do I defeat Accounting?
  03-3. What is Intruder Detection?
  03-4. How do I check for Intruder Detection?
  03-5. What are station/time restrictions?
U 03-6. How do I spoof my node or IP address?

Section 04

The Console

  04-1. How do I defeat console logging?
  04-2. Can I set the RCONSOLE password to work for just Supervisor?
  04-3. How can I get around a locked MONITOR?

Section 05

File and Directory Access

  05-1. How can I see hidden files and directories?
  05-2. How do I defeat the execute-only flag?
  05-3. How can I hide my presence after altering files?
  05-4. What is a Netware-aware trojan?
U 05-5. What are Trustee Directory Assignments?
  05-6. Are there any default Trustee Assignments that can be exploited?
  05-7. What are some general ways to exploit Trustee Rights?
  05-8. Can access to .NCF files help me?
  05-9. Can someone think they've logged out and I walk up and take over?
U 05-10. What other Novell and third party programs have holes that give 
         "too much access"?
  05-11. How can I get around disk space requirements?

Section 06

Fun with Netware 4.1

  06-1. What is interesting about Netware 4.x's licensing?
  06-2. How can I tell if something is being Audited?
  06-3. Where are the Login Scripts stored and can I edit them?
  06-4. What is the rumored "backdoor" in NDS?
  06-5. How can I remove NDS?
  06-6. How can I remove Auditing if I lost the Audit password?
  06-7. Does 4.x store the LOGIN password to a temporary file?
  06-8. Everyone can make themselves equivalent to anyone including Admin.
  06-9. Can I reset an NDS password with just limited rights?
  06-10. What is OS2NT.NLM?
U 06-11. Do you have to be Admin equivalent to reset a password?
U 06-12. What if I can't see SYS:_NETWARE?
  06-13. What are security considerations regarding partitions of the tree?
  06-14. Can a department "Supe" become a regular Admin to the entire tree?
N 06-15. What's the new way to get to SYS:_NETWARE?

Section 07

Miscellaneous Info on Netware

  07-1. Why can't I get through the 3.x server to another network via TCP/IP?
  07-2. How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF?
  07-3. How can I login without running the System Login Script?
  07-4. How do I remotely reboot a Netware 3.x file server?
  07-5. How can I abend a Netware server? And why?
  07-6. What is Netware NFS and is it secure?
  07-7. Can sniffing packets help me break in?
U 07-8. What else can sniffing get me?
  07-9. How does password encryption work?
U 07-10. Are there products to help improve Netware's security?
  07-11. What is Packet Signature and how do I get around it?
  07-12. Do any Netware utilities have holes like Unix utilities?
N 07-13. Can I "install" a bindery backdoor that's invisible to BINDFIX,
         SYSCON, and even the SECURITY utility?

Section 08

Netware and Windows 95

  08-1. Will Windows 95 cause server problems for Netware?
  08-2. Will Windows 95 cause network problems for Netware?
U 08-3. What's with Windows 95 and Netware passwords?
  08-4. Can Windows 95 bypass NetWare user security?

Section 09


U 09-1. What are some Netware FTP locations?
U 09-2. What are some Netware WWW locations?
  09-3. What are some Netware USENET groups?
U 09-4. What are some Netware mailing lists?
  09-5. Where are some other Netware FAQs?
U 09-6. Where can I get the files mentioned in this FAQ?

Section 10

Netware APIs

  10-1. Where can I get the Netware APIs?
U 10-2. Are there alternatives to Netware's APIs?

Section 11


  11-1. How does the whole password/login/encryption thing work?
  11-2. Are "man in the middle" attacks possible?
  11-3. Are Netware-aware viruses possible?
  11-4. Can a trojaned LOGIN.EXE be inserted during the login process?
N 11-5. Is anything "vulnerable" during a password change?
N 11-6. Is "data diddling" possible?

Section 12

IntraNetware and the Internet

U 12-1. Is Netware's Web server secure?
N 12-2. What's the story with Netware's FTP NLM?
N 12-3. Can an IntraNetware server be compromised from the Internet?
N 12-4. Can I grab password files like in Windows NT or Unix?

Section 13

For Administrators Only

U 13-1. How do I secure my server?
U 13-2. I'm an idiot. Exactly how do hackers get in?

Section 14

Appendix Section - Source Code and Other Documentation

  A-01. RCONSOLE Hacking Article
  A-02. Source code for SPOOFKEY
  A-03. Source code to NOCRYPT
  A-04. Documentation for NOCRYPT and the Attack Explanation
  A-05. Source code for SETPWD.NLM and BURGLAR.NLM
N A-06. Source code to SPOOFLOG
N A-07. Source code to FASTHASH
N A-08. Source code to BACKDOOR.EXE and B_LOGIN.EXE