Compiled by Simple Nomad
May 1, 1997
Contributions (and thanks to):
The LAN God Teiwaz firstname.lastname@example.org Fauzan Mirza email@example.com David A Wagner daw@lagos.CS.Berkeley.EDU Diceman firstname.lastname@example.org PEME_Inc Craig email@example.com Einar Blaberg firstname.lastname@example.org SIC Hardware, Cyberius, and Jungman Rx2 Rx2@usa.net
Tech Support (and special thanks to):
itsme - infamous Netware Netherlands hack fame Greg Miller - Programmer/Analyst (home page in the Resources section)
Contents - U means update from last FAQ, N means new.
General Info 00-1. What is this "FAQ" for? U 00-2. What is the origin of this FAQ and how do I add to it? U 00-3. Is this FAQ available by anonymous FTP or WWW?
Access to Accounts 01-1. What are common accounts and passwords in Novell Netware? 01-2. How can I figure out valid account names on Novell Netware? 01-3. What is the "secret" method to gain Supervisor access Novell used to teach in CNE classes? 01-4. What is the cheesy way to get Supervisor access? 01-5. How do I leave a backdoor? 01-6. I don't have SETPWD.NLM or a disk editor. How can I get Supe access?
Passwords 02-1. How do I access the password file in Novell Netware? 02-2. How do I crack Novell Netware passwords? 02-3. What is a "brute force" password cracker? U 02-4. What is a "dictionary" password cracker? 02-5. How do I use SETPWD.NLM? 02-6. What's the "debug" way to disable passwords? 02-7. Exactly how do passwords get encrypted? 02-8. What are the dangers of "storing" captured passwords?
Accounting and Account Security 03-1. What is Accounting? 03-2. How do I defeat Accounting? 03-3. What is Intruder Detection? 03-4. How do I check for Intruder Detection? 03-5. What are station/time restrictions? U 03-6. How do I spoof my node or IP address?
The Console 04-1. How do I defeat console logging? 04-2. Can I set the RCONSOLE password to work for just Supervisor? 04-3. How can I get around a locked MONITOR?
File and Directory Access 05-1. How can I see hidden files and directories? 05-2. How do I defeat the execute-only flag? 05-3. How can I hide my presence after altering files? 05-4. What is a Netware-aware trojan? U 05-5. What are Trustee Directory Assignments? 05-6. Are there any default Trustee Assignments that can be exploited? 05-7. What are some general ways to exploit Trustee Rights? 05-8. Can access to .NCF files help me? 05-9. Can someone think they've logged out and I walk up and take over? U 05-10. What other Novell and third party programs have holes that give "too much access"? 05-11. How can I get around disk space requirements?
Fun with Netware 4.1 06-1. What is interesting about Netware 4.x's licensing? 06-2. How can I tell if something is being Audited? 06-3. Where are the Login Scripts stored and can I edit them? 06-4. What is the rumored "backdoor" in NDS? 06-5. How can I remove NDS? 06-6. How can I remove Auditing if I lost the Audit password? 06-7. Does 4.x store the LOGIN password to a temporary file? 06-8. Everyone can make themselves equivalent to anyone including Admin. How? 06-9. Can I reset an NDS password with just limited rights? 06-10. What is OS2NT.NLM? U 06-11. Do you have to be Admin equivalent to reset a password? U 06-12. What if I can't see SYS:_NETWARE? 06-13. What are security considerations regarding partitions of the tree? 06-14. Can a department "Supe" become a regular Admin to the entire tree? N 06-15. What's the new way to get to SYS:_NETWARE?
Miscellaneous Info on Netware 07-1. Why can't I get through the 3.x server to another network via TCP/IP? 07-2. How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF? 07-3. How can I login without running the System Login Script? 07-4. How do I remotely reboot a Netware 3.x file server? 07-5. How can I abend a Netware server? And why? 07-6. What is Netware NFS and is it secure? 07-7. Can sniffing packets help me break in? U 07-8. What else can sniffing get me? 07-9. How does password encryption work? U 07-10. Are there products to help improve Netware's security? 07-11. What is Packet Signature and how do I get around it? 07-12. Do any Netware utilities have holes like Unix utilities? N 07-13. Can I "install" a bindery backdoor that's invisible to BINDFIX, SYSCON, and even the SECURITY utility?
Netware and Windows 95 08-1. Will Windows 95 cause server problems for Netware? 08-2. Will Windows 95 cause network problems for Netware? U 08-3. What's with Windows 95 and Netware passwords? 08-4. Can Windows 95 bypass NetWare user security?
Resources U 09-1. What are some Netware FTP locations? U 09-2. What are some Netware WWW locations? 09-3. What are some Netware USENET groups? U 09-4. What are some Netware mailing lists? 09-5. Where are some other Netware FAQs? U 09-6. Where can I get the files mentioned in this FAQ?
Netware APIs 10-1. Where can I get the Netware APIs? U 10-2. Are there alternatives to Netware's APIs?
Mathematical/Theoretical 11-1. How does the whole password/login/encryption thing work? 11-2. Are "man in the middle" attacks possible? 11-3. Are Netware-aware viruses possible? 11-4. Can a trojaned LOGIN.EXE be inserted during the login process? N 11-5. Is anything "vulnerable" during a password change? N 11-6. Is "data diddling" possible?
IntraNetware and the Internet U 12-1. Is Netware's Web server secure? N 12-2. What's the story with Netware's FTP NLM? N 12-3. Can an InterNetware server be compromised from the Internet? N 12-4. Can I grab password files like in Windows NT or Unix?
For Administrators Only U 13-1. How do I secure my server? U 13-2. I'm an idiot. Exactly how do hackers get in?
Appendix Section - Source Code and Other Documentation A-01. RCONSOLE Hacking Article A-02. Source code for SPOOFKEY A-03. Source code to NOCRYPT A-04. Documentation for NOCRYPT and the Attack Explanation A-05. Source code for SETPWD.NLM and BURGLAR.NLM N A-06. Source code to SPOOFLOG N A-07. Source code to FASTHASH N A-08. Source code to BACKDOOR.EXE and B_LOGIN.EXE