HostedDB - Dedicated UNIX Servers

NetWare Information

                    \                             /
                    -$- Having Phun With Novell -$-
                    /                             \

              Brought 2 U by: Lord Foul/Decay 13th July, 1991

Ok, so you have a Novell network at skool or at work, and you
would like the supervisor account? But shit you say, Novell's
security is as water tight as a frog's arse. We'll my friend,
just read on and you will soon be logging on with the supervisor

I will briefly explain some Netware concepts in regard to
security so if your an experienced Novell user or supervisor
then just skip this bit and stop complaining ok?

Netware (In this text I refer mainly to V3.11) has some very 
advanced security features such as intruder lockout, which 
causes some problems when you run sequential password hackers
namely after x attempts at the password the user is locked out
for a specified period, or the workstation locks up [which kinda
fucks up remote dial-ups]

Netware security consists mainly of a user or group being
assigned "trustee rights" to a given sub directory or file.

These rights consist of 8 attributes, in 3.11 these are:

Directory Rights: control general access to the directory, its
files and subdirectories. When granted at the directory level,
the rights apply to all the files and subdirectories in that
directory unless redefined at the file or subdirectory level.

When assigned to a directory, the rights have the following 

S - Supervisory: Grants all rights, its files, and its
		 subdirectories. The supervisory right overrides
		 any restrictions placed on subdirectories or
		 files with an Inherited Rights Mask
    		 Users who have this right in a directory can
		 grant other users the Supervisory rights to
		 the directory, its files, and its subdirectories
		 Once the Supervisory right has been granted, it
		 can only be revoked from the directory to which
		 it was granted. It cannot be revoked in a file
		 or subdirectory.

R - Read: Grants the right to open files in a directory and read
	  their contents or run the programs.

W - Write: Grants the right to open and modify files.

C - Create: Grants the right to create files and subdirectories
  	    in the directory.

E - Erase: Grants the right to delete a directory, its files,
	   its subdirectories and its subdirectory files.

M - Modify: Grants the right to change directory and file
	    attributes. Also grants the rights to rename files,
	    the directory and its sub directories. This right
 	    does not grant the right to modify the contents of
	    a file.

F - File Scan: Grants the right to see directory files.

A - Access Control: Grants the right to modify a directory's
		    or a file's trustee assignments and Inherited
		    rights mask. Users can also modify file 
		    trustee assignments and Inherited Rights Masks.
		    Users can grant any right (except Supervisory)
		    to any other user, including rights that they
		    themselves have not been granted.

Commands used to grant or modify a directory trustee assignment

To view your current effective rights in your current directory

Some other useful commands:

SLIST: Display list of servers currently attached
USERLIST: Display list of users currently logged in

For the purposes of brievity I am not going to go any further
than this on security concepts, if you require any further
info then read the netware reference manuals [yes all 20 or so
of them hahaha], If there is enough people who want it I might
write a more detailed explanation of Netware security and how
to use and abuse it etc. Kinda like a Netware bible. If you
want to see something like this then drop me a line.

Obtaining the supervisor password:

Ok now this method will work on EVERY Novell Network, any
version, but there is a small problem: You need to get physical
access to the file server(s) you wish to gain supervisor access
on. This should not be too hard as most places do not lock their
file server up. This process could take a while and will require
the file server to be down, so make sure that you are doing it
when no one else will be logging on, and that you won't get caught

(I'm sure if your elite enough to be wanting to do this then
you'll figure out some ways of doing this, one possibility is make
an exact copy of the file server you are going to work with and
hang the copy on the network and down the target, what? you
can't do this? sheeez).

Probably the best thing to do is if your target site is a multi
server site, select a server that is the least used and easiest
to get to, because the supervisor is likely to use the same
password on all file servers.

Before you down the server (type "DOWN" from the console) format
a bootable dos disk in whatever disk type the target server has
and copy the DISKED.EXE file included with this archive onto
the bootable dos disk.

Bring the server down and boot off the dos disk. After dos loads,

We are looking for the files NET$BIND.SYS and NET$BVAL.SYS.

Type r32 at the ">" prompt to read sector 32, then type d to
display the sector. Keep viewing each sector in sequence, ie
33, 34 etc alternating the read and display commands until you
see one or both of these two files.

Keep track of the number of the current sector you are displaying
It is possible, although unlikely that these files are not in
the same sector.

Assuming they are in the same sector, once you find the files,
identify the starting offset address of the first letter of the
NET$BIND.SYS file (the letter "N")

Using the Change command, change it from 4E to 4F. Its character
representation is now the letter "O" (Use H or ? or whatever it
is in DISKED for help on its internal commands)

Repeat these steps for the NET$BVAL.SYS file if it exists in the
same sector as NET$BIND.SYS, Otherwise continue.

Next you will change the file attribute for each file. Eg lets
say the 4E you changed was the third character in the sample
line below:

00E0   00 02 4E etc etc

Directly under it will be a line similar to the following:

00f0   26 00 00 etc etc

Use the change command to change the attribute from "26" to "20"
Change this byte for both files. When you are done, be sure to 
enter a "." to indicate you have no more changes.

When you are finished changing the sector, use the Write command
to write the changes to the drive eg:


WARNING: Writing to the wrong sector can really fuck things up,
so make sure you get this right!

if NET$BVAL is in a different sector, repeat the above steps
for this file, then when your finished, type "q" to exit to dos.

Now, reboot the file server. NET$OS looks for the binderies and
doesn't find them, it will then create some new ones. Now go to
a workstation and logon as Supervisor and as its a new Bindery
there will be no supervisor password.

Change to the SYS:SYSTEM directory.

type SHOWFILE oet$b*.* to make the old bindery visible.

type DEL *.OLD

then rename the oet$b*.* files to net$b*.OLD ie you should now
have NET$BIND.SYS and NET$BVAL.SYS which are your new, empty
binderies, and NET$BIND.OLD and NET$BVAL.OLD which are your
original binderies.

type BINDREST, this restores the bindery files you renamed in 
disked to their original status and all prior users will be

So now you don't know the supervisor password because you just
restored the system to the way it was.

BUT: you are currently logged on as supervisor, so type SYSCON
and either change the supervisor password [this will cause a stir]
or if you want to remain unseen, create a user and give him
security equivalence to SUPERVISOR [just hit INS on the list of
users in syscon to create a user, then select security equivelance,
and hit INS and select SUPERVISOR]

The best account to give SUPERVISOR rights to is GUEST, but
make sure you assign a password to the GUEST!

Thats it, repeat for further file servers if desired.

If you want any further info on Novell shit or know any cool
shit about Novell or want to ask me about something then
I can be contacted on Zer0 City:

Zer0 City
Decay WHQ
2400: +61-2-361-4748
HST:  +61-2-361-4750
Sysop: Lord Foul/Decay
Co:    RokStar/Decay

NOTE: I take NO RESPONSIBILITY for the contents of this file,
I suggest you do not try this unless you have a good understanding
of Netware, as your boss will hit the roof if you destroy a file
server. If you do this then its your bad luck!

I suggest setting up a V3.11 Server at home and trying it on
that first.


This has been a DECAY production 1991. All rights reserved.