■ Use the new tools like Group Policy (gpedit.msc) and the Security Configuration and Analysis tool with additional templates to help create and distribute secure configurations throughout your Win 2000 environment. ■ Enforce a strong policy of physical security to protect against offline attacks against the SAM and EFS demonstrated in this chapter. Implement SYSKEY in password- or floppy-protected mode to make these attacks more difficult. Keep sensitive servers physically secure, set BIOS passwords to protect the boot sequence, and remove or disable floppy disk drives and other removable media devices that can be used to boot systems to alternative OSes. ■ Follow the “Best Practices for using EFS,” found in the Win 2000 help files, to implement transparent folder-level encryption for as much user data as possible, especially for mobile laptop users. Make sure to export and then delete the local copy of the recovery agent key so that EFS-encrypted items are not vulnerable to offline attacks that compromise the Administrator recovery certificate. ■ Subscribe to the NTBugtraq mailing list (http://www.ntbugtraq.com) to keep up with current discussions on the state of NT/2000 security. If the volume of traffic on the list becomes too burdensome to track, change your subscription to the digest form, in which a digest of all the important messages from a given period are forwarded. To receive the NTSecurity mailing list in digest form, send a message to listserv@listserv.ntbugtraq.com with “set NTSecurity digest” in the message body (you do not need a subject line). ▲ The Win2KsecAdvice mailing list at http://www.ntsecurity.net, which largely duplicates NTBugtraq, occasionally has content that the NTBugtraq list misses. It also has a convenient digest version. Chapter 6: Hacking Windows 2000 263 This page intentionally left blank. CHAPTER 7 Novell NetWare Hacking 265 Copyright 2001 The McGraw Hill Companies, Inc. Click Here for Terms of Use. 266 Hacking Exposed: Network Security Secrets and Solutions A common misconception about Novell is that their products have outgrown their usefulness (at least that’s what Microsoft and the UNIX community would have you believe). While Novell’s market share has not flourished in recent years, they are far from dead and buried. With over 40 million NetWare users worldwide (source: In - ternational Data Corporation), the risk to sensitive corporate data is as high as it’s ever been. In this book we will cover a variety of NetWare versions, but we spend most of our attention on NetWare 4.x using Client32—the most popular version to date. But if you’re a NetWare 5 shop, don’t worry, you’ll find many of these attacks and countermeasures still work. For more than 17 years, Novell servers have housed organizations’ most critically im - portant and sensitive data—payroll, future deal information, human resources records, and financial records, to name but a few. You’d be surprised at how many companies can’t, or don’t want to, move away from Novell, leaving these systems unmaintained and unsecured. But isn’t NetWare secure? Novell’s had over 16 years to secure their products—why are we bothering to break into Fort Knox, right? Well that’s the answer you’ll get if you ask Novell, but not if you ask the security experts. True, you can make NetWare fairly se- cure, but out of the box, the product leaves much to be desired. NetWare 4.x has very little security enabled. For example, by default everyone can browse your Novell Directory Services (NDS) trees without authenticating. Even more damaging, Novell users are not required to have a password, and at account-creation, administrators do not need to spec- ify a password. If NetWare hacking sounds too easy to be true, just try it yourself. Most NetWare ad- ministrators don’t understand the implications of a default server and consequently, don’t try to tighten its security. Your jaw will most likely drop once you have a chance to poke, prod, and bang on your NetWare doors, testing their security readiness. In Chapter 3, we discussed how attackers can tiptoe around your networks and sys - tems looking for information to get them connected to your Novell boxes. In this chap - ter, we’ll walk you through the next and final steps an attacker might take to gain administrative privilege on your Novell servers and eventually your NDS trees. This ex - ample is one we’ve come across time and again and is surprisingly common. Granted, most of the attacks detailed in this chapter depend on a legacy NetWare setting that is default on all NetWare 4.x servers but may not be present on yours: bindery context. Chapter 7: Novell NetWare Hacking 267 ATTACHING BUT NOT TOUCHING Popularity: 10 Simplicity: 9 Impact: 1 Risk Rating: 7 The first step for attackers is to create an anonymous attachment to a Novell server. To understand what an attachment is, you must understand the NetWare login process. Novell designed NetWare logins so that to authenticate to a server, you had to first “at - tach” to it. The attachment and login are not interdependent. In other words, when a login fails, the attachment remains. So you don’t need a valid username and password to gain the attachment. As we’ll show you, through the attachment alone, much of what crackers need to hack your NetWare boxes is available. We showed you how to browse the network, in particular all the NetWare servers and trees, in Chapter 3. Now all you need to do is attach to a server, and there are plenty of ways to do that. Three main tools will be discussed here for attaching to a server: On-Site Admin from Novell, snlist, and nslist. You can also attach with traditional DOS login or Client32 Login programs, but you must do so by logging in (which will most likely fail without a known username and password). But attaching by failing a login is not the stealthy technique that attackers use because it can be logged at the console; consequently most attackers don’t come near this technique. ] On-Site Admin As an administrator, you simply must include On-Site in your security toolkit. This graphical NetWare management product from Novell provides information about serv - ers and trees, and enables nearly everything you’ll need to evaluate your initial security posture. The developers at Novell made a smart decision in developing this application, but it can be used against you. How ironic that it is now one of the primary tools for Novell hacking. When On-Site loads, it displays all the NetWare servers learned from the Network Neighborhood browse you performed in Chapter 3. With the servers displayed in On-Site, simply select a server with your mouse. This will automatically create an attach - ment to the server. You can verify this by looking at the Client32 NetWare Connections. One by one you can create attachments to servers you wish to study. ] snlist and nslist Both snlist and nslist attach to servers on the wire the same way On-Site does, only through the command line. Snlist tends to be much faster than nslist and is the rec - ommended tool for our purposes, but nslist is helpful in displaying the server’s com - plete address, which will help us down the road. Both products can be used without parameters to attach to all servers on the wire, or with a server name as a parameter to at - tach to a particular server. Attaching in this manner lays the foundation for the juicy hacking, coming up next. If you have problems attaching to Novell servers, check your “Set Primary” server. Do this by opening your NetWare Connections dialog box and looking for the server with the asterisk preceding the name. You must have at least one server attached before using these tools. If you do and you’re still having problems, select another server and choose the Set Primary button. When using command-line tools, you may need to start a new command prompt ( cmd.exe for NT or command.com for Win9 x ) whenever you make any notable connections. Otherwise you may en- counter a number of errors and spend hours troubleshooting. U Attaching Countermeasure We are not aware of any mechanism to disable the ability to attach to a NetWare server. This feature appears to be here to stay, as it is also in NetWare 5. ENUMERATE BINDERY AND TREES Popularity: 9 Simplicity: 10 Impact: 3 Risk Rating: 9 In this zombie state of attaching but not authenticating, a great deal of information can be revealed—more than should really be possible. Tools like userinfo, userdump, finger, bindery, bindin, nlist, and cx provide bindery information. Tools like 268 Hacking Exposed: Network Security Secrets and Solutions On-Site offer NDS tree enumeration. Together they provide most of the information nec - essary for a cracker to get access to your servers. Remember, all this information is avail - able with a single attachment to a Novell server. ] userinfo We use v1.04 of userinfo, formally called the NetWare User Information Listing pro - gram. Written by Tim Schwab, the product gives a quick dump of all users in the bindery of a server. Userinfo allows you to search for a single username as well; just pass it a username as a parameter. As shown in the following illustration, you can pull all usernames on the system, including each user’s object ID, by attaching to the server SECRET and running userinfo. ] userdump Userdump v1.3 by Roy Coates is similar to userinfo in that it displays every username on an attached server, but it also gives you the user’s full name, as shown in the following illus - tration. Attackers can use this information to perform social engineering attacks—calling a company’s help desk and having them reset their password, for example. Chapter 7: Novell NetWare Hacking 269 ] finger Using finger is not necessary to enumerate users on a system, but we include it here be- cause it is helpful when looking for whether a particular user exists on a system. For ex- ample, attackers may have broken into your NT or UNIX systems and obtained a number of usernames and passwords. They know that (a) users often have accounts on other sys- tems, and (b) for simplicity, they often use the same password. Consequently, attackers will often use these discovered usernames and passwords to break into other systems, like your Novell servers. To search for users on a system, simply type finger <username>. Be careful with finger, as it can be very noisy. We’re not sure why, but when you finger a user who is currently logged in, the user’s system will sometimes receive a NetWare popup message with an empty body. ] bindery Knowing the users on a server is great, but attackers need to know a bit more information before they get cracking. For example, who belongs to the Admins groups? The NetWare Bindery Listing tool v1.16, by Manth-Brownell, Inc., can show you just about any bindery object (see Figure 7-1). Bindery also allows you to query a single user or group. For example, simply type bindery admins to discover the members of the Admins group. Also, the /B parameter can be helpful in displaying only a single line for each object—especially helpful when viewing a large number of objects at one time. ] bindin Like bindery, the bindin tool allows you to view objects such as file servers, users, and groups, but bindin has a more organized interface. Like bindery, bindin will provide 270 Hacking Exposed: Network Security Secrets and Solutions group members as well, so you can target users in key groups like MIS, IT, ADMINS, GENERALADMINS, LOCALADMINS, and so on. ▼ bindin u This displays all users on the server. ▲ bindin g This displays all the groups and their members. ] nlist Nlist is included in the NetWare SYS:PUBLIC folder and has taken the place of the NetWare 3.x utility slist, which displayed all the NetWare servers on the wire—but nlist can do much more. Nlist displays users, groups, server, queues, and volumes. The nlist utility is used primarily to display the users on a Novell server and the groups they belong to. Chapter 7: Novell NetWare Hacking 271 Figure 7-1. Bindery provides enormous amounts of NetWare information, including who belongs to what groups, such as a group called Admins 272 Hacking Exposed: Network Security Secrets and Solutions ▼ nlist user /d This displays defined users on the server in the usual format. ■ nlist groups /d This displays groups defined on the server along with members. ■ nlist server /d This displays all servers on the wire. ▲ nlist /ot=* /dyn /d This displays everything about all objects, as shown next. Nlist is particularly helpful in detailing object properties like title, surname, phone number, and others. ] cx Change Context (cx) is a diverse little tool included in the SYS:PUBLIC folder with every NetWare 4.x installation. Cx displays NDS tree information, or any small part of it. The tool can be particularly helpful in finding specific objects within the tree. For example, when attackers discover a password for user ECULP on a particular server, you can use cx to search the entire NDS tree for the other servers they may be authorized to connect to. Here’s a small sample of what you can do with cx: To change your current context to root: cx /r To change your current context to one object up the tree: cx . [...]... Exposed: Network Security Secrets and Solutions The userlist tool doesn’t work with just an attachment, so you can use a valid username and password gained with the chknull utility Userlist, shown next, is similar to the On-Site tool, but it’s in command-line format, which means it is easily scripted Userlist provides important information to the attacker, including complete network and node address, and. .. users’ passwords are Crypto and crypto2 from Pandora can be used, respectively, to brute force and dictionary crack the NDS files To get cracking, you can follow these steps: 1 Copy the backup.nds or backup.ds files in your \PANDORA\EXE directory 2 Use the extract utility to pull the four NDS files from backup.nds: extract -d 2 95 296 Hacking Exposed: Network Security Secrets and Solutions 3 Use the extract... so you’ll get this message: 281 282 Hacking Exposed: Network Security Secrets and Solutions You’ll know when you’ve been locked out when you get this message: And the system console will most likely display the following message: 4-08-99 4:29:28 pm: DS -5. 73-32 Intruder lock-out on account estein.HSS [221E6E0F:0000861CD947] 4-08-99 4: 35: 19 pm: DS -5. 73-32 Intruder lock-out on account tgoody.HSS [221E6E0F:0000861CD947]... attackers have staked out the premises (users and servers), they will begin jiggling the door handles (guessing passwords) Attackers will most likely do this by trying to log in At this point they have all the usernames; now they just need some passwords ] chknull Popularity: 9 Simplicity: 10 Impact: 5 Risk Rating: 8 2 75 276 Hacking Exposed: Network Security Secrets and Solutions Few other NetWare utilities... Pandora (http://www.nmrc.org/pandora/download.html), and the latest version available is 4.0; however, we will highlight 3.0’s capabilities here There are a couple of prerequisites, however, for Pandora to work: M You must be running a network card using its associated packet driver Only specific network cards have a packet driver available You will need to check 287 288 Hacking Exposed: Network Security. .. encrypt 4 Type in your rconsole password 5 The program will ask if you wish to add the encrypted password to the SYS:SYSTEM\ldremote.ncf file; say yes 6 Go back and remove any password entries in autoexec.ncf or netinfo.cfg 7 Be sure to add ldremote.ncf in the autoexec.ncf file to call the load remote command 291 292 Hacking Exposed: Network Security Secrets and Solutions Currently there is no fix for... Following Hardware Upgrade 2 Type load conlog 3 From your client, map a drive to SYS:SYSTEM 293 294 Hacking Exposed: Network Security Secrets and Solutions 4 Copy the backup.nds file to your local system 5 Use the extract function from Pandora to create the four NDS files (block, entry, partitio, and value) 6 Start cracking The older dsrepair.nlm also provides the ability to prepare for hardware upgrades,... specific user In our example, we discov- 283 284 Hacking Exposed: Network Security Secrets and Solutions ered a group called Admins Once you log in as a user, you have the ability to see the users who have security equivalence to Admin, or simply who is in administrative groups like Admins, MIS, and so on Doing so, we find both DEOANE and JSYMOENS in the ADMINS group—this is whom we’ll attack first... crypto, and crypto2 are NDS password-cracking utilities and are discussed in the NDS cracking section later in this chapter And havoc is an excellent denial of service attack U Pandora Countermeasure attacks are numerous and largely depend on the The countermeasures for the Pandora NetWare specifics of your site In general, the following guidelines should be followed if you wish to block Pandora hacking:... on The feature is enormously important in rejecting an attacker’s attempts to gain 279 280 Hacking Exposed: Network Security Secrets and Solutions Figure 7 -5 With the NDSsnoop utility you can view details about each object, sometimes including who is equivalent to Admin access to the server and should always be turned on When enabling intruder lockout, as shown in Figure 7-6, be sure to make the change . tool (On-Site) and new utilities (userlist and NDSsnoop). ] userlist /a Popularity: 9 Simplicity: 10 Impact: 4 Risk Rating: 7 278 Hacking Exposed: Network Security Secrets and Solutions The userlist. userinfo, userdump, finger, bindery, bindin, nlist, and cx provide bindery information. Tools like 268 Hacking Exposed: Network Security Secrets and Solutions On-Site offer NDS tree enumeration. Together. such as file servers, users, and groups, but bindin has a more organized interface. Like bindery, bindin will provide 270 Hacking Exposed: Network Security Secrets and Solutions group members as