💾 Archived View for spam.works › mirrors › textfiles › hacking › novell.txt captured on 2023-06-14 at 16:54:47.
-=-=-=-=-=-=-
HACKING NOVELL LOCAL AREA NETWORKS
Fairfax County, Virginia
Pale Rider
(C) 1991

I wanted to share the information about hacking Novell networks that I have acquired. My knowledge comes from working for a company that installed and maintained Novell networks and from using Novell networks in High School.

There are two programs that I know of that are designed to get Novell passwords: one is a TSR password snagger, and the other is a password hacker.

1) The TSR password snagger is called GETIT.COM. It is available on Solsbury Hill in the file THIEFNOV.ZIP or GETIT.ZIP. GETIT.COM is a TSR that activates itself and records the keystrokes that are entered after the Novell LOGIN.EXE program is executed. It writes a hidden-system attribute file to the C: hard disk. This file can be viewed with the Norton (or any other) hex editor.

The program works well, but only starts recording keystrokes after "LOGIN" is executed, so the command line parameters (which are not entered after "LOGIN" is executed) will not be recorded. This means that if the user specifies their username on the command line (i.e. "LOGIN supervisor"<CR>), then the program will only capture the password entered, not the name, since the name was entered before GETIT.COM started recording the keystrokes. If someone just types "LOGIN" and hits return, they are prompted for a username and then their password, so both things will be snagged by GETIT.COM and written to the file. The source code for the program, which is in assembly language, is included in getit.zip.
There are three factors that must be true for the program to work and be successful:

   a) The workstation must have a local hard disk ("C:")

   b) The workstation must boot locally and not from the fileserver

   c) To match the password to a username, the workstation must either:

      1) Have users log in with no login command line parameters (by just typing "LOGIN") and then entering both their username and password when prompted for them

         -- or --

      2) Have users log in with or without command line parameters as long as you know who was sitting there at the time, or if the same person always uses that machine, since you will only have a password in the file written to the hard disk

2) The password hacker is called NETCRACK.ZIP and it is available on Solsbury Hill. This program uses repeated calls to the NetWare variable Verify_Password to try to hack out passwords. You just run the program and it sits there trying to get the password for the username you entered. I assume that the workstation that is running this program does not need to be logged in to the network under an account, but only needs to have run IPX.COM and NETx.EXE so that it sees the fileserver, but I am unsure.

In some experiments with this program, I (with the help of a cool teacher in whose room we ran it) created an account with the one letter password "A". The program hacked it out in about 10 minutes. When the password length was increased to two letters, it took about 30 minutes. We then tried to run the program to hack out the password of one of my friends, whose password was 5 letters long. We hacked for the password on an IBM PS/2 Model 80 386/20 for an entire weekend. We finally had to quit after something like 65 hours of hacking, still without the password. This program obviously works, but requires a