💾 Archived View for spam.works › mirrors › textfiles › hacking › novhack.txt captured on 2023-06-14 at 16:54:48.
-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-
              \ /
    -$- Having Phun With Novell -$-
              / \
-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-

        Brought 2 U by: Lord Foul/Decay
               13th July, 1991

Ok, so you have a Novell network at skool or at work, and you would like the
supervisor account? But shit you say, Novell's security is as water tight as a
frog's arse. Well my friend, just read on and you will soon be logging on with
the supervisor account.

I will briefly explain some Netware concepts in regard to security, so if
you're an experienced Novell user or supervisor then just skip this bit and
stop complaining, ok?

Netware (in this text I refer mainly to V3.11) has some very advanced security
features such as intruder lockout, which causes some problems when you run
sequential password hackers: namely, after x attempts at the password the user
is locked out for a specified period, or the workstation locks up [which kinda
fucks up remote dial-ups].

Netware security consists mainly of a user or group being assigned "trustee
rights" to a given subdirectory or file. These rights consist of 8 attributes;
in 3.11 these are:

Directory Rights:

  Control general access to the directory, its files and subdirectories. When
  granted at the directory level, the rights apply to all the files and
  subdirectories in that directory unless redefined at the file or
  subdirectory level. When assigned to a directory, the rights have the
  following effects:

  S - Supervisory: Grants all rights to the directory, its files, and its
      subdirectories. The Supervisory right overrides any restrictions placed
      on subdirectories or files with an Inherited Rights Mask. Users who have
      this right in a directory can grant other users the Supervisory right to
      the directory, its files, and its subdirectories. Once the Supervisory
      right has been granted, it can only be revoked from the directory to
      which it was granted. It cannot be revoked in a file or subdirectory.

  R - Read: Grants the right to open files in a directory and read their
      contents or run the programs.

  W - Write: Grants the right to open and modify files.

  C - Create: Grants the right to create files and subdirectories in the
      directory.

  E - Erase: Grants the right to delete a directory, its files, its
      subdirectories and its subdirectory files.

  M - Modify: Grants the right to change directory and file attributes. Also
      grants the right to rename files, the directory and its subdirectories.
      This right does not grant the right to modify the contents of a file.

  F - File Scan: Grants the right to see directory files.

  A - Access Control: Grants the right to modify a directory's or a file's
      trustee assignments and Inherited Rights Mask. Users can also modify
      file trustee assignments and Inherited Rights Masks. Users can grant any
      right (except Supervisory) to any other user, including rights that they
      themselves have not been granted.

Commands used to grant or modify a directory trustee assignment are FILER,
GRANT, REMOVE, REVOKE and SYSCON.

To view your current effective rights in your current directory use FILER,
RIGHTS or WHOAMI.

Some other useful commands:

  SLIST:    Display list of servers currently attached
  USERLIST: Display list of users currently logged in

For the purposes of brevity I am not going to go any further than this on
security concepts; if you require any further info then read the Netware
reference manuals [yes, all 20 or so of them hahaha]. If there are enough
people who want it I might write a more detailed explanation of Netware
security and how to use and abuse it etc. Kinda like a Netware bible. If you
want to see something like this then drop me a line.

Obtaining the supervisor password:
==================================

Ok, now this method will work on EVERY Novell network, any version, but there
is a small problem: you need to get physical access to the file server(s) you
wish to gain supervisor access on. This should not be too hard as most places
do not lock their file server up.

This process could take a while and will require the file server to be down,
so make sure that you are doing it when no one else will be logging on, and
that you won't get caught (I'm sure if you're elite enough to be wanting to do
this then you'll figure out some ways of doing this; one possibility is to
make an exact copy of the file server you are going to work with and hang the
copy on the network and down the target. What, you can't do this? Sheeez).

Probably the best thing to do, if your target site is a multi-server site, is
to select the server that is the least used and easiest to get to, because the
supervisor is likely to use the same password on all file servers.

Before you down the server (type "DOWN" from the console), format a bootable
DOS disk in whatever disk type the target server has and copy the DISKED.EXE
file included with this archive onto the bootable DOS disk.

Bring the server down and boot off the DOS disk. After DOS loads, run DISKED.
We are looking for the files NET$BIND.SYS and NET$BVAL.SYS.

Type r32 at the ">" prompt to read sector 32, then type d to display the
sector. Keep viewing each sector in sequence, ie 33, 34 etc, alternating the
read and display commands until you see one or both of these two files. Keep
track of the number of the current sector you are displaying. It is possible,
although unlikely, that these files are not in the same sector.

Assuming they are in the same sector, once you find the files, identify the
starting offset address of the first letter of the NET$BIND.SYS file (the
letter "N"). Using the Change command, change it from 4E to 4F. Its character
representation is now the letter "O". (Use H or ? or whatever it is in DISKED
for help on its internal commands.)

Repeat these steps for the NET$BVAL.SYS file if it exists in the same sector
as NET$BIND.SYS, otherwise continue.

Next you will change the file attribute for each file. Eg, let's say the 4E
you changed was the third character in the sample line below:

  00E0 00 02 4E etc etc

Directly under it will be a line similar to the following:

  00f0 26 00 00 etc etc

Use the Change command to change the attribute from "26" to "20". Change this
byte for both files. When you are done, be sure to enter a "." to indicate you
have no more changes.

When you are finished changing the sector, use the Write command to write the
changes to the drive, eg:

  >w36

WARNING: Writing to the wrong sector can really fuck things up, so make sure
you get this right!

If NET$BVAL is in a different sector, repeat the above steps for this file,
then when you're finished, type "q" to exit to DOS.

Now, reboot the file server. NET$OS looks for the binderies and doesn't find
them; it will then create some new ones.

Now go to a workstation and log on as Supervisor; as it's a new bindery there
will be no supervisor password. Change to the SYS:SYSTEM directory.

Type SHOWFILE oet$b*.* to make the old bindery visible.

Type DEL *.OLD, then rename the oet$b*.* files to net$b*.OLD, ie you should
now have NET$BIND.SYS and NET$BVAL.SYS, which are your new, empty binderies,
and NET$BIND.OLD and NET$BVAL.OLD, which are your original binderies.

Type BINDREST. This restores the bindery files you renamed in DISKED to their
original status and all prior users will be restored. So now you don't know
the supervisor password, because you just restored the system to the way it
was. BUT: you are currently logged on as supervisor, so type SYSCON and either
change the supervisor password [this will cause a stir] or, if you want to
remain unseen, create a user and give him security equivalence to SUPERVISOR
[just hit INS on the list of users in SYSCON to create a user, then select
security equivalence, and hit INS and select SUPERVISOR]. The best account to
give SUPERVISOR rights to is GUEST, but make sure you assign a password to
GUEST!

That's it, repeat for further file servers if desired.

If you want any further info on Novell shit or know any cool shit about Novell
or want to ask me about something then I can be contacted on Zer0 City:

  Zer0 City  Decay WHQ
  2400:  +61-2-361-4748
  HST:   +61-2-361-4750
  Sysop: Lord Foul/Decay
  Co:    RokStar/Decay

NOTE: I take NO RESPONSIBILITY for the contents of this file. I suggest you do
not try this unless you have a good understanding of Netware, as your boss
will hit the roof if you destroy a file server. If you do this then it's your
bad luck! I suggest setting up a V3.11 server at home and trying it on that
first.

Latz

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This has been a DECAY production 1991. All rights reserved.
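Added example, not code from this textfile and not Novell's own: a small Python
model of the trustee rights described in the security concepts section above.
It encodes the rules the text states: rights granted at a directory flow down
unless redefined lower, an Inherited Rights Mask filters inherited rights,
Supervisory passes through any mask and cannot be revoked below the directory
where it was granted, and an Access Control holder can grant any right except
Supervisory, including rights they do not themselves hold. It also carries a
supervisor_equivalents() audit, which is the check a supervisor should run in
SYSCON after reading the last step of the procedure above: list every account
that is security-equivalent to SUPERVISOR. The "SYS/PUBLIC/DOC" path syntax,
the one-level equivalence lookup, the Volume class and the sample volume are
assumptions of this example, not NetWare internals.

```python
"""Toy model of NetWare 3.11 directory trustee rights (added example).

Not Novell's implementation and not from the original textfile. Encodes the
rules stated in the text: inheritance down the tree unless redefined, the
Inherited Rights Mask (IRM) filtering inherited rights, Supervisory (S)
passing through any IRM and not being revocable below its grant point, and
Access Control (A) allowing grants of any right except S. Path syntax, the
one-level security equivalence lookup and the audit helper are assumptions.
"""
from __future__ import annotations

ALL_RIGHTS = frozenset("SRWCEMFA")


class Volume:
    def __init__(self) -> None:
        # path -> {trustee name: rights}: explicit trustee assignments
        self.trustees: dict[str, dict[str, frozenset[str]]] = {}
        # path -> rights that may be inherited into that directory (default: all)
        self.irm: dict[str, frozenset[str]] = {}
        # user -> names whose explicit assignments the user also receives
        self.equivalences: dict[str, set[str]] = {}

    def assign(self, path: str, name: str, rights: str) -> None:
        self.trustees.setdefault(path, {})[name] = frozenset(rights)

    def set_irm(self, path: str, rights: str) -> None:
        self.irm[path] = frozenset(rights)

    def add_equivalence(self, user: str, other: str) -> None:
        self.equivalences.setdefault(user, set()).add(other)

    def _rights_for(self, name: str, path: str) -> frozenset[str]:
        """Rights one trustee name holds at `path`, walking down from the volume."""
        rights: frozenset[str] = frozenset()
        current = ""
        for part in path.split("/"):
            current = f"{current}/{part}" if current else part
            if "S" in rights:
                # S granted above: neither an IRM nor a lower assignment removes it
                continue
            explicit = self.trustees.get(current, {}).get(name)
            if explicit is not None:
                rights = explicit                              # redefined here
            else:
                rights &= self.irm.get(current, ALL_RIGHTS)   # inherited, masked
        return rights

    def effective_rights(self, user: str, path: str) -> frozenset[str]:
        """Union of the user's own rights and those of its security equivalences."""
        names = {user} | self.equivalences.get(user, set())
        rights = frozenset().union(*(self._rights_for(n, path) for n in names))
        return ALL_RIGHTS if "S" in rights else rights

    def can_grant(self, grantor: str, path: str, rights: str) -> bool:
        """Whether `grantor` may hand out `rights` at `path` to another user."""
        held = self.effective_rights(grantor, path)
        if "S" in held:
            return True                   # S holders may grant anything, S included
        if "A" in held:
            return "S" not in rights      # A grants any right except S, even unheld ones
        return False

    def supervisor_equivalents(self) -> list[str]:
        """Accounts security-equivalent to SUPERVISOR: the thing to audit in SYSCON."""
        return sorted(u for u, eq in self.equivalences.items() if "SUPERVISOR" in eq)


def build_sample_volume() -> Volume:
    """Constructed sample: a plain SYS volume plus a GUEST made equivalent to SUPERVISOR."""
    v = Volume()
    v.assign("SYS", "SUPERVISOR", "S")
    v.assign("SYS/PUBLIC", "EVERYONE", "RF")
    v.set_irm("SYS/PUBLIC/PRIVATE", "")         # nothing inherits into PRIVATE
    v.assign("SYS/HOME/BOB", "BOB", "RWCEMFA")
    v.add_equivalence("BOB", "EVERYONE")
    v.add_equivalence("GUEST", "SUPERVISOR")    # the hidden equivalence the text describes
    return v


if __name__ == "__main__":
    v = build_sample_volume()
    for user, path in [("BOB", "SYS/PUBLIC"), ("BOB", "SYS/PUBLIC/PRIVATE"),
                       ("GUEST", "SYS/PUBLIC/PRIVATE"), ("BOB", "SYS/HOME/BOB")]:
        print(f"{user:10} {path:20} {''.join(sorted(v.effective_rights(user, path)))}")
    print("accounts equivalent to SUPERVISOR:", v.supervisor_equivalents())
```

The point the model makes is the one the textfile relies on at the end: nothing
in the rights model stops an account that is merely equivalent to SUPERVISOR
from holding every right everywhere, and no trustee listing on a directory will
show it. Reviewing security equivalences in SYSCON, not just trustee
assignments, is what surfaces it.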