This section deals with attacking at the Netware Console.
Before I start this section, let me recommend another solution, my God, ANY other solution is better than this! If you are running 3.x, jump to the end of this section.
The secret method is the method of using a DOS-based sector editor to edit the entry in the FAT, and reset the bindery to default upon server reboot. This gives you Supervisor and Guest with no passwords. The method was taught in case you lost Supervisor on a Netware 2.15 server and you had no supe equivalent accounts created. It also saves the server from a wipe and reboot in case the Supervisor account is corrupt, deleted, or trashed.
While you get a variety of answers from Novell about this technique, from it doesn't work to it is technically
impossible, truth be it it can be done. Here are the steps, as quoted from comp.os.netware.security, with my
comments in
But what happens if this password is lost and there's no user that is security-equivalent to the supervisor?
Fortunately, there is a very interesting way to gain complete access to a Netware server without knowing the Supervisor's (or Admin's) password. You may imagine that you would have to learn complex decryption techniques or even type in a long C program, but that's not the case. The trick is so simple and generic that it will work the same way for Netware 2.x, 3.x and 4.x.
The idea is to fool Netware to think that you have just installed the server and that no security system has been estabilished yet. Just after a Netware 2.x or 3.x server is installed, the Supervisor's password is null and you can log in with no restriction. Netware 4.x works slightly differently, but it also allows anyone to log in after the initial installation, since the installer is asked to enter a password for the Admin user.
But how can you make the server think it has just been installed without actually reinstalling the server and
losing all data on the disk? Simple. You just delete the files that contain the security system. In Netware 2.x, all
security information is stored in two files (NET$BIND.SYS and NET$BVAL.SYS). Netware 3.x stores that
information in three files (NET$OBJ.SYS, NET$VAL.SYS and NET$PROP.SYS). The all new Netware 4.x
system stores all login names and passwords in five different files (PARTITIO.NDS, BLOCK.NDS,
ENTRY.NDS, VALUE.NDS and UNINSTAL.NDS
One last question remains. How can we delete these files if we don't have access to the network, anyway? The answer is, again, simple. Altough the people from Novell did a very good job encrypting passwords, they let all directory information easy to find and change if you can access the server's disk directly, using common utilities like Norton's Disk Edit. Using this utility as an example, I'll give a step-by-step procedure to make these files vanish. All you need is a bootable DOS disk, Norton Utilities' Emergency Disk containing the DiskEdit program and some time near the server.
1. Boot the server and go to the DOS prompt. To do this, just let the network boot normally and then use the DOWN and EXIT commands. This procedure does not work on old Netware 2.x servers and in some installations where DOS has been removed from memory. In those cases, you'll have to use a DOS bootable disk.
2. Run Norton's DiskEdit utility from drive A:
3. Select "Tools" in the main menu and then select "Configuration". At the configuration window, uncheck the "Read-Only" checkbox. And be very careful with everything you type after this point.
4. Select "Object" and then "Drive". At the window, select the C: drive and make sure you check the button "physical drive". After that, you'll be looking at your physical disk and you be able to see (and change) everything on it.
5. Select "Tools" and then "Find". Here, you'll enter the name of the file you are trying to find. Use
"NET$BIND" for Netware 2, "NET$PROP.SYS" for Netware 3 and "PARTITIO.NDS" for Netware 4. It is
possible that you find these strings in a place that is not the Netware directory. If the file names are not all near
each other and proportionaly separated by some unreadable codes (at least 32 bytes between them), then you it's
not the place we are looking for. In that case, you'll have to keep searching by selecting "Tools" and then "Find
again".
6. You found the directory and you are ready to change it. Instead of deleting the files, you'll be renaming them. This will avoid problems with the directory structure (like lost FAT chains). Just type "OLD" over the existing "SYS" or "NDS" extension. Be extremely careful and don't change anything else.
7. Select "Tools" and then "Find again". Since Netware store the directory information in two different places, you have to find the other copy and change it the same way. This will again prevent directory structure problems.
8. Exit Norton Disk Edit and boot the server again. If you're running Netware 2 or 3, your server would be already accessible. Just go to any station and log in as user Supervisor. No password will be asked. If you're running Netware 4, there is one last step.
9. Load Netware 4 install utility (just type LOAD INSTALL at the console prompt) and select the options to install the Directory Services. You be prompted for the Admin password while doing this. After that, you may go to any station and log in as user Admin, using the password that you have selected.
What I did with Norton's Disk Edit could be done with any disk editing utility with a "Search" feature. This trick
has helped me save many network supervisors in the last years. I would just like to remind you that no one should
break into a netware server unless authorized to do it by the company that owns the server. But you problably
know that already.
I actually had this typed up but kept changing it, so I stole this quote from the newsgroup to save me retyping ;-)
Now the quicky for 3.x users. Use LASTHOPE.NLM, which renames the bindery and downs the server. Reboot and you have Supe and Guest, no password.
If you have two volumes or some unallocated disk space you can use this hack to get Supe. Of course you need physical access but it works. I got this from a post in comp.os.security.netware
- Dismount all volumes - Rename SYS: to SYSOLD: - Rename VOL1: (or what ever) to SYS: or create new SYS: on new disk - Reboot server - Mount SYS: and SYSOLD: - Attach to server as Supervisor (Note: login not available) - Rename SYSOLD:SYSTEM\NET$***.SYS to NET$****.OLD - Dismount volumes - Rename volume back to correct names - Reboot server - Login as Supervisor, no password due to new bindery - Run BINDREST - You are currently logged in as Supe, you can create a new user as Supe equiv and use this new user to reset Supe's password, whatever.
Starting with the Green River beta software, Novell licensed NETBASIC.NLM (actually, everything in the SYS:NETBASIC directory) from HiTecSoft, Inc. HiTecSoft is really cool -- it allows some sophisticated apps to be developed with a Visual-Basic-type environment, including NLMs without using Watcom's compiler and linker.
When you load up NETBASIC.NLM, you type "shell" and you get a DOS-styled shell. It is actually still an NLM, but the "commands" include DOS-like commands like cd, dir, copy, etc. So the trick is to simply "cd _NETWARE" and bingo -- you're in. At this point you can do all kinds of fun things. Remember, you can still use JCMD.NLM, but the point is that this is kind of "built in". Fun things to do include -
- Make copies of any of the files, including the license(s), NDS, login scripts, auditing files, etc. - Copy these files to SYS:LOGIN and you can copy them off the server WITHOUT logging in. - Copy off the license file (MLS.000) and play around with a hex editor. Copy up the modified file and name it MLS.001 and you've doubled your license count (bear in mind this is illegal). - Modify login scripts for fun, profit, and gaining extra rights. - Poke around with auditing files, even delete NET$AUDT.CAF and files with an extension of .$AF in case your auditor forgot their password.
Thanks to the members of SIC (Hardware, Cyberius, and Jungman) for discovering the NETBASIC hole, and pointing out all of the license info.