This section deals with Netware passwords.
Contrary to not-so-popular belief, access to the password file in Netware is not like Unix - the password file isn't in the open. All objects and their properties are kept in the bindery files on 2.x and 3.x, and in the NDS database on 4.x. An example of an object might be a printer, a group, an individual's account, etc. An example of an object's properties might be an account's password or full user name, or a group's member list or full name. The bindery files' attributes (or flags) in 2.x and 3.x are Hidden and System, and the files are located on the SYS: volume in the SYSTEM subdirectory. Their names are as follows:
Netware version   File Names
---------------   ----------
2.x               NET$BIND.SYS, NET$BVAL.SYS
3.x               NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS
NET$BVAL.SYS and NET$VAL.SYS are where the passwords are actually located in 2.x and 3.x respectively.
In Netware 4.x, the files are located in a different location on the SYS: volume. It is a hidden directory called _NETWARE. In this directory are located the NDS files, license files, and a number of other system-related files such as login scripts and auditing files.
File            What it is
--------------  --------------------------
VALUE.NDS       Object and property values
BLOCK.NDS       Extended property values
ENTRY.NDS       Object and property types
PARTITIO.NDS    NDS partition info (replication info, etc.)
MLS.000         License file
VALINCEN.DAT    License validation
To view the hidden SYS:_NETWARE directory, you can try to use RCONSOLE and the Scan Directory option, although later versions of Netware 4.x have patched this (starting with 410pt3). Here is another way to view these files, and potentially edit them. After installing NW4 on a NW3 volume, reboot the server with a 3.x SERVER.EXE. On volume SYS will be the _NETWARE directory. SYS:_NETWARE is hidden better on 4.1 than 4.0x, but in pre-410pt3 patched 4.1 you can still see the files by scanning directory entry numbers using NCP calls (you need the APIs for this) using function 0x17 subfunction 0xF3.
Using JCMD.NLM, it is possible to access SYS:_NETWARE, and do many fun things, like copy NDS, etc. But what hackers have asked for is a way to access this directory WITHOUT uploading an NLM via RCONSOLE. You can try using NETBASIC.NLM (see the Netware Console Attacks section for details), and actually copy NDS files to a directory you can access (like SYS:PUBLIC).
A Novell proprietary algorithm takes the password, and produces a 16 byte hash. This algorithm is the same for versions 3.x and 4.x of Netware. The algorithm is also inside the LOGIN.EXE file used by the client when logging in. The details of the algorithm itself can be found in the CRYPT.TXT file included with Pandora (see http://www.nmrc.org/pandora/index.html for details).
The 16 byte hash is stored within the bindery files in Netware 3.x and in NDS in Netware 4.x. Since the object ID is used in the algorithm, it adds the equivalent of a salt. This, along with the fact that the password length plays into the algorithm, increases the overhead of cracking multiple passwords at once. Fortunately for the cracker, both the object ID and the password length are stored with the hash, and the fact that lower case letters are converted to upper case before the hash is generated simplifies the process slightly. Password crackers can brute force a little easier since they can eliminate trying lower case letters and concentrate on a particular password length.
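To make the properties described above concrete, here is an added toy model that is not from the FAQ and is NOT Novell's proprietary algorithm (SHA-256 stands in for it; the real one is in Pandora's CRYPT.TXT). It only mirrors what the text states: the object ID and password length feed the hash like a salt, the password is folded to upper case first, and all three values sit together in the stored record, which is why a known length and case-folded alphabet shrink the search space. The object ID values and passwords are constructed sample data.

```python
import hashlib


def normalize(password: str) -> bytes:
    # NetWare folds lower case to upper case before hashing, so
    # "Secret" and "SECRET" hash identically (per the FAQ text).
    return password.upper().encode("ascii")


def toy_netware_hash(object_id: int, password: str) -> bytes:
    """Stand-in model using SHA-256, not Novell's algorithm. The object ID
    and the password length are mixed in like a salt, as the FAQ describes,
    and the result is truncated to 16 bytes like the real hash."""
    pw = normalize(password)
    salted = object_id.to_bytes(4, "big") + bytes([len(pw)]) + pw
    return hashlib.sha256(salted).digest()[:16]


def stored_record(object_id: int, password: str) -> dict:
    # What the bindery/NDS keeps side by side: ID, length and hash. An
    # attacker who reads the record gets the "salt" and the length for free.
    pw = normalize(password)
    return {"object_id": object_id, "length": len(pw),
            "hash": toy_netware_hash(object_id, password)}


def candidate_space(length: int, case_folded: bool = True) -> int:
    # Alphabetic guesses for one known length: 26 letters once case is
    # folded away, 52 if case had been preserved.
    return (26 if case_folded else 52) ** length


def guesses_without_length(max_len: int, case_folded: bool = True) -> int:
    # Without the stored length the attacker must sum over every length.
    return sum(candidate_space(n, case_folded) for n in range(1, max_len + 1))


if __name__ == "__main__":
    a = stored_record(0x01000001, "Secret")   # constructed object ID
    b = stored_record(0x02000002, "Secret")   # same password, other object
    print("same password, different object, same hash?", a["hash"] == b["hash"])
    print("known length 6, case folded:", candidate_space(6))
    print("length unknown up to 8, case kept:", guesses_without_length(8, False))
```

Running it shows that one password yields different hashes under different object IDs (so each account is attacked separately), while the stored length and case folding cut the candidate count for a single account by orders of magnitude.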
Because of the complexity of the algorithm, using it the way it was designed is somewhat slow for cracking, especially by brute force. However, the algorithm can be mathematically improved, and in fact WAS improved and optimized just for cracking purposes. See Jitsu-Disk's document CRYPT.TXT, included with Pandora, which details this. The optimized version is dozens of times faster than Novell's original code. Brute force is still slow work with Netware, though, so only use it as a last resort, and only if you have a LOT of time.
This is especially true with regards to the brute force crackers that attack from the client. Since you are dealing with the network itself, expect AT BEST about a password attempt a second from most network cracking utilities.
With Pandora v2.0 you have the fastest dictionary cracking available. And if you must attack from a client, make sure the cracker you are using does dictionary attacks.
For Netware 3.x systems, consider using Al Grant's Bindery tool.
The best way for a Sys Admin to prevent Netware password hash extraction is to at least try the following:
You see, once the server has been compromised, sometimes not even completely, there will be NOTHING to stop unwanted password recovery. Hackers, just do the opposite of the above items and you'll be fine ;-)