Netware 4.x Attack Tool Announcement
Date: Mon, 13 Jul 1998 12:40:46 -0500
From: Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@NETSPACE.ORG
Subject: Netware 4.x Attack Tool Announcement
On July 15, 1998 the Nomad Mobile Research Centre will release the DOS version
of Pandora v3.0, a set of Novell Netware 4.x attack tools. These tools will
provide the following functions:
- User and password hash extraction from Netware Directory Services (NDS).
- Brute force and dictionary attacking of the password hashes.
- Client-based attacks.
- The Pandora Toolkit API, including documentation.
- Full source code.
- Packet Signature defeating and bypassing.
This last element is probably the most interesting, as Novell's Packet
Signature has been around for around seven years. New techniques developed by
NMRC allow exploitation of weaknesses in the packet signing scheme, and in
some cases allow packet signing to be completely bypassed. This has SERIOUS
ramifications in every shop running a modern Netware server, including the
current shipping version 4.11. Some of the client attack tools even work with
Netware 5 betas 2 and 3. Tha main exploit we came up with was a series of
IPX spoofing techniques that allow a client to gain Admin privileges on a
Netware server even if the highest level of Packet Signature has been set.
We suspect that the ONLY configurations that are 100% protected are those user
locations using the full C2 configuration of Netware that uses the special
encrypting Ethernet cards, although we were unable to test this.
A white paper entitled "NCP: Netware Cries Pandora" (named in the style of
Hobbit's CIFS: Common Insecurities Fail Scrutiny) has been released and is
included with Pandora. The white paper is also online at the NMRC web site.
This white paper explains some of these new exploits, how they work, and what
to do to try and secure a Netware system.
Still under development are Linux versions that use the IPX connectivity tools
available for Linux, and a GUI for Windows 95/NT and X to simplify usage. These
tools are expected to be released within the next few weeks.
Novell was first contacted about these problems mid June. While our white paper
does outline a few pre-emptive things that can be done, it is unclear from
Novell exactly what patch revisions for what Netware versions fix what.
Hopefully Novell will be a bit more forthcoming regarding their approach to
announcing security fixes, as information that matches specific patches up to
specific security problems is non-existent. All we can safely say is that
according to Novell, patches exist for SOME of the new exploits.
The Pandora homepage is located at http://www.nmrc.org/pandora/
.o.
Simple Nomad .oOo. Data warrior, knowledge hunter/gatherer
www.nmrc.org .oOo. thegnome@nmrc.org
.o.