Bugtraq mailing list archives
Netware 4.x Attack Tool Announcement
From: thegnome () NMRC ORG (Simple Nomad)
Date: Mon, 13 Jul 1998 12:40:46 -0500
On July 15, 1998 the Nomad Mobile Research Centre will release the DOS version of Pandora v3.0, a set of Novell Netware 4.x attack tools. These tools will provide the following functions: - User and password hash extraction from Netware Directory Services (NDS). - Brute force and dictionary attacking of the password hashes. - Client-based attacks. - The Pandora Toolkit API, including documentation. - Full source code. - Packet Signature defeating and bypassing. This last element is probably the most interesting, as Novell's Packet Signature has been around for around seven years. New techniques developed by NMRC allow exploitation of weaknesses in the packet signing scheme, and in some cases allow packet signing to be completely bypassed. This has SERIOUS ramifications in every shop running a modern Netware server, including the current shipping version 4.11. Some of the client attack tools even work with Netware 5 betas 2 and 3. Tha main exploit we came up with was a series of IPX spoofing techniques that allow a client to gain Admin privileges on a Netware server even if the highest level of Packet Signature has been set. We suspect that the ONLY configurations that are 100% protected are those user locations using the full C2 configuration of Netware that uses the special encrypting Ethernet cards, although we were unable to test this. A white paper entitled "NCP: Netware Cries Pandora" (named in the style of Hobbit's CIFS: Common Insecurities Fail Scrutiny) has been released and is included with Pandora. The white paper is also online at the NMRC web site. This white paper explains some of these new exploits, how they work, and what to do to try and secure a Netware system. Still under development are Linux versions that use the IPX connectivity tools available for Linux, and a GUI for Windows 95/NT and X to simplify usage. These tools are expected to be released within the next few weeks. Novell was first contacted about these problems mid June. While our white paper does outline a few pre-emptive things that can be done, it is unclear from Novell exactly what patch revisions for what Netware versions fix what. Hopefully Novell will be a bit more forthcoming regarding their approach to announcing security fixes, as information that matches specific patches up to specific security problems is non-existent. All we can safely say is that according to Novell, patches exist for SOME of the new exploits. The Pandora homepage is located at http://www.nmrc.org/pandora/ .o. Simple Nomad .oOo. Data warrior, knowledge hunter/gatherer www.nmrc.org .oOo. thegnome () nmrc org .o.
Current thread:
- Re: Remote count.cgi exploit mods, (continued)
- Re: Remote count.cgi exploit mods Gus (Jul 11)
- Re: Forwared to me Raymond Medeiros (Jul 09)
- socks5 1.0r5 buffer overflow.. Zach Brown (Jul 10)
- Re: Forwared to me Toomas Soome (Jul 10)
- Re: Forwared to me Michael H. Warfield (Jul 13)
- Re: Forwared to me Raymond Medeiros (Jul 13)
- Re: Forwared to me Toomas Soome (Jul 13)
- Re: Forwared to me Michael H. Warfield (Jul 13)
- Re: Forwared to me Jason Downs (Jul 13)
- Re: Forwared to me Illuminatus Primus (Jul 13)
- Netware 4.x Attack Tool Announcement Simple Nomad (Jul 13)
- Re: ncurses 4.1 security bug Pavel Kankovsky (Jul 09)
- Re: ncurses 4.1 security bug Warner Losh (Jul 10)
- inetd can leak file descriptors +FIX Jeff Forys (Jul 14)
- Re: ncurses 4.1 security bug Alexander Kjeldaas (Jul 15)
- Re: ncurses 4.1 security bug David Schwartz (Jul 11)
- Re: ncurses 4.1 security bug Geoffrey KEATING (Jul 14)