RE: Escalating from Netware box

["Jerry Shenk" <jshenk () decommunications com>]

I'll swap ya info for the script;)

/system/autoexec.ncf - You already have that...it might have an rconsole
password in plain text (load rconsole password) or an rconj password
(load rconj password port .....).  You should study that file...it tells
you a lot about what's running on the box.
/etc/netinfo.cfg - rconsole could be loading from there and the password
may be there.  Telnet access (XCONSOLE) may also be enabled in there.
/system/abend.log, sys$log.err, dsrepair.log, 

The /etc/console.log file is locked when the server is running so you
may not be able to view the whole thing.

Are you able to view a directory?  You might look for /system/dsr_dib -
a backup of the NDS.

I think you're gonna have a tough time using the Netware box to launch
an attack on something else since there really isn't a "command prompt"
in the same sense that there is on a Linux of DOS/NT-based OS

Along the lines of "display ipx servers" is a more recent "list slp das"
and "list slp devices".

-----Original Message-----
From: McKenna Henage [mailto:mckennage () hotmail com] 
Sent: Wednesday, August 11, 2004 8:27 PM
To: pen-test () securityfocus com
Subject: Escalating from Netware box


I'm wrapping up a pen-test and I've gained access to a 
NetWare-Enterprise-Web-Server/5.1 box through the ability to run Perl 
commands using specially crafted URLs (e.g., 
"perl/-e%20system(%22dir%22);"). I wrote a program in Perl that crafts
the 
URLs to allow me to easily read any file on the server, write to any
file, 
or execute any command. However, without any Novell experience (I am a
MS 
and Linux guy), I am unable to escalate to the point of being able to
attack 
other systems on the client's network.

Any suggestions for ways I can use this Netware box to further exploit
their 
networks would be very much appreciated. In particular, I'm interested
in 
discovering what other devices are on their network (since I can only
see 
their Netware box from the Internet), performing port scans,
vulnerability 
scans, etc. I need to be nice to the server since it is in production,
so 
I'm trying not to experiment too much on their machine and risk bringing
it 
down (already crashed it once!).

I've already done some research on Netware, including listening to RFP's

Black Hat talk on Netware, and reading the "Novell Hacking FAQ"
available on 
the web. Unfortunately most resources I've found refer to Netware 2.x,
3.x, 
and 4.x. Here is what I've been able to gain so far, thanks to having 
partial access to files on the system using directory traversal:

-Internal IP address
-IPX servers (running the command "display ipx servers")
-See unencrypted passwords in /system/autoexec.ncf and /etc/netinfo.cfg
(and 
to crack a password in /Novonyx/suitespot/admin-serv/config/ADMPW)
-Successfully ping out to a device on the Internet (unfortunately it
appears 
to be continuous, because I wasn't able to stop it)
-.and pretty much anything else that is in a file, or almost any command

I have run into some limits:

-Any request I make (to read/write a file or execute a command) is
limited 
in character length, hampering my ability to execute an elaborate Perl 
program on the box or even to read some files that are too far down the 
directory tree
-Haven't found a way to send some characters such as " and ', even after

trying everything I could think of (encoding, double encoding, etc.).
Wish I 
could do that because then I could essentially start writing a new Perl 
script to their machine and overcome the character limitation just 
mentioned, and potentially find a way to upload a Perl port scanner of
some 
sort.
-An inability to correctly view all files. Since I'm getting the files
fed 
back in a web browser, I can sometimes only see the first parts of a
file 
(up to 500K or so), and have trouble downloading binaries.
-An inability to see the entire results of a command run on the system.
I 
can run a command, but then to see the results I have to open 
/etc/console.log and read the last few lines (so I can't always see the 
entire results, because it appears to be cut off in the log).
-I don't even know how to download files to the Netware box. I have been

unable to determine if it has a HTTP or FTP client I can use to pull
down a 
trojan/backdoor program, netcat, or anything else.
-Some blockage at the firewall (?). For example, I tried loading the
remote 
console and then accessing it remotely, but it appears to be blocked at
the 
firewall since I can't get in. If it were a Linux/Unix/Windows box then
I'd 
know how to download a SSH client and reverse-tunnel a connection out 
through the firewall, but I'm clueless on Netware.

Thanks in advance for any suggestions you can provide in the next couple

days.

Beme Lee

_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from McAfeeR 
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963