Fun With Novell

by Cronicl3  (cronicl3@gmail.com)

My school uses a Novell NetWare network and manages its users with GroupWise.

I'd been trying for the past two years to somehow attain network passes.  However, Novell's password database is quite secure.  The main user/pass database on the server is encrypted with some ridiculous RSA encryption and is nearly impossible to get to.

However, when users login, their passwords are stored in Windows XP's Security Account Manager (SAM) files.  That sounds like a good target.

As many of you probably know, there are several programs out there for "extracting" this data.  One of them is the ever-infamous PWDUMP.  It has several versions (PWDUMP, PWDUMP2... all the way through PWDUMP7).

All of these variations use the DLL injection method (SAMDUMP.DLL) under the LSASS.EXE process.  Unfortunately, many of these programs no longer work (and usually crash the machine) because of the various patches and service packs.

Even more so, our admins thought they were secure with SYSKEY on the machines, which encrypts the hashes.  A tricked-out version of PWDUMP2 (originally written to run under NT4) that I found seemed to do the trick.

You can locate this version of PWDUMP2 and several others at www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003.

Run PWDUMP2 through the command prompt and voilà!  The usernames and NTLM hashes for all the users that have ever logged on to the machine through Novell!  (Mind you, our school ghosts all the machines twice a year, so it's only the users that have logged on since the last ghosting).

Running these passes through L0phtCrack or another pass-cracking program (I like John the Ripper) will give you most of the passes within a few minutes.  Some of the "tougher" ones will take a few hours.

Inevitably our sysadmins have logged onto 90 percent of our school's machines themselves, so guess who runs our network now?  NetWare administrator, GroupWise managers, grading programs, all at my fingertips.
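The two facts the article relies on, that PWDUMP-style tools write one `user:rid:lm_hash:nt_hash:::` record per account and that every admin logon leaves such a record behind on the workstation, are exactly what an auditor can measure from the defender's side. The following Python is an added example, not code from the article or from any PWDUMP tool: it parses that record format, flags accounts whose LM hash is still stored (the weak format the cracking tools mentioned above eat quickly) or whose password is empty, and reports which accounts have a usable hash cached on more than one machine, which is how an admin account ends up exposed on 90 percent of a school's PCs. The host names and hash values are constructed placeholders; the two "no hash stored" constants are the well-known empty-LM and empty-NT values.

```python
import re
from collections import defaultdict

# Classic pwdump record: user:rid:lm_hash:nt_hash:::  (the format PWDUMP writes
# and John the Ripper / L0phtCrack read). Newer tools sometimes put text such as
# "NO PASSWORD***" in the hash fields, so the fields are matched loosely and
# validated afterwards.
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[^:]*):::$")

# Well-known values meaning "nothing stored here" (not constructed).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty/disabled LM password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def _is_hash(value):
    """True if value is a 32-character hex string (i.e. a real LM or NT hash)."""
    v = value.lower()
    return len(v) == 32 and all(c in "0123456789abcdef" for c in v)


def parse_pwdump_line(line):
    """Return a dict for one pwdump record, or None for anything else (blank, header, junk)."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rid"] = int(rec["rid"])
    rec["lm"] = rec["lm"].lower()
    rec["nt"] = rec["nt"].lower()
    return rec


def audit_host_dump(hostname, text):
    """Flag weak storage in one machine's dump: LM hashes present, or empty passwords."""
    findings = []
    for line in text.splitlines():
        rec = parse_pwdump_line(line)
        if rec is None:
            continue
        if _is_hash(rec["lm"]) and rec["lm"] != EMPTY_LM:
            findings.append((hostname, rec["user"], "LM hash present"))
        if rec["nt"] == EMPTY_NT:
            findings.append((hostname, rec["user"], "empty password"))
    return findings


def accounts_across_hosts(dumps):
    """dumps: {hostname: pwdump text}. Map each account to the sorted list of hosts
    on which a usable NT hash for it is cached; accounts with len > 1 are the ones
    whose owner logged on interactively to several machines."""
    seen = defaultdict(set)
    for host, text in dumps.items():
        for line in text.splitlines():
            rec = parse_pwdump_line(line)
            if rec and _is_hash(rec["nt"]) and rec["nt"] != EMPTY_NT:
                seen[rec["user"]].add(host)
    return {user: sorted(hosts) for user, hosts in seen.items()}


# Constructed sample dumps from two hypothetical lab machines. The 32-digit
# repeated-digit strings stand in for real hashes; they are not hashes of anything.
SAMPLE_DUMPS = {
    "lab-pc-01": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::\n"
        "student1:1001:22222222222222222222222222222222:33333333333333333333333333333333:::\n"
    ),
    "lab-pc-02": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::\n"
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    ),
}

if __name__ == "__main__":
    for host, text in SAMPLE_DUMPS.items():
        for finding in audit_host_dump(host, text):
            print("weak storage:", finding)
    for user, hosts in accounts_across_hosts(SAMPLE_DUMPS).items():
        if len(hosts) > 1:
            print(f"{user} has a cached hash on {len(hosts)} machines: {hosts}")
```

Run against real dumps collected with an administrator's authorisation, the cross-host report is the one that matters: an account listed on many workstations is one whose holder should stop logging on to them with a privileged account (and whose password should be changed once LM storage is disabled).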

However, not being a "cracker" (a.k.a. the bad rep that all "hackers" are given), I have not abused this privilege, although the amount of power I have is truly amazing, having full read/write access to our file server, our web server, and both our backup servers.

After several days of exploring, I realized that it must have slipped my mind that I had access to all staff email.  Why not take a peek, right?   As it turns out, perhaps some things are best left undiscovered.

Apparently, as Moebius Strip also discovered in his article in 23:2, interoffice romances do occur quite often.

As I'm sure you can imagine, all of this new power I had in my hands was such an insane rush and it was quite hard to keep myself from sharing it with everyone I knew.  I knew I had to, though, because, as I'd learned from previous ventures, however untraceable you can make yourself or how perfectly you execute your plan, it's always the people you tell that get you caught.

Interestingly enough, one of our sysadmins seems to condemn the use of Firefox (or any alternative browser for that matter), which is odd because I've met many die-hards for Firefox, Opera, or whatever other browser, but I've never met a die-hard IE fan.

Guess there's a first for everything.  As an April Fool's Day joke, I made a little addition to the login scripts that removes IE from the Novell Directory Services (NDS) "Novell-Delivered Applications" window and adds Firefox to it instead.  Both of our admins, who are less-than-intelligent, still haven't figured it out.

Another popular thing that kids fool around with on our network is NWSend, which is like instant messaging through Novell on the intranet.

It's included by Novell by default, but our admins have disabled it.  You can download it free from download.com, etc.  I'd think that if they'd just let the kids have it, the excitement would blow over after about a week and no one would care about it much anymore.

After all, through the program you can block messages from users, so teachers, etc., can block everyone and not be harassed.  I figured I would test this theory out, so I re-enabled NWSend through Novell and, to say the least, my theory wasn't quite right.

Maybe it didn't have enough time to mature, but I quite obviously failed to account for kids that have "skills," prime example being script-kiddies that run a program that floods the system with messages and crashes the network.

Our admins ferociously locked down the whole network and scurried about trying to figure out who re-enabled NWSend and looked through log files to see who maybe logged in or somehow got their privileges raised.

Of course they found nothing...  The only users that had logged in with admin privileges had been themselves, so they immediately began accusing each other and arguing, foul language being the primary vocabulary.  I love when dumb admins make themselves look even dumber.

On a final note, don't try these methods if you have a somewhat competent sysadmin (hahaha) who reviews the logs regularly.  However, if your case is like mine.... What's that I smell?  Could it be some badass pranking?  I think it is.
