NetWare has been with us a long time. The first
version of NetWare was released in 1983. To put that in perspective, consider
this: MS-DOS had just emerged. Computer enthusiasts were dreaming about the
luxury of a 286 with 640KB RAM. It was less than 15 years ago, and when you
think of it in these terms, it doesn't seem so far away. However, measure that
14 years against the backdrop of the computer industry (which has now exploded).
Since that time, NetWare has undergone some major
changes. And, although it is not really secure in its out-of-the-box state,
NetWare has some substantial security features. Control of what services run on
what port is just as incisive in Novell as it is in UNIX. The system is, in
fact, nearly identical. For those of you who are considering stringing your
Novell network to the Net (which is now a popular practice), I suggest getting
some background in TCP/IP. Many excellent Ethernet administrators familiar with
IPX are less confident about their TCP/IP knowledge. This is where standards
really shine through and assist the administrator. TCP/IP is negotiated in a
similar fashion on almost every platform.
In NetWare, the file that governs your services is
SYS:ETC\SERVICES. This file contains a list of the services that you will be running
from your intranet out to the Internet at large. It is the equivalent of the
/etc/services file in UNIX. It is from this file that you pick and choose your
services, which may include TFTP, FTP, and Telnet. In this respect, a Novell
network running TCP/IP can be scanned in the same fashion as a UNIX box. The
SYS:ETC\SERVICES file is one to watch closely. Misconfigurations there can lead
to security problems.
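One practical way to "watch closely" is to audit the file mechanically. The following is an added example, not code from the book or from Novell: it parses a file in the /etc/services layout that the text says SYS:ETC\SERVICES mirrors (name, port/protocol, optional aliases and comments), and reports any active entry that is either absent from an approved list or names a protocol that carries passwords or files without authentication or encryption (Telnet, TFTP). The sample file, the approved set, and the risky set are constructed for the example and are policy choices, not Novell defaults.

```python
"""Audit a services file in the /etc/services layout, which the text describes
as the UNIX equivalent of SYS:ETC\\SERVICES.

Added example: the sample file, APPROVED and CLEARTEXT_OR_UNAUTHENTICATED are
constructed for illustration and are not NetWare's own data or defaults."""

import re
from dataclasses import dataclass

# Constructed sample in /etc/services layout: name port/protocol [aliases] [# comment]
SAMPLE_SERVICES = """\
# Constructed sample, not a real SYS:ETC\\SERVICES file
ftp      21/tcp
telnet   23/tcp
tftp     69/udp
http     80/tcp   www
# A commented-out entry should not count as active
#finger  79/tcp
"""

# Services this example's policy permits to be exposed (assumed).
APPROVED = {"ftp", "http"}
# Protocols that move credentials or files with no authentication or encryption.
CLEARTEXT_OR_UNAUTHENTICATED = {"telnet", "tftp"}

LINE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)(?P<rest>.*)$")


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str


def parse_services(text):
    """Return the active Service entries; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                           # tolerate malformed lines
        entries.append(Service(m["name"].lower(), int(m["port"]), m["proto"]))
    return entries


def audit(entries, approved=APPROVED, risky=CLEARTEXT_OR_UNAUTHENTICATED):
    """Return (service, reason) findings for every entry an administrator should review."""
    findings = []
    for svc in entries:
        if svc.name in risky:
            findings.append((svc, "cleartext or unauthenticated protocol"))
        elif svc.name not in approved:
            findings.append((svc, "not on the approved service list"))
    return findings


if __name__ == "__main__":
    for svc, reason in audit(parse_services(SAMPLE_SERVICES)):
        print(f"{svc.name:8} {svc.port}/{svc.proto}: {reason}")
```

Run against the real file, the output is a review list rather than a verdict: an entry flagged as "not on the approved service list" may be legitimate, but it should be there because someone decided so, not because it shipped that way.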
The discretionary access controls in NetWare are also
formidable. In fact, Novell's control of the system is quite granular. It
extends, for instance, to time-based restrictions. A user's access can be
restricted to certain hours of the day and certain days of the week. Users'
passwords are subjected to aging and there are at least rudimentary controls to
reject passwords that are either too short or those that have been used before.
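To make the three password controls concrete (minimum length, rejection of previously used passwords, and aging), here is an added example of how such a policy is typically enforced. It is not NetWare's code or algorithm: the hashing scheme (PBKDF2-HMAC-SHA256 from Python's hashlib, with a fresh random salt per stored entry), the history depth, the minimum length and the 90-day aging interval are all this example's own assumptions. Storing only salted hashes of old passwords lets the reuse check work without keeping the passwords themselves.

```python
"""Password policy enforcement of the kind the text attributes to NetWare:
minimum length, no reuse of remembered passwords, and aging.

Added example: MIN_LENGTH, HISTORY_DEPTH, MAX_AGE_DAYS and the PBKDF2 scheme
are assumed values for illustration, not NetWare's defaults or algorithm."""

import hashlib
import os
from datetime import date, timedelta

MIN_LENGTH = 8          # assumed policy value
HISTORY_DEPTH = 5       # assumed number of previous passwords remembered per user
MAX_AGE_DAYS = 90       # assumed aging interval


def _digest(password, salt):
    """Salted, iterated hash so the history never stores a usable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordPolicy:
    def __init__(self):
        self.history = {}   # user -> list of (salt, digest), most recent last
        self.changed = {}   # user -> date of the last successful change

    def _reused(self, user, candidate):
        return any(_digest(candidate, salt) == d
                   for salt, d in self.history.get(user, []))

    def check(self, user, candidate):
        """Return None if the candidate is acceptable, else the reason it is rejected."""
        if len(candidate) < MIN_LENGTH:
            return "too short"
        if self._reused(user, candidate):
            return "previously used"
        return None

    def set_password(self, user, candidate, today=None):
        """Apply the policy; on success record the new hash and change date."""
        reason = self.check(user, candidate)
        if reason:
            return reason
        salt = os.urandom(16)
        hist = self.history.setdefault(user, [])
        hist.append((salt, _digest(candidate, salt)))
        del hist[:-HISTORY_DEPTH]          # forget everything beyond the remembered window
        self.changed[user] = today or date.today()
        return None

    def expired(self, user, today=None):
        """True when the password is older than MAX_AGE_DAYS (or was never set)."""
        today = today or date.today()
        last = self.changed.get(user)
        return last is None or today - last > timedelta(days=MAX_AGE_DAYS)
```

A reuse check that keeps only the last few hashes is exactly the "rudimentary" control the text mentions: a user can cycle through HISTORY_DEPTH + 1 passwords to return to the original, which is why aging and history depth are usually set together.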
Control over directories and files is good. For
example, the following controls can be placed on directories:
• Delete inhibit--Files or directories marked with this attribute cannot be deleted by system users.
• Hidden--Files or directories marked with this attribute cannot be seen. (That is, if a user is snooping through a directory, he will not discover a directory or file so marked.) Also, any object marked with this attribute cannot be deleted or copied.
• Purge--This attribute causes a file to be purged, or obliterated from existence, upon deletion. In other words, when the supervisor deletes files marked with this attribute (or files within a directory marked with this attribute), the files cannot be restored.
The control that NetWare offers over files is even
more finely structured. In addition to being able to apply any of these
attributes to files, a Novell NetWare system administrator can also apply the
following:
• Read only--This restricts users from altering the files.
• Execute only--Marks a file as execute-only, meaning that it cannot be copied, backed up, or otherwise "taken away."
• Copy inhibit--Prevents Macintosh users from copying files.
These controls are impressive in an operating system.
A comparative analysis of Novell 3.x, for example, and Microsoft Windows for
Workgroups is instructive. Windows for Workgroups was an excellent platform on
which to establish a network. However, its security capabilities were
practically nonexistent. In contrast, Novell NetWare had advanced controls on
all elements of the system.
Here is an interesting bit of trivia: Using the Novell NetWare operating system, you can actually restrict the physical location at which a user can log in. That is, you can specify that John can only log in from his own station. If he proceeds to another computer, even just 6 feet away, he will be unable to log in. In order for you to do this, however, you must specify that all users are restricted in the same manner.
NetWare Security in General
NetWare has always been a platform that is attacked from within. That is, those on the internal network are usually the enemy. A wide variety of attacks are available if you are within close physical proximity of a NetWare server. Here are a few:
• Down the machine, access the disk, and alter the bindery. When this machine reboots, the operating system will examine the bindery. It will determine that a valid one does not exist. Based on this information, it will reconstruct a new default bindery. When it does, all previous password protection will no longer exist.
• Load one of several NetWare loadable modules (NLMs) that can (at least on 3.x and before) change, disable, or otherwise bypass the supervisor password.
• Attack the Rconsole password on earlier distributions of Novell. Reportedly, the algorithm used for the encryption of that password was poorly conceived. It is weak, and passwords so encrypted can be cracked quite easily.
Default Passwords
There is never a replacement for good system administration. The Webforce line of computers had a default login for the line printer. This login ID did not require a password. This is referred to as a passwordless account. Almost every network operating system has at least one account that already exists that does not require a password.
Spoofing
Spoofing is the act of using one machine to impersonate another by forging the other's "identity" or address. It is not a baseline skill with crackers. Either they know how to do it or they don't. The technique is talked about often because of its uniqueness. It is a method of breaking into a remote host without providing so much as a user ID or a password. For that reason, spoofing has developed a mystique on the Internet.
Spoofing in the NetWare environment is not impossible; it is just difficult. Most crackers advise that you can change the hardware address in the NET.CFG file. However, it might not be as easy as this.
Cracking Tools
The following sections describe tools. Some were written by individuals who wanted to better network security. Others were written by crackers. All of them share one thing in common: They can be used to crack a Novell site.
Getit
Reportedly written by students at George Washington High School in Denver, Colorado, Getit is designed to capture passwords on a Novell network. The program was written in assembly language and is therefore quite small. This tool is triggered by any instance of the LOGIN.EXE application used in Novell to authenticate and begin a login session on a workstation. Technically, because of the way Getit works, it can be marginally qualified as a sniffer. It works directly at the operating system level, intercepting (and triggering on) calls to Interrupt 21h. It's probably the best-known NetWare hacking tool ever created.
Burglar
Burglar is a somewhat dubious utility. It can only be used where an individual has physical access to the NetWare file server. It is an NLM, or a loadable module. Most of Novell NetWare's programs executed at the server are loadable modules. (This includes everything from the system monitor to simple applications such as editors.) The utility is usually stored on a floppy disk. The attacker sometimes has to reboot the server. Providing that the attacker can reach the Novell server prompt (without encountering any password-protected programs along the way), the utility is then loaded into memory. This results in the establishment of an account with supervisor privileges. However, the utility's impact on the Novell networking community has probably been negligible. Rarely are file servers available for public tampering.
Spooflog
Spooflog is a program, written in C by Greg Miller, that can spoof a workstation into believing that it is communicating with the server. This is a fairly advanced exploit. It should be observed here that Miller is not a cracker. He provides these programs over the Internet for research into general network security and he has no affiliation with any radical or fringe group. He is simply a talented programmer with a very keen sense of NetWare.
Setpass
Another loadable module, Setpass is designed to give the user supervisor status. This module also requires physical access to the machine. Basically, it is a variation of Burglar. It works (reportedly) on Novell NetWare 3.x to 4.x.
NWPCRACK
NWPCRACK is a brute-force password cracker for cracking passwords on the Novell platform. This utility is best used from a remote location, working on passwords over long periods of time. As the author points out, there is a period of delay between password attempts, and thus brute-forcing could take some time. This utility would probably work best if the cracker were attacking a network that he knew something about. (For example, if he knew something about the people who use the machine.) Short of that, I believe that a brute-force cracking tool for an environment like NetWare is probably impractical. Nevertheless, some crackers swear by it.
IPXCntrl
IPXCntrl is a sophisticated utility, written by Jay Hackney, that allows remote control of any compromised machine. For lack of a better description, the package comes with a client and a server, although these are not a client and server in the traditional sense. These are called the master and the minion, respectively. The master drives the minion over remote lines. In other words, this software persuades the network that keystrokes are coming from minion when they are actually coming from master. It runs as a TSR (terminate and stay resident) program.
Crack
Crack is a password cracker for the Novell NetWare platform. This password cracker is wordlist based (much like its UNIX-based namesake). It's a comprehensive tool that does not require NetWare to be on the local disk in order to operate effectively. It's a good tool for testing your passwords.
Denial of Service
FTP Vulnerability to Denial-of-Service Attacks
Certain versions of NetWare's FTP server are vulnerable to a denial-of-service attack. (This has been confirmed by Internet Security Systems and by Novell, which has issued a patch.) Apparently, when a brute-force attack is mounted against the anonymous FTP server, this activity causes an overflow and a memory leak. This leak ultimately consumes the remaining memory, and the machine freezes, failing to respond further.
A brute-force attack in this case is a program that automates the process of trying hundreds (or sometimes thousands) of passwords on a given server.
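Whether or not a given server carries the patch, the activity the text describes (hundreds of password attempts against one account in a short time) is visible in login records, and spotting it early is the defender's side of this story. The following is an added example, not code from the book, from Novell or from ISS: it runs a per-source sliding-window count of failed FTP logins over sample log lines. The log format, the sample lines, the five-failures-per-minute threshold and the window are all constructed for this example; NetWare's actual FTP log format is not shown on the page, so the regular expression would need adjusting to a real server's output.

```python
"""Detect the brute-force pattern the text describes (many password attempts
against an FTP server in a short period) from login-failure log lines.

Added example: the log format and sample lines are constructed; THRESHOLD and
WINDOW are assumed values, not anything from Novell or the page."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<timestamp> ftp <FAIL|OK> user=<name> from=<ipv4>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ftp (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) from=(?P<src>[\d.]+)$")

THRESHOLD = 5                    # failures from one source inside the window
WINDOW = timedelta(seconds=60)

# Constructed sample: one source hammers the anonymous account, another behaves normally.
SAMPLE_LOG = """\
1997-03-01 10:00:01 ftp FAIL user=anonymous from=10.0.0.7
1997-03-01 10:00:02 ftp FAIL user=anonymous from=10.0.0.7
1997-03-01 10:00:03 ftp OK user=alice from=10.0.0.9
1997-03-01 10:00:04 ftp FAIL user=anonymous from=10.0.0.7
1997-03-01 10:00:05 ftp FAIL user=anonymous from=10.0.0.7
1997-03-01 10:00:06 ftp FAIL user=anonymous from=10.0.0.7
1997-03-01 10:00:07 ftp FAIL user=anonymous from=10.0.0.7
1997-03-01 10:05:00 ftp FAIL user=bob from=10.0.0.9
"""


def parse(lines):
    """Yield (timestamp, result, user, source) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source: time the threshold was first crossed}.

    Keeps, per source, only the failure timestamps that fall inside the
    trailing window, so memory stays bounded by threshold per source."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = {}
    for ts, result, _user, src in parse(log_text.splitlines()):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute-force pattern from {src}, threshold crossed at {when}")
```

Alerting on the first crossing (rather than every subsequent failure) keeps the output to one line per offending source; an isolated failure like bob's does not trip it, because the count is per source and per window rather than global.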
Login Protocol of NetWare 3.12 Flawed
In October 1996, Greg Miller posted an advisory and an accompanying paper to the Net demonstrating a successful attack against the login procedure in Novell 3.12. The procedure involved an interruption of the login process in real-time.
Utilities
The following sections describe a few utilities that are of some help in either securing your server or managing your network.
WSetPass
WSetPass was designed by Nick Payne for system administrators to manage user passwords over multiple servers. It works for NetWare passwords and runs on Windows and Windows NT. It allows you to mix and match servers and sync the password update across all servers in the network.
BindView EMS
BindView EMS is a powerful network management and security tool. This tool can effectively analyze your network for security holes and identify problem areas, disk usage, user rights, and even user rights inheritance. You can also examine the state of objects, including all attributes on files. This is a substantial package for network management and it is a commercial product.
SecureConsole
SecureConsole is a security product from Australia that adds significant enhancements to your security. It is designed to protect the file console and adds greater access control and some deep auditing.
Although few people speak of Novell in the present tense, Novell has in fact made innovations that are relevant to the Internet. Indeed, Novell is still in the running, and Web servers and other Internet applications continue to be written for the Novell platform.