HACKING NOVELL LOCAL AREA NETWORKS Fairfax County, Virginia Pale Rider (C) 1991 I wanted to share the information about hacking Novell networks that I have acquired. My knowledge comes from working for a company that installed and maintained Novell networks and from using Novell networks in High School. There are two programs that I know of that are designed to get Novell passwords: one is a TSR password snagger, and the other is a password hacker. 1) The TSR password snagger is called GETIT.COM. It is available on Solsbury Hill in the file THIEFNOV.ZIP or GETIT.ZIP. GETIT.COM is a TSR that activates itself and records the keystrokes that are entered after the Novell LOGIN.EXE program is executed. It writes a hidden- system attribute file to the C: hard disk. This file can be viewed with the Norton (or any other) hex editor. The program works well, but only starts recording keystrokes after "LOGIN" is executed, so the command line parameters (which are not entered after "LOGIN" is executed) will not be recorded. This means that if the user specifies their username on the command line (ie "LOGIN supervisor"), then the program will only capture the password entered, not the name, since the name was entered before GETIT.COM started recording the keystrokes. If someone just types "LOGIN" and hits return, they are prompted for a username and then their password, so both things will be snagged by GETIT.COM and written to the file. The source code for the program is included in getit.zip, which is in assembly language. There are three factors that must be true for the program to work and be successful: a) The workstation must have a local hard disk ("C:") b) The workstation must boot locally and not from the fileserver c) To match the password to a username, the workstation must either: 1) Have users login with no login command line parameters (by just typing "LOGIN") and then entering both their username and password when prompted for them -- or -- 2) Have users login with or without command line parameters as long as you know who was sitting there at the time, or if the same person always uses that machine, since you will only have a password in the file written to the hard disk 2) The password hacker is called NETCRACK.ZIP and it is available on Solsbury Hill. This program uses repeated calls to the NetWare variable Verify_Password to try to hack out passwords. You just run the program and it sits there and trying to get the password for the username you entered. I assume that the workstation that is running this program does not need to be logged in to the network under an account, but only needs to have run IPX.COM and NETx.EXE so that it sees the fileserver, but I am unsure. In some experiments with this program, I (with the help of a cool teacher in whose room we ran it) created an account with the one letter password "A". The program hacked it out in about 10 minutes. When the password length was increased to two letters, it took about 30 minutes. We then tried to run the program to hack out the password of one of my friends, whose password was 5 letters long. We hacked for the password on an IBM PS/2 Model 80 386/20 for an entire weekend. We finally had to quit after something like 65 hours of hacking, still without the password. This program obviously works, but requires a *LONG* time. Perhaps you could whip out a pocket-Cray supercomputer and hook it up to the network and hack out passwords, but otherwise the program is not very ideal for subtle operation. While the program is attempting to hack a password, it displays a message on the screen that "This computer is trying to find the password of ." Perhaps the message could be doctored up with a hexadecimal editor, of you may want to turn the monitor off and put an "out o' order" sign on the workstation... 3) The third way to get Novell passwords is a program I wrote myself in Turbo Pascal 5.5. It is a fake login screen that works specifically at my High School. All the Novell networks have an IBM menu overlay program running on them called ICLAS. This ICLAS program is apparently a universal thing throughout the High Schools in Fairfax County (Don't now about elsewhere). It is an education classroom management thing that everyone uses to log in, run programs, and log out through. It is only an overlay however, so it still invokes the Novell programs LOGIN.EXE, LOGOUT.EXE, and SETPASS.EXE to do its stuff. The snagger that I developed is run from a batch file that says to run my program and then run the real program. My program shows an opening screen that looks just like the real opening screen. When is pressed to continue, it then shows a screen that looks just like the real second screen that asks for the username and then a password. After all the information is entered, instead of logging the person in, my program beeps and returns the exact error message that is given by Novell when an incorrect password is entered. My program then ends, and the real ICLAS program is run through the batch file. Since the error message that my program gives the user is the same as the one that is given when the wrong password is entered, and since the real program is loaded after mine just as ICLAS would reset itself after the incorrect password error, the person (or the baffled teacher) just figures that they mistyped their password. My program then writes the date, time, fileserver, username, and password to a file on the local hard drive of the workstation. I have made it work, and have snagged about 50 accounts with usernames and passwords, including the one for the supervisor. Once I had the supervisor password, I realized that my computer teacher had a backup supervisor security level account on every single fileserver in the whole school, since he is the only one who can handle any of the computer stuff at school (pretty sad...). I therefore had supervisor access (through this back door account of his) to every file server in the school since he used the same name and password on every one. After attaining supervisor access, it was more of a challenge to clean up the networky and keep it running (since the teachers can't) than to mess things up and delete stuff. It is uncool to delete and damage stuff, incase anyone is tempted. It should be seen as an excellent opportunity to learn more about Novell. Party on... Pale Rider