exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

hackfaq-18.html

hackfaq-18.html
Posted Aug 17, 1999

hackfaq-18.html

tags | paper
SHA-256 | 6c5e5586b85b53a487b6eb4c38447ab91b15c25c25796c531b9aea93b52df0f8

hackfaq-18.html

Change Mirror Download
<!DOCTYPE  HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.6">
<TITLE>The Hack FAQ: Netware Accounts</TITLE>
<LINK REL="next" HREF="hackfaq-19.html">
<LINK REL="previous" HREF="hackfaq-17.html">
<LINK REL="contents" HREF="hackfaq.html#toc18">
</HEAD>
<BODY BGCOLOR="black" VLINK="gray" TEXT="white" LINK="gray" HLINK="red">
<A HREF="hackfaq-19.html">Next</A>
<A HREF="hackfaq-17.html">Previous</A>
<A HREF="hackfaq.html#toc18">Contents</A>
<HR>
<H2><A NAME="netwareaccounts"></A> <A NAME="s18">18. Netware Accounts</A></H2>

<P>The following section deals with Accounts on Netware systems.
<P>
<H2><A NAME="ss18.1">18.1 What are common accounts and passwords for Netware?</A>
</H2>

<P>Out of the box Novell Netware has the following default accounts - SUPERVISOR, GUEST, and Netware 4.x
has ADMIN and USER_TEMPLATE as well. All of these have no password to start with. Virtually every
installer quickly gives SUPERVISOR and ADMIN a password. However, many locations will create special
purpose accounts that have easy-to-guess names, some with no passwords. Here are a few and their typical
purposes:
<P>
<PRE>
Account Purpose
---------- ------------------------------------------------------
PRINT Attaching to a second server for printing
LASER Attaching to a second server for printing
HPLASER Attaching to a second server for printing
PRINTER Attaching to a second server for printing
LASERWRITER Attaching to a second server for printing
POST Attaching to a second server for email
MAIL Attaching to a second server for email
GATEWAY Attaching a gateway machine to the server
GATE Attaching a gateway machine to the server
ROUTER Attaching an email router to the server
BACKUP May have password/station restrictions (see below), used
for backing up the server to a tape unit attached to a
workstation. For complete backups, Supervisor equivalence
is required.
WANGTEK See BACKUP
FAX Attaching a dedicated fax modem unit to the network
FAXUSER Attaching a dedicated fax modem unit to the network
FAXWORKS Attaching a dedicated fax modem unit to the network
TEST A test user account for temp use
ARCHIVIST Palidrome default account for backup
CHEY_ARCHSVR An account for Arcserve to login to the server from
from the console for tape backup. Version 5.01g's
password was WONDERLAND. Delete the Station
Restrictions and use SUPER.EXE to toggle this
account and you have an excellent backdoor.
WINDOWS_PASSTHRU Although not required, per the Microsoft Win95
Resource Kit, Ch. 9 pg. 292 and Ch. 11 pg. 401 you
need this for resource sharing without a password.
ROOT Found on Shiva LanRovers, gets you the command-line
equiv of the AdminGUI. By default, no password. A lot
admins just use the AdminGUI and never set up a
password.
</PRE>
<P>VARs (Value Added Resellers) repackage Netware with their own hardware or with custom software. Here is a
short list of known passwords:
<P>
<PRE>
VAR Account Password Purpose
------- ---------- -------- -------------------------------------------
STIN SUPERVISOR SYSTEM Travel agency running SABRE
STIN SABRE -none- Like a guest account
STIN WINSABRE WINSABRE Windows guest account for NW 2.15c
STIN WINSABRE SABRE Windows guest account for NW 3.x
HARRIS SUPERVISOR HARRIS Tricord reseller, ships NW preinstalled
NETFRAME SUPERVISOR NF Also NETFRAME and NFI
NETFRAME aaa New installation default password
</PRE>
<P>This should give you an idea of accounts to try if you have access to a machine that attaches to the server. A way
to "hide" yourself is to give GUEST or USER_TEMPLATE a password. Occassionally admins will check up on
GUEST, but most forget about USER_TEMPLATE. In fact, <EM>I</EM> forgot about USER_TEMPLATE until itsme
reminded me.
<P>This list is also a good starting point for account names for "backdoors". In some environments these account
names will be left alone, particularly in large companies, especially Netware 4.x sites with huge trees. And don't
forget account names like Alt-255 or NOT-LOGGED-IN.
<P>
<H2><A NAME="ss18.2">18.2 How can I figure out valid account names on Netware?</A>
</H2>

<P>
<P>Any limited account should have enough access to allow you to run SYSCON, located in the SYS:PUBLIC
directory. If you get in, type SYSCON and enter. Now go to User Information and you will see a list of all defined
accounts. You will not get much info with a limited account, but you can get the account and the user's full
name.
<P>If your in with any valid account, you can run USERLST.EXE and get a list of all valid account names on the
server.
<P>If you don't have access (maybe the sys admin deleted the GUEST account, a fairly common practice), you can't
just try any account name at the LOGIN prompt. It will ask you for a password whether the account name is
valid or not, and if it is valid and you guees the wrong password, you could be letting the world know what you're
up to if Intruder Detection is on. But there is a way to determine if an account is valid.
<P>From a DOS prompt use a local copy (on your handy floppy you carry everywhere) of MAP.EXE. After you've
loaded the Netware TSRs up through NETX or VLM, Try to map a drive using the server name and volume
SYS:. For example:
<P>
<PRE>
MAP G:=TARGET_SERVER/SYS:APPS
</PRE>
<P>Since you are not logged in, you will be prompted for a login ID. If it is a valid ID, you will be prompted for a
password. If not, you will immediately receive an error. Of course, if there is no password for the ID you use you
will be attached and mapped to the server. You can do the same thing with ATTACH.EXE:
<P>
<PRE>
ATTACH TARGET_SERVER/loginidtotry
</PRE>
<P>The same thing will happen as the MAP command. If valid, you will be prompted for a password. If not, you get
an error.
<P>Another program to check for valid users and the presence of a password is CHKNULL.EXE by itsme. This
program checks for users and whether they have a password assigned.
<P>In 4.1 CHKNULL shows you every account with no password and you do not have to be logged in. For this to
work bindery emulation must be on. But there is another way to get them in 4.1:
<P>Once you load up the VLMs you may be able to view the entire tree, or at least all of the tree you could see if
logged in. Try this:
<P>
<PRE>
CX /T /A /R
</PRE>
<P>
<P>
<P>During the installation of 4.1, [Public] has browse access to the entire tree because [Public] is added to [Root] as
a Trustee. The Inherited Rights Filter flows this stuff down unless explicitly blocked. If you have the VLMs
loaded and access to CX, you don't even have to log in, and you can get the name of virtually every account on
the server.
<P>If CX /T /A /R works, then NLIST USER /D will yield a massive amount of information, including who belongs to what groups, and their object ID. By combining the information between these two along with other NLIST options, you can learn a lot about an NDS
<P>tree and a server. Here a few more that come in handy:
<P>
<PRE>
NLIST GROUPS /D -List of groups, descriptions, and members.
NLIST SERVER /D -List of servers, versions, if attached you can determine if accounting is installed.
NLIST /OT=* /DYN /D -List of all readable objects, including dynamic objects, names of NDS trees, etc.
</PRE>
<P>Between using CHKNULL, CX, and NLIST an intruder could not only learn who is in what group and who has access to what, but certainly could learn who the administrators are, and specifically select accounts for attack.
<P>Finally, consider using the Intruder utility from NMRC's Pandora v3.0. This utility has a mode that allows you
to give it a list of potential account names, and it will tell you if they are valid and even if they have
no password. See
<A HREF="http://www.nmrc.org/pandora/index.html">http://www.nmrc.org/pandora/index.html</A>
for details.
<P>
<P>
<HR>
<A HREF="hackfaq-19.html">Next</A>
<A HREF="hackfaq-17.html">Previous</A>
<A HREF="hackfaq.html#toc18">Contents</A>
</BODY>
</HTML>
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close