234 lines
8.9 KiB
Plaintext
234 lines
8.9 KiB
Plaintext
-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-
|
|
\ /
|
|
-$- Having Phun With Novell -$-
|
|
/ \
|
|
-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-
|
|
|
|
Brought 2 U by: Lord Foul/Decay 13th July, 1991
|
|
|
|
|
|
|
|
Ok, so you have a Novell network at skool or at work, and you
|
|
would like the supervisor account? But shit you say, Novell's
|
|
security is as water tight as a frog's arse. We'll my friend,
|
|
just read on and you will soon be logging on with the supervisor
|
|
account.
|
|
|
|
I will briefly explain some Netware concepts in regard to
|
|
security so if your an experienced Novell user or supervisor
|
|
then just skip this bit and stop complaining ok?
|
|
|
|
Netware (In this text I refer mainly to V3.11) has some very
|
|
advanced security features such as intruder lockout, which
|
|
causes some problems when you run sequential password hackers
|
|
namely after x attempts at the password the user is locked out
|
|
for a specified period, or the workstation locks up [which kinda
|
|
fucks up remote dial-ups]
|
|
|
|
Netware security consists mainly of a user or group being
|
|
assigned "trustee rights" to a given sub directory or file.
|
|
|
|
These rights consist of 8 attributes, in 3.11 these are:
|
|
|
|
Directory Rights: control general access to the directory, its
|
|
files and subdirectories. When granted at the directory level,
|
|
the rights apply to all the files and subdirectories in that
|
|
directory unless redefined at the file or subdirectory level.
|
|
|
|
When assigned to a directory, the rights have the following
|
|
effects:
|
|
|
|
S - Supervisory: Grants all rights, its files, and its
|
|
subdirectories. The supervisory right overrides
|
|
any restrictions placed on subdirectories or
|
|
files with an Inherited Rights Mask
|
|
Users who have this right in a directory can
|
|
grant other users the Supervisory rights to
|
|
the directory, its files, and its subdirectories
|
|
Once the Supervisory right has been granted, it
|
|
can only be revoked from the directory to which
|
|
it was granted. It cannot be revoked in a file
|
|
or subdirectory.
|
|
|
|
R - Read: Grants the right to open files in a directory and read
|
|
their contents or run the programs.
|
|
|
|
W - Write: Grants the right to open and modify files.
|
|
|
|
C - Create: Grants the right to create files and subdirectories
|
|
in the directory.
|
|
|
|
E - Erase: Grants the right to delete a directory, its files,
|
|
its subdirectories and its subdirectory files.
|
|
|
|
M - Modify: Grants the right to change directory and file
|
|
attributes. Also grants the rights to rename files,
|
|
the directory and its sub directories. This right
|
|
does not grant the right to modify the contents of
|
|
a file.
|
|
|
|
F - File Scan: Grants the right to see directory files.
|
|
|
|
A - Access Control: Grants the right to modify a directory's
|
|
or a file's trustee assignments and Inherited
|
|
rights mask. Users can also modify file
|
|
trustee assignments and Inherited Rights Masks.
|
|
Users can grant any right (except Supervisory)
|
|
to any other user, including rights that they
|
|
themselves have not been granted.
|
|
|
|
Commands used to grant or modify a directory trustee assignment
|
|
are FILER, GRANT, REMOVE, REVOKE, SYSCON
|
|
|
|
To view your current effective rights in your current directory
|
|
use FILER, RIGHTS, WHOAMI
|
|
|
|
Some other useful commands:
|
|
|
|
SLIST: Display list of servers currently attached
|
|
USERLIST: Display list of users currently logged in
|
|
|
|
For the purposes of brievity I am not going to go any further
|
|
than this on security concepts, if you require any further
|
|
info then read the netware reference manuals [yes all 20 or so
|
|
of them hahaha], If there is enough people who want it I might
|
|
write a more detailed explanation of Netware security and how
|
|
to use and abuse it etc. Kinda like a Netware bible. If you
|
|
want to see something like this then drop me a line.
|
|
|
|
Obtaining the supervisor password:
|
|
==================================
|
|
|
|
Ok now this method will work on EVERY Novell Network, any
|
|
version, but there is a small problem: You need to get physical
|
|
access to the file server(s) you wish to gain supervisor access
|
|
on. This should not be too hard as most places do not lock their
|
|
file server up. This process could take a while and will require
|
|
the file server to be down, so make sure that you are doing it
|
|
when no one else will be logging on, and that you won't get caught
|
|
|
|
(I'm sure if your elite enough to be wanting to do this then
|
|
you'll figure out some ways of doing this, one possibility is make
|
|
an exact copy of the file server you are going to work with and
|
|
hang the copy on the network and down the target, what? you
|
|
can't do this? sheeez).
|
|
|
|
Probably the best thing to do is if your target site is a multi
|
|
server site, select a server that is the least used and easiest
|
|
to get to, because the supervisor is likely to use the same
|
|
password on all file servers.
|
|
|
|
Before you down the server (type "DOWN" from the console) format
|
|
a bootable dos disk in whatever disk type the target server has
|
|
and copy the DISKED.EXE file included with this archive onto
|
|
the bootable dos disk.
|
|
|
|
Bring the server down and boot off the dos disk. After dos loads,
|
|
run DISKED.
|
|
|
|
We are looking for the files NET$BIND.SYS and NET$BVAL.SYS.
|
|
|
|
Type r32 at the ">" prompt to read sector 32, then type d to
|
|
display the sector. Keep viewing each sector in sequence, ie
|
|
33, 34 etc alternating the read and display commands until you
|
|
see one or both of these two files.
|
|
|
|
Keep track of the number of the current sector you are displaying
|
|
It is possible, although unlikely that these files are not in
|
|
the same sector.
|
|
|
|
Assuming they are in the same sector, once you find the files,
|
|
identify the starting offset address of the first letter of the
|
|
NET$BIND.SYS file (the letter "N")
|
|
|
|
Using the Change command, change it from 4E to 4F. Its character
|
|
representation is now the letter "O" (Use H or ? or whatever it
|
|
is in DISKED for help on its internal commands)
|
|
|
|
Repeat these steps for the NET$BVAL.SYS file if it exists in the
|
|
same sector as NET$BIND.SYS, Otherwise continue.
|
|
|
|
Next you will change the file attribute for each file. Eg lets
|
|
say the 4E you changed was the third character in the sample
|
|
line below:
|
|
|
|
00E0 00 02 4E etc etc
|
|
|
|
Directly under it will be a line similar to the following:
|
|
|
|
00f0 26 00 00 etc etc
|
|
|
|
Use the change command to change the attribute from "26" to "20"
|
|
Change this byte for both files. When you are done, be sure to
|
|
enter a "." to indicate you have no more changes.
|
|
|
|
When you are finished changing the sector, use the Write command
|
|
to write the changes to the drive eg:
|
|
|
|
>w36
|
|
|
|
WARNING: Writing to the wrong sector can really fuck things up,
|
|
so make sure you get this right!
|
|
|
|
if NET$BVAL is in a different sector, repeat the above steps
|
|
for this file, then when your finished, type "q" to exit to dos.
|
|
|
|
Now, reboot the file server. NET$OS looks for the binderies and
|
|
doesn't find them, it will then create some new ones. Now go to
|
|
a workstation and logon as Supervisor and as its a new Bindery
|
|
there will be no supervisor password.
|
|
|
|
Change to the SYS:SYSTEM directory.
|
|
|
|
type SHOWFILE oet$b*.* to make the old bindery visible.
|
|
|
|
type DEL *.OLD
|
|
|
|
then rename the oet$b*.* files to net$b*.OLD ie you should now
|
|
have NET$BIND.SYS and NET$BVAL.SYS which are your new, empty
|
|
binderies, and NET$BIND.OLD and NET$BVAL.OLD which are your
|
|
original binderies.
|
|
|
|
type BINDREST, this restores the bindery files you renamed in
|
|
disked to their original status and all prior users will be
|
|
restored.
|
|
|
|
So now you don't know the supervisor password because you just
|
|
restored the system to the way it was.
|
|
|
|
BUT: you are currently logged on as supervisor, so type SYSCON
|
|
and either change the supervisor password [this will cause a stir]
|
|
or if you want to remain unseen, create a user and give him
|
|
security equivalence to SUPERVISOR [just hit INS on the list of
|
|
users in syscon to create a user, then select security equivelance,
|
|
and hit INS and select SUPERVISOR]
|
|
|
|
The best account to give SUPERVISOR rights to is GUEST, but
|
|
make sure you assign a password to the GUEST!
|
|
|
|
Thats it, repeat for further file servers if desired.
|
|
|
|
If you want any further info on Novell shit or know any cool
|
|
shit about Novell or want to ask me about something then
|
|
I can be contacted on Zer0 City:
|
|
|
|
Zer0 City
|
|
Decay WHQ
|
|
2400: +61-2-361-4748
|
|
HST: +61-2-361-4750
|
|
Sysop: Lord Foul/Decay
|
|
Co: RokStar/Decay
|
|
|
|
NOTE: I take NO RESPONSIBILITY for the contents of this file,
|
|
I suggest you do not try this unless you have a good understanding
|
|
of Netware, as your boss will hit the roof if you destroy a file
|
|
server. If you do this then its your bad luck!
|
|
|
|
I suggest setting up a V3.11 Server at home and trying it on
|
|
that first.
|
|
|
|
Latz
|
|
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
This has been a DECAY production 1991. All rights reserved.
|