<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.6">
<TITLE>The Hack FAQ: Netware Passwords</TITLE>
<LINK HREF="hackfaq-18.html" REL=next>
<LINK HREF="hackfaq-16.html" REL=previous>
<LINK HREF="hackfaq.html#toc17" REL=contents>
</HEAD>
<BODY BGCOLOR="black" TEXT="white" LINK="gray" VLINK="gray" HLINK="red">
<A HREF="hackfaq-18.html">Next</A>
<A HREF="hackfaq-16.html">Previous</A>
<A HREF="hackfaq.html#toc17">Contents</A>
<HR>
<H2><A NAME="netwarepasswords"></A> <A NAME="s17">17. Netware Passwords</A></H2>

<P>This section deals with Netware passwords.
<P>
<H2><A NAME="ss17.1">17.1 How do I access the password file in Netware?</A>
</H2>

<P>Contrary to not-so-popular belief, access to the password file in Netware is not like Unix - the password file isn't in
the open. All objects and their properties are kept in the bindery files on 2.x and 3.x, and kept in the NDS database
in 4.x. An example of an object might be a printer, a group, an individual's account etc. An example of an object's
properties might include an account's password or full user name, or a group's member list or full name. The bindery
files' attributes (or flags) in 2.x and 3.x are Hidden and System, and these files are located on the SYS: volume in
the SYSTEM subdirectory. Their names are as follows:
<P>
<PRE>
Netware version File Names
--------------- ----------
2.x NET$BIND.SYS, NET$BVAL.SYS
3.x NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS
</PRE>
<P>The NET$BVAL.SYS and NET$VAL.SYS are where the passwords are actually located in 2.x and 3.x respectively.
<P>In Netware 4.x, the files are located in a different location on the SYS: volume. It is a hidden directory
called _NETWARE. In this directory are located the NDS files, license files, and a number of other system-related
files such as login scripts and auditing files.
<P>
<PRE>
File What it is
-------------- --------------------------
VALUE.NDS Object and property values
BLOCK.NDS Extended property values
ENTRY.NDS Object and property types
PARTITIO.NDS NDS partition info (replication info, etc.)
MLS.000 License file.
VALINCEN.DAT License validation
</PRE>
<P>To view the hidden SYS:_NETWARE directory, you can try to use RCONSOLE and the Scan Directory option, although
later versions of Netware 4.x have patched this (starting with 410pt3). Here is another way to view these files,
and potentially edit them. After installing NW4 on a NW3 volume, reboot the server with a 3.x SERVER.EXE. On
volume SYS will be the _NETWARE directory. SYS:_NETWARE is hidden better on 4.1 than 4.0x, but in pre-410pt3
patched 4.1 you can still see the files by scanning directory entry numbers using NCP calls (you need the APIs for
this) using function 0x17 subfunction 0xF3.
<P>Using JCMD.NLM, it is possible to access SYS:_NETWARE, and do many fun things, like copy NDS, etc. But what
hackers have asked for is a way to access this directory WITHOUT uploading an NLM via RCONSOLE. You can try
using NETBASIC.NLM (see the Netware Console Attacks section for details), and actually copy NDS files to a
directory you can access (like SYS:PUBLIC).
<P>
<H2><A NAME="ss17.2">17.2 What's the full story with Netware passwords?</A>
</H2>

<P>A Novell proprietary algorithm takes the password, and produces a 16 byte hash. This algorithm is the same for
versions 3.x and 4.x of Netware. The algorithm is also inside the LOGIN.EXE file used by the client when logging
in. The details of the algorithm itself can be found in the CRYPT.TXT file included with Pandora (see
<A HREF="http://www.nmrc.org/pandora/index.html">http://www.nmrc.org/pandora/index.html</A> for details).
<P>The 16 byte hash is stored within the bindery files in Netware 3.x and NDS in Netware 4.x. Since the object ID
is used in the algorithm, it adds the equivalent of a
<A HREF="hackfaq-4.html#salt">salt</A>. This along with the fact
that the password length plays into the algorithm increases the overhead in cracking multiple passwords at once.
Fortunately for the cracker, both the object ID and the password length are stored with the hash, and the fact
that lower case letters are converted to upper case before generating the hash simplifies the process
slightly. Password crackers can brute force a little more easily since they can eliminate lower case letters
and concentrate on a particular password length.
<P>
<H2><A NAME="ss17.3">17.3 How does password cracking work with Netware?</A>
</H2>

<P>Because of the complexity of the algorithm, using it the way it was designed is
somewhat slow for cracking, especially by brute force. However the algorithm can
be mathematically improved, and in fact WAS improved and optimized just for
cracking purposes. See
<A HREF="mailto:golgo13@pratique.fr">Jitsu-Disk's</A>
document
<A HREF="http://www.nmrc.org/pandora/CRYPT.TXT">CRYPT.TXT</A> that
was included with
<A HREF="http://www.nmrc.org/pandora/index.html">Pandora</A>
that details this. The algorithm is dozens of times faster than Novell's original
code. However brute force is slow work with Netware, so only use it as a last resort,
especially if you have a LOT of time.
<P>This is especially true with regards to the brute force crackers that attack from
the client. Since you are dealing with the network itself, expect AT BEST about a
password attempt a second from most network cracking utilities.
<P>
<H2><A NAME="ss17.4">17.4 How does password cracking work with Netware?</A>
</H2>

<P>With Pandora v3.0 you have the fastest dictionary cracking available. And if you
must attack from a client, make sure if you are using a cracker that you are using dictionary
attacking.
<P>For Netware 3.x systems, consider using Al Grant's Bindery tool.
<P>
<H2><A NAME="ss17.5">17.5 Can a Sys Admin prevent/stop Netware password hash extraction?</A>
</H2>

<P>The best way for a Sys Admin to prevent Netware password hash extraction is to
at least try the following:
<P>
<UL>
<LI> Protect the server console. If the console is compromised, all bets are off. Don't use
RCONSOLE at all. Go to the console to do any administrator-type work.</LI>
<LI> Protect administrative accounts. If one of these accounts is compromised, once
again all bets are off. Use these accounts minimally, and only from secured workstations.</LI>
<LI> Clean up after yourself. If you run a BINDFIX, DSMAINT, or DSREPAIR,
remember that you are leaving files out there that passwords can be recovered
from. Do your business, confirm you don't have to fall back using one of these
leftover files and then delete and purge them.</LI>
</UL>
<P>You see, once the server has been compromised, sometimes not even completely,
there will be NOTHING to stop unwanted password recovery. Hackers, just do the
opposite of the above items and you'll be fine ;-)
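<P>One way to act on the "clean up after yourself" item: an audit that walks a copy of the SYS: volume and lists the leftovers the page names, the NET$*.OLD bindery copies BINDFIX leaves in SYS:SYSTEM and the '.1st' temp files in the N4PASS password directory. This is an added example, not a Novell or Pandora tool; the directory layout and file names in the sample tree are constructed.

```python
import os
import tempfile
from pathlib import Path

# BINDFIX leaves the previous bindery behind as NET$*.OLD in SYS:SYSTEM, and
# N4PASS keeps '.1st' temp files that can trigger a reset; both are named on
# the page as material to delete and purge. DOS names are case-insensitive.
BINDFIX_LEFTOVERS = {"NET$BIND.OLD", "NET$BVAL.OLD",
                     "NET$OBJ.OLD", "NET$PROP.OLD", "NET$VAL.OLD"}

def audit_sys_volume(sys_root) -> list:
    """Return sorted (relative path, reason) pairs for files to delete and purge."""
    root = Path(sys_root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        in_n4pass = "N4PASS" in str(rel_dir).upper()
        for name in files:
            upper = name.upper()
            rel = (rel_dir / name).as_posix()
            if upper in BINDFIX_LEFTOVERS:
                findings.append((rel, "BINDFIX leftover bindery copy"))
            elif in_n4pass and upper.endswith(".1ST"):
                findings.append((rel, "N4PASS temp file (can cause a password reset)"))
    return sorted(findings)

def build_sample_volume() -> str:
    """Constructed SYS: tree with leftovers present, for a stand-alone run."""
    base = Path(tempfile.mkdtemp(prefix="sysvol_"))
    for rel in ("SYSTEM/NET$OBJ.SYS", "SYSTEM/NET$PROP.SYS", "SYSTEM/NET$VAL.SYS",
                "SYSTEM/net$val.old", "SYSTEM/NET$OBJ.OLD",
                "N4PASS/PASSWORD/JSMITH.1ST", "PUBLIC/LOGIN.EXE"):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return str(base)

if __name__ == "__main__":
    for path, reason in audit_sys_volume(build_sample_volume()):
        print(f"{path}: {reason}")
```

The live bindery files (NET$*.SYS) are deliberately not reported, only the copies an admin can remove.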
<P>
<H2><A NAME="ss17.6">17.6 Can I reset an NDS password with just limited rights?</A>
</H2>

<P>There is a freeware utility called N4PASS, that is meant for Netware 4.10 (uses NDS calls and is not bindery based). The intention of this package is to
enable a Help Desk to reset passwords for users without granting them tons of rights. It uses full logging and does not require massive ACL manipulation
to do it.
<P>Obviously being set up to use this utility opens a few doors. The filename is N4PA12.EXE, and can be retrieved from the author's web site at
http://fastlane.net/homepages/dcollins and the author can be reached at dcollins@fastlane.net.
<P>A couple of interesting things about this utility -- if configured incorrectly the server may be compromised in a number of ways. For instance, the
password generated is a calculation that uses a 'temp filename', the date, the user's loginname, helpdesk login name, seed value, and a few other items.
(it's in the n4pass.txt file)
<P>N4PASS is not set to purge immediately, so the file is salvageable. Also, if the rights to the N4PASS directory are too open, you can discover the default
password, among other things. The text file included with the utility covers this, so read it carefully if you are installing it. If you are hacking, read it
carefully too ;-)
<P>It is critical that access to sys:\n4pass\password is secured, since any 'temp file' (.1st extension) can cause the 'password reset' for the person listed in
the 'temp file'.
<P>
<H2><A NAME="ss17.7">17.7 What is OS2NT.NLM?</A>
</H2>

<P>OS2NT.NLM is a Novell-supplied NLM for recovering/fixing Admin, like after it becomes an Unknown object, as opposed to User -- especially after
a DSREPAIR. This module is considered a "last resort" NLM and you must contact Novell to use it. While I haven't seen it, it is supposed to be on one
of Novell's FTP sites. It supposedly is customized by Novell to work with your serial number and is a one-time use NLM. You have to prove to Novell
who you are and that your copy of Netware is registered.
<P>I would suspect it is possible that this NLM could be hacked to get around the one-time use and serial number/password thing, but a restore of NDS
from a good backup would accomplish things better. This way is a little destructive.
<P>
<H2><A NAME="ss17.8">17.8 How does password encryption work?</A>
</H2>

<P>From itsme -
<P>
<PRE>
the password encryption works as follows:
1- the workstation requests a session key from the server
(NCP-17-17)
2- the server sends a unique 8 byte key to the workstation

3- the workstation encrypts the password with the userid,
- this 16 byte value is what is stored in the bindery on the server

4- the WS then encrypts this 16 byte value with the 8 byte session key
resulting in 8 bytes, which it sends to the server
(NCP-17-18 = login), (NCP-17-4a = verify pw) (NCP-17-4b = change pw)

5- the server performs the same encryption, and compares its own result
with that sent by the WS

-> the information contained in the net$*.old files which can be found
in the system directory after bindfix was run, is enough to login
to the server as any object. just skip step 3
</PRE>
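<P>A model of itsme's five steps above and of the hash properties stated in 17.2 (object ID as salt, lower case folded to upper case), written as an added example with constructed data. It is not Novell's algorithm: SHA-256 and HMAC stand in for the proprietary 16-byte hash and for the session-key step, and the object ID is constructed. What it shows is why the stored hash must be protected as a password-equivalent secret: the server's check in step 5 involves only the stored hash, never the password.

```python
import hashlib
import hmac
import os

# Stand-in for Novell's proprietary 16-byte hash (the real one is in Pandora's
# CRYPT.TXT, not on this page). Only what the page states is modelled: the
# object ID acts as a salt and lower case is folded to upper case first.
def object_password_hash(object_id: int, password: str) -> bytes:
    salt = object_id.to_bytes(4, "big")
    return hashlib.sha256(salt + password.upper().encode()).digest()[:16]

# Stand-in for step 4: the 16-byte hash keyed with the 8-byte session key,
# reduced to the 8-byte value that goes on the wire.
def session_response(stored_hash: bytes, session_key: bytes) -> bytes:
    if len(stored_hash) != 16 or len(session_key) != 8:
        raise ValueError("expected a 16-byte hash and an 8-byte session key")
    return hmac.new(session_key, stored_hash, hashlib.sha256).digest()[:8]

class Server:
    """Keeps object_id -> 16-byte hash, as NET$VAL.SYS or NDS would."""
    def __init__(self, bindery: dict):
        self.bindery = bindery
        self.pending = {}
    def issue_session_key(self, object_id: int) -> bytes:  # steps 1-2 (NCP-17-17)
        key = os.urandom(8)
        self.pending[object_id] = key
        return key
    def login(self, object_id: int, response: bytes) -> bool:  # step 5 (NCP-17-18)
        key = self.pending.pop(object_id)
        expected = session_response(self.bindery[object_id], key)
        return hmac.compare_digest(expected, response)

def workstation_login(server: Server, object_id: int, password: str) -> bool:
    key = server.issue_session_key(object_id)
    h = object_password_hash(object_id, password)              # step 3
    return server.login(object_id, session_response(h, key))   # step 4

def login_from_stored_hash(server: Server, object_id: int, stored_hash: bytes) -> bool:
    # Step 3 skipped: the server only ever checks against the stored hash, so
    # whoever holds that hash (say, from a NET$*.OLD left behind by BINDFIX)
    # is indistinguishable from someone who knows the password.
    key = server.issue_session_key(object_id)
    return server.login(object_id, session_response(stored_hash, key))

def demo() -> tuple:
    uid = 1  # constructed object ID
    srv = Server({uid: object_password_hash(uid, "Secret")})
    return (workstation_login(srv, uid, "secret"),   # case folded: accepted
            workstation_login(srv, uid, "wrong"),    # rejected
            login_from_stored_hash(srv, uid, srv.bindery[uid]))
```

The same lesson applies to any challenge-response scheme whose server side keys the response from a stored hash: the hash store needs the same protection as the passwords themselves.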
<P>
<H2><A NAME="ss17.9">17.9 Can I login without a password?</A>
</H2>

<P>If you have acquired the one-way hash from the Bindery or NDS files, you have enough info to log in without a
password, as stated by Itsme in the previous section. Pandora v3.0 includes tools for accomplishing
this -- see
<A HREF="http://www.nmrc.org/pandora/index.html">http://www.nmrc.org/pandora/index.html</A> for details.
<P>
<H2><A NAME="ss17.10">17.10 What's with Windows 95 and Netware passwords?</A>
</H2>

<P>Windows 95 has its own password file, and uses this file to store passwords to Windows 95 itself as well as Netware and NT servers. The problem
here is that the PWL file is easily cracked by brute force, by using exploit code readily available on the Internet. To keep this from happening either
Service Pack 1 should be applied (see Microsoft) or disable password caching.
<P>But you can still access the WIN386.SWP file. Either using a disk utility like DiskEdit from Norton or by booting from DOS, you can access the swap
file and scan it for the password in plaintext. Look for a string like nwcs and the password will follow that.
<P>
<P>
<HR>
<A HREF="hackfaq-18.html">Next</A>
<A HREF="hackfaq-16.html">Previous</A>
<A HREF="hackfaq.html#toc17">Contents</A>
</BODY>
</HTML>
