From the Nomad Mobile Research Centre:

			 Frequently Asked Questions 
				   About
			   Hacking Novell Netware

		     "The Unofficial Netware Hack FAQ"

			       Beta Version 5

			  Compiled by Simple Nomad


Contributions (and thanks to):  

The LAN God
Teiwaz         teiwaz@wolfe.net
Fauzan Mirza   fauzan@dcs.rhbnc.ac.uk
David A Wagner daw@lagos.CS.Berkeley.EDU
Diceman        diceman@fl.net.au
PEME_Inc
Craig          craigt@online1.magnus1.com

Tech Support (and special thanks to):

itsme       - infamous Netware Netherlands hack fame
Greg Miller - Programmer/Analyst (home page in the Resources section)

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Contents

U marks a question updated since the last version of this FAQ; N marks a question that is new in this version.


---------------------------------------------------------------------------

Section 00

General Info

  00-1. What is this "FAQ" for?
  00-2. What is the origin of this FAQ and how do I add to it?
U 00-3. Is this FAQ available by anonymous FTP or WWW?

---------------------------------------------------------------------------

Section 01

Access to Accounts

U 01-1. What are common accounts and passwords in Novell Netware?
  01-2. How can I figure out valid account names on Novell Netware?
  01-3. What is the "secret" method to gain Supervisor access Novell used to
        teach in CNE classes?
  01-4. What is the cheesy way to get Supervisor access?
  01-5. How do I leave a backdoor?
  01-6. I don't have SETPWD.NLM or a disk editor. How can I get Supe access?

---------------------------------------------------------------------------

Section 02

Passwords

  02-1. How do I access the password file in Novell Netware?
  02-2. How do I crack Novell Netware passwords?
  02-3. What is a "brute force" password cracker?
  02-4. What is a "dictionary" password cracker?
  02-5. How do I use SETPWD.NLM? 
  02-6. What's the "debug" way to disable passwords?
  02-7. Exactly how do passwords get encrypted?
  02-8. What are the dangers of "storing" captured passwords?

---------------------------------------------------------------------------

Section 03

Accounting and Account Security

  03-1. What is Accounting?
  03-2. How do I defeat Accounting?
  03-3. What is Intruder Detection?
  03-4. How do I check for Intruder Detection?
  03-5. What are station/time restrictions?
  03-6. How do I spoof my node or IP address?

---------------------------------------------------------------------------

Section 04

The Console

  04-1. How do I defeat console logging?
  04-2. Can I set the RCONSOLE password to work for just Supervisor?
  04-3. How can I get around a locked MONITOR?

---------------------------------------------------------------------------

Section 05

File and Directory Access

  05-1. How can I see hidden files and directories?
  05-2. How do I defeat the execute-only flag?
  05-3. How can I hide my presence after altering files?
  05-4. What is a Netware-aware trojan?
  05-5. What are Trustee Directory Assignments?
  05-6. Are there any default Trustee Assignments that can be exploited?
  05-7. What are some general ways to exploit Trustee Rights?
  05-8. Can access to .NCF files help me?
  05-9. Can someone think they've logged out and I walk up and take over?
U 05-10. What other Novell and third party programs have holes that give
         "too much access"?
  05-11. How can I get around disk space requirements?

---------------------------------------------------------------------------

Section 06

Fun with Netware 4.1

  06-1. What is interesting about Netware 4.x's licensing?
  06-2. How can I tell if something is being Audited?
  06-3. Where are the Login Scripts stored and can I edit them?
  06-4. What is the rumored "backdoor" in NDS?
  06-5. How can I remove NDS?
  06-6. How can I remove Auditing if I lost the Audit password?
  06-7. Does 4.x store the LOGIN password to a temporary file?
  06-8. Everyone can make themselves equivalent to anyone including Admin.
        How?
  06-9. Can I reset an NDS password with just limited rights?
  06-10. What is OS2NT.NLM?
  06-11. Do you have to be Admin equivalent to reset a password?
  06-12. What if I can't see SYS:_NETWARE? 
  06-13. What are security considerations regarding partitions of the tree?
N 06-14. Can a department "Supe" become a regular Admin to the entire tree?

---------------------------------------------------------------------------

Section 07

Miscellaneous Info on Netware

  07-1. Why can't I get through the 3.x server to another network via TCP/IP?
  07-2. How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF?
  07-3. How can I login without running the System Login Script?
  07-4. How do I remotely reboot a Netware 3.x file server?
  07-5. How can I abend a Netware server? And why?
  07-6. What is Netware NFS and is it secure?
  07-7. Can sniffing packets help me break in?
  07-8. What else can sniffing get me?
  07-9. How does password encryption work?
  07-10. Are there products to help improve Netware's security?
  07-11. What is Packet Signature and how do I get around it?
  07-12. Do any Netware utilities have holes like Unix utilities?

---------------------------------------------------------------------------

Section 08

Netware and Windows 95

  08-1. Will Windows 95 cause server problems for Netware?
  08-2. Will Windows 95 cause network problems for Netware?
  08-3. What's with Windows 95 and Netware passwords?
  08-4. Can Windows 95 bypass NetWare user security?

---------------------------------------------------------------------------

Section 09

Resources

  09-1. What are some Netware FTP locations?
  09-2. What are some Netware WWW locations?
  09-3. What are some Netware USENET groups?
  09-4. What are some Netware mailing lists?
  09-5. Where are some other Netware FAQs?
  09-6. Where can I get the files mentioned in this FAQ?

---------------------------------------------------------------------------

Section 10

Netware APIs

  10-1. Where can I get the Netware APIs?
  10-2. Are there alternatives to Netware's APIs?

---------------------------------------------------------------------------

Section 11

Mathematical/Theoretical

  11-1. How does the whole password/login/encryption thing work?
  11-2. Are "man in the middle" attacks possible?
  11-3. Are Netware-aware viruses possible?
  11-4. Can a trojaned LOGIN.EXE be inserted during the login process?

---------------------------------------------------------------------------

Section 12

For Administrators Only

  12-1. How do I secure my server?
  12-2. I'm an idiot. Exactly how do hackers get in?
  12-3. I have xxx setup and xxx version running. Am I secure?

---------------------------------------------------------------------------

Appendix Section - Source Code and Other Documentation

N A-01. RCONSOLE Hacking Article
N A-02. Source code for SPOOFKEY
N A-03. Source code to NOCRYPT
N A-04. Documentation for NOCRYPT and the Attack Explanation
N A-05. Source code for SETPWD.NLM and BURGLAR.NLM

---------------------------------------------------------------------------

