---------------------------------------------------------------------------

Section 01

Access to Accounts

---------------------------------------------------------------------------

01-1. What are common accounts and passwords in Novell Netware?

Out of the box, Novell Netware has the following default accounts: SUPERVISOR
and GUEST, and Netware 4.x has ADMIN and USER_TEMPLATE as well. All of these
have no password to start with. Virtually every installer quickly gives
SUPERVISOR and ADMIN a password. However, many locations will create special
purpose accounts that have easy-to-guess names, some with no passwords. Here
are a few and their typical purposes:

	Account         Purpose
	----------      ------------------------------------------------------
	PRINT           Attaching to a second server for printing
	LASER           Attaching to a second server for printing
	HPLASER         Attaching to a second server for printing
	PRINTER         Attaching to a second server for printing
	LASERWRITER     Attaching to a second server for printing
	POST            Attaching to a second server for email
	MAIL            Attaching to a second server for email
	GATEWAY         Attaching a gateway machine to the server
	GATE            Attaching a gateway machine to the server
	ROUTER          Attaching an email router to the server
	BACKUP          May have password/station restrictions (see below), used
			for backing up the server to a tape unit attached to a
			workstation. For complete backups, Supervisor equivalence
			is required.
	WANGTEK         See BACKUP
	FAX             Attaching a dedicated fax modem unit to the network
	FAXUSER         Attaching a dedicated fax modem unit to the network
	FAXWORKS        Attaching a dedicated fax modem unit to the network
	TEST            A test user account for temp use
	ARCHIVIST       Palindrome default account for backup
	CHEY_ARCHSVR    An account for Arcserve to login to the server from
			the console for tape backup. Version 5.01g's
			password was WONDERLAND. Delete the Station
			Restrictions and use SUPER.EXE to toggle this 
			account and you have an excellent backdoor.
	WINDOWS_PASSTHRU Although not required, per the Microsoft Win95
			Resource Kit, Ch. 9 pg. 292 and Ch. 11 pg. 401 you
			need this for resource sharing without a password.
	ROOT            Found on Shiva LanRovers, gets you the command-line
			equiv of the AdminGUI. By default, no password. A lot
			of admins just use the AdminGUI and never set up a
			password.

VARs (Value Added Resellers) repackage Netware with their own hardware or
with custom software. Here is a short list of known passwords:

VAR       Account     Password  Purpose
--------  ----------  --------  -------------------------------------------
STIN      SUPERVISOR  SYSTEM    Travel agency running SABRE
STIN      SABRE       -none-    Like a guest account
STIN      WINSABRE    WINSABRE  Windows guest account for NW 2.15c
STIN      WINSABRE    SABRE     Windows guest account for NW 3.x
HARRIS    SUPERVISOR  HARRIS    Tricord reseller, ships NW preinstalled
NETFRAME  SUPERVISOR  NF        Also NETFRAME and NFI

This should give you an idea of accounts to try if you have access to a
machine that attaches to the server. A way to "hide" yourself is to give
GUEST or USER_TEMPLATE a password. Occasionally admins will check up on
GUEST, but most forget about USER_TEMPLATE. In fact, _I_ forgot about
USER_TEMPLATE until itsme reminded me.

This list is also a good starting point for account names for "backdoors".
In some environments these account names will be left alone, particularly
in large companies, especially Netware 4.x sites with huge trees. And don't
forget account names like Alt-255 or NOT-LOGGED-IN.
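
An added audit script (mine, not part of the FAQ) that runs the checks an admin
would want after reading the tables above over a constructed account export:
default accounts with no password, GUEST or USER_TEMPLATE given a password by
someone, unrestricted service accounts, and unexpected Supervisor equivalence.
The comma-separated export format with Y/N fields is an assumption for the
example.

```python
from collections import namedtuple

# Account names are the ones listed in the tables above; the export format is assumed.
DEFAULT_ACCOUNTS = {"SUPERVISOR", "GUEST", "ADMIN", "USER_TEMPLATE"}
SERVICE_ACCOUNTS = {"PRINT", "LASER", "HPLASER", "PRINTER", "LASERWRITER", "POST", "MAIL",
                    "GATEWAY", "GATE", "ROUTER", "BACKUP", "WANGTEK", "FAX", "FAXUSER",
                    "FAXWORKS", "TEST", "ARCHIVIST", "CHEY_ARCHSVR", "WINDOWS_PASSTHRU", "ROOT"}
EXPECTED_SUPE = {"SUPERVISOR", "ADMIN"}  # the only accounts that should be supe equivalent

Account = namedtuple("Account", "name has_password supe_equivalent station_restricted")

def parse_export(text):
    """Parse constructed 'NAME,PASSWORD,SUPE,STATION' lines with Y/N fields."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, supe, station = (f.strip().upper() for f in line.split(","))
        accounts.append(Account(name, pw == "Y", supe == "Y", station == "Y"))
    return accounts

def audit(accounts):
    findings = []  # (account, issue) pairs an admin should review
    for a in accounts:
        if a.name in DEFAULT_ACCOUNTS and not a.has_password:
            findings.append((a.name, "default account, no password"))
        if a.name in {"GUEST", "USER_TEMPLATE"} and a.has_password:
            # These ship without a password, so someone set one: find out who.
            findings.append((a.name, "password set on a default account, find out who"))
        if a.name in SERVICE_ACCOUNTS and not a.has_password:
            where = "station-restricted" if a.station_restricted else "no station restriction"
            findings.append((a.name, f"service account, no password, {where}"))
        if a.supe_equivalent and a.name not in EXPECTED_SUPE:
            findings.append((a.name, "unexpected Supervisor equivalence"))
    return findings

# Constructed sample export, not data from any real server.
SAMPLE_EXPORT = """\
# NAME,PASSWORD,SUPE,STATION
SUPERVISOR,Y,Y,N
GUEST,Y,N,N
USER_TEMPLATE,N,Y,N
PRINT,N,N,N
BACKUP,N,Y,Y
JSMITH,Y,N,N
"""

if __name__ == "__main__":
    print(*audit(parse_export(SAMPLE_EXPORT)), sep="\n")
```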

---------------------------------------------------------------------------

01-2. How can I figure out valid account names on Novell Netware?

Any limited account should have enough access to allow you to run SYSCON,
located in the SYS:PUBLIC directory. If you get in, type SYSCON and press Enter.
Now go to User Information and you will see a list of all defined accounts.
You will not get much info with a limited account, but you can get the
account and the user's full name.

If you're in with any valid account, you can run USERLST.EXE and get a list
of all valid account names on the server.

If you don't have access (maybe the sys admin deleted the GUEST account,
a fairly common practice), you can't just try any account name at the LOGIN
prompt. It will ask you for a password whether the account name is valid or
not, and if it is valid and you guess the wrong password, you could be
letting the world know what you're up to if Intruder Detection is on. But
there is a way to determine if an account is valid.

From a DOS prompt use a local copy (on your handy floppy you carry
everywhere) of MAP.EXE. After you've loaded the Netware TSRs up through
NETX or VLM, try to map a drive using the server name and volume SYS:.
For example:

	MAP G:=TARGET_SERVER/SYS:APPS <enter>

Since you are not logged in, you will be prompted for a login ID. If it
is a valid ID, you will be prompted for a password. If not, you will
immediately receive an error. Of course, if there is no password for the
ID you use, you will be attached and mapped to the server. You can do the
same thing with ATTACH.EXE:

	ATTACH TARGET_SERVER/loginidtotry <enter>

The same thing will happen as the MAP command. If valid, you will be
prompted for a password. If not, you get an error.

Another program to check for valid users and the presence of a password is
CHKNULL.EXE by itsme. This program checks for users and whether they have
a password assigned.

In 4.1, CHKNULL shows you every account with no password and you do not
have to be logged in. For this to work, bindery emulation must be on. But
there is another way to get them in 4.1:

Once you load up the VLMs you may be able to view the entire tree, or at
least all of the tree you could see if logged in. Try this:

      CX /T /A /R

During the installation of 4.1, [Public] has browse access to the entire
tree because [Public] is added to [Root] as a Trustee. The Inherited Rights
Filter flows this stuff down unless explicitly blocked. If you have the VLMs 
loaded and access to CX, you don't even have to log in, and you can get the
name of virtually every account on the server.

---------------------------------------------------------------------------

01-3. What is the "secret" method to gain Supervisor access that Novell used to
teach in CNE classes?

Before I start this section, let me recommend another solution, my God, ANY
other solution is better than this! If you are running 3.x, jump to the end of 
this section.

The secret method uses a DOS-based sector editor to edit the entry in the FAT
and reset the bindery to default upon server reboot. This gives you Supervisor
and Guest with no passwords. The method was taught in case you lost Supervisor
on a Netware 2.15 server and you had no supe equivalent accounts created. It
also saves the server from a wipe and reboot in case the Supervisor account is
corrupt, deleted, or trashed.

While you get a variety of answers from Novell about this technique, from "it
doesn't work" to "it is technically impossible", the truth is it can be done.
Here are the steps, as quoted from comp.os.netware.security, with my comments
in [brackets]:

[start of quote]
A Netware Server is supposed to be a very safe place to keep your files. Only
people with the right password will have access to the data stored there. The
Supervisor (or Admin) user's password is usually the most well kept secret in
the company, since anyone that has that code could simply log in to the server and
do anything he/she wants.

But what happens if this password is lost and there's no user that is 
security-equivalent to the supervisor? [Use SETPWD.NLM, instead of this process,
see section 02-3 - S.N.] What happens if the password system is somehow damaged
and no one can log in to the network? According to the manual, there's simply no
way out. You would have to reinstall the server and try to find your most recent 
backup. 

Fortunately, there is a very interesting way to gain complete access to a Netware
server without knowing the Supervisor's (or Admin's) password. You may imagine
that you would have to learn complex decryption techniques or even type in a long
C program, but that's not the case. The trick is so simple and generic that it
will work the same way for Netware 2.x, 3.x and 4.x. 

The idea is to fool Netware to think that you have just installed the server and
that no security system has been established yet. Just after a Netware 2.x or
3.x server is installed, the Supervisor's password is null and you can log in
with no restriction. Netware 4.x works slightly differently, but it also allows
anyone to log in after the initial installation, since the installer is asked to
enter a password for the Admin user.

But how can you make the server think it has just been installed without
actually reinstalling the server and losing all data on the disk? Simple. You
just delete the files that contain the security system. In Netware 2.x, all
security information is stored in two files (NET$BIND.SYS and NET$BVAL.SYS).
Netware 3.x stores that information in three files (NET$OBJ.SYS, NET$VAL.SYS and
NET$PROP.SYS). The all new Netware 4.x system stores all login names and 
passwords in five different files (PARTITIO.NDS, BLOCK.NDS, ENTRY.NDS, VALUE.NDS
and UNINSTAL.NDS [This last file may not be there, don't worry - S.N.]).

One last question remains. How can we delete these files if we don't have access
to the network, anyway? The answer is, again, simple. Although the people from
Novell did a very good job encrypting passwords, they left all directory
information easy to find and change if you can access the server's disk directly,
using common utilities like Norton's Disk Edit. Using this utility as an example,
I'll give a step-by-step procedure to make these files vanish. All you need is a
bootable DOS disk,  Norton Utilities' Emergency Disk containing the DiskEdit
program and some time near the server.

1. Boot the server and go to the DOS prompt. To do this, just let the network
boot normally and then use the DOWN and EXIT commands. This procedure does not
work on old Netware 2.x servers and in some installations where DOS has been 
removed from memory. In those cases, you'll have to use a DOS bootable disk.

2. Run Norton's DiskEdit utility from drive A:

3. Select "Tools" in the main menu and then select "Configuration". At the
configuration window, uncheck the "Read-Only" checkbox. And be very careful with
everything you type after this point.

4. Select "Object" and then "Drive". At the window, select the C: drive and make
sure you check the button "physical drive". After that, you'll be looking at your
physical disk and you'll be able to see (and change) everything on it.

5. Select "Tools" and then "Find". Here, you'll enter the name of the file you
are trying to find. Use "NET$BIND" for Netware 2, "NET$PROP.SYS" for Netware 3
and "PARTITIO.NDS" for Netware 4. It is possible that you find these strings in
a place that is not the Netware directory. If the file names are not all near
each other and proportionally separated by some unreadable codes (at least 32
bytes between them), then it's not the place we are looking for. In that case,
you'll have to keep searching by selecting "Tools" and then "Find again". [In
Netware 3.x, you can change all occurrences of the bindery files and it should
still work okay, I've done it before. - S.N.]

6. You found the directory and you are ready to change it. Instead of deleting 
the files, you'll be renaming them. This will avoid problems with the directory
structure (like lost FAT chains). Just type "OLD" over the existing "SYS" or
"NDS" extension. Be extremely careful and don't change anything else.

7. Select "Tools" and then "Find again". Since Netware stores the directory
information in two different places, you have to find the other copy and change 
it the same way. This will again prevent directory structure problems.

8. Exit Norton Disk Edit and boot the server again. If you're running Netware 2 
or 3, your server will already be accessible. Just go to any station and log in
as user Supervisor. No password will be asked. If you're running Netware 4, there
is one last step.

9. Load Netware 4 install utility (just type LOAD INSTALL at the console prompt) 
and select the options to install the Directory Services. You'll be prompted for the
Admin password while doing this. After that, you may go to any station and log in
as user Admin, using the password that you have selected.

What I did with Norton's Disk Edit could be done with any disk editing utility 
with a "Search" feature. This trick has helped me save many network supervisors
in recent years. I would just like to remind you that no one should break into
a netware server unless authorized to do it by the company that owns the server.
But you probably know that already.
[end of quote]

I actually had this typed up but kept changing it, so I stole this quote from
the newsgroup to save me retyping ;-)

Now the quickie for 3.x users. Use LASTHOPE.NLM, which renames the bindery and
downs the server. Reboot and you have Supe and Guest, no password.

---------------------------------------------------------------------------

01-4. What is the cheesy way to get Supervisor access?

The cheesy way is the way that will get you in, but it will be obvious to the 
server's admin that the server has been compromised. This technique works for 
3.11.

Using NW-HACK.EXE, if the Supervisor is logged in, NW-HACK does the following:
1) the Supervisor password is changed to SUPER_HACKER, 2) every account on the
server is made a supe equivalent, and 3) the sys admin is going to know very
quickly that something is wrong. What the admin will do is remove the supe
rights from all accounts that are not supposed to have it and change the
Supervisor password back. The only thing you can do is leave a backdoor for
yourself (see the next question).

---------------------------------------------------------------------------

01-5. How do I leave a backdoor?

Once you are in, you want to leave a way back with supe equivalency. You can use 
SUPER.EXE, written for the express purpose of allowing the non-supe user to 
toggle on and off supe equivalency. If you use the cheesy way in (previous 
question), you turn on the toggle before the admin removes your supe 
equivalency. If you gain access to a supe equivalent account, give Guest supe 
equivalency and then log in as Guest and toggle it on. Now get back in as the
original supe account and remove the supe equivalency. Now Guest can toggle on 
supe equivalency whenever it's convenient.

Of course Guest doesn't have to be used, it could be another account, like an
account used for e-mail administration or an e-mail router, a gateway's account, 
you get the idea.

Now SUPER.EXE is not completely clean. Running the Security utility or Bindfix 
will give away that an account has been altered at the bindery level, but the 
only way for an admin to clear the error is to delete and rebuild the account.

Another backdoor is outlined in section 02-2 regarding the replacement LOGIN.EXE
and PROP.EXE.

---------------------------------------------------------------------------

01-6. I don't have SETPWD.NLM or a disk editor. How can I get Supe access?

If you have two volumes or some unallocated disk space you can use this
hack to get Supe. Of course you need physical access but it works. I got
this from a post in comp.os.security.netware.

  - Dismount all volumes
  - Rename SYS: to SYSOLD:
  - Rename VOL1: (or whatever) to SYS: or create new SYS: on new disk
  - Reboot server
  - Mount SYS: and SYSOLD:
  - Attach to server as Supervisor (Note: login not available)
  - Rename SYSOLD:SYSTEM\NET$***.SYS to NET$****.OLD
  - Dismount volumes
  - Rename volume back to correct names
  - Reboot server
  - Login as Supervisor, no password due to new bindery
  - Run BINDREST
  - You are currently logged in as Supe, you can create a new user as
    Supe equiv and use this new user to reset Supe's password, whatever.
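
Both the rename trick in 01-3 and the SYSOLD: volume trick above leave the old
bindery files lying around, either as .OLD copies next to the regenerated set
or on a second volume. The following added check (mine, not from the FAQ or any
Novell tool) walks constructed SYSTEM directory listings per volume and flags
exactly those leftovers, plus a live bindery set that is incomplete; the
listing format is an assumption.

```python
# Live bindery / NDS file sets as named in 01-3, by Netware version.
BINDERY_SETS = {
    "Netware 2.x": {"NET$BIND.SYS", "NET$BVAL.SYS"},
    "Netware 3.x": {"NET$OBJ.SYS", "NET$VAL.SYS", "NET$PROP.SYS"},
    "Netware 4.x": {"PARTITIO.NDS", "BLOCK.NDS", "ENTRY.NDS", "VALUE.NDS"},
}

def stem(name):
    """'NET$OBJ.SYS' -> 'NET$OBJ' (the part a rename to .OLD leaves intact)."""
    return name.rsplit(".", 1)[0]

def check_volumes(volumes):
    """volumes: {volume_name: [file names in its SYSTEM directory]} (constructed input).
    Returns (volume, issue) pairs: stale .OLD copies left by a rename, a live set
    that is incomplete, and bindery files living on a volume other than SYS:."""
    findings = []
    for vol, files in volumes.items():
        names = {f.strip().upper() for f in files}
        for version, expected in BINDERY_SETS.items():
            live = expected & names
            stale = {stem(f) + ".OLD" for f in expected} & names
            if not live and not stale:
                continue  # this version's files are not on this volume at all
            if vol.upper() != "SYS":
                findings.append((vol, f"{version} bindery files on a non-SYS volume"))
            for f in sorted(stale):
                findings.append((vol, f"stale renamed bindery file {f}"))
            if live and live != expected:  # a partial live set is also suspicious
                for f in sorted(expected - live):
                    findings.append((vol, f"{version} bindery file {f} missing"))
    return findings

# Constructed directory listings, not taken from any real server.
SAMPLE_VOLUMES = {
    "SYS": ["LOGIN.EXE", "NET$OBJ.SYS", "NET$VAL.SYS", "NET$PROP.SYS",
            "NET$PROP.OLD", "SYSCON.EXE"],
    "SYSOLD": ["NET$OBJ.OLD", "NET$VAL.OLD", "NET$PROP.OLD"],
}

if __name__ == "__main__":
    print(*check_volumes(SAMPLE_VOLUMES), sep="\n")
```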

---------------------------------------------------------------------------
