On July 15, 1998 the Nomad Mobile Research Centre will release the DOS version of Pandora v3.0, a set of Novell Netware 4.x attack tools. These tools will provide the following functions:

- User and password hash extraction from Netware Directory Services (NDS).
- Brute force and dictionary attacking of the password hashes.
- Client-based attacks.
- The Pandora Toolkit API, including documentation.
- Full source code.
- Packet Signature defeating and bypassing.

This last element is probably the most interesting, as Novell's Packet Signature has been around for about seven years. New techniques developed by NMRC allow exploitation of weaknesses in the packet signing scheme, and in some cases allow packet signing to be completely bypassed. This has SERIOUS ramifications in every shop running a modern Netware server, including the current shipping version 4.11. Some of the client attack tools even work with Netware 5 betas 2 and 3.

The main exploit we came up with was a series of IPX spoofing techniques that allow a client to gain Admin privileges on a Netware server even if the highest level of Packet Signature has been set. We suspect that the ONLY configurations that are 100% protected are those user locations using the full C2 configuration of Netware that uses the special encrypting Ethernet cards, although we were unable to test this.

A white paper entitled "NCP: Netware Cries Pandora" (named in the style of Hobbit's CIFS: Common Insecurities Fail Scrutiny) has been released and is included with Pandora. The white paper is also online at the NMRC web site. This white paper explains some of these new exploits, how they work, and what to do to try and secure a Netware system.

Still under development are Linux versions that use the IPX connectivity tools available for Linux, and a GUI for Windows 95/NT and X to simplify usage. These tools are expected to be released within the next few weeks.

Novell was first contacted about these problems in mid June.
While our white paper does outline a few pre-emptive things that can be done, it is unclear from Novell exactly which patch revisions for which Netware versions fix what. Hopefully Novell will be a bit more forthcoming regarding their approach to announcing security fixes, as information that matches specific patches up to specific security problems is non-existent. All we can safely say is that according to Novell, patches exist for SOME of the new exploits.

The Pandora homepage is located at http://www.nmrc.org/pandora/

.o. Simple Nomad .oOo. Data warrior, knowledge hunter/gatherer
www.nmrc.org .oOo. thegnomeat_private .o.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:18 PDT