On Mon, 15 Jul 2002, st0ff st0ff wrote:

> i have to pentest a nt client. there is tcp/ip as well
> as ipx/spx installed. An ip-filter prevents accessing
> the box using tcp/ip. is there a possibility to do it
> over ipx?

The trick would be to make the netware client execute a login script of your choice (where you can execute any command). You can do this either by breaking into the server the client normally logs into, or by making the client connect to your server.

If there isn't a server on the network then set up one - it will work if the user is dumb enough to log in. The login script was once located in SYS:MAIL/<object id of the user in hex>/login. If you don't know what username the user will try to log in with, you could try to modify mars_nwe to treat all login names as one user.

If there is a server present on the network, try to DoS it and repeat the above. You could also break into the server and modify the login script of the user; try to use pandora (from www.nmrc.org). Another way would be to find a printer object with no password, and use it to elevate privileges to SUPERVISOR status via the ChangeToClientRights() netware API call.

For DoSing it you can send the server a license broadcast with the same license number as the server uses, or try to use some other version-specific method (for 3.12 search for ipxod). After you're done with the DoS, flood the network with SAP packets advertising your server (actually this sometimes will DoS the server).

> are there scanner-tools available like nmap?

For enumeration try enin (this version works only under linux but would be easy to port to other systems supporting ipx):

http://acid.ch.pw.edu.pl/~sq5bpf/mylinux/enin/

It will ping all ipx networks and show all ipx hosts. Additionally it will give you some information on what is running on the remote host and try to make a lame guess about what the client really is (it can tell you if it's a novell ipx client for windows or a microsoft ipx client for windows).

Hope this helps,
sq5bpf

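The message above depends on clients accepting SAP advertisements from a server that is not the real one. As an added example (not part of the original post), this checks captured SAP responses against an inventory of known file servers; the packet bytes, server names and the `KNOWN` inventory are constructed for illustration, and the offsets assume the standard 30-byte IPX header and 64-byte SAP entry layout.

```python
import struct

SAP_SOCKET = 0x0452      # well-known IPX socket used by SAP
FILE_SERVER = 0x0004     # SAP service type of a NetWare file server
ENTRY = struct.Struct(">H48s4s6sHH")   # type, name, network, node, socket, hops

def parse_sap(packet):
    """Return [(service_type, name, network_hex, node_hex)] from one IPX packet."""
    if len(packet) < 32:
        return []
    dst_socket, = struct.unpack_from(">H", packet, 16)
    operation, = struct.unpack_from(">H", packet, 30)
    if dst_socket != SAP_SOCKET or operation not in (2, 4):   # responses only
        return []
    services = []
    for off in range(32, len(packet) - ENTRY.size + 1, ENTRY.size):
        stype, name, net, node, _sock, _hops = ENTRY.unpack_from(packet, off)
        name = name.split(b"\0", 1)[0].decode("ascii", "replace")
        services.append((stype, name, net.hex(), node.hex()))
    return services

def unexpected_servers(packets, known):
    """Flag file-server advertisements that do not match the inventory
    `known` (server name -> (network_hex, node_hex))."""
    alerts = []
    for packet in packets:
        for stype, name, net, node in parse_sap(packet):
            if stype != FILE_SERVER:
                continue
            if name not in known:
                alerts.append(("unknown server", name, net, node))
            elif known[name] != (net, node):
                alerts.append(("address mismatch", name, net, node))
    return alerts

def build_sap(name, net, node):
    """Constructed sample data: a one-entry SAP general response."""
    entry = ENTRY.pack(FILE_SERVER, name.encode(), bytes.fromhex(net),
                       bytes.fromhex(node), 0x0451, 1)
    header = struct.pack(">HHBB4s6sH4s6sH", 0xFFFF, 32 + len(entry), 0, 4,
                         bytes(4), b"\xff" * 6, SAP_SOCKET,
                         bytes.fromhex(net), bytes.fromhex(node), SAP_SOCKET)
    return header + struct.pack(">H", 2) + entry

KNOWN = {"FS1": ("00000abc", "000000000001")}      # constructed inventory
SAMPLE = [build_sap("FS1", "00000abc", "000000000001"),
          build_sap("FS1", "0000beef", "000000000001"),
          build_sap("FS9", "0000beef", "000000000001")]
```
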
This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 12:34:22 PDT