Novell Netware 3.12
Netware reverse engineering - basic

by The Undertacker
(03 September 1997, slightly edited by Fravia)


Courtesy of Fravia's page of reverse engineering

Well, this is a welcome new direction for our studies... anybody else interested in starting a new +HCU project: Netware cracking? Here is an excerpt from The Undertacker's accompanying letter:
I will start publishing Netware 3.12 cracks first, because this is the version most widely used by organizations. Then, later, we'll move on to NW4.10 & NW4.11.

Novell Netware 3.12 -- [Session - 1] Exploring The Password Protection Scheme By The Undertacker -=BANDA=-
Before we start exploring Novell Netware here is a small introduction to the Netware Operating System. Basically Netware supports print & file sharing facilities. It uses NCP (over IPX) to communicate with the clients. Netware comes with different numbers of client licences (25-user, 50-user... versions). If you really want to learn more about this, check their web site at www.novell.com. Finally, Netware has lots of weak points (security, connection control, ...). So our aim is to examine those weak points and reverse their code.

In this session we discuss how Netware security is organized & how to defeat the Netware security protection schemes. The following algorithm will give you an idea of how Netware passwords are being encrypted. Thanks go to {LiLiPuT} for the following information.

    encryptd(int id[4], char password[])
        char buffer[32];
        concatenate password[] to itself until it is at least 32 bytes long,
            put the result in buffer[]
        concatenate id[] to itself until it is at least 32 bytes long,
            xor the result into buffer[]
        return encrypb(buffer[])

    encrypb(char buf[32])
        nibble output[32];            // 4 bits, msb or lsb
        apply a complicated (but easily crackable!) function to buf[]
        for (i = 0; i < 32; i++)
            output[i] = S-box[buf[i]];
        return output[]               /* 16 byte return value */

where the S-box[] crunches 8 bit values down to 4 bit values.

So here's how to invert the password hash function, given the 16 byte hash output[] value:

    for (i = 0; i < 32; i++)
        pick any x such that S-box[x] == output[i]    // crack simple
        buf[i] = x
    apply the reverse of the complicated function to buf[]
    concatenate id[] to itself..., and xor the result into buf[]
    use the resulting 32 byte buf[] as the inverse password

I hope you all understand the above algorithm. If not, FORGET about it and start working directly in the cracking session. To crack the password protection you need to use the server (console screen). The Netware O/S comes with an internal debugger for developers. We can use this debugger for most of our cracks.
Here is the way to get into the debugger. In the console screen, press Lt.Shift+Rt.Shift+Alt+Esc to enter the debugger. Now you are at the '#' prompt. To get more information about the debugger type H, HB, HE or .H.

-= CraCk SeSsion =-

The debugger supports CASE SENSITIVE API names. I will include in the next session the complete Netware API names. Ok Let's ROCK !!!!!

In the debugger type:

    #u VerifyPassword

This function checks the user input password against the encrypted bindery entry. If it matches it returns EAX=0, else EAX=bla bla bla.... Press the "Enter" key to scroll the unassembled listing. Scroll until you see the "RET" instruction:

    00328F76 C3 RET

The address may change according to your server configuration. Now put an execution breakpoint on the above address:

    B = 00328F76

Leave the debugger by pressing "g". Now log into the server from a workstation using a wrong password. BUFFF!!! you land inside the debugger. Check the EAX value. OH! it is not equal to 0. That means it is a wrong password. If you would press "g" again you would see a 'Password Incorrect' message inside your workstation. But if we change the value of the EAX register to 0 ("EAX=0") & press "g" you can nevertheless log into the server.

Ok Let's start the Crack.!!!!!

    c VerifyPassword = B8 0 0 0 0 C3

This command changes the operand and the opcode.

    u VerifyPassword

Now you can see our changes....

    XXXXXXXX B800000000 MOV EAX,0
    XXXXXXXX C3         RET

Clear all breakpoints ("bca") & press "g". That's it, you have done it. Novell Netware 3.1 reversed! It doesn't ask for the password hereafter.

I have kept this essay very simple because most of our readers are not familiar with Netware, nor with the Netware debugger. Once you have understood the basics, and we are going along smoothly, I will include more complicated stuff in my sessions. More sessions to come shortly. My thanks to all the friends in the +HCU. Happy NetworKing... Se Ya SOOn!!!!.
((((((( ReversE EngineerinG LiveS ForeveR ))))))) (C) 1997 The Undertacker -=BANDA=- All Rights Reserved. // SRI LANKA //
(c) The Undertacker, 1997. All rights reversed.