Novell Security Penetration ---------------- by

Net Battle Bot

Do not modify this file in any way

1. Introduction (PLEASE READ)

2. Novell - What You Need to Know
3. The Basics of Novell Hacking
i. Navigating the Network
ii. Command Prompt
iii. Floppy / CD
iv. Gaining Admin
v. Other stuff...
4. Advanced Novell Hacking
i. Tools

ii. File / Print Sharing

iii. SAM
iv. Access the Server
v. Viewing "restricted" drives

INTRODUCTION

Before we get started, let me get a couple of things straight. First of all, I hate it when I
surf the web and can't ever access any site without having shit like "This site is for
educational purposes only" pop up. For you people who are like me, I'll do you all a favour.

Which brings me to my next point. Admins. Most schools across the world have admins that
think they're the smartest things on two legs because they got some diploma that says they
know how to turn on a computer. Well, for any admins that think this way and are reading
this tutorial, let me say this: your diploma or certificate or whatever doesn't mean shit. Sure,
it makes you look smart on paper, but in the real world, if you're lazy or just plain stupid,
you will get 0wned by a person that you think is too young or too stupid to do any real
damage to your network. Make no mistake: if you stop learning, if you stop surfing the web
to sharpen your skills, if you stop caring about your network, sooner or later, some punk
who's gonna try and have some fun's gonna make your life really shit really fast when you
find out that you are way out of your depth real quick. Enough said. Always keep up with
what's happening on the web, no matter how much time you have to put into it.

Moving on. Now I would like to get some things straight about myself. Although I have
made this tutorial for people wishing to gain privileges in Novell, this tutorial isn't for
everybody. Although I like to think I'm a nice guy, there are certain people I dislike. These
are the people who always want you to do things for them. They never want to learn
because they "can't be bothered" so they always come to you for help. This tutorial is not
for people who want the easy way out. If the only reason you want to know how to do this
is so you can impress your friends, close this tutorial and click on it's icon. Now press
Shift+DEL. There we go. That probably got rid of some of them. Anyway, this tutorial is
being written for serious people who have little or no knowledge of Novell simply because
they haven't come across it. No problem. Enjoy.
Novell - What You Need To Know

Let's start off with the question "What is Novell?" Novell is basically a program that you
install over windows that works over a network to give users appropriate access. For
example, many schools use Novell because it allows them to give students limited rights so
they can only do what the admin allows them to (erhem). There is always at least one
administrator to supervise the network and manage student accounts.

Novell is a respected company that has been making security related programs for a long
time. Unfortunately, in recent years, Novell has been slipping up when it comes to the
integrity of their programs. Not surprisingly, many security holes have been found and
many more are on their way.

The Basics of Novell Hacking

As with any hack, we must first decide on the objective ie what do we want to achieve? Well,
let's go through it. Since you have physical access to the network, chances are you use it
quite often. Therefore you probably wouldn't want to install a virus as you would only be
doing yourself a bad favour. In places like schools, it is very common for admins to restrict
access to the floppy or cd drives as they don't want people bringing in stuff like viruses,
corrupt files or even games. We will soon see how to access these files anyway. Maybe you
want admin rights? If the admin is stupid, even this is possible. Do you want to install a
game? Do you want to look at other users files? All these things and more are possible on
some Novell networks. What you have to understand as either a user or an admin is that
networks will always have flaws. I have classified Novell networks into three basic
categories:

 shit security
 ok security
 perfect flawless security

In my experience, I have come across two of the above mentioned types of networks.
Guess which two. Note that many systems start off in the "shit security" category but move
up into the "ok security" category. When this happens, a hacker that had gotten used to a
certain system may be depressed for a while. Until he or she finds new holes. There is only
so much an admin can disable on your computer before it becomes a vegetable and of
absolutely no use to anyone. That's why we use whatever programs we have left to our
advantage. If you are a student then you will undoubtedly have programs that aid in study,
such as Notepad, MS Word, you may have Powerpoint etc. All these programs can be used
to our advantage.

First of all, let me cover the "shit" network class. In this network class, you should be able
to do anything. If something you do comes up with the message "This operation has been
cancelled by the Administrator" or "You have insufficient rights to execute this command" or
something to that effect, then the network falls into the "ok" class. Anyway, if your network
falls into the "shit" class, you should be able to open Internet Explorer then go File > Open
then Browse... When you do this, you will be able to see the entire C: drive of the computer,
though you may not necessarily be able to open any of the files.

***Note: This tutorial assumes that the Desktop has been stripped of all icons and the start
menu is almost bare if not completely removed.
OK. Now that we can see the path of all the files, we click Browse... again and attempt to
open a file using IE. Pick a useful file like "command.com" if you are using winnt. When you
find the file, click ok and you will have a little box with the full pathname of the file. You can
either OK, Cancel or Browse... Do neither. Copy the pathname. Now open MS Word. Go to
View > Toolbars then go to Visual Basic. A toolbox will pop up. Click "Design Mode". A new
toolbox should pop up again. This time click the "Command Button" which just looks like a
small rectangle. When the button pops up, double click it. You should be taken to a VB
screen with the following in the middle:

Private Sub CommandButton1_Click()

End Sub

Now type in...

SHELL("C:\winnt\system32\command.com")
...and hit F5 (Debug), so your screen looks like

Private Sub CommandButton1_Click()

SHELL("C:\winnt\system32\command.com")
End Sub

Hopefully, a minimized command screen will come up. If it doesn't, try this:

Private Sub CommandButton1_Click()

a = SHELL("C:\winnt\system32\command.com",vbNormalFocus)
End Sub

Hit F5 again. If this doesn't work there could be a number of things wrong. If a screen
comes up saying macros have been disabled, go back to your first Visual Basic toolbar. One
of the buttons says "Security...". Click it, then select the option that says "Low". Try again.
If this was the problem, you are lucky. If it still doesn't work, read on. If it says "Run-time
error:'53'--- File not found" you are in trouble. It means you either fucked up the pathname
or it isn't there. Of course, if your computer is running win2k or xp you will have to slightly
adjust your pathname to the one above.

***Note: I recommend you use command.com as apposed to cmd.exe. The main reason is that cmd.exe can be
blocked off by your administrator, so as soon as you open it you will get something that says "CMD has been
restricted by your administrotor. Press any key to continue...". If this happens, cmd is useless.
Now we move on to Powerpoint. This is a very simple way of opening files. You create any
slide, then right clock and go "Hyperlink" or whatever it says. From there you are able to
link it to any file on the computer. When you view the slide show, click on the hyperlink and
you will open the file.

Now we move on to Notepad. Notepad is one of those things that I would kill for. It is just
so versatile that it can be used for anything and everybody has it, so there are never any
problems with compatibility. That's part of the reason most tutorials, including this one, are
written in Notepad. The way we will use Notepad in this example is by creating a hyperlink
to a document, much like what we did with Powerpoint. So we open Notepad then type:

<a href="C:\winnt\system32\command.com">click</a>

We then go to File > Save as... then we type in "link.html" in our private drive (the drive
the admin has allocated to each user for storage of personal files, sometimes also called My
Documents). When we refresh the drive, we should be able to see an IE icon called
"link.html". Double click it, then click the hyperlink. Hope it works!

Now we will try creating shortcuts. This is probably the easiest method to use to get into
DOS (strictly speaking this is not true DOS, but for the purpose of this tutorial I will refer to
it as such). That's the reason I saved it for last. The earlier methods allow you to fish
around inside the network and get to know how it works, what makes it tick. Not to mention
that the previous methods were not limited to accessing command, but allowed us to open
ANYTHING. Now let's take a look at how shortcuts work. Open your local drive, then right
click and go to New > Shortcut (if you have right click disabled go to File > New > Shortcut).
In the space provided type "command" and hit next. Now click finish. You should have a
shortcut placed on your drive that takes you to DOS.

Now let's take a look at QBasic. QBasic is a primitive sequential programming language
used to create really crappy programs. Luckily, most schools have QBasic in their syllabus,
so you should have the icon. If you do, you are lucky. Open QBasic, then when you get to
the main screen, type...

SHELL

...and Hit F5

This will immediately open up DOS for you. Cool huh? So, what can we do with DOS? If you
need to be asking that question then you shouldn't be reading this tutorial, but briefly I will
tell you that DOS is very helpful when accessing anything, whether it be on a hardrive,
floppy, cd or anywhere else.

Speaking of floppy, you may be wondering how to access it or cds on a network that
appears to be completely locked down. There are a couple of ways. First of all, if you can
see any drives as icons, try right clicking on them. You might have an option that says "Map
Network Drive" and "Disconnect Network Drive". If this is the case, find out which one is the
floppy drive (try a: or b: first) and disconnect it. Now, in the address bar in any window,
type "a:" and you should be taken to the floppy.
If this doesn't work, then don't worry. Heaps of things definitely will. Of course it depends
greatly on the network, but generally the principle is the same. In a network where you
don't have the luxury of being able to freely browse everything, you have to be shifty. In
your private drive, try creating a shortcut to a:. This will almost definitely not work but is
worth a try. Also, try going to File > Winzip > Zip to file. This will allow you to transfer files
to your floppy.

Lastly, we can use DOS. This is my favourite method because it's hell hard to disable shit in
DOS, at least, effectively, so there aren't heaps of ways around it. In DOS type:

C:\>a:
A:\>dir

Volume in A has no label

Volume Serial Number is 0001-0AA0
Directory of A:

BO2k.zip 111,111 1/1/04

Netbus.zip 111,111 1/1/04

C:\>

So now we can see what's on the disk. If you wanna run it you can type:

A:\>Netbus.zip

However, a more efficient way of opening it would be to first copy it to your private drive.
We do this by typing:

A:\>copy a:\*.zip h:

Assuming h: is your private drive. The wildcard will copy all files with the extension ".zip".
The same way, we can open cds. Exactly the same. Sometimes when we copy it to our
drives we get the message that "This operation has been cancelled by your administrator".
In this case, we go back to MS Word and open a VB macro. Type in the path and you open
it. No questions asked and no crappy prompts. By the way, you can also use a macro to
open files directly from the floppy or cd. I just prefer not to. I think it's easier to just copy
them directly. Also you don't have to check the pathname every time you want to open a
new file. But whatever. Do what you feel comfortable with. There is another way of getting
access to the a: drive using the "net use" command, but more about that later.

Another extremely useful thing you can do with DOS access is type something like:

C:\>copy c:\winnt\*.pwl a:

This command copies all the .pwl (password) files that are stored in the winnt directory. We
can now take the disk home and crack the password files in our own time at our own leisure.
This only works on crappy networks though. Most reasonably secure or just new networks
no longer store their passwords in .pwl files. In win2k, there's a new thing called SAM
(Security AccountsManager). This is much harder to break, so more on that later.
Now for a quick lesson on network file sharing. In some networks, the admin allows you
access to all drives. If this is the case, there should be a drive which contains the files of all
people who have access to the network. Once you find the drive, simply scroll down to the
folder with the same name as the targets login name and you can browse their personal
files. It should be noted, however, that this kind of file sharing is only allowed on the
shittiest of crappy networks. I have come across it only once in my life =)

Now let's move on to something that may seem obvious, yet many people don't even
consider. Downloading off the web. As an admin, it is really very simple to turn off
downloads. However, you would be surprised how many admins forget about it and leave
the web open to all their users for all intents and purposes. I think the usefulness of being
able to download files off the internet is quite obvious, so I won't go on for long. In case you
have absolutely no imagination, the internet could be used for downloading backdoor
programs, viruses (again, what's the point?), password crackers or even just simple things
like DOS =)

On a slightly different topic, DOS has many features that the common happy internet user
doesn't know, or doesn't need to know about. The most interesting one of these is Netstat.
Netstat is a time honoured command that allows the user to see all the inbound and
outbound connections his computer is engaged in. Netstat has many uses, but we will only
quickly look at the most useful. For the common internet user, Netstat can be used to find
out, for example, whether or not they have a trojan installed on their computer. For
example, if they type in Netstat and see that some computer has established a connection
with them on a high numbered port such as 12345, they know they're in trouble. Although
by this time it may be too late, the person could then terminate his internet connection and
run down to the store to buy the latest anti-virus. Just an example. For people who have
malicious intentions, Netstat is an invaluable tool for quickly and easily finding out
someone's IP address or hostname. The trick is to send them a file and execute the
command. This file can be sent using anything; IRC, MSN etc.

***Note: Netstat usually shows only the hostname of the target. For an actual IP, type
Netstat -n.

At this point, you may be wondering why I'm wasting time in showing off my DOS skills.
The reason is that if you're connected to a network, Netstat can show you the IP of the
server ie the "big daddy" computer which runs and maintains the network. In theory, if you
wanted to and you knew the IP of the server, you could create a DoS (Denial of Service)
attack on the server. In the old days this could be achieved by pinging the server with large
packets in an infinite loop. You might me less lucky these days... but hey, it's worth a shot.

Something really cool with DOS is that you can create batch files that execute commands in
DOS. Batch files are basically little programs that you can get to fire off commands. For
example, I can create a batch file that pings the server until I turn off the file. I can, of
course, use all the same commands that I could in an actual DOS window. Thus I can
specify how many packets I send, the timeout, packet size etc.

Creating batch files is incredibly simple. Open up Notepad, then type:

@echo.on
ping 10.15.196.26 -t -l 1000 [This is the command you want to run]
@echo.off
ping.bat [Creates a loop to repeat command forever]
Now save this file as ping.bat, or anything you want it to be called but make sure you
change the filename at the bottom of the bat file to ensure a loop. The cool thing about this
is that it doesn't wait for the command to be completed. It immediately starts the next
command regardless of the result of the previous one. This method can, of course, be used
to execute any command, and the loop can be stopped by removing the "ping.bat" at the
end of the file. If you wanna have some fun, try typing in "net send [username] [message]"
in the command prompt. If the user is currently logged on, a message will appear on his
screen. It's really funny if you can see their monitor from where you are sitting if you type a
crazy message like "You have just been owned!!!". Be aware however that the person
receiving the message will know what computer the message has come from. Your
computer name will be something crazy like LIB00123. Although the user may not be able
to tell exactly who sent the message (then again, if he's smart he will), he can type in the
computer name instead of the username and create a .bat file to spam you to hell.

Let's get back on track. It's time to show you how to create admin accounts in Novell if the
OS is winnt, assuming the Control Panel is disabled. Note however that this is easy to
disable, but most admins forget about it. Go into any folder and go to the help menu, the
Help Topics. Search anything related to users, passwords etc. You will then find a topic that
contains a hyperlink to "Users and Passwords". Click it. The crappy thing about winnt
security is that when changing a password, you don't have to know the old one! Anyway,
once you either create a new account or change the password on an existing account,
restart the computer. When the logon screen appears, type your login name and password.
Now look around for a checkbox that says "Workstation". Check it and press OK.

***Note: you will only have admin access on that particular computer. "Workstation" means that you log onto an
account on that workstation. If the checkbox isn't on the login screen, then you cannot create admin accounts in
this way. You will have to try certain programs described later in the "Advanced Novell Hacking" section.

Lastly, I will show you how to access telnet. As you may have seen, most of my methods
involve DOS. Telnet is no different. In a DOS screen, type "telnet" and you will be taken to
the Telnet screen. From here try telnetting to the server and punch in a few commands to
see what you can do. Find out as much info as you can about what programs he's using and
go online to look for some tutorials.
Advanced Novell Hacking

This short section will discuss various advanced Novell hacking techniques. These involve
using programs such as port scanners, keyloggers, trojans and password crackers. I will
also be looking at File and Print Sharing (Legion V2.1, Sid2User - User2Sid, DumpSec), as
well as some tips and tricks with navigating around the network, including the "net use"
command.

Firstly, let's look at various methods of hacking the network using specific programs.
Although this section may offend some people, it is nevertheless an essential part of Novell
security. It is an unfortunate fact that many people these days want to hack someone to be
"cool" in the eyes of their friends. These people have little or no morals, and almost always
possess absolutely no skill what so ever. All they care about is getting what they want, and
they don't care how they get it. Because of their lack of skill, these people usually rely solely
on programs to do their dirty work (if they don't have a friend who does it for them). If
anybody like this is reading this, I spit on you.

On the other hand, there are many skilled hackers out there who also turn to programs
which automate the process for a variety of reasons, usually because it is easier and usually
more effective to use programs.

As with any hack, there is one tool that you simply cannot live without. A port scanner.
There has been much debate over which port scanner is the best, what the pro's and con's
of each scanner are etc. Many say Nmap, but I often there's no need to waste time with
such an advanced scanner. The problem with Nmap is that it is too complicated for quick
and easy use. Nmap is good for home use, when you have a lot of time on your hands to try
out various scans. In my humble opinion, the best scanner for a Novell network is Angry IP
Scanner by Angryziber (angryziber@angryziber.com). Angry IP allows for lightning fast port
scans on huge networks, with great accuracy. It has some built in features like being able to
establish connections over HTTP, FTP and Telnet, as well as being able to Traceroute. It also
has cool things like "favourites" and being able to tell you many things about the target,
such as Hostname, Comp. Name, Group Name, User Name, MAC address and TTL. On top of
all this, it can be used from the command line! Anyway, it has many more features that you
need to explore yourself. For now, all we really need to be focussing on is its efficient simple
port scanning features.

First of all, you will need to get the IP of some computers on your network. If you have
been reading this tutorial carefully instead of just skip to this section, you will remember
that this can be done using the netstat command in DOS (btw, if you still can't get DOS
then you are really dumb - no offence). You really only need one IP, because most, if not all
of the IP's on the network will have the same Network Number and Host Number. So, if you
can see that your IP is 123.123.12.123, you should only scan IP's that have the same
Network Number and Host Number. In the case of the example, you would enter the start
IP as 123.123.12.1 and the end IP as 123.123.12.255. First you should scan using only one
port because you want to know exactly how many computers you are potentially dealing
with. If you put too many ports, you will be waiting ages for your results if there are heaps
of computers on the network. An alternative to this would be to use the "net view"
command.
C:\>net view

This displays all the computers connected to the network that you are currently on. This
command can be used to get further information about an individual machine by typing:

C:\>net view \\SOMECOMPUTER

==============================
Disk | share name

C:\>net view \\workgroup:TARGETWG (gives all computers in workgroup)

C:\>net view \\domain:TARGETD (gives all computers in domain)

Anyway, it would be best to specify the port as TCP 139, which you should all know as
NetBIOS. If this is open on any computers (and it damn well should be, you are on a
network), you may be able to get access to that computers hard drive. Go into DOS, and
type in:

C:\>net use \\ADMINCOMPUTER\IPC$ "" /u:""

If you have even the slightest experience in hacking, you would have seen this command a
thousand times before. For those haven't, all you are doing is attempting to connect to
computer "ADMINCOMPUTER" using the inbuilt IPC$ share with a null password "" and an
anonymous user /u:"". If this doesn't work, you can try substituting the password for a
wilcard * or even the account, so you can have:

C:\>NET USE \\ADMINCOMPUTER\IPC$ "" /u:""

C:\>NET USE \\ADMINCOMPUTER\IPC$ * /USER:""
C:\>NET USE \\ADMINCOMPUTER\IPC$ * /USER:

They all do the same thing, but sometimes only certain ones will work on certain machines.
If you are unlucky, you could try to substitute the IPC$ for ADMIN$ or C$. These are just
additional default shares. The difference between ADMIN$, C$ and IPC$ is that IPC$ cannot
be removed. This means that you should always be able to establish a connection. Of course,
the admin may want to create additional shares such as such as A$ (remote floppy drive),
E$ (remote CD drive) and really anything he wants. An admin can quite easily create and
delete shares using the "net share" command:

C:\>net share ADMIN$ /delete

Command completed successfully

This command deletes the remote administrator ADMIN$ share. Shares can be added by
typing:

C:\>net share A$ a:
Command completed successfully.

This tells the computer to create a share A$ with the target to the a: drive.
I said earlier that it is possible to disconnect the a: drive from the network, thus enabling it
for our own usage. This can be done using the command:

C:\>net use a: /delete

Unfortunately, this command can be restricted by the administrator. Once it is, no command
with the prefix "net" will work. On the bright side, it is rare for an admin to realise that
anybody has been fucking with net use commands and establishing connections, yet alone
disable the command. If the command does get disabled, we are forced to turn to programs
to do our dirty work.

Although there are a number of Netbios scanners, most of them are rather dated as these
days few hackers seriously rely on Netbios as their main weapon. Sure, it can be fun and
rewarding, but most computers these days have patches to guard against unauthorised
access, or simply block access to TCP 139 through their firewall or router. As a result, most
people have stopped making new Netbios programs. Because of this, most of the programs
for Netbios are old. REALLY old. We're talking old as in 1999 old. Sure, doesn't seem like
that long ago, but in the computer world, that is an eternity. Luckily for us, this is slightly
different for networks. Because a network has to be tied together very closely, it usually
depends on port 139 to handle all the traffic. As a result, most old programs will work like a
charm. Although there are many, many different programs you can use to try and get the
shares, I recommend you use Legion V2.1 from the now dead Rhino9 Security Group. It
generally floats among internet sites.

Now let's take a quick look at the Security Accounts Manager (SAM). SAM is a way of
storing users details on the computer. It has usernames and password hashes inside, so it is
very important to keep safe from prying eyes. If you're the one with those eyes, SAM may
just be your goal. To cut the long story short, SAM cannot be accessed while anyone is
logged onto that computer. So what you have to do is restart it in DOS and try and copy it
from there onto floppy. The only problem with this is that sometimes SAM can be very big -
a couple of Mb even so floppy disk is an unlikely alternative. If the computer doesn't have a
burner then it is unlikely that you will be able to extract the hashes, so try and make the
best of it any way you can. Sometimes it's even possible to rename the SAM file by
restarting in DOS and typing:

ren C:\winnt\repair\sam wateva

This will make the SAM file unreadable, so if the passwords are stored on the computer
rather than the server, they will all be useless. If this works, you will be able to log on
without a username or password. If you are able to extract the SAM file, there are many
different password crackers that you can use to take a peek at what's insisde. L0pht, Cain
and Abel and many more do a splendid job. Try them out and see what works for you.

Finally, I'll just show you one last thing that will freak the hell out of your admin if he ever
sees it. It is ridiculously easy to access the server on most networks and nobody even
considers this method. Simply create a shortcut to it!!! If you can find a way to find the
hostname of your server, all you have to do it right click, select new then click on shortcut.
In the space provided, type the hostname of the server. For example, if the server is called
"server-1" then in the shotcut type:

\\server-1
Then click next and that's it! You can double click on the shortcut and you will have access
to all the files on the server!!! As I said before, this will scare the hell out of any admin
because he wouldn't have thought of it himself and has definately not seen this before.
As for how much you can actually do - that depends entirely on the server. Most times
you will just browse but sometimes, who knows?

Lastly, we will take a quick look at the the SUBST command. The SUBST command
associates a path with a drive letter. This means it creates a virtual drive on top of an actual
one. This can be extremely handy when the administrator has blocked of say the C: drive
from being viewed. Often the admin simply restricts access to the C: drive by not showing
the icon for the drive. If this is the case simple open up a command prompt and type:

explorer c:

This will open explorer to the C: drive. Generally one will not be so lucky. The C: drive itself
is often restricted and trying to open explorer through command will tell us we don't have
permission. SUBST allows us to get passed this. Open up a command prompt and type in:

subst z: C:\

where z: is the virtual drive you wish to create and C:\ is the path of the drive you wish to
view. Now all you have to do is type...

explorer z:

...and an explorer window will pop up showing you the contents of C: but in the z: drive.
You may navigate this at will just as you would normally on an unrestricted computer.
Although useful, SUBST really only gives you a graphic interface since we may the entire
contents of adrive through command.

***Note: SUBST will also add the virtual drive to My Computer. If you have access to My Computer you will see z:
as well.

If you are having trouble with command because you cannot scroll up whilst trying to use
dir, try using dir /w or /p instead. Otherwise...

dir >> H:\dir.txt

...will send the results of the dir to a file called dir.txt (or will create the file if it does not
already exist) on the H: drive. Also note that on large networks net view can also be a pain,
but using

net view >> H:\net.txt

we can see all the computers in a text file!

Conclusion

Well, I hope you have learnt something from this file and you enjoyed reading it. I certainly
enjoyed writing it. I have tried to make it as informative as possible and readable for all
levels. If anyone has anything to add don't hesitate to email me at: scum_69@hotmail.com.
I will gladly accept all emails and hear what you have to say. I may even write back...
Please no attachments =)

Angry IP Scanner 2.20 can be found at many sites, and as of this writing, its homepage is
http://www.angryziber.com This file may be freely distributed as long as it remains
unchanged in any way.

Good luck and happy BHH!

©2004 Net Battle Bot