From: Steven A. Fletcher (sfletcher@integrityts.com)
Date: Fri Aug 13 2004 - 02:29:06 EDT
Like you, the bulk of my experience is with Windows, but I do have a
fair amount of experience with NetWare also, so I might be able to
provide a little help. Unfortunately, my pen-testing experience is
pretty limited, so I'm not sure how much help I will be, but I will try.
I will start with some the questions in the limitations you have
discovered.
You said that you were not able to determine if the server has an FTP or
HTTP client. As far as I know, neither of these are built into the OS.
I have seen an FTP client that you can install, but I do not know of one
that comes with the OS.
As for the remote console, if you loaded the old style console, that
only support IPX, which would be useless from the outside. There is an
IP based console, but I have not used it enough to tell you how to set
it up. The client is named rconj.exe and should be somewhere under the
SYS:\Public folder. Unfortunately, if the firewall is configured
properly, then that port is likely to not be open from the outside.
When it comes to gaining knowledge of the internal network, if you can
gain a full remote console, the Monitor utility will show a list of
current connections, complete with IP addresses of the clients.
That is all I can think of right now, but if I think of anything else, I
will let you know.
Steve Fletcher
Senior Network Engineer, MCSE, HP Master ASE, CCNA, Security+
Integrity Technology Solutions
Phone: (309)664-8129
Toll Free: (888) 764-8100 ext. 129
Fax: (309) 662-6421
sfletcher@integrityts.com
-----Original Message-----
From: McKenna Henage [mailto:mckennage@hotmail.com]
Sent: Wednesday, August 11, 2004 7:27 PM
To: pen-test@securityfocus.com
Subject: Escalating from Netware box
I'm wrapping up a pen-test and I've gained access to a
NetWare-Enterprise-Web-Server/5.1 box through the ability to run Perl
commands using specially crafted URLs (e.g.,
"perl/-e%20system(%22dir%22);"). I wrote a program in Perl that crafts
the
URLs to allow me to easily read any file on the server, write to any
file,
or execute any command. However, without any Novell experience (I am a
MS
and Linux guy), I am unable to escalate to the point of being able to
attack
other systems on the client's network.
Any suggestions for ways I can use this Netware box to further exploit
their
networks would be very much appreciated. In particular, I'm interested
in
discovering what other devices are on their network (since I can only
see
their Netware box from the Internet), performing port scans,
vulnerability
scans, etc. I need to be nice to the server since it is in production,
so
I'm trying not to experiment too much on their machine and risk bringing
it
down (already crashed it once!).
I've already done some research on Netware, including listening to RFP's
Black Hat talk on Netware, and reading the "Novell Hacking FAQ"
available on
the web. Unfortunately most resources I've found refer to Netware 2.x,
3.x,
and 4.x. Here is what I've been able to gain so far, thanks to having
partial access to files on the system using directory traversal:
-Internal IP address
-IPX servers (running the command "display ipx servers")
-See unencrypted passwords in /system/autoexec.ncf and /etc/netinfo.cfg
(and
to crack a password in /Novonyx/suitespot/admin-serv/config/ADMPW)
-Successfully ping out to a device on the Internet (unfortunately it
appears
to be continuous, because I wasn't able to stop it)
-...and pretty much anything else that is in a file, or almost any
command
I have run into some limits:
-Any request I make (to read/write a file or execute a command) is
limited
in character length, hampering my ability to execute an elaborate Perl
program on the box or even to read some files that are too far down the
directory tree
-Haven't found a way to send some characters such as " and ', even after
trying everything I could think of (encoding, double encoding, etc.).
Wish I
could do that because then I could essentially start writing a new Perl
script to their machine and overcome the character limitation just
mentioned, and potentially find a way to upload a Perl port scanner of
some
sort.
-An inability to correctly view all files. Since I'm getting the files
fed
back in a web browser, I can sometimes only see the first parts of a
file
(up to 500K or so), and have trouble downloading binaries.
-An inability to see the entire results of a command run on the system.
I
can run a command, but then to see the results I have to open
/etc/console.log and read the last few lines (so I can't always see the
entire results, because it appears to be cut off in the log).
-I don't even know how to download files to the Netware box. I have been
unable to determine if it has a HTTP or FTP client I can use to pull
down a
trojan/backdoor program, netcat, or anything else.
-Some blockage at the firewall (?). For example, I tried loading the
remote
console and then accessing it remotely, but it appears to be blocked at
the
firewall since I can't get in. If it were a Linux/Unix/Windows box then
I'd
know how to download a SSH client and reverse-tunnel a connection out
through the firewall, but I'm clueless on Netware.
Thanks in advance for any suggestions you can provide in the next couple
days.
Beme Lee
_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from
McAfee(r)
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT