Re: PenTesting a IPX/SPX Client

From: Jacek Lipkowski (
Date: 07/16/02

Date: Tue, 16 Jul 2002 15:09:05 +0200 (CEST)
From: Jacek Lipkowski <>
To: st0ff st0ff <>

On Mon, 15 Jul 2002, st0ff st0ff wrote:

> i have to pentest a nt client. there is tcp/ip as well
> as ipx/spx installed. An ip-filter prevents accessing
> the box using tcp/ip. is there a possibility to do it
> over ipx?

The trick would be to make the netware client execute a login script of
your choice (where you can execute any command). You can do this either by
breaking into the server the client normally logs into, or by making the
client connect to your server.

If there isn't a server on the network then set up one - it will work if
the user is dumb enough to log in. The login script was once located in
SYS:MAIL/<object id of the user in hex>/login. If you don't know what
username the user will try to login with, you could try to modify mars_nwe
to treat all login names as one user.

If there is a server present on the network try to DoS it and repeat the
You could also break into the server and modify the login script of
the user, try to use pandora (from Another way would be to
find a printer object with no password, and use it to elevate
privliges to SUPERVISOR status via the ChangeToClientRights() netware API
For DoSing it you can send the server a license broadcast with the
same license number as the server uses, or try to use some other version
specific method (for 3.12 search for ipxod).

After you're done with the DoS, flood the network with SAP packets
advertising your server (actually this sometimes will DoS the server).

> are there scanner-tools available like nmap?

For enumeration try enin (this version works only under linux but would
be easy to port to other systems supporting ipx):
It will ping all ipx networks and show all ipx hosts.

Additionally it will give you some information on what is running on the
remote host and try to make a lame guess about what the client really is
(it can tell you if it's a novell ipx client for windows or a microsoft
ipx client for windows).

Hope this helps,


This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see: