Re: PenTesting a IPX/SPX Client

From: Jacek Lipkowski (sq5bpf@acid.ch.pw.edu.pl)
Date: 07/16/02


Date: Tue, 16 Jul 2002 15:09:05 +0200 (CEST)
From: Jacek Lipkowski <sq5bpf@acid.ch.pw.edu.pl>
To: st0ff st0ff <if0ff@yahoo.com>

On Mon, 15 Jul 2002, st0ff st0ff wrote:

> I have to pentest an NT client. There is TCP/IP as well
> as IPX/SPX installed. An IP filter prevents accessing
> the box using TCP/IP. Is there a possibility to do it
> over IPX?

The trick would be to make the netware client execute a login script of
your choice (where you can execute any command). You can do this either by
breaking into the server the client normally logs into, or by making the
client connect to your server.

If there isn't a server on the network then set up one - it will work if
the user is dumb enough to log in. The login script was once located in
SYS:MAIL/<object id of the user in hex>/login. If you don't know what
username the user will try to log in with, you could try to modify mars_nwe
to treat all login names as one user.

If there is a server present on the network try to DoS it and repeat the
above.
You could also break into the server and modify the login script of
the user, try to use pandora (from www.nmrc.org). Another way would be to
find a printer object with no password, and use it to elevate
privileges to SUPERVISOR status via the ChangeToClientRights() netware API
call.
For DoSing it you can send the server a license broadcast with the
same license number as the server uses, or try to use some other version
specific method (for 3.12 search for ipxod).

After you're done with the DoS, flood the network with SAP packets
advertising your server (actually this sometimes will DoS the server).

> Are there scanner tools available like nmap?

For enumeration try enin (this version works only under linux but would
be easy to port to other systems supporting ipx):
http://acid.ch.pw.edu.pl/~sq5bpf/mylinux/enin/
It will ping all ipx networks and show all ipx hosts.

Additionally it will give you some information on what is running on the
remote host and try to make a lame guess about what the client really is
(it can tell you if it's a novell ipx client for windows or a microsoft
ipx client for windows).

Hope this helps,

sq5bpf
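A defensive counterpart to the rogue-server SAP scenario described in the reply above, added here as an example and not part of the original post, of enin, or of any other tool it mentions: a parser for SAP response packets that flags advertisements from servers outside a known inventory, or a known server name announced from an unexpected network address. The IPX header and SAP entry layouts follow the standard Novell wire format; `sample_sap_frame` only builds constructed frames for testing, and the server names and addresses are made up.

```python
import struct

# Standard IPX/SAP wire layout (big-endian): a 30-byte IPX header, then a 2-byte
# SAP operation code and up to seven 64-byte service entries. Socket 0x0452 is SAP.
IPX_HDR = struct.Struct(">HHBB4s6sH4s6sH")
SAP_ENTRY = struct.Struct(">H48s4s6sHH")
SAP_SOCKET = 0x0452
SAP_RESPONSE_OPS = {2, 4}  # general service response, nearest service response

def parse_sap_advertisements(frame):
    """Return [(server_name, server_type, network, node)] advertised in one raw
    IPX frame, or [] if the frame is not a SAP response."""
    if len(frame) < IPX_HDR.size + 2:
        return []
    hdr = IPX_HDR.unpack_from(frame)
    if SAP_SOCKET not in (hdr[6], hdr[9]):  # destination or source socket
        return []
    op = struct.unpack_from(">H", frame, IPX_HDR.size)[0]
    if op not in SAP_RESPONSE_OPS:
        return []
    entries, off = [], IPX_HDR.size + 2
    while off + SAP_ENTRY.size <= len(frame):
        stype, raw_name, net, node, _sock, _hops = SAP_ENTRY.unpack_from(frame, off)
        name = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
        entries.append((name, stype, net, node))
        off += SAP_ENTRY.size
    return entries

def find_rogue_sap(frames, trusted):
    """trusted maps server name -> (network, node) from the server inventory.
    Flags names not in the inventory, and known names announced from another
    address (a rogue server impersonating the one clients normally log in to)."""
    alerts = []
    for frame in frames:
        for name, stype, net, node in parse_sap_advertisements(frame):
            where = f"{net.hex()}:{node.hex()}"
            if name not in trusted:
                alerts.append(f"unknown server {name} (type {stype:#06x}) at {where}")
            elif trusted[name] != (net, node):
                alerts.append(f"known server {name} announced from unexpected {where}")
    return alerts

def sample_sap_frame(name, net, node, stype=4, op=2):
    """Constructed test fixture: a single-entry SAP response (file server, type 4)."""
    entry = SAP_ENTRY.pack(stype, name.encode().ljust(48, b"\0"), net, node, 0x0451, 1)
    body = struct.pack(">H", op) + entry
    hdr = IPX_HDR.pack(0xFFFF, IPX_HDR.size + len(body), 0, 4,
                       net, b"\xff" * 6, SAP_SOCKET, net, node, SAP_SOCKET)
    return hdr + body
```

Feed `find_rogue_sap` frames captured from the SAP socket and keep `trusted` in sync with the real server inventory; a burst of alerts for one known name from a new node is the signature of the impersonation the post describes.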

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/