Escalating from Netware box

From: McKenna Henage (mckennage_at_hotmail.com)
Date: 08/12/04

  • Next message: H D Moore: "Metasploit Framework v2.2" 
    To: pen-test@securityfocus.com
Date: Thu, 12 Aug 2004 00:26:40 +0000

    I'm wrapping up a pen-test and I've gained access to a
    NetWare-Enterprise-Web-Server/5.1 box through the ability to run Perl
    commands using specially crafted URLs (e.g.,
    "perl/-e%20system(%22dir%22);"). I wrote a program in Perl that crafts the
    URLs to allow me to easily read any file on the server, write to any file,
    or execute any command. However, without any Novell experience (I am a MS
    and Linux guy), I am unable to escalate to the point of being able to attack
    other systems on the client's network.

    Any suggestions for ways I can use this Netware box to further exploit their
    networks would be very much appreciated. In particular, I'm interested in
    discovering what other devices are on their network (since I can only see
    their Netware box from the Internet), performing port scans, vulnerability
    scans, etc. I need to be nice to the server since it is in production, so
    I'm trying not to experiment too much on their machine and risk bringing it
    down (already crashed it once!).

    I've already done some research on Netware, including listening to RFP's
    Black Hat talk on Netware, and reading the "Novell Hacking FAQ" available on
    the web. Unfortunately most resources I've found refer to Netware 2.x, 3.x,
    and 4.x. Here is what I've been able to gain so far, thanks to having
    partial access to files on the system using directory traversal:

    -Internal IP address
    -IPX servers (running the command “display ipx servers”)
    -See unencrypted passwords in /system/autoexec.ncf and /etc/netinfo.cfg (and
    to crack a password in /Novonyx/suitespot/admin-serv/config/ADMPW)
    -Successfully ping out to a device on the Internet (unfortunately it appears
    to be continuous, because I wasn’t able to stop it)
    -…and pretty much anything else that is in a file, or almost any command

    I have run into some limits:

    -Any request I make (to read/write a file or execute a command) is limited
    in character length, hampering my ability to execute an elaborate Perl
    program on the box or even to read some files that are too far down the
    directory tree
    -Haven't found a way to send some characters such as " and ', even after
    trying everything I could think of (encoding, double encoding, etc.). Wish I
    could do that because then I could essentially start writing a new Perl
    script to their machine and overcome the character limitation just
    mentioned, and potentially find a way to upload a Perl port scanner of some
    sort.
    -An inability to correctly view all files. Since I'm getting the files fed
    back in a web browser, I can sometimes only see the first parts of a file
    (up to 500K or so), and have trouble downloading binaries.
    -An inability to see the entire results of a command run on the system. I
    can run a command, but then to see the results I have to open
    /etc/console.log and read the last few lines (so I can't always see the
    entire results, because it appears to be cut off in the log).
    -I don’t even know how to download files to the Netware box. I have been
    unable to determine if it has a HTTP or FTP client I can use to pull down a
    trojan/backdoor program, netcat, or anything else.
    -Some blockage at the firewall (?). For example, I tried loading the remote
    console and then accessing it remotely, but it appears to be blocked at the
    firewall since I can’t get in. If it were a Linux/Unix/Windows box then I’d
    know how to download a SSH client and reverse-tunnel a connection out
    through the firewall, but I’m clueless on Netware.

    Thanks in advance for any suggestions you can provide in the next couple
    days.

    Beme Lee

    _________________________________________________________________
    Is your PC infected? Get a FREE online computer virus scan from McAfee®
    Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

  • Next message: H D Moore: "Metasploit Framework v2.2"

    Relevant Pages

    • Netware Client for FreeBSD
      ... I have access to a Netware IV server and am trying to connect to it from ... my FreeBSD 5.1-Current desktop. ... I also check out the man page for "mount_nwfs" and run a command to log ...
      (freebsd-questions)
    • nwfs panic
      ... All I am experiencing a panic when I use the mount_nwfs command to ... Netware OS version information: ... File server name: MVR1 ... Frame type: ETHERNET_II ...
      (freebsd-current)
    • nwfs panic
      ... All I am experiencing a panic when I use the mount_nwfs command to ... Netware OS version information: ... File server name: MVR1 ... Frame type: ETHERNET_II ...
      (freebsd-stable)
    • socket input, unexpected behaviour
      ... As a small 'get to know perl' project I have been writing a simple pop3 ... Telneting to this 'server' works fine & I can send commands and get the ... expected responses - peculiar thing is, when I send command string LIST (by ... I was runnign ActiveState PERL 5.8 on both boxes. ...
      (perl.beginners)
    • RE: Escalating from Netware box
      ... The /etc/console.log file is locked when the server is running so you ... I think you're gonna have a tough time using the Netware box to launch ... NetWare-Enterprise-Web-Server/5.1 box through the ability to run Perl ... or execute any command. ...
      (Pen-Test)