ch18.htm

Maximum Security (First Edition) 网络安全 英文版

</BLOCKQUOTE>

<P>The node address is generally hard-coded into the Ethernet card itself. If you
have such a card lying around the office, take a look at it; the address is generally
posted directly on the face of the card (a little sticker or perhaps even letters
burned into the board itself). Some cards have jumpers that allow you to alternate
the IRQ and ROM address settings. Some boards also allow you to alter the node address
of the card via software. That is where the spoofing comes into the picture.</P>
<P>The popular way to spoof is by altering the address in the <TT>NODE</TT> field
in the <TT>NET.CFG</TT> file. In this scenario, you assign the node an address belonging
to another workstation. However, severe problems could result from this if you were
to initiate a session using the identical hardware address of a workstation also
logged on. This could potentially crash the system, hang the machine, or cause other
trouble on the wire.</P>
<P>If this technique is to be truly effective, the cracker must devise a way to temporarily
&quot;kill&quot; or anesthetize the machine from which he is claiming to originate.
This may not be a problem, depending on the circumstances. Perhaps the other machine
has been turned off for the night. If so, the cracker has a wide open field for experimentation.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>In order for this type of attack
	to work, <I>many </I>variables must be just right. For example, if there are any
	network interfaces between the attacker and the target, this may not work. Say the
	packets have to cross a hub and there is some hardwire scheme that manifests the
	path between the target and the machine the cracker is claiming to originate from.
	Under this scenario, the spoofing attack will fail miserably. 
<HR>


</BLOCKQUOTE>

<P>This refers only to hardware address spoofing in an Ethernet setting. However,
some Novell NetWare networks are running TCP/IP on the inside. TCP/IP spoofing from
inside a Novell NetWare network is a different matter and much will depend on how
much information the cracker can glean about the network.
<H2><FONT COLOR="#000077"><B>Sniffers and Novell</B></FONT></H2>
<P>In Chapter 12, &quot;Sniffers,&quot; I examined sniffers as one important method
of attack against an Ethernet network. Sniffers are primarily valuable in surreptitiously
capturing login IDs and passwords on a network.</P>
<P>Fortunately, in most instances, such an attack will not be effective against a
Novell NetWare network. Following version 2.0a, passwords passed during the login
process were encrypted. Therefore, a sniffer attack would be largely a waste of time.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>An attacker could technically capture
	encrypted passwords and transport these elsewhere, perhaps to his home or office.
	There, he could eventually crack these using a brute-force password utility. However,
	there are other more immediate avenues to try. Running a sniffer could be a complicated
	process on a NetWare network. Many workstations are liable to be diskless clients,
	leaving the cracker no place to hide his bounty. (And realistically, just how much
	sniffed traffic can fit on a floppy that already has boot and network loading files
	on it?) 
<HR>


</BLOCKQUOTE>

<P>Any attempt to capture passwords on a Novell NetWare network would probably be
via a keystroke capture utility. There are only a limited number of these and they
all have to be at least on the same interface or machine as the target. Thus, securing
each workstation for key capture utilities is a fairly straightforward process.</P>
<P>Obviously, keystroke capture utilities won't be found on diskless clients (unless
loaded onto the floppy), so your field of investigation is narrow. The time your
search will consume is increased only by the hard drive size and directory structure
depth of the workstation you are examining. You can assume that the utility is probably
a hidden file, probably named something different from what it was originally named.
(In other words, you will not be looking for files such as <TT>Gobbler</TT> or <TT>Sniffer</TT>.
Crackers and hackers may <I>write</I> programs with dramatic, pulp-fiction names,
but when they go to deploy those tools, more innocuous names are in order.)</P>
<P>There are several ways you can search. One is by checksum/size. Another is to
use a utility such as <TT>grep</TT>. Most of these cracking utilities contain within
the code some string of unique text. (Frequently, crackers put a slogan, a nickname,
or a comment within the code.) Using <TT>grep</TT>, <TT>awk</TT>, or other utilities
with powerful regular expression search capabilities, you can attempt to identify
such files, which may be masquerading as normal system files or documents.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Crackers suggest that keystroke
	capture utilities be placed somewhere in the path. This allows the utility to be
	remote, but still capture the needed data. Thus, if you were searching for such a
	utility, you would start with all directories declared in the path statement. This
	statement may be oddly formed, too, depending on whether the machine is a diskless
	workstation. If it is not a diskless workstation, take a look at the <TT>autoexec.bat</TT>.
	
<HR>


</BLOCKQUOTE>

<P>It is true that sniffers are almost pointless (too much effort and too great a
risk) with respect to Novell NetWare passwords in versions higher than 2.0a. However,
if your network houses older file servers, the default password encryption scheme
must be disabled, according to <I>Novell NetWare Version 3.11 Installation Guide</I>
(Novell, Inc.).</P>
<P>This poses quite a different situation. Passwords on those interfaces will be
moved across the network in clear text. This is a fact well known to crackers. Under
such circumstances, a cracker would benefit greatly from utilizing a packet sniffer.
If you are currently in such a situation, I suggest you attempt to transplant that
information elsewhere and upgrade the OS or to disconnect that file server from any
portion of a network already reasonably believed to be safe from sniffing attacks.
<H2><FONT COLOR="#000077"><B>Cracking Tools</B></FONT></H2>
<P>The following sections describe tools. Some were written by individuals who wanted
to better network security. Others were written by crackers. All of them share one
thing in common: They can be used to crack a Novell site.
<H3><FONT COLOR="#000077"><B>Getit</B></FONT></H3>
<P>Reportedly written by students at George Washington High School in Denver, Colorado,
Getit is designed to capture passwords on a Novell network. The program was written
in assembly language and is therefore quite small. This tool is triggered by any
instance of the <TT>LOGIN.EXE</TT> application used in Novell to authenticate and
begin a login session on a workstation. Technically, because of the way Getit works,
it can be marginally qualified as a sniffer. It works directly at the operating system
level, intercepting (and triggering on) calls to Interrupt 21h. It's probably the
most well known NetWare hacking tool ever created.
<H3><FONT COLOR="#000077"><B>Burglar</B></FONT></H3>
<P>Burglar is a somewhat dubious utility. It can only be used where an individual
has physical access to the NetWare file server. It is an NLM, or a loadable module.
Most of Novell NetWare's programs executed at the server are loadable modules. (This
includes everything from the system monitor to simple applications such as editors.)
The utility is usually stored on a floppy disk. The attacker sometimes has to reboot
the server. Providing that the attacker can reach the Novell server prompt (without
encountering any password-protected programs along the way), the utility is then
loaded into memory. This results in the establishment of an account with supervisor
privileges. However, the utility's impact on the Novell networking community has
probably been negligible. Rarely are file servers available for public tampering.
<H3><FONT COLOR="#000077"><B>Spooflog</B></FONT></H3>
<P>Spooflog is a program, written in C by Greg Miller, that can spoof a workstation
into believing that it is communicating with the server. This is a fairly advanced
exploit. It should be observed here that Miller is not a cracker. He provides these
programs over the Internet for research into general network security and he has
no affiliation with any radical or fringe group. He is simply a talented programmer
with a very keen sense of NetWare.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Spooflog is available
	(along with the source code) at <A HREF="http://www.users.mis.net/~gregmi/"><TT>http://www.users.mis.net/~gregmi/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Setpass</B></FONT></H3>
<P>Another loadable module, Setpass is designed to give the user supervisor status.
This module also requires physical access to the machine. Basically, it is a variation
of Burglar. It works (reportedly) on Novell NetWare 3.<I>x</I> to 4.<I>x</I>.
<H3><FONT COLOR="#000077"><B>NWPCRACK</B></FONT></H3>
<P>NWPCRACK is a brute-force password cracker for cracking passwords on the Novell
platform. This utility is best used from a remote location, working on passwords
over long periods of time. As the author points out, there is a period of delay between
password attempts and thus, brute forcing could take some time. This utility would
probably work best if the cracker were attacking a network that he knew something
about. (For example, if he knew something about the people who use the machine.)
Short of that, I believe that a brute-force cracking tool for an environment like
NetWare is probably impractical. Nevertheless, some crackers swear by it.
<H3><FONT COLOR="#000077"><B>IPXCntrl</B></FONT></H3>
<P>IPXCntrl is a sophisticated utility, written by Jay Hackney, that allows remote
control of any compromised machine. For lack of a better description, the package
comes with a client and a server, although these are not a client and server in the
traditional sense. These are called the master and the minion, respectively. The
master drives the minion over remote lines. In other words, this software persuades
the network that keystrokes are coming from minion when they are actually coming
from master. It runs as a TSR (terminate and stay resident) program.
<H3><FONT COLOR="#000077"><B>Crack</B></FONT></H3>
<P>Crack is a password cracker for the Novell NetWare platform. This password cracker
is wordlist based (much like its UNIX-based namesake). It's a comprehensive tool
that does not require NetWare to be on the local disk in order to operate effectively.
It's a good tool for testing your passwords.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Crack is available at
	<A HREF="http://www.mechnet.liv.ac.uk/~roy/freeware/crack.html"><TT>http://www.mechnet.liv.ac.uk/~roy/freeware/crack.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Snoop</B></FONT></H3>
<P>Snoop is quite something. It gathers information about processes and the shell.
It's an excellent tool for collecting information about each individual workstation
and for watching the shell.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Snoop is available at
	<A 
HREF="http://www.shareware.com/code/engine/File?archive=novell-netwire&file=napi%2fcltsdk1e%2fsnoop%2eexe&size=102625"><TT>http://www.shareware.com/code/engine/File?archive=novell-netwire&amp;file=napi%2fcltsdk1e%2fsnoop%2eexe&amp;size=102625</TT></A>
.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>LA</B></FONT></H3>
<P>LA is identical to IPXCntrl in purpose, but not nearly so well designed. It is
a simple utility, though, and works well.
<H3><FONT COLOR="#000077"><B>Chknull</B></FONT></H3>
<P>Chknull, by an unknown author, checks for null passwords and is to be used primarily
as a tool to strengthen security by alerting the supervisor to possible problems
stemming from such null passwords. However, like all these utilities, this is dangerous
in the hands of a cracker.
<H3><FONT COLOR="#000077"><B>Novelbfh.exe</B></FONT></H3>
<P>Novelbfh.exe is a brute-force password cracker for login. It keeps guessing combinations
of letters until it finally cracks the password.</P>
<P>The problem with these utilities, of course, is that they take an enormous amount
of time. Moreover, if the supervisor has enabled intruder detection, an intruder
detection lockout (IDL) will occur. IDL works by setting a &quot;threshold,&quot;
which is the number of times that a user can forward incorrect login attempts. Added
to this value is the Bad Login Count Retention Time. This time period (which defaults
to 30 minutes) is the block of time during which bad login attempts are applied to
the IDL scheme. So if an incorrect login is received at 1:00 p.m., monitoring of
subsequent logins on that account (relative to IDL) will continue to look for additional
bad logins until 1:30 p.m. To compound this, the supervisor can also specify the
length of time that the account will remain locked out. This value defaults to 15
minutes. IDL is therefore a very viable way of preventing brute-force attacks. If
these options are enabled, a brute-force cracker is worthless against the Novell
NetWare platform.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>If you are new to security and have
	been handed a Novell NetWare network, you will want to enable IDL if it hasn't already
	been. Also, you should check-- at least twice a week--the audit log generated from
	that process. (The events are logged to a file.) You can access that log (which is
	really the equivalent of <TT>/var/adm/messages</TT> and <TT>syslog</TT> in UNIX)
	by changing the directory to <TT>SYS:SYSTEM</TT> and entering the command <TT>PAUDIT</TT>.
	
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>Denial of Service</B></FONT></H2>
<P>As I have pointed out at several stages in this book, the denial-of-service attack
is not much of an issue. The average denial-of-service attack typically disables
one network service. In the worst case, such an attack may force a reboot or freeze
a server. These actions remain more an embarrassment to the programmers who coded
the affected application than they do a critical security issue for the target. Nevertheless,
such activity can be irritating.</P>
<P>One reported way to cause a denial-of-service attack on NetWare (3.<I>x</I> and
possibly 4.<I>x</I>) is to capture a network printer and attempt to print an absurdly
large file. This overflows the <TT>SYS</TT> volume and causes the machine to crash.
Naturally, this would require not only physical access to an internal machine, but
also an account there. However, in large organizations, it is entirely possible that
malicious individuals may exist--individuals who may be secretly working for a competitor
or just plain crackers who love to see a system go down. This is a relatively low-priority
attack, as the machine can easily be rebooted and the problem solved.
<H3><FONT COLOR="#000077"><B>FTP Vulnerability to Denial-of-Service Attacks</B></FONT></H3>
<P>Certain versions of NetWare's FTP server are vulnerable to a denial-of-service
attack. (This has been confirmed by Internet security systems and Novell, as well.
Novell has issued a patch.) Apparently, when a brute-force attack is mounted against
the anonymous FTP server, this activity causes an overflow and a memory leak. This
leak ultimately consumes the remaining memory and the machine will freeze, failing
to respond further.</P>
<P>A brute-force attack in this case is a program that automates the process of trying
hundreds (or sometimes thousands) of passwords on a given server.