Netware Hack

Section 08

Netware and Windows 95


08-1. Will Windows 95 cause server problems for Netware?

By default Windows 95 shipped with long file names (LFN) and Packet Burst enabled, which created a unique problem -- if the server didn't have long name space loaded (OS/2 name space) it caused problems with files and occassionally crashed the server. But the worse one was Packet Burst. Unless you had at least a 3.11 server with the PBURST.NLM up and running, along with drivers for the server's network capable of handling Packet Burst, the buffer space used for network connections and/or the buffer space on the network card created problems ranging from lockups to timeouts to abends.

There were a couple of different fixes you could do, like updating the server for long name space and Packet Burst (sorry Netware 2.x users), or you could update the clients' SYSTEM.INI file with the following entries:


        [nwredir]
        SupportBurst=0
        SupportLFN=0

Alternately, a frame type (802.3) that doesn't support Packet Burst could be used, and you could enforce no LFNs via system policies.


08-2. Will Windows 95 cause network problems for Netware?

If File & Print Sharing for Netware is configured and you have non-Windows 95 users, there could be serious network problems. How does this happen? Here is a very simplified explanation -

The way Netware advertises its file and print services is via Netware's proprietary (but widely documented) Service Advertising Protocol (SAP). How to get to these resources is communicated via Routing Information Protocol (RIP) packets. Both SAP and RIP info are transmitted broadcast style. Netware servers and even intelligent networking equipment that conform to the SAP and RIP protocol scheme (like routers) share this info dynamically between each other.

The problem is when Windows 95 is set up with File & Print Sharing for Netware, because the Windows 95 workstation does a lousy job of implementing and interacting with the SAP and RIP info. As any LAN/WAN specialist will tell you, extra SAPs can quickly waste bandwidth, causing timeouts and broadcast storms. And that is exactly what Windows 95 does. Netware 3.x and 4.x have released patches, but the easiest thing to do is simply NOT use File & Print Sharing under Windows 95 -- use Netware's file and print services like they're supposed to be used, or use Client/FPS for Microsoft networks instead.

Can hackers take advantage of this? Here's the theory how -

- Turn on File & Print Sharing for Netware in Windows 95.

- On an SLIST the Windows 95 workstation will show up.

- In a Netware 3.x and 4.x environment, there is an internal network number and an external number. Windows 95 will only show an external number, and since these numbers help determine how many hops away the service is, not having an internal one means (depending on your network layout) your Windows 95 workstation is one hop closer.

- When a regular user boots up, the user needs to get to the nearest server to find his prefered server's location from the nearest server's SAP and RIP tables. Routers typically will simply pass on the name and address of the closest server attached to it. This with the hop counts will lead to a lot of attachments to the Winodws 95 server. Therfore even a PREFERED SERVER variable in the NET.CFG would not help.

- To keep clients from timing out with an error, Microsoft passes the user onto the prefered server IF the Windows 95 server is set up with the same name.

- In theory could create a \LOGIN directory and run your own LOGIN.EXE that grabbed the password and then send the client onto it's real server.

What could prevent this? Well, in a WAN environment a router could be configured to only allow SAPs to come from certain segments, or every one of the workstations are running Windows 95 (which is probably Microsoft's solution). And even though I have heard from a dozen people stating that this could be done, no one has said they've done it (the alternate LOGIN directory and trojan LOGIN.EXE).


08-3. What's with Windows 95 and Netware passwords?

Windows 95 has its own password file, and uses this file to store passwords to Windows 95 itself as well as Netware and NT servers. The problem here is that the PWL file is easily cracked by brute force, by using exploit code readily available on the Internet. To keep this from happening either Service Pack 1 should be applied (see Microsoft) or disable password caching.

But you can still access the WIN386.SWP file. Either using a disk utility like DiskEdit from Norton or by booting from DOS, you can access the swap file and scan it for the password in plaintext. Look for a string like nwcs and the password will follow that.


08-4. Can Windows 95 bypass NetWare user security?

I am unsure as to the conditions (if anyone knows, please forward me the info) but if your .PWL file is around 900 bytes versus 600 bytes, your workstation will log in without prompting you for a password. This bug was working as of December 1995, and I would think at this point patched via the latest service pack.

Two ways this can be abused -- on some systems generating the longer file you can simply make sure you generate a .PWL file with the target account name and reboot using that .PWL file.

The other way is to simply collect the .PWL file from an unattended workstation and boot using it (or attack it using the exploit code referenced in Section 08-3.