Any way to read Passwords out of Bindery?


Rich Chong

Feb 16, 1993, 11:07:35 AM
Is there any utility to allow me, as Supervisor, to read passwords
out of the bindery on a NW3.11 system? Thanks. rich chong

Kevin A. Pinto

Feb 16, 1993, 3:33:51 PM
In article <93047.100...@uicvm.uic.edu> Rich Chong <U41...@uicvm.uic.edu> writes:
>
>Is there any utility to allow me, as Supervisor, to read passwords
>out of the bindery on a NW3.11 system? Thanks. rich chong

I don't think so. The password property of the user object has a security
equivalent to the bindery, meaning that only Netware can directly read it
and change it. Netware provides two functions to handle passwords:

1. Change the password - you have to be the same user as the object
   or the supervisor to do this.
2. Verify the password - you pass Netware a string which you think
   is the password of the user object and Netware will tell you
   if it indeed was the password.

Regards,

Kevin


--
-----------------------------------------------------------------------------
Kevin Pinto ag...@acvax.inre.asu.edu
Chem Engg, ASU, Tempe, AZ
-----------------------------------------------------------------------------

Gordon Shephard

Feb 17, 1993, 2:05:52 AM
pi...@enuxha.eas.asu.edu (Kevin A. Pinto) writes:
>In article <93047.100...@uicvm.uic.edu> Rich Chong <U41...@uicvm.uic.edu> writes:
>>
>>Is there any utility to allow me, as Supervisor, to read passwords
>>out of the bindery on a NW3.11 system? Thanks. rich chong

>I don't think so. The password property of the user object has a security
>equivalent to the bindery, meaning that only Netware can directly read it
>and change it. Netware provides two functions to handle passwords:

You can, of course, read it right out of net$val.sys after locking
the bindery. And, of course, it is encrypted.

A 15 minute investigation shows that the password is stored in (at least?)
16 characters, and, of course, change 1 and all 16 characters change.

Rumour has it that Novell's encryption algorithm is Lossy.

Having absolutely no Crypto-Background, I have no Idea whether Novell's
Algorithm is Secure, but I hope so, because it only takes about 10 or
so seconds (depending on how large your bindery is) to get a snapshot
of the Bindery. Better not leave your terminals unattended.

Some things to be aware of: anybody capturing your bindery
this way will leave a bit of a trail:

1) A bindery lock will appear on the system console.
2) The bindery lock will be recorded in the sys$log.err file.

Of course the Competent cracker will erase both of those traces.

Furthermore, leaving your console unsecure gives the cracker the
ability to instantly create a supervisor Equiv user. Sigh. So
Secure that Terminal.

--
| Gordon Harry Shephard | Distributed Computing Support Group |
| Academic Computing Services | Phone: (604)291-3930 (604)464-4991 |
| Simon Fraser University | |
| Burnaby, BC, Canada. V5A 1S6 | shep...@sfu.ca |
| |
| Disclaimer: In No Way am I speaking for my Employers or Simon Fraser |
| University. |

Rich Chong

Feb 17, 1993, 11:48:17 AM
I've basically gotten a lot of helpful responses that say:
NO, it's a one way encrypted algorithm. Ok, let me rephrase my question.

I basically want to move users from one server to another, or
want to give them access to another server with their same id and pswd.
Is there a way for me to sync and/or merge that part of the bindery?
I'm talking on the order of 500+ users.
Thanks.
rich chong

Gordon Shephard

Feb 17, 1993, 5:01:23 PM
Rich Chong <U41...@uicvm.uic.edu> writes:

>I basically want to move users from one server to another, or
>want to give them access to another server with their same id and pswd.
>Is there a way for me to sync and/or merge that part of the bindery?
>I'm talking on the order of 500+ users.
>Thanks.
>rich chong

Hmmm. You could Install a Trojan Horse which captures their plain-text
password, and places it in a location (secure hopefully) for later account
creation (Of course this requires them to log in).

Gary Heston

Feb 18, 1993, 9:21:46 AM
In article <93047.100...@uicvm.uic.edu> Rich Chong <U41...@uicvm.uic.edu> writes:
>Is there any utility to allow me, as Supervisor, to read passwords
>out of the bindery on a NW3.11 system? Thanks. rich chong

You can read out the encrypted string, but not the plaintext--it's not
there to read.

--
Gary Heston SCI Systems, Inc. ga...@sci34hub.sci.com site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Remember: A majority of the American people voted against *all* of the
Presidential Candidates. How encouraging....

Rich Chong

Feb 18, 1993, 11:24:17 PM
>>Is there any utility to allow me, as Supervisor, to read passwords
>>out of the bindery on a NW3.11 system? Thanks. rich chong
>
>You can read out the encrypted string, but not the plaintext--it's not
>there to read.

Is there a utility that will just move that encrypted string to another
server? I really don't care what the password is, but would like to make a
partial server transition somewhat seamless to end users.
Thanks. rich

Bill Hunt

Feb 19, 1993, 1:39:38 AM
In article <93048.104...@uicvm.uic.edu> Rich Chong <U41...@uicvm.uic.edu> writes:
>I basically want to move users from one server to another, or
>want to give them access to another server with their same id and pswd.
>Is there a way for me to sync and/or merge that part of the bindery?
>I'm talking on the order of 500+ users.

Hi Rich, here's what you need to do:
On your existing server, run bindfix. Bindfix will modify the bindery,
and create 3 backup files in the process: NET$OBJ.OLD, NET$PROP.OLD,
and NET$VAL.OLD.

Copy these files into your new server's SYSTEM directory.

Run bindrest on your new server. You will now have all of your bindery
intact on your new server. Note that this will not move the users' login
scripts, printdefs, and certainly not any files in their directories.
To move that stuff, you'll need to xcopy the mail directory, and any other
directories that you need.

Your users will still have the same ids, so the mail directories will
match correctly.

Good luck, Rich.....
Bill Hunt


Rich Chong

Feb 20, 1993, 8:49:15 AM
>> Run bindrest on your new server. You will now have all of your bindery
>> intact on your new server. Note that this will not move the users' login
>> scripts, printdefs, and certainly not any files in their directories.
>> To move that stuff, you'll need to xcopy the mail directory, and any other
>> directories that you need.
>>
>> Your users will still have the same ids, so the mail directories will
>> match correctly.
>>
>> Good luck, Rich.....
>> Bill Hunt
>I don't think this will work (but I can't remember for sure). I don't believe
>that Novell will allow you to copy the net$.old files
This will work. It's the active net$*.sys files which won't copy easily.
I've gotten half a dozen emails suggesting I do this. I've done it successfully
at least three times in the past. But this time, I have two binderies with
different users in them. I'd like to plop all the users (and passwords, etc)
from one into the other without destroying what's already in the target.
I've gotten several suggestions to just write a program that reads and writes
to the respective bindery too. Those kinda suggs are useless to me because I
would've already done so if I easily knew how. Thanks anyhow. rich

Bill Hunt

Feb 21, 1993, 9:46:34 PM
In article <1993Feb19.2...@ll.mit.edu> lu...@ll.mit.edu (Paul Luse) writes:

>I don't think this will work (but I can't remember for sure). I don't believe
>that Novell will allow you to copy the net$.old files

Hi Paul, I'm quite certain that this will work; I've done it many times.
Regards, Bill

R.v.Kampen

Feb 22, 1993, 9:47:45 AM
In article <shephard....@sfu.ca> shep...@fraser.sfu.ca (Gordon Shephard) writes:
>pi...@enuxha.eas.asu.edu (Kevin A. Pinto) writes:
>>In article <93047.100...@uicvm.uic.edu> Rich Chong <U41...@uicvm.uic.edu> writes:
>>>
>>>Is there any utility to allow me, as Supervisor, to read passwords
>>>out of the bindery on a NW3.11 system? Thanks. rich chong
>
>>I don't think so. The password property of the user object has a security
>>equivalent to the bindery, meaning that only Netware can directly read it
>>and change it. Netware provides two functions to handle passwords:
>
>You can, of course, read it right out of net$val.sys after locking
>the bindery. And, of course, it is encrypted.
>
>A 15 minute investigation shows that the password is stored in (at least?)
>16 characters, and, of course, change 1 and all 16 characters change.
>
>Rumour has it that Novell's encryption algorithm is Lossy.
>
>Having absolutely no Crypto-Background, I have no Idea whether Novell's
>Algorithm is Secure, but I hope so, because it only takes about 10 or
>so seconds (depending on how large your bindery is) to get a snapshot
>of the Bindery. Better not leave your terminals unattended.
>

I disassembled the encryption routines used by Novell and translated
them to C; you can ftp the source from dutiws.twi.tudelft.nl,
from directory /pub/novell : nvpw.c

I don't know if it is reversible. I tried encrypting strings of all
zeroes and 1 bit set to one; when you look at the result, there are
many encrypted strings almost equal, and some are equal.

It can be implemented very fast, so brute force attacks may not be so
hard.


willem
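
The single-bit test willem describes, and the "change 1 and all 16 characters change" observation earlier in the thread, can be reproduced as a small diffusion check. This is an added example, not code from the thread or from nvpw.c; `weak_fold16` is a constructed stand-in (not Novell's routine), and the 32-byte input size and the 16-bit "almost equal" threshold are assumptions.

```python
import hashlib
from itertools import combinations

OUT_LEN = 16   # the thread reports a 16-byte stored value
IN_LEN = 32    # assumed input buffer size for this demonstration


def weak_fold16(data: bytes) -> bytes:
    """Constructed weak stand-in, NOT Novell's routine: drops each byte's
    top bit and XOR-folds the input into 16 bytes, so it is lossy."""
    out = bytearray(OUT_LEN)
    for i, b in enumerate(data):
        out[i % OUT_LEN] ^= b & 0x7F
    return bytes(out)


def sha256_16(data: bytes) -> bytes:
    """Reference with good diffusion: SHA-256 truncated to 16 bytes."""
    return hashlib.sha256(data).digest()[:OUT_LEN]


def single_bit_inputs(length: int = IN_LEN):
    """All-zero buffers with exactly one bit set, as in the post's test."""
    for pos in range(length * 8):
        buf = bytearray(length)
        buf[pos // 8] = 1 << (pos % 8)
        yield bytes(buf)


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def diffusion_report(fn, near_bits: int = 16) -> dict:
    """Compare every pair of outputs: count identical pairs, pairs that
    differ in at most near_bits bits, and the mean bit distance."""
    outputs = [fn(m) for m in single_bit_inputs()]
    dists = [hamming(a, b) for a, b in combinations(outputs, 2)]
    return {
        "pairs": len(dists),
        "equal": sum(d == 0 for d in dists),
        "near": sum(0 < d <= near_bits for d in dists),
        "mean_bits": sum(dists) / len(dists),
    }


if __name__ == "__main__":
    for name, fn in (("weak_fold16", weak_fold16), ("sha256_16", sha256_16)):
        print(name, diffusion_report(fn))
```

For diffusion, the result to expect from a sound one-way function is the `sha256_16` row: no equal outputs and about half of the 128 bits differing per pair.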
