NOTE: Hacking is a
illegal activity so don't try on anyone. this tutorial is Only for educational
purpose. If you want to use this tutorial for miscellaneous purpose please stop
reading.
Accessing the bindery files directly
1. Introduction
This Article
describes a command for accessing the NetWare 3.x bindery
files directly, bypassing
the NetWare network API calls.It can be used for fast bindery access, bulk user
management, bypassing security restrictions, investigating problems etc. It is
quite possible to destroy the bindery completely, or to reveal information
which could be used by hackers to obtain passwords. Users are assumed to have a
basic grasp of good procedures for security and
backup.
2. Command syntax
The basic format of the
command is bindery [options] bindery-spec action action ...
2.1 Specifying a bindery
A bindery specification
takes the form
path/.extension
E.g. SYS:SYSTEM/.SYS. The
path defaults to the current directory. The extension defaults to .OLD.
Alternatively an 'active'
bindery can be specified:
SERVER server
The bindery will be closed
if necessary.
2.2 Actions on the bindery
INFO
print info about the bindery
SCHEMA
checks the bindery against the schema in BINDERY.SCH
DUMP obj dump all
information for the specified object(s)
OBJ
list all object records
PROP
list all property records
VAL
list all value records
VALDATA list
all value records, with data
EXPORT
export the bindery to a text file; see below
IMPORT
import the bindery from a text file
ETC
export user password information, suitable for input to the
password-cracking
program described below
The following actions apply
only if a bindery has been specified by the
SERVER parameter:
CLOSE
close the bindery, i.e. make it available for direct access;
users attempting to access
the bindery via NetWare API calls will receive an error
OPEN
open the bindery, which causes the server to reload it and may take some time for large binderies COPY directory
copy the bindery files into
a directory elsewhere
3. Export/import
The bindery can be exported
to and imported from a text file. This can be used for various purposes:
- problem
diagnosis and repair
-
creation of large binderies given a set of user information
-
compaction of binderies
- merging
binderies or moving users between binderies while preserving their
passwords
To see the format of the
export file, try exporting a small bindery.
4. Password cracking
Passwords are not stored in
clear in the bindery. What is stored is a 16-byte value computed via a one-way
function from the user's object id and the password. Given the object id and
password it is possible to generate a candidate password which can be compared
against that in the bindery.
The ETC option of the
BINDERY command produces a file containing the required information, in a
format superficially similar to /etc/passwd on Unix:
userid:pw-hash:object-id:pw-len:name::
e.g.
ttidy:32d8998e098a05830f809b809ea02137:D0000001:8:Terry
Tidy
This can then be input into
bindery cracking programs. Separating the
functions in this way
allows various forms of parallelism:
- the
password file can be split into smaller chunks
- the
same password file can be worked on by several crackin programs each with
different dictionaries or algorithms
-
cracking programs can be run on faster machines
A cracking program BINCRACK
is provided which takes such a file as input. It has command syntax:
bincrack [/verify]
[/numsub] pw-file dict-file/verify lists the passwords that are being tried.
/numsub tries substituting numbers for letters, e.g. "1D10T". This
takes a lot longer as all possible combinations are tried. pw-file is an
exported bindery password file. dict-file is a simple word list.
Versions are available for
MS-DOS and for Solaris 1 and Solaris 2 SPARC
systems.
Suitable wordlists can be
found at
ftp://ftp.jh.com/pub/wordlists/
Legal Disclaimer : This
tutorial is completely for educational purpose only. For any misuse of this
tutorial by any means the author will not be held responsible.
If you have any queries Please comment my posts.
If you have any queries Please comment my posts.
0 Comments