Pandora release 1.0
6/30/97

Send bugs, comments, etc. to pandora@nmrc.org

Files included:

convert - Converts a BACKUP.DS file back into its original NDS components.

convert.c - Source code to convert.

crypto - Crypto does brute force attacking using the PASSWORD.NDS file created by Extract. Every 1000 attempts it saves where it is at so a brute force attack can be resumed later. Since the length of the password is known, Crypto only tries candidates of the proper length to save time. Lower case letters are not tried since they are not used in Novell's scheme. Any password up to 16 characters in length can be brute forced.

crypto.c - Source code to crypto.

crypto2 - Crypto2 is very similar to Crypto except Crypto2 uses a wordlist and performs a "dictionary" style attack. The wordlist can be any text file with one word per line. Since the password length is known, words that are not the proper length are skipped to save time. All lower case letters are converted to upper case since lower case letters are not used.

crypto2.c - Source code to crypto2.

extract - Extract will read the ENTRY.NDS, VALUE.NDS, and BLOCK.NDS files and create a PASSWORD.NDS file that contains all of the information needed for Crypto or Crypto2 to do their job in cracking a user password. The Common Name, the object ID, the parent ID (usually an O or OU), the password length, and the one way password hash are extracted.

extract.c - Source code to extract.

inside.txt - Text file explaining the layout of NDS and how all of the utilities actually work.

manipul8 - Manipul8 allows seeding of the RESTORE.PAN file created during Crypto's brute force attack. For example, if you wish to skip ahead in the brute forcing, or wish to set up multiple sessions or machines to spread out the brute force attack, simply use Manipul8 to set things up.

manipul8.c - Source code to manipul8.

readme - Do I have to explain this one?
showpass - Showpass allows a quick dump of PASSWORD.NDS. This is handy when you want to verify spelling and case of user accounts.

showpass.c - Source code to showpass.

-----------------------

Tips on usage:

1. Read the inside.txt file. It has a lot of detail.

2. If you have a copy of backup.ds, use convert to get the NDS files.

3. If you have a copy of ENTRY.NDS, VALUE.NDS, and BLOCK.NDS you do not need to run convert. Start with extract.

4. If you get access to sys:_netware and find .BAK copies of the NDS files, these are left over from a DSREPAIR. Make copies of these and rename them back to their original NDS extensions, and move on to extract. But remember, these will not have the absolute latest passwords in them.

5. When running extract, large NDS files can take hours. A 47MB backup.ds file took just a few minutes with convert, but took 3 1/2 hours with extract. This was 5300+ users, with extract running on a RISC system. So be patient.

6. Running crypto can take hours, even days, to brute force a password. Be patient. Use a Pentium or RISC system for the best speed.

7. Account names are CASE SENSITIVE. Passwords are not. Go figure. So when using a Pandora utility that accepts account names, keep this in mind. Use showpass to help show you what is what.

8. Use crypto2 with a large wordlist first before crypto. Hey, you might get lucky.

9. Since crypto saves its place in RESTORE.PAN, you can seed this file using manipul8. Multiple crypto sessions can be managed by seeding a RESTORE.PAN file for each session.

-----------------------

The Source Code is FREE!!

All Pandora files are very simple C programs, and should compile with very little trouble. For DOS, simply make a standard DOS EXE (not an overlay). The programs are freeware, feel free to snarf, alter, and hack at the code. The programs will run in a DOS window under Windows 95/NT and OS/2. If you change or find interesting ways to alter the code, making it more useful, send me your changes.
I'll incorporate the better ideas into the next Pandora release. And if you find a bug, FIX IT! Oh, and send me the fix.

-----------------------

Special Notes for Pandora Unix users:

To compile on your Unix system, you should do the following steps.

1. gunzip pandora.tgz
2. tar xvf pandora.tar
3. cd pandora
4. make all

The default compiler is cc, feel free to change the Makefile to make it gcc if so inclined.

The only problem I have encountered when using Pandora on Unix has been with big endian platforms (AIX, IRIX, etc.). You see, Novell runs on Intel machines which do little endian reads and writes. For example, the four bytes of an object ID of 12345678 are stored on disk as 78 56 34 12, but when read into Pandora on an Intel machine they come back as 12345678. On a big endian system the same bytes are read in and presented as 78563412. This causes problems, as these 4 byte chunks are used for calculating offsets into files and as part of the encryption algorithm. Therefore if you are compiling on a big endian machine, edit the Makefile and use the CFLAGS line that has -DENDIAN in it. All of the Pandora utilities that need it will use this switch. This is especially important for crypto/crypto2. Built without it, these utilities will run just fine on a big endian machine, but since they think the 12345678 is 78563412, the password will not be found. crypto and crypto2 have to have things in 12345678 order, regardless of endian.

This endian thing causes unbelievable problems if you decide to run convert and create NDS files on your Intel machine, but wish to run crypto on your RISC machine. I will work out a utility or utilities to address this problem in the next release of Pandora. Right now, simply study the inside.txt doc and start altering code. Sorry.

-----------------------

Things to look for in the next revision:

1. You should be able to specify a name besides RESTORE.PAN for extract, crypto, and manipul8 (or take the default).

2. You should be able to specify an end target password for brute forcing with crypto and manipul8. For example, using manipul8 create a RESTORE.PAN file that will brute force a specific range, such as AAAAAA through 000000.

3. You should be able to specify a name besides PASSWORD.NDS.

4. An INTRUDE utility for DOS that uses either brute force or dictionary attacks to gain access to an account on a Netware 4.x server, taking advantage of the fact that Intruder Detect is not turned on by default.

5. An ENDIAN utility for Unix that allows Intel created files to be migrated to RISC systems for additional manipulation.

-----------------------

Simple Nomad
Nomad Mobile Research Centre
http://www.nmrc.org
June 30, 1997
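Added worked example for the endian problem described in the Unix notes above. This is not code from the Pandora release: it shows why a native 4-byte read of an NDS object ID gives 12345678 on Intel and 78563412 on a big endian host, what the -DENDIAN byte swap has to do, and a portable read that needs no compile-time switch at all. The four sample bytes are constructed here to match the README's example ID.

```c
/* Added example, not part of Pandora 1.0. Reading the 4-byte little-endian
 * object IDs that NetWare writes into the NDS files so that the value is the
 * same on any host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns nonzero if this host stores the least significant byte first
 * (Intel order), zero on a big endian host. */
int host_is_little_endian(void)
{
    uint32_t probe = 0x01020304u;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0x04;
}

/* Assemble a 32-bit value from four bytes stored least significant byte
 * first. Pure arithmetic, so the result does not depend on host byte order.
 * This is what crypto/crypto2 want: 12345678 order regardless of endian. */
uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* The naive read: copy the raw on-disk bytes into a native integer.
 * Correct on Intel, byte-reversed on a big endian host. */
uint32_t read_native32(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, 4);
    return v;
}

/* The byte swap a -DENDIAN build has to apply after every native read. */
uint32_t swap32(uint32_t v)
{
    return (v >> 24)
         | ((v >> 8) & 0x0000ff00u)
         | ((v << 8) & 0x00ff0000u)
         | (v << 24);
}

/* Native read plus a swap only when the host is big endian: equivalent to
 * read_le32, but decided at run time instead of in the Makefile. */
uint32_t read_id_portable(const unsigned char *p)
{
    uint32_t v = read_native32(p);
    return host_is_little_endian() ? v : swap32(v);
}

/* Constructed sample: the object ID 12345678 as NetWare writes it on disk. */
const unsigned char sample_id_on_disk[4] = { 0x78, 0x56, 0x34, 0x12 };

int main(void)
{
    printf("host is %s endian\n", host_is_little_endian() ? "little" : "big");
    printf("read_native32    : %08x  (wrong on big endian)\n",
           read_native32(sample_id_on_disk));
    printf("read_le32        : %08x\n", read_le32(sample_id_on_disk));
    printf("read_id_portable : %08x\n", read_id_portable(sample_id_on_disk));
    return 0;
}
```

Replacing the raw reads of object IDs, parent IDs and offsets with read_le32 removes the need for the -DENDIAN switch entirely, and it also means NDS files produced by convert on an Intel box read identically on the RISC box that runs crypto.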
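Added worked example for the resume and session-splitting behaviour the README assigns to crypto's RESTORE.PAN and to manipul8 (tip 9, and the AAAAAA through 000000 range idea under "next revision"). This is not Pandora's own code. It treats the brute-force space for a known password length as a numbered sequence, so that a checkpoint is just one index and a session is just a start and end index. Assumptions: the alphabet is A-Z followed by 0-9 (the README only says lower case is skipped), and since the page does not describe the NDS one-way hash, the match test is a caller-supplied callback; the demo uses a plaintext comparison as a stand-in.

```c
/* Added example, not part of Pandora 1.0. Numbered key space with
 * checkpoint/resume and range seeding for a known-length brute force.
 * ASSUMPTION: alphabet A-Z then 0-9; hash comparison supplied by caller. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALPHABET "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
#define RADIX 36
#define MAX_LEN 12              /* 36^12 fits a 64-bit index; longer needs a wider counter */
#define CHECKPOINT_EVERY 1000   /* crypto saves its place every 1000 attempts */

/* Everything a session needs to stop and pick up again (the RESTORE.PAN role). */
struct restore_point {
    int len;          /* password length, known from PASSWORD.NDS */
    uint64_t next;    /* first index not yet tried */
    uint64_t end;     /* one past the last index this session owns */
};

uint64_t keyspace_size(int len)
{
    uint64_t n = 1;
    if (len < 1 || len > MAX_LEN) return 0;
    while (len-- > 0) n *= RADIX;
    return n;
}

/* Index 0 is "AAA...", the last index is "999...": first character is the
 * most significant digit, so a range like AAAAAA..000000 is contiguous. */
void index_to_candidate(uint64_t idx, int len, char *out)
{
    int i;
    out[len] = '\0';
    for (i = len - 1; i >= 0; i--) {
        out[i] = ALPHABET[idx % RADIX];
        idx /= RADIX;
    }
}

/* Inverse mapping; lower case is folded to upper case like crypto2 does.
 * Returns UINT64_MAX for a character outside the alphabet. */
uint64_t candidate_to_index(const char *cand)
{
    uint64_t idx = 0;
    for (; *cand; cand++) {
        const char *pos = strchr(ALPHABET, toupper((unsigned char)*cand));
        if (pos == NULL || *pos == '\0') return UINT64_MAX;
        idx = idx * RADIX + (uint64_t)(pos - ALPHABET);
    }
    return idx;
}

/* The manipul8 job: give session `which` of `sessions` its own slice. */
int seed_session(int len, int sessions, int which, struct restore_point *rp)
{
    uint64_t total = keyspace_size(len), share;
    if (total == 0 || sessions < 1 || which < 0 || which >= sessions) return -1;
    share = total / (uint64_t)sessions;
    rp->len = len;
    rp->next = share * (uint64_t)which;
    rp->end = (which == sessions - 1) ? total : share * (uint64_t)(which + 1);
    return 0;
}

/* Try at most CHECKPOINT_EVERY candidates. Returns 1 and fills `found` on a
 * match, 0 if the caller should save rp and call again, -1 when exhausted.
 * rp->next always points past the last candidate tried, so a resume never
 * repeats work. */
int run_chunk(struct restore_point *rp,
              int (*match)(const char *cand, const void *ctx), const void *ctx,
              char *found)
{
    char cand[MAX_LEN + 1];
    int tried = 0;
    while (rp->next < rp->end && tried < CHECKPOINT_EVERY) {
        index_to_candidate(rp->next, rp->len, cand);
        rp->next++;
        tried++;
        if (match(cand, ctx)) {
            strcpy(found, cand);
            return 1;
        }
    }
    return rp->next < rp->end ? 0 : -1;
}

/* Plain-text checkpoint file: "len next end". */
int save_restore(const char *path, const struct restore_point *rp)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fprintf(f, "%d %llu %llu\n", rp->len,
            (unsigned long long)rp->next, (unsigned long long)rp->end);
    return fclose(f);
}

/* Stand-in for the NDS one-way hash check, which this page does not describe. */
int match_plaintext(const char *cand, const void *ctx)
{
    return strcmp(cand, (const char *)ctx) == 0;
}

int main(void)
{
    struct restore_point rp;
    char found[MAX_LEN + 1];
    int r, saves = 0;
    seed_session(4, 4, 0, &rp);                 /* session 0 of 4 for length 4 */
    while ((r = run_chunk(&rp, match_plaintext, "AB12", found)) == 0) {
        save_restore("RESTORE.PAN", &rp);      /* where crypto would checkpoint */
        saves++;
    }
    printf("%s after %d checkpoints, next index %llu\n",
           r == 1 ? found : "not in this slice", saves, (unsigned long long)rp.next);
    return 0;
}
```

Because a candidate is derived from its index rather than from the previous candidate, a session can be restarted from any saved index, and splitting work across machines is just choosing non-overlapping [next, end) slices with seed_session.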