Tutorial: Dumping Novell creds from memory
I confirmed an interesting vulnerability with Novell. According to this advisory, the Novell password can be dumped out of memory:
We confirmed this on a Novell 7 environment while performing a pentest.
You will need the PSTools, available here:
Use both Psexec and pmdump as follows:
psexec \\hostname -u username -p password -s -f -c pmdump -list
Find the PID of the Gwise.exe service. Then:
psexec \\hostname -u username -p password -s -f -c pmdump PID PID_dump.txt
This will dump the memory to \\hostname\c$\windows\system32
Open the dump file in a hex editor and search for an organizational string, such as an OU, in the target's memory dump file.
From there you can find the Novell password for the user within the file.
To simplify this, if you have already found one Novell password, dump the gwise process for that user and search for the password. From there, you can work backwards to find the OU format and apply it to other targets. For instance, at this particular location, the client's OU is similar to clientname.AA_FINANCE.AA_NW
If you do a search for AA_FINANCE.AA_NW in the memory dump you will see the password in plain text. Suppose the CFO is whomever.AA_FINANCE.AA_NW. By dumping his process memory, you can search for the OU, reference your original dump, and match up the location and password.
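For the defensive side of the technique above, here is how the PsExec-plus-pmdump pattern shows up in process-creation telemetry. This is an added example, not part of the original post; the log records are constructed, and the field names and detection labels are my own assumptions.

```python
# Constructed sample process-creation records (hypothetical, not real logs).
# The fields mirror what Sysmon Event ID 1 or Windows Security 4688 carry.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\pmdump.exe", "cmdline": "pmdump -list"},
    {"host": "WS01", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\pmdump.exe", "cmdline": "pmdump 1234 1234_dump.txt"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Novell\GroupWise\gwise.exe", "cmdline": "gwise.exe"},
    {"host": "ADM01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\psexec.exe",
     "cmdline": r"psexec \\WS01 -u corp\admin -p ***** -s -f -c pmdump 1234 1234_dump.txt"},
]

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    findings = []
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    args = event["cmdline"].lower().split()
    # A user-mode memory dumper ran as its own process (the pmdump step above).
    if image == "pmdump.exe" or (args and args[0].endswith(("pmdump", "pmdump.exe"))):
        findings.append("memory_dump_tool")
    # Anything spawned by PSEXESVC.exe was launched remotely through PsExec.
    if parent == "psexesvc.exe":
        findings.append("psexec_remote_child")
    # PsExec on the operator side: -s (run as SYSTEM) plus -c (copy a binary over).
    if image == "psexec.exe" and "-s" in args and "-c" in args:
        findings.append("psexec_copy_and_run_as_system")
        if any(a.endswith(("pmdump", "pmdump.exe")) for a in args):
            findings.append("remote_memory_dump_attempt")
    return findings

def scan(events):
    """Keep only the events that triggered at least one detection label."""
    hits = []
    for e in events:
        labels = classify(e)
        if labels:
            hits.append({"host": e["host"], "image": e["image"], "findings": labels})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["host"], hit["image"], ", ".join(hit["findings"]))
```

The PSEXESVC parent check also fires for any other tool pushed with psexec -c, so pair it with the service-install event (7045) for the PSEXESVC service if you want a tighter signal.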
This was buried on another topic, but I thought it deserved its own.