Results 1 to 2 of 2

Thread: Gaining access to Novell Groupwise 8 passwords

Hybrid View

  1. 05-20-2009, 05:35 PM #1
    williamc
    williamc is offline
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default Gaining access to Novell Groupwise 8 passwords

    I'm performing a pen-test on a Novell/Windows environment. I've managed to gain domain administrator and full access to the Groupwise console. I've cracked the majority of the users hashes on the windows side with LC5. The problem is when I get to Groupwise. Even though I have access to all the accounts, I have no way of dumping the credentials. They use seperate authentication for Groupwise, so my goal is to compare passwords. Luckily, the domain admin had synchronized his credentials, so I got access to the iconsole. All the remaining users have seperate credentials for the Groupwise.

    So far, I've only found a few tools. One being for edirectory:
    http://ldapwiki.willeke.com/Wiki.jsp...nformationTool

    This did not work, as they are not using edirectory. Simple Nomad has some legacy tools, but they don't work on Groupwise 8:
    http://www.nmrc.org/project/index.html

    Any ideas or suggestions on how to proceed? Thanks.

    William
  2. 05-28-2009, 11:32 PM #2
    williamc
    williamc is offline
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default

    There doesn't seem to be a process to extract credentials from the Novell Groupwise server. The only workaround was for me to dump the running grpwise process on each workstation and look for the password. As they are running 6.5.3, this was rather easy, since the password is stored in memory. I posted about this earlier:
    http://forums.remote-exploit.org/showthread.php?t=15588

    Same process, dump the grpwise process to disk and parse the file. However, this can be sped up if you know the location of the password, which is the same for this location. I used this perl script:
    Code:
    #!/usr/bin/perl

my @array;
my $i =0;
my $file = $ARGV[0];

open(FILE, $file) || die $!;

@data=<FILE>;
foreach $line (@data)
{
chomp($line);
	if ($line =~ /PONAME_HERE/)
	{
		if ($line =~ /(\006\000\000.{15})/)
		{
			print $i.": ".$1."\n";
			$i++;
		}
	}
}
    Replace PONAME_HERE with the name of the post office your auditing. If they are running 6.5.3 or lower clients, then the memory address should contain the plain text groupwise password. Apparently, later versions have patched for this issue.

    William
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules