Thread: Novell local password cache NIS

  1. #1
    Junior Member
    Join Date
    Feb 2010
    Posts
    44

    Novell local password cache NIS

    Hello guys,

    I know in a Windows environment local passwords are stored in SAM and domain passwords are cached locally in the registry at HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10.

    At the moment I am doing a password audit on a Novell server (NDS/eDirectory) and Windows client environment. In this case local passwords are still stored in SAM. But where are the local NDS cached passwords on the Windows client? Probably not in the same registry location, since I cannot grab them with CacheDump?

    Thanks for your help.

    Regards,

    Macamba

  2. #2
    Junior Member
    Join Date
    Feb 2010
    Posts
    44

    Anybody?

    Somebody, anybody...

  3. #3
    My life is this forum thorin
    Join Date
    Jan 2010
    Posts
    2,629

    <shrug> just fire up Google and see what you can find. I don't know anyone who actually uses Novell (not that I've had to pentest anyway).

    http://www.novell.com/documentation/...a/bsqdjwi.html

    ...secrets from SecretStore in eDirectory or NDS are cached to an encrypted information store on the workstation's Windows directory. This local store persists after the eDirectory authenticated session is closed. For laptop users, this functionality provides access to login data while the users aren't connected to the network.
    Doesn't tell you the exact file but I'm sure with some additional searching you can find it.

  4. #4
    Junior Member
    Join Date
    Feb 2010
    Posts
    44

    Thorough search

    Thanks Thorin. I already did some thorough searching via Google, but I can only find vague references like "the local data store with the cached NDS/eDirectory credentials", and still didn't find the actual location.

    Regards,

    Macamba

  5. #5
    My life is this forum thorin
    Join Date
    Jan 2010
    Posts
    2,629

    What about using SysInternals Filemon and Regmon tools (or just Windows search for any file(s) modified in the last day) and force a new user to be added to the cache somehow?

  6. #6
    Junior Member
    Join Date
    Feb 2010
    Posts
    44

    SAM database

    I tested it with a new account. Funny, Novell caches the NDS/eDirectory credentials in the SAM database, where Windows only stores local accounts.

    Macamba

  7. #7
    Good friend of the forums williamc
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    I confirmed an interesting vulnerability with Novell. According to this advisory, the Novell password can be dumped out of memory:
    http://www.securityfocus.com/archive/1/402767

    We confirmed this on a Novell 7 environment while performing a pentest.
    Use both Psexec and pmdump as follows:
    psexec \\hostname -u username -p password -s -f -c pmdump -list

    Find the PID of the Gwise.exe service. Then:
    psexec \\hostname -u username -p password -s -f -c pmdump PID PID_dump.txt

    This will dump the memory to \\hostname\c$\windows\system32
    Open the dump file in a hex editor and search for an organizational string, like an OU, in the target's memory dump file.

    From there you can find the Novell password for the user within the file.

    To simplify this, if you have already found one Novell password, dump the PID for gwise of that user and search for the password. From there, you can work backwards to find the OU format, and apply it to other targets. For instance, at this particular location, the client's OU is similar to clientname.AA_FINANCE.AA_NW
    If you do a search for AA_FINANCE.AA_NW in the memory dump you will see the password in plain text. Suppose the CFO is whomever.AA_FINANCE.AA_NW. By dumping his memory, you can search for the OU and reference your original dump, match up the location and password.

    William
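
The activity described in post #7 leaves host-side traces a defender can alert on: PsExec installs a service (default name PSEXESVC) and pmdump then runs as its child. The following is an added example, not part of the thread; the key=value log format, host names and finding labels are constructed, and it assumes service-install (7045) and process-creation (4688) events are being collected.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread): a simplified key=value
# rendering of Windows service-install (7045) and process-creation (4688) events.
SAMPLE_LOG = r'''
host=WS01 event=7045 service=PSEXESVC image=C:\Windows\PSEXESVC.exe
host=WS01 event=4688 user=SYSTEM parent=C:\Windows\PSEXESVC.exe image=C:\Windows\pmdump.exe cmd="pmdump -list"
host=WS01 event=4688 user=SYSTEM parent=C:\Windows\PSEXESVC.exe image=C:\Windows\pmdump.exe cmd="pmdump 1432 1432_dump.txt"
host=WS02 event=4688 user=alice parent=C:\Windows\explorer.exe image=C:\Windows\notepad.exe cmd="notepad report.txt"
host=WS03 event=7045 service=PSEXESVC image=C:\Windows\PSEXESVC.exe
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value record into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()

def detect(log_text):
    """Return {host: sorted list of finding labels} for the given records."""
    findings = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = parse(line)
        host = ev.get('host', '?')
        if ev.get('event') == '7045' and ev.get('service', '').upper() == 'PSEXESVC':
            findings[host].add('psexec-service-installed')
        if ev.get('event') == '4688' and basename(ev.get('image', '')) == 'pmdump.exe':
            findings[host].add('pmdump-executed')
            if basename(ev.get('parent', '')) == 'psexesvc.exe':
                findings[host].add('pmdump-launched-by-psexec')
            # "pmdump <PID> <file>" writes a process's memory to disk
            if re.fullmatch(r'\S+\s+\d+\s+\S+', ev.get('cmd', '')):
                findings[host].add('process-memory-written-to-file')
    return {h: sorted(f) for h, f in findings.items()}

if __name__ == '__main__':
    for host, labels in detect(SAMPLE_LOG).items():
        print(host, labels)
```

A PSEXESVC install on its own (WS03 in the sample) is often legitimate administration; the combination with a memory-dump tool on the same host is the higher-confidence signal.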
