Pandora v4.0 FAQ

1. Is Netware 5 supported as well as Netware 4?
2. Does Pandora Offline do really big NDS trees?
3. Pandora Offline won't get my 18 character password.
4. I can't get spoofing and sniffing attacks in Pandora Online to work. What's wrong?
5. So how do I install the packet driver?
6. Why are you doing this? You are giving crackers tools to break in!
7. So Pandora uses bindery-based attacks?
8. What are the basic steps for fully utilizing Pandora Offline?
9. Why does my machine slow to a crawl when I do a dictionary attack against a huge NDS tree?
10. I can't get Pandora Online to properly "Hijack admin connection". What's wrong?
11. Why isn't there a Pandora Online for Linux?
12. So how do I secure my systems from Pandora attacks?

------

1. Is Netware 5 supported as well as Netware 4?

Yes. We do Netware 5 now. We also do BACKUP.DS and DSREPAIR.DIB files for both versions.

2. Does Pandora Offline do really big NDS trees?

Yes. In previous versions of Pandora this was a problem. The new Offline code will try to recover what it can from NDS in case of NDS problems. Before, you needed very clean NDS files before recovery -- now you can at least recover most password information from damaged NDS files.

3. Pandora Offline won't get my 18 character password.

Unless you are the NSA, you probably do not really have the time to crack an 18 character password anyway. Besides, to simplify the code Pandora will not work with passwords over 16 characters. We have no reason to extend this, although if someone wants to know how, write to Jitsu-Disk or Simple Nomad. In your request please explain why your life is so pathetic that you must crack a password this long.

4. I can't get spoofing/sniffing/DoS attacks in Pandora Online to work. What's wrong?

Well, there could be several different problems. Here are a few:

- Network card does not support promiscuous mode. We've personally tested with a few cards, and can say that most modern 3Com cards do just fine. Let us know about success with others.
- Make sure you have the packet driver software configured correctly for Windows.
- For Linux you must be running as root.
- Novell reports that if the SET PACKET SIGNATURE LEVEL=3 line is in the AUTOEXEC.NCF after DS.NLM loads, you are vulnerable. If the SET command is the first line in the AUTOEXEC.NCF or in the STARTUP.NCF, Packet Signature will work properly if the DS.NLM version is 5.95 or greater.
- There are reports that Netware 4.11 SP7 and Netware 5 SP3 fix a number of the "holes". Some we have reopened, some we have not.

5. So how do I install the packet driver?

Simple steps (remember we didn't write the driver, it was free and we're using it; alternatives are welcomed):

- Download and extract the packet drivers into a temp directory.
- Right click on Network Neighborhood and go to Properties.
- Click on Protocols.
- Click on Add, and use the Have Disk option.
- Browse to the temp directory, and click on the driver listed.

6. Why are you doing this? You are giving crackers tools to break in!

The NCP exploits were originally explored in v2.0 of Pandora as a direct result of hackers using 3.x attack tools against 4.x servers and gaining access. Several different hackers in eastern Europe were reporting to NMRC about their success, and several administrators wrote in asking for help. Simple Nomad discovered several flaws in mid 1997, and Jitsu-Disk expanded on these in 1998 for v3.0 of Pandora. Since these exploits were already being used in the underground we felt there was a greater harm in NOT bringing these things forward. In v4 we added a graphic front end. We understand that there will be people that abuse these tools -- we also understand these tools will help administrators protect their systems. If you must complain, complain to Novell.

7. So Pandora uses bindery-based attacks?

Yes and no. Many of these attacks will work fine against Netware 3.x servers, but will still work against 4.x servers even with bindery context not turned on. Novell has mistakenly stated that these are bindery-based attacks, implying that they will not work against a Netware 4.x server that does not have bindery context set. These attacks work against flaws in NCP, and many of the same NCP calls that work against a Netware 3.x server will still work against a 4.x server. Why? This is important: NO BINDERY CONTEXT DOES NOT MEAN NO BINDERY CALLS VIA NCP. The problem is with NCP, not with the bindery calls used during login that need a bindery context to place them in the tree at the proper spot.

8. What are the basic steps for fully utilizing Pandora Offline?

- Acquire NDS files. If you acquire a BACKUP.DS or DSREPAIR.DIB file, you can extract the needed info out of there using the menu selection File->Extract and Load->NDS&Password, which will create the NDS files and also create a PASSWORD.NDS file.
- The accounts extracted will appear in the Input section.
- Double-click to select a target for attack.
- Adjust your settings from the menu Crack->Password Crack Settings.
- Select either Crack->Brute force or Crack->Dictionary attack.
- Results will appear in the Results section. As you crack a password, it will update the Input section as well.
- You can save the PASSWORD.NDS and Results section.
- You can start multiple sessions as the program is multi-threaded, although it is recommended you do not run multiple dictionary sessions.

9. Why does my machine slow to a crawl when I do a dictionary attack against a huge NDS tree?

Each individual account is spun off with its own thread during the dictionary attack. For example, a dictionary attack against 1000 accounts will spawn 1000 threads (in theory, if your OS will allow it). Obviously this will slow general processing down. It is recommended on large trees that you specify a range of accounts to attack. Go to Crack->Password Crack Settings and select "When dictionary attack, crack range of objects". Then when you Crack->Dictionary attack, you can specify a range of objects based upon the sort order in the Input window.

10. I can't get Pandora Online to properly "Hijack admin connection". What's wrong?

You need to be in the proper spot to do the hijacking. Since you are entering the MAC address of the Admin, you obviously need to be on the same Ethernet segment. While it should work in theory across a router (using the MAC address of the segment the Admin packets are coming from), you still have to be in between the Admin's computer and the server. This is also a race of sorts -- it is possible that the Admin's computer may beat you on this. Unless you are running a sniffer on the same segment of network cabling (and you know how to read the results) you may not know why you are failing. Sniffing may help in diagnosing any problems.

11. Why isn't there a Pandora Online for Linux?

There is. As of December 1999 we have a fairly stable version up and running. Linux will probably be the primary platform we support from now on.

12. So how do I secure my systems from Pandora attacks?

This can be done in a few simple steps.

- Remove the ability for anyone to read the NDS tree (check the rights for [Root]; they should not be public).
- Isolate servers on one Ethernet segment, admins on another, and end users elsewhere, or go to switched Ethernet.
- Use Packet Signature at the highest settings on servers and workstations at all times.
- Use the latest patches on servers and workstations. Novell is always dropping security fixes into maintenance patches and not telling anyone about it. So patch up.
- The SET PACKET SIGNATURE line should be in the STARTUP.NCF, not the AUTOEXEC.NCF.
- Build an NDS account named SUPERVISOR, give it no rights and disable it.
- Give the bindery Supervisor account a huge password.
- Make sure the server object is not in the same container as the Admin account.
- Turn on Intruder Detection on every container.
- Minimum password length should be 8 for most users; LAN administrators should have an even longer password.
- Never use RConsole. Ever. Walk to the damn server, or use an out-of-band method for access if it is truly in a remote location.
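The two startup-file rules above (question 4: the SET line must run before DS.NLM loads; question 12: it belongs in STARTUP.NCF, at the highest level) are easy to check mechanically from copies of the two NCF files. The audit below is an added example, not part of the Pandora distribution or of any Novell tooling. It uses the FAQ's spelling of the SET line (the exact parameter name on a given Netware version may differ), treats lines beginning with #, ; or REM as NCF comments, and runs against constructed sample file contents; all of those are assumptions.

```python
"""Audit STARTUP.NCF / AUTOEXEC.NCF for the Packet Signature placement
advice in the Pandora FAQ (questions 4 and 12). Added example, not from
the original page; file contents below are constructed samples."""
import re
from typing import List, Optional, Tuple

# Spelling of the SET line as the FAQ gives it (assumption: real parameter
# names may differ between Netware versions). Captures the level digit.
SIG_RE = re.compile(r"^\s*SET\s+PACKET\s+SIGNATURE\s+LEVEL\s*=\s*(\d)\s*$", re.I)
# LOAD DS or LOAD DS.NLM, optionally with a path prefix; anchored so that
# e.g. "LOAD DSREPAIR" does not match.
DS_RE = re.compile(r"^\s*LOAD\s+(?:\S*[\\/])?DS(?:\.NLM)?\s*$", re.I)
# Assumption: '#', ';' and 'REM' introduce comments in NCF files.
COMMENT_RE = re.compile(r"^\s*(#|;|REM\b)", re.I)


def _commands(ncf_text: str) -> List[str]:
    """Return the executable command lines of an NCF file, in order."""
    return [
        line.strip()
        for line in ncf_text.splitlines()
        if line.strip() and not COMMENT_RE.match(line)
    ]


def _find_sig(cmds: List[str]) -> Optional[Tuple[int, int]]:
    """Return (command index, level) of the first SET PACKET SIGNATURE line."""
    for i, cmd in enumerate(cmds):
        m = SIG_RE.match(cmd)
        if m:
            return i, int(m.group(1))
    return None


def _find_ds(cmds: List[str]) -> Optional[int]:
    """Return the command index at which DS.NLM is loaded, if any."""
    for i, cmd in enumerate(cmds):
        if DS_RE.match(cmd):
            return i
    return None


def audit_ncf(startup_ncf: str, autoexec_ncf: str) -> List[str]:
    """Return a list of findings; an empty list means the files follow the FAQ."""
    findings: List[str] = []
    startup_sig = _find_sig(_commands(startup_ncf))
    autoexec_cmds = _commands(autoexec_ncf)
    autoexec_sig = _find_sig(autoexec_cmds)
    ds_index = _find_ds(autoexec_cmds)

    if startup_sig is None and autoexec_sig is None:
        return ["no SET PACKET SIGNATURE LEVEL line in STARTUP.NCF or AUTOEXEC.NCF"]

    if startup_sig is None:
        # Q12: the line belongs in STARTUP.NCF. If it is only in AUTOEXEC.NCF,
        # Q4 says it must at least be the first command and precede DS.NLM.
        findings.append("SET PACKET SIGNATURE LEVEL is in AUTOEXEC.NCF; FAQ Q12 says STARTUP.NCF")
        idx, _ = autoexec_sig
        if idx != 0:
            findings.append("in AUTOEXEC.NCF the SET line is not the first command")
        if ds_index is not None and idx > ds_index:
            findings.append("SET PACKET SIGNATURE LEVEL runs after DS.NLM loads (FAQ Q4: vulnerable)")

    level = (startup_sig or autoexec_sig)[1]
    if level != 3:
        findings.append(f"packet signature level is {level}; FAQ Q12 wants the highest setting (3)")
    return findings


# Constructed sample files (not from any real server).
GOOD_STARTUP = "SET PACKET SIGNATURE LEVEL=3\nLOAD IDEATA.HAM SLOT=1\n"
GOOD_AUTOEXEC = "FILE SERVER NAME FS1\n# DS comes up here\nLOAD DS.NLM\n"
BAD_STARTUP = "LOAD IDEATA.HAM SLOT=1\n"
BAD_AUTOEXEC = (
    "FILE SERVER NAME FS1\n"
    "; signature set far too late\n"
    "LOAD DS.NLM\n"
    "SET PACKET SIGNATURE LEVEL=1\n"
)

if __name__ == "__main__":
    for label, s, a in (("good", GOOD_STARTUP, GOOD_AUTOEXEC), ("bad", BAD_STARTUP, BAD_AUTOEXEC)):
        print(label, audit_ncf(s, a) or "OK")
```

Run it against copies of the two files pulled from SYS:SYSTEM; anything it prints maps directly onto the bullets in questions 4 and 12 above.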