A Netware Server is supposed to be a very safe place to keep your files. Only
people with the right password will have access to the data stored there. The
Supervisor (or Admin) user's password is usually the most well kept secret in
the company, since anyone that has that code could simply log to the server and
do anything he/she wants.
But what happens if this password is lost and there's no user that is
security-equivalent to the supervisor? [Use SETPWD.NLM, instead of this process,
see section 02-3 - S.N.] What happens if the password system is somehow damaged
and no one can log to the network? According to the manual, there's simply no
way out. You would have to reinstall the server and try to find your most recent
backup.
Fortunately, there is a very interesting way to gain complete access to a Netware
server without knowing the Supervisor's (or Admin's) password. You may imagine
that you would have to learn complex decryption techniques or even type in a long
C program, but that's not the case. The trick is so simple and generic that it
will work the same way for Netware 2.x, 3.x and 4.x.
The idea is to fool Netware to think that you have just installed the server and
that no security system has been estabilished yet. Just after a Netware 2.x or
3.x server is installed, the Supervisor's password is null and you can log in
with no restriction. Netware 4.x works slightly differently, but it also allows
anyone to log in after the initial installation, since the installer is asked to
enter a password for the Admin user.
But how can you make the server think it has just been installed without
actually reinstalling the server and losing all data on the disk? Simple. You
just delete the files that contain the security system. In Netware 2.x, all
security information is stored in two files (NET$BIND.SYS and NET$BVAL.SYS).
Netware 3.x stores that information in three files (NET$OBJ.SYS, NET$VAL.SYS and
NET$PROP.SYS). The all new Netware 4.x system stores all login names and
passwords in five different files (PARTITIO.NDS, BLOCK.NDS, ENTRY.NDS, VALUE.NDS
and UNINSTAL.NDS [This last file may not be there, don't worry - S.N.]).
One last question remains. How can we delete these files if we don't have access
to the network, anyway? The answer is, again, simple. Altough the people from
Novell did a very good job encrypting passwords, they let all directory
information easy to find and change if you can access the server's disk directly,
using common utilities like Norton's Disk Edit. Using this utility as an example,
I'll give a step-by-step procedure to make these files vanish. All you need is a
bootable DOS disk, Norton Utilities' Emergency Disk containing the DiskEdit
program and some time near the server.
1. Boot the server and go to the DOS prompt. To do this, just let the network
boot normally and then use the DOWN and EXIT commands. This procedure does not
work on old Netware 2.x servers and in some installations where DOS has been
removed from memory. In those cases, you'll have to use a DOS bootable disk.
2. Run Norton's DiskEdit utility from drive A:
3. Select "Tools" in the main menu and then select "Configuration". At the
configuration window, uncheck the "Read-Only" checkbox. And be very careful with
everything you type after this point.
4. Select "Object" and then "Drive". At the window, select the C: drive and make
sure you check the button "physical drive". After that, you'll be looking at your
physical disk and you be able to see (and change) everything on it.
5. Select "Tools" and then "Find". Here, you'll enter the name of the file you
are trying to find. Use "NET$BIND" for Netware 2, "NET$PROP.SYS" for Netware 3 and "PARTITIO.NDS" for Netware 4. It is possible that you find these strings in a
place that is not the Netware directory. If the file names are not all near each
other and proportionaly separated by some unreadable codes (at least 32 bytes
between them), then you it's not the place we are looking for. In that case,
you'll have to keep searching by selecting "Tools" and then "Find again". [In
Netware 3.x, you can change all occurences of the bindery files and it should
still work okay, I've done it before. - S.N.]
6. You found the directory and you are ready to change it. Instead of deleting
the files, you'll be renaming them. This will avoid problems with the directory
structure (like lost FAT chains). Just type "OLD" over the existing "SYS" or
"NDS" extension. Be extremely careful and don't change anything else.
7. Select "Tools" and then "Find again". Since Netware store the directory
information in two different places, you have to find the other copy and change
it the same way. This will again prevent directory structure problems.
8. Exit Norton Disk Edit and boot the server again. If you're running Netware 2
or 3, your server would be already accessible. Just go to any station and log in
as user Supervisor. No password will be asked. If you're running Netware 4, there
is one last step.
9. Load Netware 4 install utility (just type LOAD INSTALL at the console prompt)
and select the options to install the Directory Services. You be prompted for the
Admin password while doing this. After that, you may go to any station and log in
as user Admin, using the password that you have selected.
What I did with Norton's Disk Edit could be done with any disk editing utility
with a "Search" feature. This trick has helped me save many network supervisors
in the last years. I would just like to remind you that no one should break into
a netware server unless authorized to do it by the company that owns the server.
But you problably know that already.
