Accessing the bindery files directly by prosidnpatu


FEDERAL GOVERNMENT BULLETIN BOARD SYSTEMS (Last Updated: 8/23/94) OPM BBSs: ~~~~~~~~ MAINSTREET............. (202) 606-4800 Fed Pers & Job Info from OPM's Agencywide BBS Federal Jobline......... (818) 575-6521 Fed Pers & Job Info from OPM's Western Region BBS Fed Job Opp Board (FJOB) (912) 757-3100 Fed Pers & Job Info from OPM's Macon, GA Service Ctr FEDJOBS................. (215) 580-2216 Fed Pers & Job Info from OPM's Philadelphia Region BBS PayPerNet#1 ............ (202) 606-2675 Fed. Pay & Per. Mgmt Info from OPM (Line #1) PayPerNet#2 ............ (202) 606-1876 Fed. Pay & Per. Mgmt Info from OPM (Line #2) WASNET ................. (202) 606-1113 OPM Wash Area Serv Ctr BBS; phone first: 202-606-1848 OTHER FEDERAL BBSs: ~~~~~~~~~~~~~~~~~~ AGRICULTURE DEPT Agriculture Library 301-504-6510/301-504-5496 Biological Impact Assessment 703-231-3858/800-624-2723 Commercial Information Delivery Service (Must subscribe first: 202-720-5505) Economic Research Service 800-821-6229 Human Nutrition Information Service 301-436-5078 IndiaNET (USDA & EPA) 605-393-0468 AIR FORCE DEPT Air Force Small Business BBS 800-821-6229 (type SIGNUP) Small Computer Support Center 406-731-2503 ULANA BBS (AF Engrg Installation) 405-736-0928 ULANA II (AF Engrg Installation) 405-741-0824 Competition Advocate (AF Space Command) (Call voice first: 719-554-5325) Standard Systems Center 205-416-5651 Hill AFB 801-774-6509 Argonne National Laboratory 708-252-8241

More Info
									                                                            3 November 1995

                     Accessing the bindery files directly

                     Alastair Grant, Cambridge University

1. Introduction

This document describes a command for accessing the NetWare 3.x bindery
files directly, bypassing the NetWare network API calls.

It can be used for fast bindery access, bulk user management, bypassing
security restrictions, investigating problems etc.

It is quite possible to destroy the bindery completely, or to reveal
information which could be used by hackers to obtain passwords. Users
are assumed to have a basic grasp of good procedures for security and

2. Command syntax

The basic format of the command is

   bindery [options] bindery-spec action action ...

2.1 Specifying a bindery

A bindery specification takes the form


E.g. SYS:SYSTEM/.SYS. The path defaults to the current directory. The
extension defaults to .OLD.

Alternatively an 'active' bindery can be specified:

   SERVER server

The bindery will be closed if necessary.

2.2 Actions on the bindery

  INFO       print info about the bindery
  SCHEMA     checks the bindery against the schema in BINDERY.SCH
  DUMP obj   dump all information for the specified object(s)
  OBJ        list all object records
  PROP       list all property records
  VAL        list all value records
     VALDATA   list all value records, with data
     EXPORT    export the bindery to a text file; see below
     IMPORT    import the bindery from a text file
     ETC       export user password information, suitable for input to the
               password-cracking program described below

The following actions apply only if a bindery has been specified by the
SERVER parameter:
  CLOSE     close the bindery, i.e. make it available for direct access;
            users attempting to access the bindery via NetWare API calls
            will receive an error
  OPEN      open the bindery, which causes the server to reload it and
            may take some time for large binderies
  COPY directory
            copy the bindery files into a directory elsewhere

3. Export/import

The bindery can be exported to and imported from a text file. This can
be used for various purposes:

 -     problem diagnosis and repair

 -     creation of large binderies given a set of user information

 -     compaction of binderies

 -     merging binderies or moving users between binderies while
       preserving their passwords

To see the format of the export file, try exporting a small bindery.

4. Password cracking

Passwords are not stored in clear in the bindery. What is stored is a
16-byte value computed via a one-way function from the user's object id
and the password. Given the object id and password it is possible to
generate a candidate password which can be compared against that in the

The ETC option of the BINDERY command produces a file containing the
required information, in a format superficially similar to /etc/passwd
on Unix:



     ttidy:32d8998e098a05830f809b809ea02137:D0000001:8:Terry Tidy

This can then be input into bindery cracking programs. Separating the
functions in this way allows various forms of parallelism:
 -    the password file can be split into smaller chunks

 -    the same password file can be worked on by several cracking
      programs each with different dictionaries or algorithms

 -    cracking programs can be run on faster machines

A cracking program BINCRACK is provided which takes such a file as
input. It has command syntax:

     bincrack [/verify] [/numsub] pw-file dict-file

/verify lists the passwords that are being tried. /numsub tries
substituting numbers for letters, e.g. "1D10T". This takes a lot longer
as all possible combinations are tried. pw-file is an exported bindery
password file. dict-file is a simple word list.

Versions are available for MS-DOS and for Solaris 1 and Solaris 2 SPARC

Suitable wordlists can be found at

To top