Pandora v4.0 FAQ

1. Is Netware 5 supported as well as Netware 4?
2. Does Pandora Offline do really big NDS trees?
3. Pandora Offline won't get my 18 character password.
4. I can't get spoofing/sniffing/DoS attacks in Pandora Online to work.
   What's wrong?
5. So how do I install the packet driver?
6. Why are you doing this? You are giving crackers tools to break in!
7. So Pandora uses bindery-based attacks?
8. What are the basic steps for fully utilizing Pandora Offline?
9. Why does my machine slow to a crawl when I do a dictionary attack
   against a huge NDS tree?
10. I can't get Pandora Online to properly "Hijack admin connection".
    What's wrong?
11. Why isn't there a Pandora Online for Linux?
12. So how do I secure my systems from Pandora attacks?

------

1. Is Netware 5 supported as well as Netware 4?

 Yes. We do Netware 5 now. We also do BACKUP.DS and DSREPAIR.DIB files
 for both versions.

2. Does Pandora Offline do really big NDS trees?

 Yes. In previous versions of Pandora this was a problem. The new Offline
 code will try to recover what it can from NDS in case of NDS problems.
 Previously you needed very clean NDS files before recovery -- now you can
 at least recover most password information from damaged NDS files.

3. Pandora Offline won't get my 18 character password.

 Unless you are the NSA, you probably do not really have the time to crack
 an 18 character password anyway. Besides, to simplify the code Pandora
 will not work with passwords over 16 characters. We have no reason to
 extend this, although if someone wants to know how, write to Jitsu-Disk
 or Simple Nomad. In your request please explain why your life is so
 pathetic that you must crack a password this long.

4. I can't get spoofing/sniffing/DoS attacks in Pandora Online to work. 
   What's wrong?

 Well, there could be several different problems. Here are a few:

 - Your network card may not support promiscuous mode. We've personally
   tested with a few cards, and can say that most modern 3Com cards do just
   fine. Let us know about success with others.
 - Make sure you have the packet driver software configured correctly for
   Windows.
 - For Linux you must be running as root.
 - Novell reports that if the SET PACKET SIGNATURE LEVEL=3 line is in the
   AUTOEXEC.NCF after DS.NLM loads, you are vulnerable. If the SET command is
   the first line in the AUTOEXEC.NCF or is in the STARTUP.NCF, Packet
   Signature will work properly, provided the DS.NLM version is 5.95 or
   greater.
 - There are reports that Netware 4.11 SP7 and Netware 5 SP3 fix a number
   of the "holes". Some we have reopened, some we have not.

5. So how do I install the packet driver?

 Simple steps (remember, we didn't write the driver; it was free and we're
 using it, and alternatives are welcome):

 - Download and extract the packet drivers into a temp directory.
 - Right click on Network Neighborhood and go to Properties.
 - Click on Protocols.
 - Click on Add, and use the Have Disk option.
 - Browse to the temp directory, and click on the driver listed.

6. Why are you doing this? You are giving crackers tools to break in!

 The NCP exploits were originally explored in v2.0 of Pandora as a direct
 result of hackers using 3.x attack tools against 4.x servers and gaining
 access. Several different hackers in eastern Europe were reporting to
 NMRC about their success, and several administrators wrote in asking for
 help. Simple Nomad discovered several flaws in mid 1997, and Jitsu-Disk
 expanded on these in 1998 for v3.0 of Pandora. Since these exploits were
 already being used in the underground we felt there was a greater harm in
 NOT bringing these things forward. In v4 we added a graphic front end.

 We understand that there will be people that abuse these tools -- we
 also understand these tools will help administrators protect their
 systems. If you must complain, complain to Novell.

7. So Pandora uses bindery-based attacks?

 Yes and no. Many of these attacks will work fine against Netware 3.x
 servers, and they will still work against 4.x servers even with bindery
 context turned off. Novell has mistakenly stated that these are
 bindery-based attacks implying that they will not work against a
 Netware 4.x server that does not have bindery context set. These
 attacks work against flaws in NCP, and many of the same NCP calls that
 work against a Netware 3.x server will still work against a 4.x server.
 Why? This is important: NO BINDERY CONTEXT DOES NOT MEAN NO BINDERY
 CALLS VIA NCP. The problem is with NCP, not the bindery calls used
 during login that need a bindery context to place them in the tree
 at the proper spot.

8. What are the basic steps for fully utilizing Pandora Offline?

 - Acquire NDS files. If you acquire a BACKUP.DS or DSREPAIR.DIB file,
   you can extract the needed info out of it using the menu selection
   File->Extract and Load->NDS&Password, which will create the NDS files
   and also create a PASSWORD.NDS file.
 - The accounts extracted will appear in the Input section.
 - Double-click to select a target for attack.
 - Adjust your settings from the menu Crack->Password Crack Settings.
 - Select either Crack->Brute force or Crack->Dictionary attack.
 - Results will appear in the Results section. As you crack a password,
   it will update the Input section as well.
 - You can save the PASSWORD.NDS file and the Results section.
 - You can start multiple sessions as the program is multi-threaded,
   although it is recommended that you do not run multiple dictionary
   sessions.

9. Why does my machine slow to a crawl when I do a dictionary attack
   against a huge NDS tree?

 Each individual account is spun off with its own thread during the
 dictionary attack. For example, a dictionary attack against 1000
 accounts will spawn 1000 threads (in theory, if your OS will allow it).
 Obviously this will slow general processing down. On large trees it is
 recommended that you specify a range of accounts to attack. Go to
 Crack->Password Crack Settings and select "When dictionary attack,
 crack range of objects". Then when you Crack->Dictionary attack, you
 can specify a range of objects based upon the sort order in the Input
 window.

10. I can't get Pandora Online to properly "Hijack admin connection".
    What's wrong?

 You need to be in the proper spot to do the hijacking. Since you are
 entering the MAC address of the Admin, you obviously need to be on
 the same Ethernet segment. While it should work in theory across a
 router (using the MAC address of the segment the Admin packets are
 coming from), you still have to be in between the Admin's computer
 and the server. This is also a race of sorts -- it is possible that
 the Admin's computer may beat you on this. Unless you are running a
 sniffer on the same segment of network cabling (and you know how to
 read the results) you may not know why you are failing. Sniffing
 may help in diagnosing any problems.

11. Why isn't there a Pandora Online for Linux?

 There is. As of December 1999 we have a fairly stable version up and
 running. Linux will probably be the primary platform we support from now
 on.

12. So how do I secure my systems from Pandora attacks?

 This can be done in a few simple steps.

 - Remove the ability for anyone to read the NDS tree (check the
   rights for [Root], they should not be public).
 - Isolate servers on one Ethernet segment, admins on another, and
   end users elsewhere, or go to switched Ethernet.
 - Use Packet Signature at the highest settings on servers and
   workstations at all times.
 - Use the latest patches on servers and workstations. Novell is
   always dropping in security fixes in maintenance patches and
   not telling anyone about it. So patch up.
 - The SET PACKET SIGNATURE line should be in the STARTUP.NCF, not
   the AUTOEXEC.NCF.
 - Build an NDS account named SUPERVISOR, give it no rights and
   disable it.
 - Give the bindery Supervisor account a huge password.
 - Make sure the server object is not in the same container as the
   Admin account.
 - Turn on Intruder Detection on every container.
 - Minimum password length should be 8 for most users; LAN
   administrators should have an even longer password.
 - Never use RConsole. Ever. Walk to the damn server, or use an
   out-of-band method for access if it is truly in a remote
   location.
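 As an added example (not part of the original FAQ or of Pandora), here
 is a small audit script that applies the Packet Signature placement rule
 from questions 4 and 12 to a server's NCF files: the SET line must be in
 STARTUP.NCF (or, at worst, the first line of AUTOEXEC.NCF), and a SET
 line sitting in AUTOEXEC.NCF after DS.NLM has loaded is flagged. The
 sample NCF contents are constructed, and detecting the DS.NLM load via an
 explicit LOAD DS line is an assumption.

```python
import re

# Audit rule taken from this FAQ (Q4 and Q12): the packet-signature SET line
# works when it is in STARTUP.NCF or is the first line of AUTOEXEC.NCF; in
# AUTOEXEC.NCF after DS.NLM loads, the server stays vulnerable.
# The FAQ quotes the line as "SET PACKET SIGNATURE LEVEL=3"; the pattern also
# accepts the "SET NCP PACKET SIGNATURE OPTION=3" spelling.
SIG_RE = re.compile(r"^SET\s+(NCP\s+)?PACKET\s+SIGNATURE\b", re.IGNORECASE)
# Assumption: DS.NLM loading shows up as an explicit LOAD DS line in the NCF.
DS_RE = re.compile(r"^LOAD\s+DS(\.NLM)?\b", re.IGNORECASE)

def ncf_lines(text):
    """Non-empty, non-comment NCF lines, stripped, in file order."""
    lines = (raw.strip() for raw in text.splitlines())
    return [l for l in lines if l and not l.startswith((";", "#"))]

def audit_packet_signature(startup_ncf, autoexec_ncf):
    """Classify where the packet-signature SET line lives.
    Returns 'ok-startup', 'ok-autoexec-first', 'vulnerable-after-ds',
    'review-autoexec-not-first' (FAQ gives no verdict) or 'missing'."""
    if any(SIG_RE.match(l) for l in ncf_lines(startup_ncf)):
        return "ok-startup"
    auto = ncf_lines(autoexec_ncf)
    sig_at = next((i for i, l in enumerate(auto) if SIG_RE.match(l)), None)
    if sig_at is None:
        return "missing"
    if sig_at == 0:
        return "ok-autoexec-first"
    ds_at = next((i for i, l in enumerate(auto) if DS_RE.match(l)), None)
    if ds_at is not None and ds_at < sig_at:
        return "vulnerable-after-ds"
    return "review-autoexec-not-first"

# Constructed sample files (not taken from any real server).
WEAK_STARTUP = "SET MINIMUM PACKET RECEIVE BUFFERS=100\n"
WEAK_AUTOEXEC = (
    "FILE SERVER NAME FS1\n"
    "LOAD DS.NLM\n"
    "SET PACKET SIGNATURE LEVEL=3\n"   # too late: DS.NLM is already up
)
FIXED_STARTUP = (
    "SET NCP PACKET SIGNATURE OPTION=3\n"   # moved to STARTUP.NCF, as Q12 says
    "SET MINIMUM PACKET RECEIVE BUFFERS=100\n"
)
FIXED_AUTOEXEC = "FILE SERVER NAME FS1\nLOAD DS.NLM\n"

if __name__ == "__main__":
    print("weak :", audit_packet_signature(WEAK_STARTUP, WEAK_AUTOEXEC))
    print("fixed:", audit_packet_signature(FIXED_STARTUP, FIXED_AUTOEXEC))
```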
