                                Pandora Toolbox API
                         (c) Nomad Mobile Research Center
                                   www.nmrc.org


_I_     What is all this about ?
_II_    Credits
_III_   Pandora API architecture
_IV_    The mother of all : Pan_glob.h
_V_     Ripped off ! Pan_file.h
_VI_    The hash and the pendulum. Pan_hash.h
_VII_   Netware, Bravo, do you copy ? Pan_com.h

_A_     Appendix A : error codes
_B_     Appendix B : physical file structures


_I_ What is all this about ?

        Project Pandora was developped by o O O Simple Nomad O O o at the
        NMRC to hack Novell premier product : Netware NDS. The project
        initially permitted dictionary attacks and brute force attacks on
        password's hash extracted from the NDS. Then more attacks were
        added, involving Netware Core Protocol, and it became clear that
        an API was needed to reduce the redundancy in the code, facilitate
        algorithm emprovments, expand the project and permit others to
        share the fun...


_II_ Credits

This API was made possible thanks to the work of many, that was carefuly
gathered and assembled here. Therefore the NMRC team, Imnsho - Jitsu-Disk -
Knobster - Simple Nomad - Up-uat, wishes to thanks the following people for
their (sometime unconscious) contributions...

                        o O O Eleete O O o

                           Greg Miller
                              Itsme

                    o O O Ideas & Support  O O o

                             Al Grant
                             Denis. L
                              gOObER
                            Richard. P
                               Rx2
                          Thomas Lackner

                      o O O NCP Insight O O o

                          Adrian Cunnely
                   Eugene Illenchko & Gusev Igor
                           Fauzan Mirza
                        Sven B. Schreiber

                o O O Low level IPX/DOS coding O O o

                        John R. McCawley III
                          Cap'n Hardgeus
                           Hotwarez LLC


_III_ Pandora API architecture

The Pandora API is fully written in C code using the free GNU compiler. It
supports big and little endian platforms, and requires DJGPP free GNU C to
compile under DOS/WIN/OS2 environment (available at www.delorie.com).

It is build as a set of shared libraries, each of them specialized in a
certain type of attack. As of Pandora v3 release the libraries are :

Pan_file.h : for manipulation of the NDS files and password hash extraction
Pan_hash.h : to play all sort of crypto games with the extracted hash
Pan_com.h  : used to communicate on the network using NCP/IPX/Packet transport

In addition there is a common library which defines common types and routines 
to all shared libraries : Pan_glob.h

Pan_file.h, Pan_hash.h and Pan_com.h are the headers you want to include in
your programs if you need to manipulate NDS/decipher/communicate with netware.
These files are only declaration headers, the source code is located in
subdirectories affiliated to them :

main-dir    header file      sub-dir         source files
--------    -----------      -------         ------------
         |  Pan_file.h |---> p_file  |-----> file_lib.c   (Pandora interface)
         |                                   file_med.h   (file manipul. code)
         |                                   file_low.h   (NDS files struct)
         |
         |  Pan_hash.h |---> p_hash  |-----> hash_lib.c   (Pandora interface)
         |                                   hash_med.h   (crypto routines)
         |                                   hash_low.h   (crypto algo)
 pandora |
         |  Pan_com.h  |---> p_com   |-----> com_lib.c    (Pandora interafce)
         |                                   com_med.h    (TODO:IPX struct)
         |                            low  | com_dos.h    (com for DOS only)
         |                            level| com_lin.h    (TODO:com for LINUX)
         |
         |  Pan_glob.h |---> p_glob  |-----> pandora.c    (Pandora structures)
         |                                   globals.c    (endian & unicode)

We separated in each library the code of the API functions themselves
(Pandora interafce) from the routines those API rely upon (_med and _low).
The separation of what is considered a "low" level code and "medium" level
code is arbitrary. If this looks a bit tortuous, a glance at a typical
makefile might help ;-)

--------------------------------<makefile>------------------------------------
# this makefile illustrate the use of all libraries in one prog.
# the prog is supposed to be in a directory under which we find the
# "pandora" directory and all its subordinates.

CC       =  gcc  # your favorite compiler
CFLAGS   =  -O3 -funroll-all-loops -fforce-mem # Optimization options

# following declarations will cause the compiler to build the libraries
# if not already compiled
PAN_GLOB   =  pandora\\p_glob\\pandora.o pandora\\p_glob\\globals.o
PAN_HASH   =  pandora\\p_hash\\hash_lib.o
PAN_FILE   =  pandora\\p_file\\file_lib.o
PAN_COM    =  pandora\\p_com\\com_lib.o

# invoking 'make' or 'make myprog' will build nwhack
myprog: nwhack
all: nwhack

# compil macro
.c.o:
	$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@

# your stuff that requires all libraries
nwhack: nwhack.o $(PAN_FILE) $(PAN_HASH) $(PAN_COM) $(PAN_GLOB)
        nwhack.o: nwhack.c

#sample :
#
#myprog: myprog.o [$(__PAN__HEADER_I_USED__) ...] $(PAN_GLOB)
#        myprog.o: myprog.c
#
# this makefile is found in the directory: mydirectory      
# project pandora files are found under mydirectory\pandora
# linking $(PAN_GLOB) is always required since used by all shared lib
-------------------------------------><---------------------------------------


The start of nwhack.c source as you may expect ...

--------------------------------<nwhack.c>------------------------------------
#include "pandora\pan_file.h"
#include "pandora\pan_hash.h"
#include "pandora\pan_com.h"
/* include "pandora\pan_glob.h" not required since already included
   by above shared libraries */
...
------------------------------------><----------------------------------------


Also note that a special care was taken to wrap all C headers so you could
include them in C++ progs (if you dare ;-) ).

O.K now you have a pretty good idea on how to build your prog with Pandora
facility, so lets get into real trouble and see what exactly you can do with
it...

First off we need to talk about Pan_glob.h .


_IV_ The mother of all : Pan_glob.h

Initially project Pandora was designed to extract users info and password
hash from Novell's NDS files and permit password recovery through brute force
or dictionary attack (see inside.txt). 

The ripped info from NDS being saved in a file called PASSWORD.NDS, and the
"save state" of a brute force attempt in RESTORE.PAN; thus permitting via
manipulation (manipul8) to spread the attack over multiple computers.

The API offers two memory structure that duplicates the contents of these
files, in order to avoid the boredom of dealing with the physical access in
each program. Also those structures permit to pass info to and from the
functions of the API.

Some variables have been added in comparison to v2, so to take care
(hopefully) of new and future needs. This is a very sensitive part of the
API since all modification renders Pandora files incompatible between two
versions (not ment to be a database) but you could write a prog to
convert the files between the various versions if you really need to.

------------------------------<Global Structures>-----------------------------
typedef unsigned char uint8;   /* one byte */
typedef unsigned short uint16; /* one 16bit word */
typedef unsigned long uint32;  /* one 32bit word */
typedef unsigned int  unicode; /* depends on system may be 16 or 32 bit */

typedef struct pan_passlist
{
 uint32                 bind;           /* Bindery type of object */
 uint32                 id;             /* Object ID from ENTRY */
 uint32                 parentID;       /* Parent ID */
 uint32                 objectID;       /* Object ID from Private Key */
 uint32                 pwlen_known;    /* TRUE or FALSE */
 uint32                 pwlen;          /* Password length of user account */
 uint32                 pwhash_known;   /* TRUE or FALSE */
 uint8                  hash[16];       /* One-way hash */
 uint8                  userOU[40];     /* OU of User, stored in unicode */
 uint8                  userCN[258];    /* User common name, unicode */
 struct pan_passlist    *next;
} *Pan_PassList;

typedef struct pan_passhack
{
 uint32 bind;                   /* Bindery type of object */
 uint32 id;                     /* Object ID from ENTRY */
 uint32 parentID;               /* Parent ID */
 uint32 objectID;               /* Object ID from Private Key */
 uint32 pwlen;                  /* Password length currently tested */
 uint8  pw_first[128];          /* Passwd used to initialize the hack */
 uint8  pw_current[128];        /* Current attempt */
 uint8  pw_last;                /* Max for pw_current[0] */
 uint8  hash[16];               /* One-way hash if set to 0 => unknown */
 uint8  userOU[40];             /* OU of User, stored in unicode */
 uint8  userCN[258];            /* User common name, stored in unicode */
} Pan_PassHack;
------------------------------------><----------------------------------------


Pan_PassList declaration : Pan_PassList pPassList;

All variables are pretty self explainatory, just for the record :

 'bind' contains the bindery type of the object (if exist) and is stored in
        big endian format since we exclusively use it when communicating with
        a server which requires that format. Here are listed some common
        bindery types, not all types holds a password though :

        Description                 Value             'bind' value
        ----------------------------------------------------------
        Unknown                     0                 0x0000
        User                        1                 0x0100
        User Group (container)      2                 0x0200
        Print Queue                 3                 0x0300
        File Server                 4                 0x0400
        Job Server                  5                 0x0500
        Gateway                     6                 0x0600
        Print Server                7                 0x0700
        Archive Queue               8                 0x0800
        Archive Server              9                 0x0900
        Job Queue                   10                0x0a00
        Administration              11                0x0b00
        Remote Bridge Server        38                0x2600
        Advertising Print Server    71                0x4700
        Btrieve Server              75                0x4B00
        RSPCX Server (Rconsole)     263               0x0701
        HP Jet-Printer              780               0x0C03
        Cheyenne ArcServe           1100              0x4c04
        Reserved up to              32768             0x0080
        Wild                        -1                0xffff

 'pwlen_known' is set to YES when the lengh of the real password is known.
 'pwhash_known' is set to YES when we know the real hash of a user.

Also you've probably noticed that pPassList is a chained list and therefore
requires memory allocation, and memory release when done, see Global Functions
for this. Adding a new element or searching a new element in the list is very
simple, for illustration check the code in nds_io.c/manipul8.c . Here's a
simple sketch that represents how PASSLIST records are stored in memory :

                         Pan_PassList pPassList;
                                    *
                                    *
   ---------------------------------------------------------------------
  |        <root>    <first-rec>                   <last-rec>           |
  |                                                                     |
  |        pPassList                                                    |
  |          |       |bind                                              |
  |          |______>|id          |bind                                 |
  |                  |parentID    |id             |                     |
  |                  |objectID    |parentID       |                     |
  |                  |...         |objectID       |                     |
  |                  |next------->|...            |                     |
  |                               |next------->...|                     |
  |                                               |next------->(NULL)   |
  |_____________________________________________________________________|


Pan_PassHack declaration : Pan_PassHack pPassHack;

This is a regular structure, it is use for brute force and for passing info
from function to function, depending on the function you're calling not all
fields are required. Check Global Functions for passing info from a pointer
on pPassList to a pPassHack structure.

The pw* variables are worhty a word of explaination :

 'pwlen' contains the current testing size of for the password may it be the
         real one or not, 'pw_first' and 'pw_current' must be of that size.

 'pw_first' is the initializing password, and is also the "upper-limit" when
            used in the brute force.

 'pw_current' is the last saved attempt in a brute force and the starting
              point of a restored brute force. It allows to spread a brute
              force over multiple computers. 'pw_current' canno't be "before"
              'pw_first' in regards of the following key order :

  ************************************************************************
  * ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,./<>?;':\"[]{}`~!@#$%^&*()_-+=| *
  ************************************************************************

 'pw_last' is only one character and gives the "lower_limit" to pw_current[0]

 for instance if we're doing a brute force that pwlen=5, pw_first=AAAAA,
 pw_current=<not set>, pw_last=Z and brute force range is ALPHANUMERIC,
 the first attempt will be AAAAA and the last possible attempt is Z9999.
              
-----------------------------<Global Functions>-------------------------------
 /* Dump unicode to screen, for DOS/Shell use only
 name is a pointer on the unicode string, j the unicode lengh.
 */

 void printUnicodeName(char *name, int j);

 /* Endian conversion routines, for shared lib use. These routines are usefull
 in two situations : when sending WORDS over the wire and when dealing with
 little endian/big endian problem.
 */

 uint32 swap_uint32(uint32 n); /* uint32 BIG<->LITTLE Endian */
 uint16 swap_uint16(uint16 n); /* uint16 BIG<->LITTLE Endian */


 /* Memory alloc/desalloc routinesfor Pan_PassList chained list */

 /* Usage : Pan_PassList pPassList=Pan_PassList_alloc();
 allocates memory for 1 record; to acces information use for ex.
 pPassList->bind, to create a new record (q being a pointer on the last
 record) q->next=Pan_PassList_alloc();
 */

 Pan_PassList Pan_PassList_alloc(void);

 /* Usage : Pan_PassList_free(pPassList);
 free the memory of a PassList structure starting from the specified
 pointed record (usually set on root).
 */

 void Pan_PassList_free(Pan_PassList pPassList);


 /* Pan_PassList / Pan_PassHack exchange of information */

 /* Usage : Pan_PassList_to_PassHack(pPassList,&pPassHack);
 fill a PassHack record with current PassList pointed info, PassHack fields
 that dosen't exist in PassList are kept unchanged.
 */

 void Pan_PassList_to_PassHack(Pan_PassList pPassList,Pan_PassHack *pPassHack);
-------------------------------------><---------------------------------------


As an illustration lets comment a simple routine that reads from a "PASSWORD"
file containing the extracted NDS info, that checks for a specific name, and
finally that stores the matching record in a "PASSHACK" structure :

----------------------------------<Ex_1.c>------------------------------------
/*Some function calls uses the Pan_file.h library described below*/

Pan_PassList pPassList,q;
Pan_PassHack pPassHack;

...

 /*read from the PASSWORD file previously build using the NDS files*/
 /*and copy the file into the Pan_PassList chained-list structure*/

 err=Pan_PassList_read("PASSWORD.NDS",&pPassList);
 if (err) {printf("err : %d",err); /*check the return code*/
           exit(-1);
          }

 /*check records one after the other until the name is found or the end of*/
 /*the list is reached. We use a temporary pointer so not to screw up our*/
 /*root-list (pPassList) pointer*/

 for (q=pPassList;q!=NULL;q=q->next)
  {FOUND=TRUE;
   for (i=0;i<strlen(account);i++)
    {t=i*2+6; /*takes care of Unicode format. Skips 'C N = ' */
     if (account[i]!=q->userCN[t]) FOUND=FALSE;
    }
   if (FOUND==TRUE) break;
  }

 /*checks for the result : if q==NULL, we've reached the end of the list*/
 /*without finding what we looked for*/

 if (!q)
  {printf("%s not found in password file.\n",account);
   Pan_PassList_free(pPassList);
   exit(1);
  }

 /*From hereon we won't use the pPassList structure anymore, so we free the*/
 /*memory it's using. The record we found is copied in a Pan_PassHack*/
 /*structure*/

 Pan_PassList_to_PassHack(q,&pPassHack);
 Pan_PassList_free(pPassList);

...
-------------------------------------><---------------------------------------


If you want to develop with the Pandora Toolbox it is essential that you
really master the Pan_glob.h functions and prototypes since the same system
is applied throughout the project. Read the code...

Now that the plot is set, it's about time to see what the shared lib can
really do for us.


__V__ Ripped off ! Pan_file.h

The aim of this library is a twofold : extract info from the NDS files and
save&read from the Pandora files. For the first issue check 'inside.txt'.

The Pandora files are of two types : one is a list of all users extracted
from the original NDS files (physical companion to Pan_PassList called
PASSLIST), and the other represent the "save-state" of a current "work" on a
specific user (physical equivalent to Pan_PassHack called PASSHACK).

When extracting information from the NDS files, data are stored in a
Pan_PassList structure, this list can then be saved to disk; with the
exeption of 'Pan_Convert(...)' which converts a BACKUP.DS file into the
original '.NDS' files, no function in the shared lib makes direct disk access
to the Pandora files (except for the R/W functions of those files, of course).


Pan_PassList related functions :

 - Pan_Extract_NDS(...) extracts all NDS objects of type USER which *have* a
                        hash in the .NDS files                        

 - Pan_Extract_Bindery(...) extracts all NDS objects of type BINDERY which
                            *have* a hash in the NDS files (ex. SUPERVISOR)

 - Pan_PassList_read(...) reads the content of a physical PassList file into a
                          Pan_PassList structure. The structure need Not be
                          initialized (mem alloc) before the call.

 - Pan_PassList_write(...) writes the content of a PassList starting from a
                           given pointer in the list, if the given file name
                           already exists, the file is overwritten.                           


Pan_PassHack related functions :

 - Pan_PassHack_read(...) reads the content of of physical PassHack record
                          into a PassHack structure.

 - Pan_PassHack_write(...) writes the content of a PassHack structure in a
                           given file (if exists, is overwritten)


If you have compiled your program and the libraries with -DBIG_ENDIAN switch
because you have a big endian processor, you can still use and exchange
Pandora files produced on little endian platforms, conversion is taken care
of automatically.

For return codes see Apendix A.

-----------------------------<Files Functions>-------------------------------
 /* Read/Write the NDS related information */

 /* Usage : err=Pan_Convert("f:\system\")
 convert BACKUP.DS in ENTRY.NDS, VALUE.NDS, PARTITIO.NDS, BLOCK.NDS
 return an error if a problem occured, .DS/.NDS files in specified dir by
 the path parameter. Closing back-slash is required, current directory is
 specified by : ".\"
 */

 int Pan_Convert_DS(char *path);

 /* Usage : err=Pan_Extract_NDS(&pPassList,"f:\nds\")
 return an error if a problem occured, read NDS information from the .NDS
 files in the specified dir; the chained records are stored in pPassList,
 the last record has 'next==NULL'. The same rules applies for the path
 parameter as in Pan_Convert_DS(...).
 */

 int Pan_Extract_NDS(Pan_PassList *pPassList, char *path);

 /* Usage : err=Pan_Extract_Bindery(&pPassList,"f:\nds\")
 return an error if a problem occured, read Bindery information from the .NDS
 files in the specified dir; the chained records are stored in pPassList,
 the last record has 'next==NULL'. The same rules applies for the path
 parameter as in Pan_Convert_DS(...).
 */

 int Pan_Extract_Bindery(Pan_PassList *pPassList, char *path);


 /* Pandora files I/O */

 /* Usage : err=Pan_PassList_read("PASSNAME.EXT",&pPassList)
 Read and copy the records in a PASSLIST file to Pan_PassList structure.
 The Pan_PassList structure (pPassList) need not be initialized.
 */

 int Pan_PassList_read(char *readfile,Pan_PassList *pPassList);

 /* Usage : err=Pan_PassList_write("PASSNAME.NDS",pPassList)
 Writes the content of a Pan_PassList structure to a PASSLIST file.
 The last 'PassList' record in the list MUST have 'next=NULL'.
 */

 int Pan_PassList_write(char *writefile,Pan_PassList pPassList);

 /* Usage : err=Pan_PassHack_read("WHATEVER.EXT",&pPassHack)
 Read and copy the record of a PASSHACK file to Pan_PassHack structure.
 */

 int Pan_PassHack_read(char *readfile,Pan_PassHack *pPassHack);

 /* Usage : err=Pan_PassHack_write("WHATEVER.EXT",&pPassHack)
 Writes the content of a Pan_PassHack structure to a PASSLIST file record.
 */

 int Pan_PassHack_write(char *writefile,Pan_PassHack *pPassHack);
-------------------------------------><---------------------------------------


_VI_    The hash and the pendulum. Pan_hash.h

Novell private hash routine was a glorious attempt to build a proprietary
algorithm that was meant to provide all sorts of tricks : a secure way to
store passwords, a secure algorithm to wrap new cyphers with old cyphers when
changing password and a non-trivial yet fast random-like generator (for packet
signature for instance). The algorithm provided all of the above, but yet
wasn't exempt, due to its concept or implementation, of serious weakness
some we try to exploit here. For a more detailed discussion on the core
algorithm see crypto.txt.

Although Novell has introduced RSA in Netware 4.xx as part of the
authentification scheme, many games can still be played using old bindery
calls, and yet the core algorithm for hash generation remains the same.

Five routines are provided here, two for password hacking and three for hash
generation.

Pan_Brute_Force(...) will attempt to recover someone's password given his
hash and object ID by testing all possible passwords in a given test range.
Note that due to the hashing algorithm, we do not make use of lower-case
caracters (and this makes me wonder how possibly Novell can advertise the use
both lower-case and upper-case caracters as a security improvement to your
password secrecy, see : http://www.novell.com/products/nds/hacks2.html).
Since we use a fast-hash generator, lengh of password to recover canno't
exeed 16 caracters.

Pan_Dict_Attack(...) this routine also attempts to recover a password given
a user's object ID and hash, by testing the hash against all words of a
determined lengh in a 'dictionary' file. This routine also make use of the
fast-hash generator, thus lengh of password to recover canno't exeed 16
caracters.

Pan_Hash_Gen(...) this routine permit to generate a password hash given the
clear-text password and the user's object ID. The routine accepts passwords
up to the maximum legal lengh : 128 caracters.

Pan_Challenge_Response(...) this routine, given a Login Key and a user's
password, computes the resulting Challenge Response. The password can be
given either plaintext with the user's object ID or pre-processed as the
password hash. This routine is used whenever a password must be transmitted
over the wire to a Netware server.  For details on the Challenge Response
scheme see the Netware Hack FAQ.

Pan_3hash_cipher(...) this routine is used when changing a password : the user
old password hash (16bytes) is cut in two halves (8bytes) and each halves is
processed in a mathematical function such as :
 Func(old-pass-half1,new-pass-half1)=cipher-half1;
 Func(old-pass-half2,new-pass-half2)=cipher-half2;
So that when both cipher-halves are transmited, the server can process :
 Reverse-Func(cipher-half1,old-pass-half1)=new-pass-half1;
 Reverse-Func(cipher-half2,old-pass-half2)=new-pass-half2;
It looks like a simple XOR Func could do the trick, but Novell used a complex
algorithm, probably so that nothing could be deducted knowing the cipher and
the new password hash alone.

They are a few more algorithms used by Netware servers, keep tuned ...

For return codes see Apendix A.

------------------------------<Hash Functions>--------------------------------
 /* Password Hacking */

 /* Usage : err=Pan_Brute_Force(&pPassHack,PAN_ASCII,&retpw,"RESTORE.PAN");
 The first argument is the pPassHack structure that MUST contain valid
 values for the following :

  objectID, object ID of user
  0< pwlen <=16, lengh of password to generate (brute force only lengh<=16)
  pw_first, the 'seed' password to start the brute force with

 If pw_last is not set, it is given the value of pw_first[0] thus ensuring
 that we try all possible combination for that given password lengh.

 The second argument allows to 'segment' the brute force by telling how many
 attempts the routine should perform, regardless of pPassHack settings,
 before the brute-force routine returns to the calling program. Once
 returned the brute force can be restored transparently since the last
 attempt is stored in pw_current. This permits to give a status on the brute
 force on a regular basis, and to fine tune how often things should be saved
 to disk for instance.

 The third parameter will contain the real password if found. It is not
 required to initialize it (memory alloc), but it should be freed after use.

 The last parameter is the "limit" in the word-list for the brute force,
 the word list being :
 ************************************************************************
 * ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,./<>?;':\"[]{}`~!@#$%^&*()_-+=| *
 ************************************************************************
 for instance if we're doing a brute force that pwlen=5, pw_first=AAAAA,
 pw_current=<not set>, pw_last=Z and brute force range is ALPHANUMERIC,
 the first attempt will be AAAAA and the last possible attempt is Z9999.

 Finally the return value here may be other things than errors : if it
 contains (NULL) password was found, -105 if not found, -106 if time to save
 (parameter two 'maxtry' reached).
 */

 #define PAN_ASCII 25
 #define PAN_ALPHANUM 35
 #define PAN_KEYSPACE 66
 int Pan_Brute_Force(Pan_PassHack *pPassHack,
                     int maxtry,
                     char **retpw,
                     uint32 limit
                    );

 /* Usage : err=Pan_Dict_Attack(&pPassHack,&retpw,dict);
 The first argument is the pPassHack structure that MUST contain valid
 values for the following :

  objectID, object ID of user
  0< pwlen <=16, lengh of password to try from dictionary, since we use the
                 same fast-hash test as in the brute force, lengh is limited
                 to 16 characters.

 The second parameter will contain the real password if found. It is not
 required to initialize it (memory alloc), but it should be freed after use.

 The last argument is the dictionary file to read from, if no path is
 specified, current directory is assumed.

 If the return value is (NULL) the password was found.
 */

 int Pan_Dict_Attack(Pan_PassHack *pPassHack,char **retpw,char *readfile);


 /* Password Generation */

 /* Usage : err=Pan_Hash_Gen(&pPassHack);
 The argument is the pPassHack structure that MUST contain valid values for
 the following :

  objectID, object ID of user
  0<= pwlen <=128, lengh of password in pw_first (netware max lengh : 128)
  pw_first, password to hash for the specified objectID

 If the hash generation was succesfull, (NULL) is returned and
 pPassHack.hash holds the password's hash.
 */

 int Pan_Hash_Gen(Pan_PassHack *pPassHack);

 /* Usage : err=Pan_Challenge_Response(&pPassHack,TRUE,&logkey,&dst);
 The first argument is the pPassHack structure that MUST contain valid values
 for the following :

  objectID, object ID of user

  |If argument two is FASLE
  | 0<= pwlen <=128, lengh of password in pw_first (netware max lengh : 128)
  | pw_first, password to use to generate hash for the specified objectID
  OR
  |If argument two is TRUE
  | hash, the hash to use for that objectID

 The third argument is the login key returned by the server, which is used to
 generate the second hash from the first hash.

 That second hash, which is the challenge response, is stored in the fourth
 argument, a uint8 [8]. If no problem occured, the return value is (NULL).
 */

 int Pan_Challenge_Response
  (Pan_PassHack *Info,int hash_known,uint8 *logkey, uint8 *dst);

 /* Usage : err=Pan_3hash_cipher(oldcipher,newcipher,newcipher);
 oldcrpw : current password hash
 newcrpw : new password hash
 cipherpw : the returned cipher such as reverse-func(cipher,oldcrpw)=newcrpw
 */
 int Pan_3hash_cipher(uint8 *oldcrpw,uint8 *newcrpw,uint8 *cipherpw);

-------------------------------------><---------------------------------------


_VII_   Netware, Bravo, do you copy ? Pan_com.h

In Networking Software, there is obviously Network ;-) And many funny tricks
can be build over the wire. The routines presented here gives a crude but
working interface to your progams for the following : sending packet-level
information (allows spoofing), sending NCP requests/replies, connecting to a
Netware server.

At the time this doc is written full IPX send/receive support is in the
process of being implemented.

The programs code released with Pandora gives unvaluable information, that
was collected from the work of many hackers, on the way to communicate with
a Netware server. Sparse but good documentation on how to perform specific
NCP/IPX requests/replies can be found electronically and in specialised
libraries; And for the sake of it, lets briefly describe what a typical NCP
request looks like in a Ethernet 802.3 frame format :

Description                                   bytes     byte order
-----------------------------------------|------------|------------
>802.3 frame header<                     |            |
                                         |            |
 MAC adress of dest. (router/server)     |  0  -> 5   |   Normal
 MAC adress of origin (station)          |  6  -> 11  |   Normal
 Physical lengh of packet (end-14)       |  12 -> 13  |   Reversed
                                         |            |
>Internetwork Packet Exchange<           |            |
                                         |            |
 Checksum (0xffff=no checksum)           |  14 -> 15  |   ??
 Packet total lengh (=Physical lengh-1)  |  16 -> 17  |   Reversed
 Hop count (nb of routers btw org/serv)  |  18        |   Normal
 Packet type (=0x11 is NCP, 0x17 is NDS) |  19        |   Normal
 Destination IPX net (server net)        |  20 -> 23  |   Normal
 Destination IPX adress (server adress)  |  24 -> 29  |   Normal
 Destination socket (=0x0451 is NCP)     |  30 -> 31  |   Normal
 Originator IPX net                      |  32 -> 35  |   Normal
 Originator IPX adress                   |  36 -> 41  |   Normal
 Originator socket  (=0x40?? usually)    |  42 -> 43  |   Normal
                                         |            |
>NCP request/reply header<               |            |
                                         |            |
 Request type (=0x2222 req./=0x3333 rep.)|  44 -> 45  |   Normal
 Sequence num (+1 each for req., 0<->255)|  46        |   Normal
 Connection number LOW                   |  47        |   N/A
 Task number (for internal use of org.)  |  48        |   Normal
 Connection number HIGH (0 if conn.<255) |  49        |   N/A
 Function code (=0x68 IPX/=other NCP ??) |  50        |   Normal
                                         |            |
---------------------Ex. if Function code is NCP-------------------
                                         |            |
>NCP data<                               |            |
                                         |            |
 Subfunction lengh (0x0001 usually)      |  51 -> 52  |   Normal
 Subfunction code (action to perform)    |  53        |   Normal
 Data (if exists)                        |  54 ->end_1|   Usually
                                         |            |    reversed
---------------------Ex. if Function code is IPX-------------------
                                         |            |
>IPX data<                               |            |
                                         |            |
 Request (=0x02 is fragmented req./rep.) |  51        |   Normal
 Fragment handle (=0xffffffff if null)   |  52 -> 55  |   ??
 Max frag. size (=0x02020000 usually)    |  56 -> 59  |   Reversed
 Total data lengh (incl. all frag.)      |  60 -> 63  |   Reversed
 Fragment flag (=0x00000000 if null)     |  64 -> 67  |   ??
 Verb number (action to perform)         |  68 -> 71  |   Reversed
 Reply buffer size (=0x00000000 if null) |  72 -> 75  |   Reversed
 Data (if exists)                        |  76 ->end_1|   Usually
                                         |            |    reversed
-------------------------------------------------------------------
                                         |            |
>Packet signature<                       |            |
                                         |            |
 If signature is level_1 Wild-Pad        |end_1 -> end|
 0xffffffffffffffff is accepted          |end=end_1+7 |
 If signature is level_2 or higher       |  (8 bytes) |
 real signature is base on user hash     |            |


The function you want to use to send packet like this is : Pan_NCP_Spoof(...)
of course, other type than NCP packet can be sent and you're not obliged to
spoof your adress, but the name was kinda cool ;-) This function is only
available if you have installed a packet driver on interrupt 0x60, don't
forget the '-n' switch if you use Novell 802.3 frame format.

If you need to send a regular NCP request/reply, use Pan_NCP_Transmit(...),
examples to use Pan_NCP_Transmit(...) can be found inside the Pandora code,
the "function code" to call is the first parameter, the second parameter is
the data to send (seen above as >NCP data< or >IPX data<).

A function called Pan_NCP_connect(...) is also provided to connect to a
Netware server (although you could do it through the appropriate call with
Pan_NCP_transmit(...)).

Our aim here is not to describe all possible NCP/IPX packets that can be
generated. Just be aware that for NCP, Function code+Subfunction code defines
the request, for IPX, Request+Verb number defines the request. As you have
noticed, IPX requests are encapsulated in NCP headers, this is probably due
to the fact that NCP stuff existed on Netware servers before IPX which was
later used for requests that had to be spread over multiple packets.

Below is a list of well none NCP Function/Subfunction codes, this list is NOT
exhaustive and dosen't include IPX requests. Detailed parameters for most of
these function calls can be found in the NCP interrup list document at :
http://www.tsu.ru/~eugene/netware/archive/index.html

NCP call description                                   Function     Subfunc.
                                                       (hex)        (hex)
----------------------------------------------------------------------------
ABORT SERVICING QUEUE JOB AND FILE                   | 17         | 84
ABORT SERVICING QUEUE JOB AND FILE OLD               | 17         | 73
ADD AUDIT PROPERTY                                   | 58         | 02
ADD BINDERY OBJECT TO SET                            | 17         | 41
ADD TRUSTEE SET TO NS ENTRY                          | 57         | 0A
ADD TRUSTEE TO DIRECTORY                             | 16         | 0D
AFP ALLOC TEMPORARY DIR HANDLE                       | 23         | 0B
AFP CREATE DIRECTORY                                 | 23         | 01
AFP CREATE FILE                                      | 23         | 02
AFP DELETE                                           | 23         | 03
AFP GET ENTRY ID FROM NAME                           | 23         | 04
AFP GET ENTRY ID FROM NETWARE HANDLE                 | 23         | 06
AFP GET ENTRY ID FROM PATH NAME                      | 23         | 0C
AFP GET FILE INFORMATION                             | 23         | 05
AFP OPEN FILE FORK                                   | 23         | 08
AFP RENAME                                           | 23         | 07
AFP SCAN FILE INFORMATION                            | 23         | 0A
AFP SET FILE INFORMATION                             | 23         | 09
AFP 20 CREATE DIRECTORY                              | 23         | 0D
AFP 20 CREATE FILE                                   | 23         | 0E
AFP 20 GET DOS NAME ENTRY ID                         | 23         | 12
AFP 20 GET FILE                                      | 23         | 0F
AFP 20 GET MACINTOSH INFO ON DELETED FILE            | 23         | 13
AFP 20 SCAN FILE INFORMATION                         | 23         | 11
AFP 20 SET FILE INFORMATION                          | 23         | 10
ALLOCATE PERMANENT DIRECTORY HANDLE                  | 16         | 12
ALLOCATE RESOURCE                                    | 0F         | 00
ALLOCATE SPECIAL TEMPORARY DIRECTORY HANDLE          | 16         | 16
ALLOCATE TEMP NS DIR HANDLE                          | 57         | 0C
ALLOCATE TEMPORARY DIRECTORY HANDLE                  | 16         | 13
ALLOW TASK ACCESS TO FILE                            | 4E         | 00
ATTACH QUEUE SERVER TO QUEUE                         | 17         | 6F
BROADCAST TO CONSOLE                                 | 15         | 09
CHANGE AUDIT LEVEL TWO PASSWORD                      | 58         | 12
CHANGE AUDITOR PASSWORD                              | 58         | 04
CHANGE BINDERY OBJECT PASSWORD                       | 17         | 40
CHANGE BINDERY OBJECT PASSWORD ENCRYPTED             | 17         | 4B
CHANGE BINDERY OBJECT SECURITY                       | 17         | 38
CHANGE CONNECTION STATE                              | 17         | 1D
CHANGE PROPERTY SECURITY                             | 17         | 3B
CHANGE QUEUE JOB ENTRY                               | 17         | 7B
CHANGE QUEUE JOB ENTRY OLD                           | 17         | 6D
CHANGE QUEUE JOB POSITION                            | 17         | 7C
CHANGE QUEUE JOB POSITION OLD                        | 17         | 6E
CHANGE QUEUE JOB PRIORITY                            | 17         | 82
CHANGE TO CLIENT RIGHTS                              | 17         | 85
CHANGE TO CLIENT RIGHTS OLD                          | 17         | 74
CHANGE USER PASSWORD                                 | 17         | 01
CHECK AUDIT ACCESS                                   | 58         | 05
CHECK AUDIT LEVEL TWO ACCESS                         | 58         | 16
CHECK CONSOLE PRIVILEGES                             | 17         | C8
CHECK PIPE STATUS                                    | 15         | 08
CLEAR CONNECTION NUMBER                              | 17         | FE
CLEAR CONNECTION NUMBER OLD                          | 17         | D2
CLEAR FILE                                           | 07         | 00
CLEAR FILE SET                                       | 08         | 00
CLEAR LOGICAL RECORD                                 | 0B         | 00
CLEAR LOGICAL RECORD SET                             | 0E         | 00
CLEAR PHYSICAL RECORD                                | 1E         | 00
CLEAR PHYSICAL RECORD SET                            | 1F         | 00
CLEAR VOLUME RESTRICTIONS                            | 16         | 22
CLOSE AND QUEUE CAPTURE FILE                         | 11         | 01
CLOSE BINDERY                                        | 17         | 44
CLOSE EXTENDED ATTRIBUTE HANDLE                      | 56         | 01
CLOSE FILE AND START JOB QUEUE                       | 17         | 7F
CLOSE FILE AND START JOB QUEUE OLD                   | 17         | 69
CLOSE MESSAGE PIPE                                   | 15         | 07
CLOSE OLD AUDITING FILE                              | 58         | 14
CLOSE SEMAPHORE OLD                                  | 20         | 04
CLOSE SEMAPHORE                                      | 6F         | 04
COMMIT FILE                                          | 3B         | 00
CONVERT PATH TO DIRECTORY ENTRY                      | 17         | F4
CREATE BINDERY OBJECT                                | 17         | 32
CREATE DIRECTORY                                     | 16         | 0A
CREATE NEW FILE                                      | 4D         | 00
CREATE PROPERTY                                      | 17         | 39
CREATE QUEUE                                         | 17         | 64
CREATE QUEUE JOB AND FILE                            | 17         | 79
CREATE QUEUE JOB AND FILE OLD                        | 17         | 68
DEALLOCATE DIRECTORY HANDLE                          | 16         | 14
DEALLOCATE RESOURCE                                  | 10         | 00
DELETE BINDERY OBJECT                                | 17         | 33
DELETE BINDERY OBJECT FROM SET                       | 17         | 42
DELETE DIRECTORY                                     | 16         | 0B
DELETE NS ENTRY                                      | 57         | 08
DELETE OLD AUDITING FILE                             | 58         | 15
DELETE OLD AUDITING FILE 2                           | 58         | 1A
DELETE PROPERTY                                      | 17         | 3A
DELETE TRUSTEE                                       | 16         | 2B
DELETE TRUSTEE FROM DIRECTORY                        | 16         | 0E
DELETE TRUSTEE SET FROM NS ENTRY                     | 57         | 0B
DESTROY QUEUE                                        | 17         | 65
DETACH QUEUE SERVER FROM QUEUE                       | 17         | 70
DISABLE AUDITING ON VOLUME                           | 58         | 07
DISABLE STATION BROADCASTS                           | 15         | 02
DISABLE FILE SERVER LOGIN                            | 17         | CB
DISABLE TRANSACTION TRACKING                         | 17         | CF
DOWN FILE SERVER                                     | 17         | D3
DS CHANGE AUDIT LEVEL TWO PASSWORD                   | 68         | D7
DS CHANGE AUDITOR PASSWORD                           | 68         | CB
DS CHANGE OBJECT AUDITED                             | 68         | DD
DS CHECK AUDIT ACCESS                                | 68         | CC
DS CHECK AUDIT LEVEL TWO ACCESS                      | 68         | DB
DS CHECK OBJECT AUDITED                              | 68         | DC
DS CLOSE FRAGMENT                                    | 68         | 03
DS CLOSE OLD AUDITING FILE                           | 68         | D9
DS DELETE OLD AUDITING FILE                          | 68         | DA
DS DELETE OLD AUDITING FILE 2                        | 68         | E1
DS DISABLE AUDITING ON CONTAINER                     | 68         | CE
DS ENABLE AUDITING ON CONTAINER                      | 68         | CF
DS GET AUDIT FILE LIST                               | 68         | DE
DS GET AUDITING FLAGS                                | 68         | D8
DS GET DS STATISTICS                                 | 68         | 06
DS GET CONTAINER AUDIT STATUS                        | 68         | C8
DS INIT AUDIT FILE READ                              | 68         | DF
DS LOGIN AS CONTAINER AUDITOR                        | 68         | CA
DS LOGOUT AS CONTAINER AUDITOR                       | 68         | D3
DS MONITOR CONNECTION                                | 68         | 05
DS PING FOR NDS NCP                                  | 68         | 01
DS READ AUDIT CONFIG HEADER                          | 68         | D1
DS READ AUDITING FILE                                | 68         | D2
DS READ AUDITING FILE 2                              | 68         | E0
DS READ AUDITING FILES                               | 68         | 15
DS RELOAD                                            | 68         | 08
DS RESET AUDIT HISTORY FILE                          | 68         | D5
DS RESET AUDITING FILE                               | 68         | D4
DS RESET DS COUNTERS                                 | 68         | 07
DS RETURN BINDERY CONTEXT                            | 68         | 04
DS SEND FRAGMENTED REQUEST REPLY                     | 68         | 02
DS SET AUDIT PASSWORD                                | 68         | E5
DS WRITE AUDIT CONFIG HEADER                         | 68         | D6
DUPLICATE EXTENDED ATTRIBUTE                         | 56         | 05
ENABLE AUDITING ON VOLUME                            | 58         | 08
ENABLE STATION BROADCASTS                            | 15         | 03
ENABLE FILE SERVER LOGIN                             | 17         | CC
ENABLE TRANSACTION TRACKING                          | 17         | D0
END OF JOB                                           | 18         | 00 
ENTER LOGIN AREA                                     | 17         | 0A
ENUMERATE EXTENDED ATTRIBUTE                         | 56         | 04
ERASE FILES                                          | 44         | 00
EXAMINE SEMAPHORE OLD                                | 20         | 01
EXAMINE SEMAPHORE                                    | 6F         | 01
FILE CLOSE                                           | 42         | 00
FILE COMMIT                                          | 3D         | 00
FILE COPY                                            | 4A         | 00 
FILE CREATE                                          | 43         | 00
FILE DM REQUEST                                      | 5A         | 96
FILE OPEN                                            | 41         | 00
FILE READ                                            | 48         | 00
FILE RELEASE LOCK                                    | 02         | 00
FILE RENAME                                          | 45         | 00 
FILE SEARCH CONTINUE                                 | 3F         | 00
FILE SEARCH INITIALIZE                               | 3E         | 00 
FILE SET LOCK                                        | 01         | 00
FILE WRITE                                           | 49         | 00
FILL NAME SPACE BUFFER                               | 16         | 2F
FINISH SERVICING QUEUE JOB AND FILE                  | 17         | 83
FINISH SERVICING QUEUE JOB AND FILE OLD              | 17         | 72
GET ACCOUNT STATUS                                   | 17         | 96
GET ACTIVE CONNECTION LIST BY TYPE                   | 7B         | 0E
GET ACTIVE LAN BOARD LIST                            | 7B         | 14
GET ACTIVE PROTOCOL STACKS                           | 7B         | 28
GET AUDIT FILE LIST                                  | 58         | 17
GET AUDITING FLAGS                                   | 58         | 13
GET BIG PACKET NCP MAX PACKET SIZE                   | 61         | 00
GET BINDERY ACCESS LEVEL                             | 17         | 46
GET BINDERY OBJECT ACCESS LEVEL                      | 17         | 48
GET BINDERY OBJECT DISK SPACE LEFT                   | 17         | E6
GET BINDERY OBJECT ID                                | 17         | 35
GET BINDERY OBJECT NAME                              | 17         | 36
GET BROADCAST MESSAGE                                | 15         | 01
GET BROADCAST MESSAGE EX                             | 15         | 0B
GET CACHE INFORMATION                                | 7B         | 01
GET CONNECTION LIST FROM OBJECT                      | 17         | 1F
GET CONNECTION OPEN FILES                            | 17         | EB
GET CONNECTION OPEN FILES OLD                        | 17         | DB
GET CONNECTION SEMAPHORES                            | 17         | F1
GET CONNECTION SEMAPHORES OLD                        | 17         | E1
GET CONNECTION TASK INFORMATION                      | 17         | EA
GET CONNECTION TASK INFORMATION OLD                  | 17         | DA
GET CONNECTION USAGE STATISTICS                      | 17         | E5
GET CONNECTIONS USING A FILE                         | 17         | EC
GET CONNECTIONS USING A FILE OLD                     | 17         | DC
GET CPU INFORMATION                                  | 7B         | 08
GET DIR ENTRY                                        | 16         | 1F
GET DIR INFO                                         | 16         | 2D
GET DIRECTORY BASE                                   | 57         | 16
GET DIRECTORY CACHE INFORMATION                      | 7B         | 0C
GET DIRECTORY PATH                                   | 16         | 01
GET DISK CACHE STATISTICS                            | 17         | D6
GET DISK CHANNEL STATISTICS                          | 17         | D9
GET DISK UTILIZATION                                 | 17         | 0E
GET DM INFO                                          | 5A         | 01
GET DM FILE INFO                                     | 5A         | 81
GET DM STATUS INFO                                   | 5A         | 83
GET DM SUPPORT MODULE INFO                           | 5A         | 84
GET DRIVE MAPPING TABLE                              | 17         | D7
GET EFFECTIVE DIRECTORY RIGHTS                       | 16         | 03
GET EFFECTIVE NS DIRECTORY RIGHTS                    | 57         | 1D
GET EFFECTIVE RIGHTS                                 | 16         | 2A
GET ENCRYPTION KEY                                   | 17         | 17
GET EXTENDED VOLUME INFO                             | 16         | 33
GET FILE BIT MAP                                     | 55         | 00
GET FILE SERVER DATE AND TIME                        | 14         | 00 
GET FILE SERVER DESCRIPTION STRINGS                  | 17         | C9
GET FILE SERVER INFORMATION                          | 17         | 11
GET FILE SERVER INFORMATION EX                       | 7B         | 02
GET FILE SERVER LAN IO STATISTICS                    | 17         | E7
GET FILE SERVER LOGIN STATUS                         | 17         | CD
GET FILE SERVER MISC INFORMATION                     | 17         | E8
GET FILE SIZE                                        | 47         | 00 
GET FILE SYSTEM STATISTICS                           | 17         | D4
GET GARBAGE COLLECTION INFORMATION                   | 7B         | 07
GET GENERAL ROUTER AND SAP INFORMATION               | 7B         | 32
GET INTERNET ADDRESS                                 | 17         | 1A
GET INTERNET ADDRESS OLD                             | 17         | 13
GET IPX SPX INFORMATION                              | 7B         | 06
GET KNOWN NETWORKS INFORMATION                       | 7B         | 35
GET KNOWN SERVERS INFORMATION                        | 7B         | 38
GET LAN COMMON COUNTERS INFORMATION                  | 7B         | 16
GET LAN CONFIG STRINGS                               | 7B         | 18
GET LAN CONFIGURATION INFORMATION                    | 7B         | 15
GET LAN CUSTOM COUNTERS INFORMATION                  | 7B         | 17
GET LAN DRIVER CONFIGURATION INFORMATION             | 17         | E3
GET LOADED MEDIA NUMBER LIST                         | 7B         | 2F
GET LOGICAL RECORD INFORMATION                       | 17         | F0
GET LOGICAL RECORD INFORMATION OLD                   | 17         | E0
GET LOGICAL RECORDS BY CONNECTION                    | 17         | EF
GET LOGICAL RECORDS BY CONNECTION OLD                | 17         | DF
GET LSL INFORMATION                                  | 7B         | 19
GET LSL LOGICAL BOARD STATISTICS                     | 7B         | 1A
GET MEDIA MANAGER OBJECT CHILDREN LIST               | 7B         | 20
GET MEDIA MANAGER OBJECT INFORMATION                 | 7B         | 1E
GET MEDIA MANAGER OBJECT LIST                        | 7B         | 1F
GET MEDIA NAME BY MEDIA NUMBER                       | 7B         | 2E
GET MEMBER SET OF GROUP                              | 17         | 09
GET NAME SPACE ENTRY                                 | 16         | 30
GET NCP EXTENSION INFO                               | 24         | 05
GET NCP EXTENSIONS LIST                              | 24         | 04
GET NETWARE FILE SYSTEMS INFORMATION                 | 7B         | 03
GET NETWORK ROUTER INFORMATION                       | 7B         | 33
GET NETWORK ROUTERS INFORMATION                      | 7B         | 34
GET NETWORK SERIAL NUMBER                            | 17         | 12
GET NLM INFORMATION                                  | 7B         | 0B
GET NLM LOADED LIST                                  | 7B         | 0A
GET NLMS RESOURCE TAG LIST                           | 7B         | 0F
GET NS DIR HANDLE PATH                               | 57         | 15
GET NS ENTRY INFO                                    | 57         | 06
GET NS INFO FORMAT                                   | 57         | 17
GET NS LOADED LIST                                   | 57         | 18
GET NS PATH                                          | 57         | 1C
GET NUMBER NCP EXTENSIONS                            | 24         | 03
GET OBJECT CONNECTION NUMBERS                        | 17         | 1B
GET OBJECT CONNECTION NUMBERS OLD                    | 17         | 15
GET OBJECT DISK RESTRICTIONS                         | 16         | 29
GET OBJECT EFFECTIVE RIGHTS                          | 16         | 32
GET OS VERSION INFORMATION                           | 7B         | 0D
GET PACKET BURST INFORMATION                         | 7B         | 05
GET PATH FROM DIRECTORY BASE                         | 17         | F3
GET PATH FROM DIRECTORY ENTRY                        | 16         | 1A
GET PERSONAL MESSAGE                                 | 15         | 05
GET PHYSICAL DISK STATISTICS                         | 17         | D8
GET PHYSICAL RECORD LOCKS BY CONNECTION AND FILE     | 17         | ED
GET PHYSICAL RECORD LOCKS BY CONNECTION AND FILE OLD | 17         | DD
GET PHYSICAL RECORD LOCKS BY FILE                    | 17         | EE
GET PHYSICAL RECORD LOCKS BY FILE OLD                | 17         | DE
GET PRINTER QUEUE                                    | 11         | 0A
GET PRINTER STATUS                                   | 11         | 06
GET PROTOCOL STACK CONFIGURATION INFORMATION         | 7B         | 29
GET PROTOCOL STACK CUSTOM INFORMATION                | 7B         | 2B
GET PROTOCOL STACK NUMBERS BY LAN BOARD NUMBER       | 7B         | 2D
GET PROTOCOL STACK NUMBERS BY MEDIA NUMBER           | 7B         | 2C
GET PROTOCOL STACK STATISTICS INFORMATION            | 7B         | 2A
GET QUEUE JOB LIST                                   | 17         | 81
GET QUEUE JOB LIST OLD                               | 17         | 6B
GET QUEUE JOB FILE SIZE                              | 17         | 87
GET QUEUE JOB FILE SIZE OLD                          | 17         | 78
GET QUEUE JOBS FROM LIST                             | 17         | 89
GET REFERENCE COUNT FROM DIRECTORY HANDLE            | 5A         | 0B
GET REFERENCE COUNT FROM DIRECTORY NUMBER            | 5A         | 0A
GET RELATIONOF AN OBJECT                             | 17         | 4C
GET SEMAPHORE INFORMATION                            | 17         | F2
GET SEMAPHORE INFORMATION OLD                        | 17         | E2
GET SERVER INFORMATION                               | 7B         | 36
GET SERVER SET CATEGORIES                            | 7B         | 3D
GET SERVER SET COMMANDS INFORMATION                  | 7B         | 3C
GET SERVER SOURCES INFORMATION                       | 7B         | 37
GET SET VOLUME DM STATUS                             | 5A         | 86
GET SPOOL QUEUE ENTRY                                | 11         | 04
GET STATION NUMBER                                   | 13         | 00
GET STATION LOGGED INFORMATION                       | 17         | 1C
GET STATION LOGGED INFORMATION OLD                   | 17         | 16
GET STATION LOGGED INFORMATION EX                    | 17         | 05
GET USER INFORMATION                                 | 7B         | 04
GET UTC TIME                                         | 72         | 01
GET VOLUME AUDIT STATISTICS                          | 58         | 01
GET VOLUME DM STATUS                                 | 5A         | 82
GET VOLUME INFO WITH HANDLE                          | 16         | 15
GET VOLUME INFO WITH NUMBER                          | 12         | 00
GET VOLUME INFORMATION                               | 17         | E9
GET VOLUME INFORMATION BY LEVEL                      | 7B         | 22
GET VOLUME NAME                                      | 16         | 06
GET VOLUME NUMBER                                    | 16         | 05
GET VOLUME SEGMENT LIST                              | 7B         | 21
GET VOLUME SWITCH INFORMATION                        | 7B         | 09
GET VOLUME USAGE                                     | 16         | 2C
INIT AUDIT FILE READ                                 | 58         | 18
INITIALIZE NS SCAN                                   | 57         | 02
IS BINDERY OBJECT IN SET                             | 17         | 43
IS STATION A MANAGER                                 | 17         | 49
IS USER AUDITED                                      | 58         | 09
LOCK FILE SET OLD                                    | 04         | 00
LOCK FILE SET                                        | 6A         | 00 
LOCK LOGICAL RECORD SET OLD                          | 0A         | 00
LOCK LOGICAL RECORD SET                              | 6C         | 00
LOCK PHYSICAL RECORD SET OLD                         | 1B         | 00
LOCK PHYSICAL RECORD SET                             | 6E         | 00
LOG FILE OLD                                         | 03         | 00
LOG FILE                                             | 69         | 00
LOG LOGICAL RECORD OLD                               | 09         | 00
LOG LOGICAL RECORD                                   | 6B         | 00
LOG NETWORK MESSAGE                                  | 17         | 0D
LOG PHYSICAL RECORD OLD                              | 1A         | 00
LOG PHYSICAL RECORD                                  | 6D         | 00
LOGIN AS VOLUME AUDITOR                              | 58         | 03
LOGIN OBJECT                                         | 17         | 14
LOGIN OBJECT ENCRYPTED                               | 17         | 18
LOGIN USER OBJECT                                    | 17         | 00
LOGOUT                                               | 19         | 00 
LOGOUT AS VOLUME AUDITOR                             | 58         | 0D
MAP DIRECTORY NUMBER TO PATH                         | 16         | F3
MAP GROUP NAME TO NUMBER                             | 17         | 07
MAP NUMBER TO GROUP NAME                             | 17         | 08
MAP NUMBER TO USER NAME                              | 17         | 04
MAP USER NAME TO NUMBER                              | 17         | 03
MAP USER TO STATION SET                              | 17         | 02
MODIFY MAXIMUM RIGHTS MASK                           | 16         | 04
MOVE ENTRY                                           | 16         | 2E
MOVE FILE FROM DM                                    | 5A         | 85
MOVE FILE TO DM                                      | 5A         | 80
MOVE QUEUE JOB                                       | 17         | 88
NEGOTIATE BUFFER                                     | 21         | 00
OPEN BINDERY                                         | 17         | 45
OPEN CREATE FILE                                     | 54         | 00
OPEN CREATE NS ENTRY                                 | 57         | 01
OPEN CREATE NS FILE OR DIRECTORY                     | 57         | 1E
OPEN DATA STREAM                                     | 16         | 31
OPEN FILE                                            | 4C         | 00
OPEN MESSAGE PIPE                                    | 15         | 06
OPEN SEMAPHORE OLD                                   | 20         | 00
OPEN SEMAPHORE                                       | 6F         | 00
PACKET BURST CONNECTION REQUEST                      | 65         | 00 
PURGE ALL ERASED FILES                               | 17         | CE
PURGE ERASED FILES                                   | 16         | 10
PURGE NS SALVAGEABLE FILE                            | 57         | 12
PURGE SALVAGEABLE FILE                               | 16         | 1D
READ AUDIT CONFIG HEADER                             | 58         | 0B
READ AUDITING BIT MAP                                | 58         | 0A
READ AUDITING FILE                                   | 58         | 0C
READ AUDITING FILE 2                                 | 58         | 19
READ EXTENDED ATTRIBUTE                              | 56         | 03
READ EXTENDED NS INFO                                | 57         | 1A
READ NS INFO                                         | 57         | 13
READ PROPERTY VALUE                                  | 17         | 3D
READ QUEUE CURRENT STATUS                            | 17         | 7D
READ QUEUE CURRENT STATUS OLD                        | 17         | 66
READ QUEUE JOB ENTRY                                 | 17         | 7A
READ QUEUE JOB ENTRY OLD                             | 17         | 6C
READ QUEUE SERVER CURRENT STATUS                     | 17         | 86
READ QUEUE SERVER CURRENT STATUS OLD                 | 17         | 76
RECOVER NS SALVAGEABLE FILE                          | 57         | 11
RECOVER SALVAGEABLE FILE                             | 16         | 1C
RELEASE A RESOURCE                                   | 17         | FC
RELEASE FILE                                         | 05         | 00
RELEASE FILE SET                                     | 06         | 00
RELEASE LOGICAL RECORD                               | 0C         | 00
RELEASE LOGICAL RECORD SET                           | 0D         | 00
RELEASE PHYSICAL RECORD                              | 1C         | 00
RELEASE PHYSICAL RECORD SET                          | 1D         | 00
REMOVE AUDIT PROPERTY                                | 58         | 06
REMOVE ENTRY FROM SPOOL QUEUE                        | 11         | 05
REMOVE JOB FROM QUEUE                                | 17         | 80
REMOVE JOB FROM QUEUE OLD                            | 17         | 6A
RENAME BINDERY OBJECT                                | 17         | 34
RENAME DIRECTORY                                     | 16         | 0F
RENAME NS ENTRY                                      | 57         | 04
RESET AUDIT HISTORY FILE                             | 58         | 0F
RESET AUDITING FILE                                  | 58         | 0E
RESTART VOLUME AUDITING                              | 58         | 1E
RESTORE DIRECTORY HANDLE                             | 16         | 18
RESTORE ERASED FILE                                  | 16         | 11
RESTORE QUEUE SERVER RIGHTS                          | 17         | 75
SAVE DIRECTORY HANDLE                                | 16         | 17
SCAN BINDERY OBJECT                                  | 17         | 37
SCAN BINDERY OBJECT TRUSTEE PATHS                    | 17         | 47
SCAN DIR ENTRY                                       | 16         | 1E
SCAN DIR RESTRICTIONS                                | 16         | 23
SCAN DIRECTORY FOR TRUSTEES                          | 16         | 0C
SCAN DIRECTORY INFORMATION                           | 16         | 02
SCAN ENTRY FOR TRUSTEES                              | 16         | 26
SCAN FILE INFORMATION                                | 17         | 0F
SCAN FILE PHYSICAL                                   | 16         | 28
SCAN NCP EXTENSIONS                                  | 24         | 00
SCAN NCP EXTENSIONS BY NAME                          | 24         | 02
SCAN NS ENTRY FOR TRUSTEES                           | 57         | 05
SCAN NS ENTRY INFO                                   | 57         | 03
SCAN NS NEXT SET                                     | 57         | 14
SCAN NS SALVAGEABLE FILES                            | 57         | 10
SCAN PROPERTY                                        | 17         | 3C
SCAN SALVAGEABLE FILES                               | 16         | 1B
SCAN VOLUME FOR RESTRICTIONS                         | 16         | 20
SEARCH FILE                                          | 40         | 00
SEND BROADCAST MESSAGE                               | 15         | 00
SEND BROADCAST MESSAGE EX                            | 15         | 0A
SEND CONSOLE BROADCAST                               | 17         | FD
SEND CONSOLE BROADCAST OLD                           | 17         | D1
SEND PERSONAL MESSAGE                                | 15         | 04
SEND REMOTE CONSOLE OPERATION                        | 83         | ??
SERVICE QUEUE JOB AND OPEN FILE OLD                  | 17         | 71
SERVICE QUEUE JOB LIST                               | 17         | 8A
SET AUDIT PASSWORD                                   | 58         | 1F
SET COMP FILE SIZE                                   | 5A         | 0C
SET DIR RESTRICTION                                  | 16         | 24
SET DIRECTORY HANDLE                                 | 16         | 00
SET DIRECTORY INFORMATION                            | 16         | 19
SET ENTRY                                            | 16         | 25
SET EXTENDED FILE ATTRIBUTES                         | 4F         | 00
SET FILE ATTRIBUTES                                  | 46         | 00
SET FILE INFORMATION                                 | 17         | 10
SET FILE SERVER DATE AND TIME                        | 17         | CA
SET FILE TIME AND DATE                               | 4B         | 00
SET NS ENTRY DOS INFO                                | 57         | 07
SET QUEUE CURRENT STATUS                             | 17         | 7E
SET QUEUE CURRENT STATUS OLD                         | 17         | 67
SET QUEUE SERVER CURRENT STATUS                      | 17         | 77
SET SPOOL FLAGS                                      | 11         | 02
SET TEMP NS DIR HANDLE                               | 57         | 09
SET TRUSTEE                                          | 16         | 27
SET VOLUME RESTRICTIONS                              | 16         | 21
SET WATCHDOG DELAY INTERVAL                          | 17         | 1E
SIGNAL SEMAPHORE OLD                                 | 20         | 03
SIGNAL SEMAPHORE                                     | 6F         | 03
SPECIFY CAPTURE FILE                                 | 11         | 09
SPOOL DATA TO A CAPTURE FILE                         | 11         | 00
SPOOL EXISTING FILE                                  | 11         | 03
SUBMIT ACCOUNT CHARGE                                | 17         | 97
SUBMIT ACCOUNT HOLD                                  | 17         | 98
SUBMIT ACCOUNT NOTE                                  | 17         | 99
SYNCHRONIZE SCHEMA                                   | 27         | 00
TTS ABORT TRANSACTION                                | 22         | 03
TTS BEGIN TRANSACTION                                | 22         | 01
TTS END TRANSACTION                                  | 22         | 02
TTS GET APPLICATION THRESHOLDS                       | 22         | 05
TTS GET CONTROL FLAGS                                | 22         | 09
TTS GET STATISTICS                                   | 17         | D5
TTS GET WORKSTATION THRESHOLDS                       | 22         | 07
TTS IS AVAILABLE                                     | 22         | 00
TTS SET APPLICATION THRESHOLDS                       | 22         | 06
TTS SET CONTROL FLAGS                                | 22         | 0A
TTS SET WORKSTATION THRESHOLDS                       | 22         | 08
TTS TRANSACTION STATUS                               | 22         | 04
VERIFY BINDERY OBJECT PASSWORD                       | 17         | 3F
VERIFY BINDERY OBJECT PASSWORD ENCRYPTED             | 17         | 4A
VERIFY NETWORK SERIAL NUMBER                         | 17         | 0C
WAIT ON SEMAPHORE OLD                                | 20         | 02
WAIT ON SEMAPHORE                                    | 6F         | 02
WRITE AUDIT CONFIG HEADER                            | 58         | 11
WRITE AUDITING BIT MAP                               | 58         | 10
WRITE EXTENDED ATTRIBUTE                             | 56         | 02
WRITE EXTENDED NS INFO                               | 57         | 1B
WRITE NS INFO                                        | 57         | 19
WRITE PROPERTY VALUE                                 | 17         | 3E

Again, our aim here is NOT to recode Client32, however a (very little)
library of usefull NCP calls can be found under the "exploit" directory, look
for the file "panrcp.h"; besides the ncpfs project (ncpfs-2.0.0) for Linux
already provides a GNU port of Netware Client.

This listing wouldn't be complete without the return code list of Netware
severs. This list was ripped off the "Netware C library" manual by Adrian
Cunnelly (adrian@amcsoft.demon.co.uk), whose "Netware C library" shareware
version is available on the SimTel site, check for netclb35.zip.

ͻ
Hex Meaning                           Hex Meaning                        
͹
00h Action Successful                 9Ah Renaming Across Volumes        
    Server Not In Use                 9Bh Bad Directory Handle           
    TTS Not Available                 9Ch Invalid Path                   
01h Server In Use                         No more Trustees               
    Semaphore Overflow                9Dh No More Directory Handles      
    TTS Available                     9Eh Invalid Filename               
02h DOS File Not Found                9Fh Directory Active               
03h DOS Path Not Found                A0h Directory Not Empty            
04h DOS Too Many Open Files           A1h Directory IO Error             
05h DOS Access Denied                 A2h Read File With Record Locked   
06h DOS Invalid File Handle           BBh No Netware shell loaded        
07h DOS Memory Blocks Destroyed       C0h No Account Privileges          
08h DOS Insufficient Memory           C1h Login Denied -                 
09h DOS Invalid Memory Block Address      No Account Balance             
0Ah DOS Invalid Environment           C2h Account Credit limit Exceeded  
0Bh DOS Invalid Format                    Login Denied - No credit       
0Ch DOS Invalid Access Code           C3h Account - Too many Holds       
0Dh DOS Invalid Data                  C5h Intruder Detection Lock        
0Fh DOS Invalid Drive Specified       C6h Not Console Operator           
10h DOS Attempt To Delete Current Dir D0h Queue Error                    
11h DOS Not Same Device               D1h No Queue                       
12h DOS No More Files                 D2h No Queue Server                
20h DOS Sharing Violation             D3h No Queue Rights                
21h DOS Lock Violation                D4h Queue Full                     
80h File In User Error                D5h No Queue Job                   
81h No More File Handles              D6h No Job Rights                  
82h No Open Privileges                D7h Password Not Unique            
83h IO Error Network Disk                 Queue Servicing                
84h No Create Privileges              D8h Password Too Short             
85h No Delete Privileges                  Queue Not Active               
86h Create File Exists Read Only      D9h Login Denied - No connection   
87h Wild Cards in Create File Name        Station Not Server             
88h Invalid File Handle               DAh Unauthorized login time -      
89h No Search Privileges                  Queue Halted                   
8Ah No Delete Privileges              DBh Unauthorized login station -   
8Bh No Rename Privileges                  Max Queue Servers              
8Ch No Modify Privileges              DCh Account Disabled               
8Dh Some Files Affected In Use        DEh Password has expired - No Grace
8Eh No Files Affected In Use          DFh Password has expired           
8Fh Some Files Affected Read Only     E8h Not Item Property -            
90h No Files Affected Read Only           Write Property to Group        
91h Some Files Renamed - Name Exists  E9h Member Already Exists          
92h No Files Renamed - Name Exists    EAh No Such Member                 
93h No Read Privileges                EBh Not Group Property             
94h No Write Privileges or Read Only  ECh No Such Segment                
95h File Detached                     EDh Property Already Exists        
96h Server Out Of Memory              EEh Object Already Exists          
    Out Of Dynamic Workspace          EFh Invalid Name                   
97h No Disk Space for Spool File      F0h Wild Card Not Allowed          
98h Volume Does Not Exist             F1h Invalid Bindery Security       
99h Directory Full                    F2h No Object Read Privilege       
ͼ

ͻ
Hex Meaning                           Hex Meaning                        
͹
F3h No Object Rename Privilege        FFh Bad Printer Error              
F4h No Object Delete Privilege            Bad Record Offset              
F5h No Object Create Privilege            Close FCB Error                
F6h No Property Delete Privilege          File Extension Error           
    Not Same Local Drive                  File Name Error                
F7h No Property Create Privilege          Hardware Failure               
    Target Drive Not Local                Invalid Drive Number           
F8h Already Attached To Server            Invalid Initial Semaphore Value
    No Property Write Privilege           Invalid Semaphore Handle       
    Not Attached To Server                IO Bound Error                 
F9h No Free Connection Slots              No Files Found Error           
    No Property Read Privilege            No Response From Server        
FAh No More Server Slots                  No Such Object                 
    Temporary Remap Error                 Bad Password                   
FBh Invalid Parameters                    Path Not Locatable             
    No Such Property                      Queue Full Error               
    Unknown Request                       Request Not Outstanding        
FCh Unknown File Server                   Transaction Not Yet Written    
    Message Queue Full                    No More Matching Files         
    No Such Object                        Bindery Failure                
FDh Bad Station Number                    Explicit Transaction Active    
    Unknown Request                       No Explicit Transaction Active 
    Field Already Locked                  No Record Found                
    TTS Disabled                          Output Buffer Full             
FEh Bindery Locked                                                       
    Directory Locked                                                     
    Invalid Semaphore Name Length                                        
    Server Bindery Locked                                                
    Spool Directory Error                                                
    Supervisor has disabled login                                        
    Timeout Failure                                                      
    Transaction ends Record Lock                                         
    Implicit Transaction Active                                          
ͼ


And we're only talking 'Offical NCP calls' here, so just imagine if you add
undocumented stuff and NDS/IPX specific calls... Anyway, here are the
communication API :

-------------------------<Communication Functions>----------------------------
 /* Connect and Transmit NCP requests */

 /* Usage : ret=Pan_NCP_connect(server);
 'server' is the file server number ?? setting server to 0 connects you
 to the default server. The value returned if negative is a Pandora API
 error, otherwise it's the ax value see table above.
 */

 int Pan_NCP_connect(int socket);

 /* Usage : ret=Pan_NCP_transmit(function,request,r_lengh,answer,a_lengh);
 Use this to transmit an NCP packet via Novell Driver, parameters :

 - func is the NCP Function code (subfunc. is located in request data);
 - req is a pointer on a bloc of bytes (uint8) containing the request data
   (subfunc., ...);
 - rlengh is the lengh of the request data pointed by req;
 - ans is a pointer on an initialized bloc of bytes (uint8) which will
   contain the answer from the server to the request (if any);
 - alengh is the lengh of the expected returned data.

 The value returned if negative is a Pandora API error, otherwise it's the
 ax register value see NCP error table.
 */

 int Pan_NCP_transmit(int func,uint8 *req,int rlengh,uint8 *ans,int alengh);

 /* Usage : ret=Pan_NCP_spoof(packet,lengh);
 This function requires a packet driver on interrupt 0x60, and permits to
 send fully customized packets (Network and Transport layer). Parameters :

 - packet is a pointer on a bloc of bytes (uint8) containing the data to send;
 - packlengh if the Total Physical Lengh of packet (Network and Transport);

 This code is experimental : it works but will be replaced by something more
 elaborate and more "compatible" ...
 */

 int Pan_NCP_spoof(uint8 *packet,int packlengh);
-------------------------------------><---------------------------------------


_A_     Appendix A : error codes

Return code   Description
------------------------------------------------------------------------------
(NULL)      | Operation successfull
-100        | Password lengh exeed maximum (16 chars for Brute_Force & Dict_)
            |                              (128 chars for Hash_Gen)
-101        | pw_first/pw_last mismatch
-102        | pw_current/pw_last mismatch
-103        | pw_first contains unauthorized chars OR pw_first/pwlen mismatch
-104        | pw_current contains unauthorized chs OR pw_curr./pwlen mismatch
-105        | Password not found (see Hash functions)
-106        | Maxtry reached (see Hash functions)
-107        | Hash is unknown
            |
-200        | Error opening .NDS/.DS files
-201        | Out of memory
-202        | Out of DOS memory
-203        | NDS needs repair : cross reference encountered
            |
-300        | Error opening file (Pandora/.NDS)
-301        | File read/write failure OR invalid file


_B_     Appendix B : physical file structures

For an explanation of the .NDS file structure see Inside.txt.

The two following structures are the physical equivalent to Pan_PassHack
(<-> PASSHACK) and Pan_PassList (<-> PASSLIST). We decided the use of uint8[]
blocs, this permits to write all numbers in the form of ASCII strings, thus
bypassing any Endian problem and platform dependant data representation.
Also note that all fields are multiples of 4 in bytes lengh, this is done for
the same reasons. It's ugly but effective, yet we're open to suggestions...

----------------------------<Physical Structures>-----------------------------
typedef struct passlist
{
 uint8 bind[8];         /* Type of bindery object in little-endian format */
 uint8 id[8];           /* Object ID from ENTRY */
 uint8 parentID[8];     /* Parent ID */
 uint8 objectID[8];     /* Object ID from Private Key */
 uint8 pwlen_known[8];  /* TRUE or FALSE */
 uint8 pwlen[8];        /* Real password length of user account */
 uint8 pwhash_known[8]; /* TRUE or FALSE */
 uint8 hash[16];        /* Real one-way hash of the user's password */
 uint8 userOU[40];      /* OU of User in unicode format */
 uint8 userCN[258];     /* User common name in unicode format */
} PASSLIST; /* size=370 */

typedef struct passhack
{
 uint8 bind[8];         /* Type of bindery object in little-endian format */
 uint8 id[8];           /* Object ID from ENTRY */
 uint8 parentID[8];     /* Parent ID */
 uint8 objectID[8];     /* Object ID from Private Key */
 uint8 pwlen[8];        /* Lengh of password currently tested */
  uint8 pw_first[128];   /* Password used to initialize the hack */
 uint8 pw_current[128]; /* Password used when restoring a hack */
 uint8 pw_last[4];      /* Limit for pw_current[0] */
 uint8 hash[16];        /* One-way hash, if set to 0 => unknown */
 uint8 userOU[40];      /* OU of User in unicode format*/
 uint8 userCN[258];     /* User common name in unicode format */
} PASSHACK; /* size=614 */
-------------------------------------><---------------------------------------


A final word. You are very welcome and encouraged to contribute to the
project; Moreover, since this is GNU licensed, it is courteous ( if not
required ;-) ) to notify us with any changes you make to or tools you build
with the Pandora API.

Happy Coding !

                         (c) Nomad Mobile Research Center
                                   www.nmrc.org

