				Pandora Toolbox API
			 (c) Nomad Mobile Research Center
				   www.nmrc.org


_I_     What is all this about ?
_II_    Credits
_III_   Pandora API architecture
_IV_    The mother of all : Pan_glob.h
_V_     Ripped off ! Pan_file.h
_VI_    The hash and the pendulum. Pan_hash.h
_VII_   Netware, Bravo, do you copy ? Pan_com.h

_A_     Appendix A : error codes
_B_     Appendix B : physical file structures


_I_ What is all this about ?

	Project Pandora was developed by o O O Simple Nomad O O o at the
	NMRC to hack Novell's premier product : Netware NDS. The project
	initially permitted dictionary attacks and brute force attacks on
	password hashes extracted from the NDS. Then more attacks were
	added, involving Netware Core Protocol, and it became clear that
	an API was needed to reduce the redundancy in the code, facilitate
	algorithm improvements, expand the project and permit others to
	share the fun...


_II_ Credits

This API was made possible thanks to the work of many, which was carefully
gathered and assembled here. Therefore the NMRC team, Imnsho - Jitsu-Disk -
Knobster - Simple Nomad - Up-uat, wishes to thank the following people for
their (sometimes unconscious) contributions...

		   o O O Special Thanks O O o

      DJ Delorie [www.delorie.com] [GNU C DOS Compiler]
 Vincenzo Morello [volftp.tin.it/italiani/MORELLO/index_e.htm] [MGUI GUI lib]
  Rainer Schnitker [www.mathematik.uni-bielefeld.de/~rainer/] [RSX Win32 C]

		       o O O Eleete O O o

			  Greg Miller
			     Itsme

		   o O O Ideas & Support  O O o

			    Al Grant
			    Denis. L
			     gOObER
			   Richard. P
			      Rx2
			 Thomas Lackner
		    Netware Hack Mailing List

		   o O O Cryptography O O o

			   TheRuiner
		     
		     o O O NCP Insight O O o

			 Adrian Cunnelly
		  Eugene Ilchenko & Igor Gusev
			  Fauzan Mirza
		       Sven B. Schreiber

	       o O O Linux Novell GNU Client O O o

			 Volker Lendecke
			
	       o O O Low level IPX/DOS coding O O o

		       John R. McCawley III
			 Cap'n Hardgeus
			  Hotwarez LLC

	       o O O Packet Driver For  NT/95 O O o

			   The L0Pht
			   Weld Pond
			     Mudge
			  Piero Viano

		      o O O C00lness O O o

			      Tan
			   Gary Hein
			   Gabe Nault


_III_ Pandora API architecture

The Pandora API is fully written in C code using the free GNU compiler. It
supports big and little endian platforms, and requires DJGPP free GNU C to
compile under DOS/WIN/OS2 environment (available at www.delorie.com). Since
Pandora rel 4, the API is thread safe and successfully compiles under
most Unices; you only need to define PAN_UNIX in your makefile CFLAGS.

It is built as a set of shared libraries, each of them specialized in a
certain type of attack. As of Pandora v4 release the libraries are :

Pan_file.h : for manipulation of the NDS files and password hash extraction
Pan_hash.h : to play all sorts of crypto games with the hash (and others)
Pan_com.h  : used to communicate on the network using NCP/IPX/Packet transport
	     for DOS only. Sniffing/Spoofing capabilities are built into the
	     GUI code, see PAN_GUI doc for details.

In addition there is a common library which defines the types and routines
common to all shared libraries : Pan_glob.h

Pan_file.h, Pan_hash.h and Pan_com.h are the headers you want to include in
your programs if you need to manipulate NDS/decipher/communicate with netware.
These files are only declaration headers; the source code is located in
the subdirectories associated with them :

main-dir    header file      sub-dir         source files
--------    -----------      -------         ------------
	 |  Pan_file.h |---> p_file  |-----> file_lib.c   (Pandora interface)
	 |                                   file_med.h   (file manipul. code)
	 |                                   file_low.h   (NDS files struct)
	 |
	 |  Pan_hash.h |---> p_hash  |-----> hash_lib.c   (Pandora interface)
	 |                                   hash_med.h   (crypto routines)
	 |                                   hash_low.h   (crypto algo)
 pandora |
	 |  Pan_com.h  |---> p_com   |-----> com_lib.c    (Pandora interface)
	 |                                   com_med.h    (TODO:IPX struct)
	 |                            low  | com_dos.h    (com for DOS only)
	 |                            level| com_lin.h    (TODO:com for LINUX)
	 |
	 |  Pan_glob.h |---> p_glob  |-----> pandora.c    (Pandora structures)
	 |                                   globals.c    (endian & unicode)

In each library we separated the code of the API functions themselves
(Pandora interface) from the routines that API relies upon (_med and _low).
The separation of what is considered "low" level code and "medium" level
code is arbitrary. If this looks a bit tortuous, a glance at a typical
makefile might help ;-)

--------------------------------<makefile>------------------------------------
# this makefile illustrates the use of all libraries in one prog.
# the prog is supposed to be in a directory under which we find the
# "pandora" directory and all its subordinates.

CC       =  gcc  # your favorite compiler
CFLAGS   =  -O3 -funroll-all-loops -fforce-mem # Optimization options

# following declarations will cause the compiler to build the libraries
# if not already compiled
PAN_GLOB   =  pandora\\p_glob\\pandora.o pandora\\p_glob\\globals.o
PAN_HASH   =  pandora\\p_hash\\hash_lib.o
PAN_FILE   =  pandora\\p_file\\file_lib.o
PAN_COM    =  pandora\\p_com\\com_lib.o

# invoking 'make' or 'make myprog' will build nwhack
myprog: nwhack
all: nwhack

# compile rule
.c.o:
	$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@

# your stuff that requires all libraries
nwhack: nwhack.o $(PAN_FILE) $(PAN_HASH) $(PAN_COM) $(PAN_GLOB)
	nwhack.o: nwhack.c

#sample :
#
#myprog: myprog.o [$(__PAN__HEADER_I_USED__) ...] $(PAN_GLOB)
#        myprog.o: myprog.c
#
# this makefile is found in the directory: mydirectory      
# project pandora files are found under mydirectory\pandora
# linking $(PAN_GLOB) is always required since used by all shared lib
-------------------------------------><---------------------------------------


The start of nwhack.c source as you may expect ...

--------------------------------<nwhack.c>------------------------------------
#include "pandora\pan_file.h"
#include "pandora\pan_hash.h"
#include "pandora\pan_com.h"
/* include "pandora\pan_glob.h" not required since already included
   by above shared libraries */
...
------------------------------------><----------------------------------------


Also note that special care was taken to wrap all C headers so you could
include them in C++ progs (if you dare ;-) ).

O.K now you have a pretty good idea of how to build your prog with the Pandora
facility, so let's get into real trouble and see what exactly you can do with
it...

First off we need to talk about Pan_glob.h .


_IV_ The mother of all : Pan_glob.h

Initially project Pandora was designed to extract users info and password
hashes from Novell's NDS files and permit password recovery through brute
force or dictionary attack (see inside.txt).

The info ripped from NDS is saved in a file called PASSWORD.NDS, and the
"save state" of a brute force attempt in RESTORE.PAN, which permits, via
manipulation (manipul8), spreading the attack over multiple computers.

The API offers two memory structures that duplicate the contents of these
files, in order to avoid the boredom of dealing with the physical access in
each program. These structures are also used to pass info to and from the
functions of the API.

Some variables have been added in comparison to v3, so as to take care
(hopefully) of new and future needs. This is a very sensitive part of the
API since any modification renders Pandora files incompatible between two
versions (not meant to be a database) but you could write a prog to
convert the files between the various versions if you really need to.

Since v4 there are also two new structures, different from the ones that deal
with password hashes : one to store "atomic values" from NDS, one to store
live connection information ripped from the servers.

------------------------------<Global Structures>-----------------------------
typedef unsigned char  uint8;   /* one byte */
typedef unsigned short uint16;  /* one 16bit word */
typedef unsigned long  uint32;  /* one 32bit word */
typedef unsigned int   unicode; /* depends on system may be 16 or 32 bit */

typedef struct pan_passlist
{
 uint32                 bind;           /* Bindery type of object */
 uint32                 id;             /* Object ID from ENTRY */
 uint32                 parentID;       /* Parent ID */
 uint32                 objectID;       /* Object ID from Private Key */
 uint32                 pwlen_known;    /* TRUE or FALSE */
 uint32                 pwlen;          /* Password length of user account */
 uint32                 pwhash_known;   /* TRUE or FALSE */
 uint8                  hash[16];       /* One-way hash */
 uint8                  userOU[40];     /* OU of User */
 uint8                  userCN[258];    /* User common name */
 uint8                  password[258];  /* User password */
 struct pan_passlist    *next;
} *Pan_PassList;

typedef struct pan_passhack
{
 uint32 bind;                      /* Bindery type of object */
 uint32 id;                        /* Object ID from ENTRY */
 uint32 parentID;                  /* Parent ID */
 uint32 objectID;                  /* Object ID from Private Key */
 uint32 pwlen;                     /* Password length currently tested */
 uint8  pw_first[128];             /* Passwd used to initialize the hack */
 uint8  pw_current[128];           /* Last attempt saved */
 uint8  pw_last[128];              /* Last attempt to perform */
 uint8  key_space[PAN_KEYSPACE+1]; /* Key space used for brute force */
 uint8  hash[16];                  /* One-way hash if set to 0 => unknown */
 uint8  userOU[40];                /* OU of User */
 uint8  userCN[258];               /* User common name */
} Pan_PassHack;

typedef struct pan_ndsbrowse
{
 uint32                 objectID;        /* Object ID */
 uint32                 parentID;        /* Parent ID */
 uint32                 typeID;          /* Attribute ID */
 uint8                  parentStr[128];  /* Parent String NOT UNICODE */
 uint8                  objectStr[128];  /* Object String NOT UNICODE */
 uint8                  typeStr[128];    /* Object String NOT UNICODE */
 struct pan_ndsbrowse   *next;
} *Pan_NDSBrowse;
/* WTF didn't we keep Unicode shit here since we kept it everywhere else ??
   Just because this memory structure is not meant (or never should be :-) )
   to be dumped to the disk */

typedef struct pan_connections
{
 char                   name[MAXNAMELEN+1];   /* connection name */
 int                    conn_type;            /* server, user, other */
 uint8                  conn_number;          /* connection number */
 uint8                  ipx_net[4];           /* IPX network */
 uint8                  ipx_addr[6];          /* IPX address */
 uint8                  sock_high;            /* socket high */
 uint8                  sock_low;             /* socket low */
 char                   details[512];         /* comment string to store 
					         connection details */
 struct pan_connections *next;
} *Pan_Connections;
------------------------------------><----------------------------------------


Pan_PassList declaration : Pan_PassList pPassList;

All variables are pretty self explanatory, just for the record :

 'bind' contains the bindery type of the object (if it exists) and is stored
	in big endian format since we exclusively use it when communicating
	with a server which requires that format. Here are listed some common
	bindery types, not all types hold a password though :

	Description                 Value             'bind' value
	----------------------------------------------------------
	Unknown                     0                 0x0000
	User                        1                 0x0100
	User Group (container)      2                 0x0200
	Print Queue                 3                 0x0300
	File Server                 4                 0x0400
	Job Server                  5                 0x0500
	Gateway                     6                 0x0600
	Print Server                7                 0x0700
	Archive Queue               8                 0x0800
	Archive Server              9                 0x0900
	Job Queue                   10                0x0a00
	Administration              11                0x0b00
	Remote Bridge Server        38                0x2600
	Advertising Print Server    71                0x4700
	Btrieve Server              75                0x4B00
	RSPCX Server (Rconsole)     263               0x0701
	HP Jet-Printer              780               0x0C03
	Cheyenne ArcServe           1100              0x4c04
	Reserved up to              32768             0x0080
	Wild                        -1                0xffff

        Hence the following "defines" are set in pan_glob.h :
	#define PAN_TYPE_SERVER 0x0400
	#define PAN_TYPE_USER   0X0100
	#define PAN_TYPE_OTHER  0XFFFF

 'pwlen_known' is set to YES when the length of the real password is known.
 'pwhash_known' is set to YES when we know the real hash of a user.
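
The byte order of 'bind' described above, as an added example (not Pandora
source code): it reads a bindery type in wire order, reads the ID fields
byte by byte, and maps the type to the names in the table. It uses
<stdint.h> types because "unsigned long" is 64 bits on most 64-bit Unix
systems. The 16-byte sample layout, the names bind_swap16, bind_type_name,
parse_rec_ids and SAMPLE_REC are assumptions made for this example; the real
file layouts are in Appendix B.

```c
/* Added example, not Pandora source: decode the IDs at the head of a
   Pan_PassList-style record without depending on host byte order. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bindery types from the table above (host-order "Value" column).
   "Reserved up to 32768" is a bound, not a type, so it is left out. */
struct bind_name { uint16_t type; const char *name; };
static const struct bind_name BIND_NAMES[] = {
    {0, "Unknown"}, {1, "User"}, {2, "User Group (container)"},
    {3, "Print Queue"}, {4, "File Server"}, {5, "Job Server"},
    {6, "Gateway"}, {7, "Print Server"}, {8, "Archive Queue"},
    {9, "Archive Server"}, {10, "Job Queue"}, {11, "Administration"},
    {38, "Remote Bridge Server"}, {71, "Advertising Print Server"},
    {75, "Btrieve Server"}, {263, "RSPCX Server (Rconsole)"},
    {780, "HP Jet-Printer"}, {1100, "Cheyenne ArcServe"}, {0xFFFF, "Wild"},
};

/* Byte-wise loads: same result on big and little endian hosts. */
static uint16_t load_be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Converts between the table's "Value" and "'bind' value" columns.
   The swap is its own inverse, so it works in both directions. */
uint16_t bind_swap16(uint16_t n)
{
    return (uint16_t)(((unsigned)n << 8) | ((unsigned)n >> 8));
}

/* Name of a bindery type given in host order. */
const char *bind_type_name(uint16_t type)
{
    size_t i;
    for (i = 0; i < sizeof BIND_NAMES / sizeof BIND_NAMES[0]; i++)
        if (BIND_NAMES[i].type == type)
            return BIND_NAMES[i].name;
    return "(not in table)";
}

struct rec_ids { uint16_t type; uint32_t id, parentID, objectID; };

/* Assumed layout (constructed for this example): bind, id, parentID and
   objectID as four 4-byte fields, 'bind' holding the type in wire order
   in its first two bytes, the other fields little endian.
   Returns 0 on success, -1 if the buffer is missing or too short. */
int parse_rec_ids(const uint8_t *buf, size_t len, struct rec_ids *out)
{
    if (buf == NULL || out == NULL || len < 16)
        return -1;
    out->type     = load_be16(buf);
    out->id       = load_le32(buf + 4);
    out->parentID = load_le32(buf + 8);
    out->objectID = load_le32(buf + 12);
    return 0;
}

/* Constructed sample bytes, not taken from a real PASSWORD.NDS file. */
const uint8_t SAMPLE_REC[16] = {
    0x01, 0x07, 0x00, 0x00,   /* bind: type 263 in wire order, padding */
    0x78, 0x56, 0x34, 0x12,   /* id       = 0x12345678 */
    0x01, 0x00, 0x00, 0x00,   /* parentID = 0x00000001 */
    0xEF, 0xBE, 0xAD, 0xDE,   /* objectID = 0xDEADBEEF */
};

int main(void)
{
    struct rec_ids r;
    if (parse_rec_ids(SAMPLE_REC, sizeof SAMPLE_REC, &r) != 0) {
        fprintf(stderr, "record too short\n");
        return 1;
    }
    printf("type %u (%s), 'bind' value 0x%04x\n", (unsigned)r.type,
           bind_type_name(r.type), (unsigned)bind_swap16(r.type));
    printf("id 0x%08lx parent 0x%08lx object 0x%08lx\n",
           (unsigned long)r.id, (unsigned long)r.parentID,
           (unsigned long)r.objectID);
    return 0;
}
```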

Also you've probably noticed that pPassList is a chained list and therefore
requires memory allocation, and memory release when done, see Global Functions
for this. Adding a new element or searching a new element in the list is very
simple, for illustration check the code in manipul8.c . Here's a simple sketch 
that represents how PASSLIST records are stored in memory :

			 Pan_PassList pPassList;
				    *
				    *
   ---------------------------------------------------------------------
  |        <root>    <first-rec>                   <last-rec>           |
  |                                                                     |
  |        pPassList                                                    |
  |          |       |bind                                              |
  |          |______>|id          |bind                                 |
  |                  |parentID    |id             |                     |
  |                  |objectID    |parentID       |                     |
  |                  |...         |objectID       |                     |
  |                  |next------->|...            |                     |
  |                               |next------->...|                     |
  |                                               |next------->(NULL)   |
  |_____________________________________________________________________|


Pan_PassHack declaration : Pan_PassHack pPassHack;

This is a regular structure. It is used for brute force and for passing info
from function to function; depending on the function you're calling, not all
fields are required. Check Global Functions for passing info from a pointer
on pPassList to a pPassHack structure.

The pw* variables are worthy of a word of explanation :

 'pwlen' contains the password size currently being tested, may it be the
	 real one or not; 'pw_first' and 'pw_current' must be of that size.

 'pw_first' is the initializing password, and is also the "upper-limit" when
	    used in the brute force.

 'pw_current' is the last saved attempt in a brute force and the starting
	      point of a restored brute force. It allows spreading a brute
	      force over multiple computers. 'pw_current' cannot be "before"
	      'pw_first' with regard to the key_space order.

 'pw_last' is the last word to try, it gives the "lower_limit" to
	   pw_current; pw_last has to be of the size of pwlen.

 'key_space' contains the characters to be tried in the brute force attempt.
	     The maximum number of characters to try is 68, each character
	     is different.

 For instance if we're doing a brute force where pwlen=5, pw_first=AAAAA,
 pw_current=<not set>, pw_last=ZZZZZ and key_space is A-Z, the first attempt
 will be AAAAA, the last possible attempt is ZZZZZ and all possible words of
 5 characters length given the alphabet will be tried.


Pan_NDSBrowse declaration : Pan_NDSBrowse pNDSBrowse; 

This structure, similar to Pan_PassList, is designed to receive in each cell
a matching (ParentID,TypeID,ObjectID) set to permit rapid value retrieval from
the NDS. In association with the Parent/Type/Object IDs, we store their
regular name (up to 48 chars) if we can match them.
In other words this structure allows us to save the NDS "back bone" for later
rapid classification and search of values. See the "NDS Browse" feature of
Pandora4 for an illustration.


Pan_Connections declaration : Pan_Connections pConnections;
	      
This structure, similar to Pan_PassList, is designed to store active
connection information useful for later hacks. This includes : name /
connection number / ipx address / opened socket and a comment string for
other info.


Functions to manipulate the structures and do some stuff useful everywhere
are :

-----------------------------<Global Functions>-------------------------------
 /* !!!OUTDATED!!! void printUnicodeName(char *name, int j); */
 /* replaced by a function that converts Unicode to regular string */
 void sprintUnicodeName(char *output,char *name, int j);
 
 /* Make unicode from string. requires the trailing bytes of the string to
    be initialized (set to '\0') */
 void MakeUnicodeName(char *string);

 /* Return error meaning for given error value*/
 char *Pan_error(int number);

 /* Endian conversion routines, for shared lib use. These routines are useful
 in two situations : when sending WORDS over the wire and when dealing with
 little endian/big endian problems.
 */
 uint32 swap_uint32(uint32 n); /* uint32 BIG<->LITTLE Endian */
 uint16 swap_uint16(uint16 n); /* uint16 BIG<->LITTLE Endian */

 /* string to anything and versa */
 uint32 str_to_uint32(uint8 *in); /* string to uint32 */
 uint8 str_to_uint8(char *in); /* string to uint8 */
 void uint32_to_str(uint32 in, uint8 *out); /* uint32 to a string */
 void str_to_hex(const char *in,uint8 *out,int size_string); /* string to hex */

 /* Memory alloc/dealloc routines for the chained lists */

  /* Usage : Pan_X pX=Pan_X_alloc();
     allocates memory for 1 record; to access information use for ex.
     (q being a pointer on the last record) q->next=Pan_PassList_alloc();
  */
     Pan_PassList Pan_PassList_alloc(void);
     Pan_NDSBrowse Pan_NDSBrowse_alloc(void);
     Pan_Connections Pan_Connections_alloc(void);

  /* Usage : Pan_X_free(pX);
     free the memory of a record and all records under it 
  */  
     void Pan_PassList_free(Pan_PassList pPassList);
     void Pan_NDSBrowse_free(Pan_NDSBrowse pNDSBrowse);
     void Pan_Connections_free(Pan_Connections pConnections);

  /*Usage : Pan_PassList_to_PassHack(pPassList,&pPassHack); */
  /* fill a PassHack record with current PassList pointed info */
 void Pan_PassList_to_PassHack(Pan_PassList pPassList,Pan_PassHack *pPassHack);

  /*Usage : PassHack_in_Pan_PassList(&pPassHack,pPassList); */
  /* fill current pointed PassList record with PassHack values */
 void PassHack_in_Pan_PassList(Pan_PassHack *pPassHack,Pan_PassList pPassList);

  /*Usage : PassHack_to_PassHack(&pPassHack,&pPassHack); */
  /* fill current pointed PassHack record with PassHack values */
 void PassHack_to_PassHack(Pan_PassHack *aPassHack,Pan_PassHack *bPassHack);
-------------------------------------><---------------------------------------


As an illustration let's comment a simple routine that reads from a "PASSWORD"
file containing the extracted NDS info, that checks for a specific name, and
finally that stores the matching record in a "PASSHACK" structure :

----------------------------------<Ex_1.c>------------------------------------
/*Some function calls use the Pan_file.h library described below*/

Pan_PassList pPassList,q;
Pan_PassHack pPassHack;

...

 /*read from the PASSWORD file previously built using the NDS files*/
 /*and copy the file into the Pan_PassList chained-list structure*/

 err=Pan_PassList_read("PASSWORD.NDS",&pPassList);
 if (err) {printf("err : %d",err); /*check the return code*/
	   exit(-1);
	  }

 /*check records one after the other until the name is found or the end of*/
 /*the list is reached. We use a temporary pointer so as not to screw up*/
 /*our root-list (pPassList) pointer*/

 for (q=pPassList;q!=NULL;q=q->next)
  {FOUND=TRUE;
   for (i=0;i<strlen(account);i++)
    {t=i*2+6; /*takes care of Unicode format. Skips 'C N = ' */
     /*stop at the first mismatch and never read past the end of userCN*/
     if (t>=sizeof(q->userCN) || account[i]!=q->userCN[t])
      {FOUND=FALSE; break;}
    }
   if (FOUND==TRUE) break;
  }

 /*checks for the result : if q==NULL, we've reached the end of the list*/
 /*without finding what we looked for*/

 if (!q)
  {printf("%s not found in password file.\n",account);
   Pan_PassList_free(pPassList);
   exit(1);
  }

 /*From hereon we won't use the pPassList structure anymore, so we free the*/
 /*memory it's using. The record we found is copied in a Pan_PassHack*/
 /*structure*/

 Pan_PassList_to_PassHack(q,&pPassHack);
 Pan_PassList_free(pPassList);

...
-------------------------------------><---------------------------------------


In addition we set a few global parameters used throughout the project :

-----------------------------<Global Parameters>-------------------------------
/* Type of OS */
#ifdef BIG_ENDIAN
  #define PAN_OS "B"
#else
#ifdef PDP_ENDIAN
  #define PAN_OS "P"
#else
  #define PAN_OS "L"
#endif
#endif

/*
 * Global constants
 */
#define TRUE 1
#define FALSE 0 
#define VERS "Project Pandora v.4"
#define MAX_CHARS 128
#undef  NULL
#define NULL 0

/*
 * Paths and files length depends on the system
 */
#if !defined PAN_UNIX
	#include <sys\stat.h>
	#if defined _MSC_VER || defined __WATCOMC__
		#include <stdlib.h>
		#define MAXPATHLEN	_MAX_PATH
		#define MAXFNAMELEN	_MAX_FNAME
	#else
                #include <dir.h>
                #include <values.h> 
		#ifdef __GO32__
			#define MAXPATHLEN	260
			#define MAXFNAMELEN	64
		#else
			#define MAXPATHLEN	MAXPATH
			#define MAXFNAMELEN	(MAXFILE+MAXEXT)
		#endif
	#endif
	#define EXT		"*.*"
#else
	#include <sys/stat.h>
	#define MAXPATHLEN	128
	#define MAXFNAMELEN	64
	#define EXT		"*"
#endif

#define PAN_ASCII 26
#define PAN_ALPHANUM 36
#define PAN_KEYSPACE 68

#define MAXPASSLEN 128
#define MAXNAMELEN 48
#define MAXNCPREPLYLEN 130
-------------------------------------><---------------------------------------


If you want to develop with the Pandora Toolbox it is essential that you
really master the Pan_glob.h functions and prototypes since the same system
is applied throughout the project. Read the code...

Now that the plot is set, it's about time to see what the shared lib can
really do for us.


_V_ Ripped off ! Pan_file.h

The aim of this library is twofold : extract info from the NDS files and
save&read from the Pandora files. For the first issue check 'inside.txt'.

The Pandora files are of two types : one is a list of all information
extracted from the original NDS files (for instance the physical companion
to Pan_PassList called PASSLIST), and the other represents the "save-state" of
a current "work" in progress (for instance the physical equivalent to
Pan_PassHack called PASSHACK).

When extracting information from the NDS files, data are stored in a
List structure; this list can then be saved to disk. With the
exception of 'Pan_Convert(...)' which converts a BACKUP.DS file into the
original '.NDS' files, no function in the shared lib makes direct disk access
to the Pandora files (except for the R/W functions of those files, of course).


Pan_PassList related functions :

 - Pan_Convert_Auto(...) converts NDS backup files to original NDS files

 - Pan_Extract_Auto(...) extracts all NDS objects of type USER and BINDERY 
			 which *have* a hash in the .NDS/.DSD files                        

 - Pan_GetNDSInfo(...) Store the NDS structure itself
 
 - Pan_GetValueInfo(...) Read a specific value from NDS

 - Pan_PassList_read(...) reads the content of a physical PassList file into a
			  Pan_PassList structure. The structure need Not be
			  initialized (mem alloc) before the call.

 - Pan_PassList_write(...) writes the content of a PassList starting from a
			   given pointer in the list, if the given file name
			   already exists, the file is overwritten.                           


Pan_PassHack related functions :

 - Pan_PassHack_read(...) reads the content of a physical PassHack record
			  into a PassHack structure.

 - Pan_PassHack_write(...) writes the content of a PassHack structure in a
			   given file (if exists, is overwritten)


If you have compiled your program and the libraries with -DBIG_ENDIAN switch
because you have a big endian processor, you can still use and exchange
Pandora files produced on little endian platforms, conversion is taken care
of automatically.

For return codes see Appendix A.

-----------------------------<Files Functions>-------------------------------
/* Read/Write the NDS related information */

 /* path, refers to the path where the file is stored */
 /* file, refers to the file name */
 /* ext,  refers to the file extension */

  /*Usage : err=Pan_Convert_Auto("f:\system\",0)*/
   /* convert Backup.DS */
   /* return an error if a problem occurred, NDS files in specified dir */
   /* ext == "ds" -> .DS file (before SP5 on Nw4) */
   /* ext == "dib" -> .DIB file (after SP5 on Nw4 and used on Nw5) */
 #define Pan_Convert_DS(a) Pan_Convert_Auto(a, "backup.ds", NULL)
 #define Pan_Convert_DIB(a) Pan_Convert_Auto(a, "dsrepair.dib", NULL)
 int Pan_Convert_Auto(char *path,char *file, char *ext);

  /*Usage : err=Pan_Extract(&pPassList,"f:\nds\")*/
   /* return an error if a problem occurred, NDS files in current dir */
   /* chained records in pPassList,last record if : last->next=NULL */
   /* ext == "NDS" -> convert entry.nds, ... */
   /* ext == "DSD" -> convert 1.dsd, ... */
 #define Pan_Extract(a, b) Pan_Extract_Auto(a, b, "NDS")
 int Pan_Extract_Auto(Pan_PassList *pPassList, char *path, char *ext);

 /* retrieve the NDS "back bone" for specified NDS files */
 int Pan_GetNDSInfo(Pan_NDSBrowse *pNDSBrowse, char *path, char *ext);

 /* read in *out, a value set (see "NDS Browse" code in Pandora4) */
 int Pan_GetValueInfo(uint8 **out, uint32 *out_lengh, uint32 *data_lengh,
                      uint32 search_object, uint32 search_attribute,
                      char *path, char *ext);

  /*Usage : err=Pan_PassList_read("PASSNAME.NDS",&pPassList)*/
   /* return an error if a problem occurred */
   /* chained list of records in pPassList */
 int Pan_PassList_read(char *readfile,Pan_PassList *pPassList);

  /*Usage : err=Pan_PassList_write("PASSNAME.NDS",pPassList)*/
   /* return an error if a problem occurred */
   /* The last Password record in the list MUST have last->next=NULL */
 int Pan_PassList_write(char *writefile,Pan_PassList pPassList);

  /*Usage : err=Pan_PassHack_read("WHATEVER.EXT",&pPassHack)*/
   /* return an error if a problem occurred */
 int Pan_PassHack_read(char *readfile,Pan_PassHack *pPassHack);

  /*Usage : err=Pan_PassHack_write("WHATEVER.EXT",&pPassHack)*/
   /* return an error if a problem occurred */
 int Pan_PassHack_write(char *writefile,Pan_PassHack *pPassHack);
-------------------------------------><---------------------------------------


_VI_    The hash and the pendulum. Pan_hash.h

Novell's private hash routine was a glorious attempt to build a proprietary
algorithm that was meant to provide all sorts of tricks : a secure way to
store passwords, a secure algorithm to wrap new ciphers with old ciphers when
changing password and a non-trivial yet fast random-like generator (for packet
signature for instance). The algorithm provided all of the above, yet, due to
its concept or implementation, it wasn't exempt from serious weaknesses, some
of which we try to exploit here. For a more detailed discussion on the core
algorithm see crypto.txt.

Although Novell has introduced RSA in Netware 4.xx as part of the
authentication scheme, many games can still be played using old bindery
calls, and the core algorithm for hash generation remains the same.

Six routines are provided here, three for password hacking and three for hash
generation.

Pan_SBrute_Force(...) will attempt to recover someone's password given his
hash and object ID by testing all possible passwords in a given test range.
Note that due to the hashing algorithm, we do not make use of lower-case
characters (and this makes me wonder how Novell can possibly advertise the
use of both lower-case and upper-case characters as a security improvement to
your password secrecy, see : http://www.novell.com/products/nds/hacks2.html).
Since we use a fast-hash generator, the length of the password to recover
cannot exceed 16 characters.

Pan_Dict_Attack(...) this routine also attempts to recover a password given
a user's object ID and hash, by testing the hash against all words of a
determined length in a 'dictionary' file. This routine also makes use of the
fast-hash generator, thus the length of the password to recover cannot exceed
16 characters.

Pan_Hash_Gen(...) this routine generates a password hash given the
clear-text password and the user's object ID. The routine accepts passwords
up to the maximum legal length : 128 characters.

Pan_Challenge_Response(...) this routine, given a Login Key and a user's
password, computes the resulting Challenge Response. The password can be
given either plaintext with the user's object ID or pre-processed as the
password hash. This routine is used whenever a password must be transmitted
over the wire to a Netware server.  For details on the Challenge Response
scheme see the Netware Hack FAQ.

Pan_3hash_cipher(...) this routine is used when changing a password : the
user's old password hash (16bytes) is cut in two halves (8bytes) and each
half is processed in a mathematical function such as :
 Func(old-pass-half1,new-pass-half1)=cipher-half1;
 Func(old-pass-half2,new-pass-half2)=cipher-half2;
So that when both cipher-halves are transmitted, the server can process :
 Reverse-Func(cipher-half1,old-pass-half1)=new-pass-half1;
 Reverse-Func(cipher-half2,old-pass-half2)=new-pass-half2;
It looks like a simple XOR Func could do the trick, but Novell used a complex
algorithm, probably so that nothing could be deduced knowing the cipher and
the new password hash alone.

Pan_Decipher_RemoteNLM(...) this routine, by courtesy of TheRuiner, will
decipher instantaneously any encrypted remote.nlm password you provide. See
crypt.txt for details.

There are a few more algorithms used by Netware servers, stay tuned ... hehehee
if we manage to get working what is planned for Pandora5, it will be MAJOR...

For return codes see Appendix A.

------------------------------<Hash Functions>--------------------------------
 /* Password Hacking */

 /* Usage : err=Pan_Brute_Force(&pPassHack,PAN_ASCII,&retpw,"RESTORE.PAN");
 The first argument is the pPassHack structure that MUST contain valid
 values for the following :

  objectID, object ID of user
  0< pwlen <=16, length of password to generate (brute force only length<=16)
  pw_first, the 'seed' password to start the brute force with

 If pw_last is not set, it is given the value of pw_first thus ensuring
 that we try all possible combinations for that given password length.

 The second argument allows you to 'segment' the brute force by telling how
 many attempts the routine should perform, regardless of pPassHack settings,
 before the brute-force routine returns to the calling program. Once
 returned the brute force can be restored transparently since the last
 attempt is stored in pw_current. This makes it possible to give a status on
 the brute force on a regular basis, and to fine tune how often things should
 be saved to disk for instance.

 The third parameter will contain the real password if found. It is not
 required to initialize it (memory alloc), but it should be freed after use.

 The last parameter is the "limit" in the word-list for the brute force.

 Finally the return value here may be other things than errors : if it
 contains (NULL) password was found, -105 if not found, -106 if time to save
 (parameter two 'maxtry' reached).
 */
 /* Since we added the ability to customize the key_space, we now have a new
    replacement function : Pan_SBrute_Force, see below 
 */
  /* Usage : err=Pan_SBrute_Force(&pPassHack,PAN_ASCII,&retpw,"RESTORE.PAN",NULL);*/
  /* contains NULL if no error, -105 if not found, -106 if time to save */
  /* if _key_space is not specified, then the maxtry is used along with default set */
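 /* b is not used by this macro. Written as one comma expression so that
    err=Pan_Brute_Force(...) receives the return value of Pan_SBrute_Force */
 #define Pan_Brute_Force(a, b, c, d) \
    (strcpy((a)->key_space,"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,./<>?;':\"[]{}`~!@#$%^&*()_-+=|"), \
     Pan_SBrute_Force((a), (c), (d)))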

 int Pan_SBrute_Force(Pan_PassHack *pPassHack,
                      char **retpw,
                      uint32 limit
                     );

  /*Usage : err=Pan_Dict_Attack(&pPassHack,&retpw,dict);*/
  /*->pwlen:length to try,return:password in retpw or error,readfile:dict*/
 int Pan_Dict_Attack(Pan_PassHack *pPassHack,char **retpw,char *readfile);

  /*Usage : err=Pan_Hash_Gen(&pPassHack);*/
  /*->pw_first:password to use,->pwlen:length,return ->hash or an error*/
 int Pan_Hash_Gen(Pan_PassHack *pPassHack);

  /*Usage : err=Pan_Challenge_Response(&pPassHack,TRUE,&logkey,&dst)*/
  /*Info must contain ObjectID and pw_first for hash_gen if hash_known=FALSE*/
  /*If hash_known=TRUE info must contain ObjectID and hash*/
 int Pan_Challenge_Response
  (Pan_PassHack *Info,int hash_known,uint8 *logkey, uint8 *dst);


  /*Usage : err=Pan_3hash_cipher(oldcipher,newcipher,newcipher)*/
  /*p1[8] : half of current password hash*/
  /*p2[8] : half of new password hash*/
  /*p3[8] : half-pattern such as H(p1,p2)=p3 and F(p1,p3)=p2, H() is Pan_*/
 int Pan_3hash_cipher(uint8 *oldcrpw,uint8 *newcrpw,uint8 *cipherpw);

  /*Usage : err=Pan_Decipher_RemoteNLM(cipher,decipher)*/
  /*cipher contains the ciphered output of remote NLM encryption*/
  /*decipher will contain result, memory must be allocated beforehand*/
 int Pan_Decipher_RemoteNLM(char *cipher, char *decipher);

-------------------------------------><---------------------------------------


_VII_   Netware, Bravo, do you copy ? Pan_com.h

In Networking Software, there is obviously Network ;-) And many funny tricks
can be built over the wire. The routines presented here give a crude but
working interface to your programs for the following : sending packet-level
information (allows spoofing), sending NCP requests/replies, connecting to a
Netware server.

At the time this doc is written full IPX send/receive support is in the
process of being implemented. (well ahem.. we'll use linux IPX support from
now on ;-) ).

Pandora4 is the first and last GUI release for the Wintel platforms. Pandora5
will run on Linux. One of the reasons being the obscure coding and hard
licensing language of Novell 32-bit API. Besides, sniffing and spoofing under
windows is a major pain in the ass. This explains why NCP calls under Pandora4
GUI are served by an "NCP server", DOS based, and independent of all vendors'
APIs. For the sniffing/spoofing we used M.Viano 32 bits packet driver, see the
packet32 directory in the source code.

The program code released with Pandora gives invaluable information, collected
from the work of many hackers, on how to communicate with a Netware server.
Sparse but good documentation on how to perform specific NCP/NDS
requests/replies can be found electronically and in specialised libraries;
and for the sake of it, let's briefly describe what a typical NCP request
looks like in an Ethernet 802.3 frame format :

Description                                   bytes     byte order
-----------------------------------------|------------|------------
>802.3 frame header<                     |            |
					 |            |
 MAC address of dest. (router/server)    |  0  -> 5   |   Normal
 MAC address of origin (station)         |  6  -> 11  |   Normal
 Physical length of packet (end-14)      |  12 -> 13  |   Reversed
					 |            |
>Internetwork Packet Exchange<           |            |
					 |            |
 Checksum (0xffff=no checksum)           |  14 -> 15  |   ??
 Packet total length (=Physical length-1)|  16 -> 17  |   Reversed
 Hop count (nb of routers btw org/serv)  |  18        |   Normal
 Packet type (=0x11 is NCP, 0x17 is NDS) |  19        |   Normal
 Destination IPX net (server net)        |  20 -> 23  |   Normal
 Destination IPX address (server address)|  24 -> 29  |   Normal
 Destination socket (=0x0451 is NCP)     |  30 -> 31  |   Normal
 Originator IPX net                      |  32 -> 35  |   Normal
 Originator IPX address                  |  36 -> 41  |   Normal
 Originator socket  (=0x40?? usually)    |  42 -> 43  |   Normal
					 |            |
>NCP request/reply header<               |            |
					 |            |
 Request type (=0x2222 req./=0x3333 rep.)|  44 -> 45  |   Normal
 Sequence num (+1 each for req., 0<->255)|  46        |   Normal
 Connection number LOW                   |  47        |   N/A
 Task number (for internal use of org.)  |  48        |   Normal
 Connection number HIGH (0 if conn.<255) |  49        |   N/A
 Function code (=0x68 IPX/=other NCP)    |  50        |   Normal
					 |            |
---------------------Ex. if Function code is NCP 0x17---------------
					 |            |
>NCP data<                               |            |
					 |            |
 Reply fragment requested (0x00 usual.)  |  51        |   Normal
 NCP data length from bytes 53           |  52        |   Normal
 Subfunction code (action to perform)    |  53        |   Normal
 Data (if exists)                        |  54 ->end_1|   Usually
					 |            |    reversed
---------------------Ex. if Function code is NCP 0X68 (NDS)---------
					 |            |
>NCP data<                               |            |
					 |            |
 Request (=0x02 is fragmented req./rep.) |  51        |   Normal
 Fragment handle (=0xffffffff if null)   |  52 -> 55  |   ??
 Max frag. size (=0x02020000 usually)    |  56 -> 59  |   Reversed
 Total data length (incl. all frag.)     |  60 -> 63  |   Reversed
 Fragment flag (=0x00000000 if null)     |  64 -> 67  |   ??
 Verb number (action to perform)         |  68 -> 71  |   Reversed
 Reply buffer size (=0x00000000 if null) |  72 -> 75  |   Reversed
 Data (if exists)                        |  76 ->end_1|   Usually
					 |            |    reversed
-------------------------------------------------------------------
					 |            |
>Packet signature<                       |            |
					 |            |
 If signature is level_1 Wild-Pad        |end_1 -> end|
 0xffffffffffffffff is accepted          |end=end_1+7 |
 If signature is level_2 or higher       |  (8 bytes) |
 real signature is based on user hash    |            |


The function you want to use to send packets like this is : Pan_NCP_Spoof(...)
of course, packet types other than NCP can be sent and you're not obliged to
spoof your address, but the name was kinda cool ;-) This function is only
available if you have installed a packet driver on interrupt 0x60, don't
forget the '-n' switch if you use Novell 802.3 frame format.

If you need to send a regular NCP request/reply, use Pan_NCP_Transmit(...),
examples of its use can be found inside the Pandora code, the "function code"
to call is the first parameter, the second parameter is the data to send
(seen above as >NCP data< or >NDS data<). For Win32 sniff and spoof see
packet32 and pandora4-online code.

A function called Pan_NCP_connect(...) is also provided to connect to a
Netware server (although you could do it through the appropriate call with
Pan_NCP_transmit(...)).

Our aim here is not to describe all possible NCP/NDS packets that can be
generated. Just be aware that for NCP, Function code+Subfunction code defines
the request, for NDS, Request+Verb number defines the request. As you have
noticed, NDS requests are encapsulated in NCP headers, this is probably due
to the fact that NCP stuff existed on Netware servers before NDS which was
later used for requests that had to be spread over multiple packets.
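
The frame layout above, as an added example (not Pandora's code): a
bounds-checked C decoder that a monitoring tool could run over captured frames
to extract the connection, Function/Subfunction or Request/Verb, and to report
whether a function 0x17 request carries the level-1 wild-pad signature. It
assumes "Reversed" means least significant byte first and that end_1 is 53
plus the length byte; ncp_parse, ncp_watch_name and the constructed sample
frame are hypothetical names and data, and the watch list uses names and codes
from the list on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets copied from the frame table above (802.3 + IPX + NCP). */
enum {
    OFF_DST_SOCKET = 30, /* "Normal" order: bytes 0x04 0x51 for NCP */
    OFF_REQ_TYPE = 44,   /* 0x2222 request, 0x3333 reply */
    OFF_SEQUENCE = 46, OFF_CONN_LOW = 47, OFF_CONN_HIGH = 49,
    OFF_FUNCTION = 50,
    OFF_NDS_REQ = 51,    /* function 0x68 only */
    OFF_DATA_LEN = 52,   /* function 0x17: length counted from byte 53 */
    OFF_SUBFUNC = 53,
    OFF_NDS_VERB = 68,   /* function 0x68: 4 bytes, "Reversed" */
    OFF_NDS_DATA = 76, SIG_LEN = 8
};

typedef enum { NCP_OK, NCP_TOO_SHORT, NCP_NOT_REQUEST, NCP_BAD_LENGTH } ncp_status;
typedef enum { SIG_UNKNOWN, SIG_ABSENT, SIG_WILDPAD, SIG_REAL } ncp_sig;

typedef struct {
    uint8_t  sequence, function;
    uint16_t connection;   /* HIGH byte << 8 | LOW byte */
    uint8_t  subfunction;  /* valid when function == 0x17 */
    uint8_t  nds_request;  /* valid when function == 0x68 */
    uint32_t nds_verb;     /* valid when function == 0x68 */
    ncp_sig  signature;    /* located only for function 0x17 */
} ncp_info;

/* Decode one captured frame; every read is bounds-checked against len. */
ncp_status ncp_parse(const uint8_t *f, size_t len, ncp_info *out)
{
    static const uint8_t wild[SIG_LEN] = {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};

    memset(out, 0, sizeof *out);
    if (len <= OFF_FUNCTION) return NCP_TOO_SHORT;
    if (f[OFF_DST_SOCKET] != 0x04 || f[OFF_DST_SOCKET + 1] != 0x51 ||
        f[OFF_REQ_TYPE] != 0x22 || f[OFF_REQ_TYPE + 1] != 0x22)
        return NCP_NOT_REQUEST;

    out->sequence   = f[OFF_SEQUENCE];
    out->connection = (uint16_t)((f[OFF_CONN_HIGH] << 8) | f[OFF_CONN_LOW]);
    out->function   = f[OFF_FUNCTION];

    if (out->function == 0x17) {
        if (len <= OFF_SUBFUNC) return NCP_TOO_SHORT;
        /* Assumption: end_1 = 53 + length byte is the first signature byte. */
        size_t end1 = (size_t)OFF_SUBFUNC + f[OFF_DATA_LEN];
        if (f[OFF_DATA_LEN] == 0 || end1 > len) return NCP_BAD_LENGTH;
        out->subfunction = f[OFF_SUBFUNC];
        out->signature = len - end1 < (size_t)SIG_LEN ? SIG_ABSENT /* none, or padding */
                       : memcmp(f + end1, wild, SIG_LEN) == 0 ? SIG_WILDPAD : SIG_REAL;
    } else if (out->function == 0x68) {
        if (len < OFF_NDS_DATA) return NCP_TOO_SHORT;
        out->nds_request = f[OFF_NDS_REQ];
        /* Assumption: "Reversed" means least significant byte first. */
        out->nds_verb = f[OFF_NDS_VERB] | f[OFF_NDS_VERB + 1] << 8 |
                        f[OFF_NDS_VERB + 2] << 16 | (uint32_t)f[OFF_NDS_VERB + 3] << 24;
    }
    return NCP_OK;
}

/* Function 0x17 requests worth an alert; names and codes are from this page's list. */
static const struct { uint8_t sub; const char *name; } watch17[] = {
    {0x40, "CHANGE BINDERY OBJECT PASSWORD"},
    {0x4B, "CHANGE BINDERY OBJECT PASSWORD ENCRYPTED"},
    {0x38, "CHANGE BINDERY OBJECT SECURITY"},
    {0xCB, "DISABLE FILE SERVER LOGIN"},
    {0xD3, "DOWN FILE SERVER"},
    {0xFE, "CLEAR CONNECTION NUMBER"},
};

const char *ncp_watch_name(const ncp_info *i)
{
    if (i->function != 0x17) return NULL;
    for (size_t k = 0; k < sizeof watch17 / sizeof watch17[0]; k++)
        if (watch17[k].sub == i->subfunction) return watch17[k].name;
    return NULL;
}

/* Constructed sample (not a capture): function 0x17, subfunction 0xD3,
   no data bytes, followed by the 8-byte level-1 wild-pad signature. */
static const uint8_t sample[62] = {
    [30] = 0x04, 0x51, [44] = 0x22, 0x22, [46] = 7, [47] = 3,
    [50] = 0x17, [52] = 1, [53] = 0xD3,
    [54] = 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};

int main(void)
{
    ncp_info i;
    if (ncp_parse(sample, sizeof sample, &i) != NCP_OK) return 1;
    printf("conn=%u seq=%u func=%02X sub=%02X sig=%d watch=%s\n",
           i.connection, i.sequence, i.function, i.subfunction,
           (int)i.signature, ncp_watch_name(&i) ? ncp_watch_name(&i) : "-");
    return 0;
}
```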

Below is a list of well-known NCP Function/Subfunction codes, this list is NOT
exhaustive and doesn't include IPX requests. Detailed parameters for most of
these function calls can be found in the NCP interrupt list document at :
http://www.tsu.ru/~eugene/netware/archive/index.html

NCP call description                                   Function     Subfunc.
						       (hex)        (hex)
----------------------------------------------------------------------------
ABORT SERVICING QUEUE JOB AND FILE                   | 17         | 84
ABORT SERVICING QUEUE JOB AND FILE OLD               | 17         | 73
ADD AUDIT PROPERTY                                   | 58         | 02
ADD BINDERY OBJECT TO SET                            | 17         | 41
ADD TRUSTEE SET TO NS ENTRY                          | 57         | 0A
ADD TRUSTEE TO DIRECTORY                             | 16         | 0D
AFP ALLOC TEMPORARY DIR HANDLE                       | 23         | 0B
AFP CREATE DIRECTORY                                 | 23         | 01
AFP CREATE FILE                                      | 23         | 02
AFP DELETE                                           | 23         | 03
AFP GET ENTRY ID FROM NAME                           | 23         | 04
AFP GET ENTRY ID FROM NETWARE HANDLE                 | 23         | 06
AFP GET ENTRY ID FROM PATH NAME                      | 23         | 0C
AFP GET FILE INFORMATION                             | 23         | 05
AFP OPEN FILE FORK                                   | 23         | 08
AFP RENAME                                           | 23         | 07
AFP SCAN FILE INFORMATION                            | 23         | 0A
AFP SET FILE INFORMATION                             | 23         | 09
AFP 20 CREATE DIRECTORY                              | 23         | 0D
AFP 20 CREATE FILE                                   | 23         | 0E
AFP 20 GET DOS NAME ENTRY ID                         | 23         | 12
AFP 20 GET FILE                                      | 23         | 0F
AFP 20 GET MACINTOSH INFO ON DELETED FILE            | 23         | 13
AFP 20 SCAN FILE INFORMATION                         | 23         | 11
AFP 20 SET FILE INFORMATION                          | 23         | 10
ALLOCATE PERMANENT DIRECTORY HANDLE                  | 16         | 12
ALLOCATE RESOURCE                                    | 0F         | 00
ALLOCATE SPECIAL TEMPORARY DIRECTORY HANDLE          | 16         | 16
ALLOCATE TEMP NS DIR HANDLE                          | 57         | 0C
ALLOCATE TEMPORARY DIRECTORY HANDLE                  | 16         | 13
ALLOW TASK ACCESS TO FILE                            | 4E         | 00
ATTACH QUEUE SERVER TO QUEUE                         | 17         | 6F
BROADCAST TO CONSOLE                                 | 15         | 09
CHANGE AUDIT LEVEL TWO PASSWORD                      | 58         | 12
CHANGE AUDITOR PASSWORD                              | 58         | 04
CHANGE BINDERY OBJECT PASSWORD                       | 17         | 40
CHANGE BINDERY OBJECT PASSWORD ENCRYPTED             | 17         | 4B
CHANGE BINDERY OBJECT SECURITY                       | 17         | 38
CHANGE CONNECTION STATE                              | 17         | 1D
CHANGE PROPERTY SECURITY                             | 17         | 3B
CHANGE QUEUE JOB ENTRY                               | 17         | 7B
CHANGE QUEUE JOB ENTRY OLD                           | 17         | 6D
CHANGE QUEUE JOB POSITION                            | 17         | 7C
CHANGE QUEUE JOB POSITION OLD                        | 17         | 6E
CHANGE QUEUE JOB PRIORITY                            | 17         | 82
CHANGE TO CLIENT RIGHTS                              | 17         | 85
CHANGE TO CLIENT RIGHTS OLD                          | 17         | 74
CHANGE USER PASSWORD                                 | 17         | 01
CHECK AUDIT ACCESS                                   | 58         | 05
CHECK AUDIT LEVEL TWO ACCESS                         | 58         | 16
CHECK CONSOLE PRIVILEGES                             | 17         | C8
CHECK PIPE STATUS                                    | 15         | 08
CLEAR CONNECTION NUMBER                              | 17         | FE
CLEAR CONNECTION NUMBER OLD                          | 17         | D2
CLEAR FILE                                           | 07         | 00
CLEAR FILE SET                                       | 08         | 00
CLEAR LOGICAL RECORD                                 | 0B         | 00
CLEAR LOGICAL RECORD SET                             | 0E         | 00
CLEAR PHYSICAL RECORD                                | 1E         | 00
CLEAR PHYSICAL RECORD SET                            | 1F         | 00
CLEAR VOLUME RESTRICTIONS                            | 16         | 22
CLOSE AND QUEUE CAPTURE FILE                         | 11         | 01
CLOSE BINDERY                                        | 17         | 44
CLOSE EXTENDED ATTRIBUTE HANDLE                      | 56         | 01
CLOSE FILE AND START JOB QUEUE                       | 17         | 7F
CLOSE FILE AND START JOB QUEUE OLD                   | 17         | 69
CLOSE MESSAGE PIPE                                   | 15         | 07
CLOSE OLD AUDITING FILE                              | 58         | 14
CLOSE SEMAPHORE OLD                                  | 20         | 04
CLOSE SEMAPHORE                                      | 6F         | 04
COMMIT FILE                                          | 3B         | 00
CONVERT PATH TO DIRECTORY ENTRY                      | 17         | F4
CREATE BINDERY OBJECT                                | 17         | 32
CREATE DIRECTORY                                     | 16         | 0A
CREATE NEW FILE                                      | 4D         | 00
CREATE PROPERTY                                      | 17         | 39
CREATE QUEUE                                         | 17         | 64
CREATE QUEUE JOB AND FILE                            | 17         | 79
CREATE QUEUE JOB AND FILE OLD                        | 17         | 68
DEALLOCATE DIRECTORY HANDLE                          | 16         | 14
DEALLOCATE RESOURCE                                  | 10         | 00
DELETE BINDERY OBJECT                                | 17         | 33
DELETE BINDERY OBJECT FROM SET                       | 17         | 42
DELETE DIRECTORY                                     | 16         | 0B
DELETE NS ENTRY                                      | 57         | 08
DELETE OLD AUDITING FILE                             | 58         | 15
DELETE OLD AUDITING FILE 2                           | 58         | 1A
DELETE PROPERTY                                      | 17         | 3A
DELETE TRUSTEE                                       | 16         | 2B
DELETE TRUSTEE FROM DIRECTORY                        | 16         | 0E
DELETE TRUSTEE SET FROM NS ENTRY                     | 57         | 0B
DESTROY QUEUE                                        | 17         | 65
DETACH QUEUE SERVER FROM QUEUE                       | 17         | 70
DISABLE AUDITING ON VOLUME                           | 58         | 07
DISABLE STATION BROADCASTS                           | 15         | 02
DISABLE FILE SERVER LOGIN                            | 17         | CB
DISABLE TRANSACTION TRACKING                         | 17         | CF
DOWN FILE SERVER                                     | 17         | D3
DS CHANGE AUDIT LEVEL TWO PASSWORD                   | 68         | D7
DS CHANGE AUDITOR PASSWORD                           | 68         | CB
DS CHANGE OBJECT AUDITED                             | 68         | DD
DS CHECK AUDIT ACCESS                                | 68         | CC
DS CHECK AUDIT LEVEL TWO ACCESS                      | 68         | DB
DS CHECK OBJECT AUDITED                              | 68         | DC
DS CLOSE FRAGMENT                                    | 68         | 03
DS CLOSE OLD AUDITING FILE                           | 68         | D9
DS DELETE OLD AUDITING FILE                          | 68         | DA
DS DELETE OLD AUDITING FILE 2                        | 68         | E1
DS DISABLE AUDITING ON CONTAINER                     | 68         | CE
DS ENABLE AUDITING ON CONTAINER                      | 68         | CF
DS GET AUDIT FILE LIST                               | 68         | DE
DS GET AUDITING FLAGS                                | 68         | D8
DS GET DS STATISTICS                                 | 68         | 06
DS GET CONTAINER AUDIT STATUS                        | 68         | C8
DS INIT AUDIT FILE READ                              | 68         | DF
DS LOGIN AS CONTAINER AUDITOR                        | 68         | CA
DS LOGOUT AS CONTAINER AUDITOR                       | 68         | D3
DS MONITOR CONNECTION                                | 68         | 05
DS PING FOR NDS NCP                                  | 68         | 01
DS READ AUDIT CONFIG HEADER                          | 68         | D1
DS READ AUDITING FILE                                | 68         | D2
DS READ AUDITING FILE 2                              | 68         | E0
DS READ AUDITING FILES                               | 68         | 15
DS RELOAD                                            | 68         | 08
DS RESET AUDIT HISTORY FILE                          | 68         | D5
DS RESET AUDITING FILE                               | 68         | D4
DS RESET DS COUNTERS                                 | 68         | 07
DS RETURN BINDERY CONTEXT                            | 68         | 04
DS SEND FRAGMENTED REQUEST REPLY                     | 68         | 02
DS SET AUDIT PASSWORD                                | 68         | E5
DS WRITE AUDIT CONFIG HEADER                         | 68         | D6
DUPLICATE EXTENDED ATTRIBUTE                         | 56         | 05
ENABLE AUDITING ON VOLUME                            | 58         | 08
ENABLE STATION BROADCASTS                            | 15         | 03
ENABLE FILE SERVER LOGIN                             | 17         | CC
ENABLE TRANSACTION TRACKING                          | 17         | D0
END OF JOB                                           | 18         | 00 
ENTER LOGIN AREA                                     | 17         | 0A
ENUMERATE EXTENDED ATTRIBUTE                         | 56         | 04
ERASE FILES                                          | 44         | 00
EXAMINE SEMAPHORE OLD                                | 20         | 01
EXAMINE SEMAPHORE                                    | 6F         | 01
FILE CLOSE                                           | 42         | 00
FILE COMMIT                                          | 3D         | 00
FILE COPY                                            | 4A         | 00 
FILE CREATE                                          | 43         | 00
FILE DM REQUEST                                      | 5A         | 96
FILE OPEN                                            | 41         | 00
FILE READ                                            | 48         | 00
FILE RELEASE LOCK                                    | 02         | 00
FILE RENAME                                          | 45         | 00 
FILE SEARCH CONTINUE                                 | 3F         | 00
FILE SEARCH INITIALIZE                               | 3E         | 00 
FILE SET LOCK                                        | 01         | 00
FILE WRITE                                           | 49         | 00
FILL NAME SPACE BUFFER                               | 16         | 2F
FINISH SERVICING QUEUE JOB AND FILE                  | 17         | 83
FINISH SERVICING QUEUE JOB AND FILE OLD              | 17         | 72
GET ACCOUNT STATUS                                   | 17         | 96
GET ACTIVE CONNECTION LIST BY TYPE                   | 7B         | 0E
GET ACTIVE LAN BOARD LIST                            | 7B         | 14
GET ACTIVE PROTOCOL STACKS                           | 7B         | 28
GET AUDIT FILE LIST                                  | 58         | 17
GET AUDITING FLAGS                                   | 58         | 13
GET BIG PACKET NCP MAX PACKET SIZE                   | 61         | 00
GET BINDERY ACCESS LEVEL                             | 17         | 46
GET BINDERY OBJECT ACCESS LEVEL                      | 17         | 48
GET BINDERY OBJECT DISK SPACE LEFT                   | 17         | E6
GET BINDERY OBJECT ID                                | 17         | 35
GET BINDERY OBJECT NAME                              | 17         | 36
GET BROADCAST MESSAGE                                | 15         | 01
GET BROADCAST MESSAGE EX                             | 15         | 0B
GET CACHE INFORMATION                                | 7B         | 01
GET CONNECTION LIST FROM OBJECT                      | 17         | 1F
GET CONNECTION OPEN FILES                            | 17         | EB
GET CONNECTION OPEN FILES OLD                        | 17         | DB
GET CONNECTION SEMAPHORES                            | 17         | F1
GET CONNECTION SEMAPHORES OLD                        | 17         | E1
GET CONNECTION TASK INFORMATION                      | 17         | EA
GET CONNECTION TASK INFORMATION OLD                  | 17         | DA
GET CONNECTION USAGE STATISTICS                      | 17         | E5
GET CONNECTIONS USING A FILE                         | 17         | EC
GET CONNECTIONS USING A FILE OLD                     | 17         | DC
GET CPU INFORMATION                                  | 7B         | 08
GET DIR ENTRY                                        | 16         | 1F
GET DIR INFO                                         | 16         | 2D
GET DIRECTORY BASE                                   | 57         | 16
GET DIRECTORY CACHE INFORMATION                      | 7B         | 0C
GET DIRECTORY PATH                                   | 16         | 01
GET DISK CACHE STATISTICS                            | 17         | D6
GET DISK CHANNEL STATISTICS                          | 17         | D9
GET DISK UTILIZATION                                 | 17         | 0E
GET DM INFO                                          | 5A         | 01
GET DM FILE INFO                                     | 5A         | 81
GET DM STATUS INFO                                   | 5A         | 83
GET DM SUPPORT MODULE INFO                           | 5A         | 84
GET DRIVE MAPPING TABLE                              | 17         | D7
GET EFFECTIVE DIRECTORY RIGHTS                       | 16         | 03
GET EFFECTIVE NS DIRECTORY RIGHTS                    | 57         | 1D
GET EFFECTIVE RIGHTS                                 | 16         | 2A
GET ENCRYPTION KEY                                   | 17         | 17
GET EXTENDED VOLUME INFO                             | 16         | 33
GET FILE BIT MAP                                     | 55         | 00
GET FILE SERVER DATE AND TIME                        | 14         | 00 
GET FILE SERVER DESCRIPTION STRINGS                  | 17         | C9
GET FILE SERVER INFORMATION                          | 17         | 11
GET FILE SERVER INFORMATION EX                       | 7B         | 02
GET FILE SERVER LAN IO STATISTICS                    | 17         | E7
GET FILE SERVER LOGIN STATUS                         | 17         | CD
GET FILE SERVER MISC INFORMATION                     | 17         | E8
GET FILE SIZE                                        | 47         | 00 
GET FILE SYSTEM STATISTICS                           | 17         | D4
GET GARBAGE COLLECTION INFORMATION                   | 7B         | 07
GET GENERAL ROUTER AND SAP INFORMATION               | 7B         | 32
GET INTERNET ADDRESS                                 | 17         | 1A
GET INTERNET ADDRESS OLD                             | 17         | 13
GET IPX SPX INFORMATION                              | 7B         | 06
GET KNOWN NETWORKS INFORMATION                       | 7B         | 35
GET KNOWN SERVERS INFORMATION                        | 7B         | 38
GET LAN COMMON COUNTERS INFORMATION                  | 7B         | 16
GET LAN CONFIG STRINGS                               | 7B         | 18
GET LAN CONFIGURATION INFORMATION                    | 7B         | 15
GET LAN CUSTOM COUNTERS INFORMATION                  | 7B         | 17
GET LAN DRIVER CONFIGURATION INFORMATION             | 17         | E3
GET LOADED MEDIA NUMBER LIST                         | 7B         | 2F
GET LOGICAL RECORD INFORMATION                       | 17         | F0
GET LOGICAL RECORD INFORMATION OLD                   | 17         | E0
GET LOGICAL RECORDS BY CONNECTION                    | 17         | EF
GET LOGICAL RECORDS BY CONNECTION OLD                | 17         | DF
GET LSL INFORMATION                                  | 7B         | 19
GET LSL LOGICAL BOARD STATISTICS                     | 7B         | 1A
GET MEDIA MANAGER OBJECT CHILDREN LIST               | 7B         | 20
GET MEDIA MANAGER OBJECT INFORMATION                 | 7B         | 1E
GET MEDIA MANAGER OBJECT LIST                        | 7B         | 1F
GET MEDIA NAME BY MEDIA NUMBER                       | 7B         | 2E
GET MEMBER SET OF GROUP                              | 17         | 09
GET NAME SPACE ENTRY                                 | 16         | 30
GET NCP EXTENSION INFO                               | 24         | 05
GET NCP EXTENSIONS LIST                              | 24         | 04
GET NETWARE FILE SYSTEMS INFORMATION                 | 7B         | 03
GET NETWORK ROUTER INFORMATION                       | 7B         | 33
GET NETWORK ROUTERS INFORMATION                      | 7B         | 34
GET NETWORK SERIAL NUMBER                            | 17         | 12
GET NLM INFORMATION                                  | 7B         | 0B
GET NLM LOADED LIST                                  | 7B         | 0A
GET NLMS RESOURCE TAG LIST                           | 7B         | 0F
GET NS DIR HANDLE PATH                               | 57         | 15
GET NS ENTRY INFO                                    | 57         | 06
GET NS INFO FORMAT                                   | 57         | 17
GET NS LOADED LIST                                   | 57         | 18
GET NS PATH                                          | 57         | 1C
GET NUMBER NCP EXTENSIONS                            | 24         | 03
GET OBJECT CONNECTION NUMBERS                        | 17         | 1B
GET OBJECT CONNECTION NUMBERS OLD                    | 17         | 15
GET OBJECT DISK RESTRICTIONS                         | 16         | 29
GET OBJECT EFFECTIVE RIGHTS                          | 16         | 32
GET OS VERSION INFORMATION                           | 7B         | 0D
GET PACKET BURST INFORMATION                         | 7B         | 05
GET PATH FROM DIRECTORY BASE                         | 17         | F3
GET PATH FROM DIRECTORY ENTRY                        | 16         | 1A
GET PERSONAL MESSAGE                                 | 15         | 05
GET PHYSICAL DISK STATISTICS                         | 17         | D8
GET PHYSICAL RECORD LOCKS BY CONNECTION AND FILE     | 17         | ED
GET PHYSICAL RECORD LOCKS BY CONNECTION AND FILE OLD | 17         | DD
GET PHYSICAL RECORD LOCKS BY FILE                    | 17         | EE
GET PHYSICAL RECORD LOCKS BY FILE OLD                | 17         | DE
GET PRINTER QUEUE                                    | 11         | 0A
GET PRINTER STATUS                                   | 11         | 06
GET PROTOCOL STACK CONFIGURATION INFORMATION         | 7B         | 29
GET PROTOCOL STACK CUSTOM INFORMATION                | 7B         | 2B
GET PROTOCOL STACK NUMBERS BY LAN BOARD NUMBER       | 7B         | 2D
GET PROTOCOL STACK NUMBERS BY MEDIA NUMBER           | 7B         | 2C
GET PROTOCOL STACK STATISTICS INFORMATION            | 7B         | 2A
GET QUEUE JOB LIST                                   | 17         | 81
GET QUEUE JOB LIST OLD                               | 17         | 6B
GET QUEUE JOB FILE SIZE                              | 17         | 87
GET QUEUE JOB FILE SIZE OLD                          | 17         | 78
GET QUEUE JOBS FROM LIST                             | 17         | 89
GET REFERENCE COUNT FROM DIRECTORY HANDLE            | 5A         | 0B
GET REFERENCE COUNT FROM DIRECTORY NUMBER            | 5A         | 0A
GET RELATION OF AN OBJECT                            | 17         | 4C
GET SEMAPHORE INFORMATION                            | 17         | F2
GET SEMAPHORE INFORMATION OLD                        | 17         | E2
GET SERVER INFORMATION                               | 7B         | 36
GET SERVER SET CATEGORIES                            | 7B         | 3D
GET SERVER SET COMMANDS INFORMATION                  | 7B         | 3C
GET SERVER SOURCES INFORMATION                       | 7B         | 37
GET SET VOLUME DM STATUS                             | 5A         | 86
GET SPOOL QUEUE ENTRY                                | 11         | 04
GET STATION NUMBER                                   | 13         | 00
GET STATION LOGGED INFORMATION                       | 17         | 1C
GET STATION LOGGED INFORMATION OLD                   | 17         | 16
GET STATION LOGGED INFORMATION EX                    | 17         | 05
GET USER INFORMATION                                 | 7B         | 04
GET UTC TIME                                         | 72         | 01
GET VOLUME AUDIT STATISTICS                          | 58         | 01
GET VOLUME DM STATUS                                 | 5A         | 82
GET VOLUME INFO WITH HANDLE                          | 16         | 15
GET VOLUME INFO WITH NUMBER                          | 12         | 00
GET VOLUME INFORMATION                               | 17         | E9
GET VOLUME INFORMATION BY LEVEL                      | 7B         | 22
GET VOLUME NAME                                      | 16         | 06
GET VOLUME NUMBER                                    | 16         | 05
GET VOLUME SEGMENT LIST                              | 7B         | 21
GET VOLUME SWITCH INFORMATION                        | 7B         | 09
GET VOLUME USAGE                                     | 16         | 2C
INIT AUDIT FILE READ                                 | 58         | 18
INITIALIZE NS SCAN                                   | 57         | 02
IS BINDERY OBJECT IN SET                             | 17         | 43
IS STATION A MANAGER                                 | 17         | 49
IS USER AUDITED                                      | 58         | 09
LOCK FILE SET OLD                                    | 04         | 00
LOCK FILE SET                                        | 6A         | 00 
LOCK LOGICAL RECORD SET OLD                          | 0A         | 00
LOCK LOGICAL RECORD SET                              | 6C         | 00
LOCK PHYSICAL RECORD SET OLD                         | 1B         | 00
LOCK PHYSICAL RECORD SET                             | 6E         | 00
LOG FILE OLD                                         | 03         | 00
LOG FILE                                             | 69         | 00
LOG LOGICAL RECORD OLD                               | 09         | 00
LOG LOGICAL RECORD                                   | 6B         | 00
LOG NETWORK MESSAGE                                  | 17         | 0D
LOG PHYSICAL RECORD OLD                              | 1A         | 00
LOG PHYSICAL RECORD                                  | 6D         | 00
LOGIN AS VOLUME AUDITOR                              | 58         | 03
LOGIN OBJECT                                         | 17         | 14
LOGIN OBJECT ENCRYPTED                               | 17         | 18
LOGIN USER OBJECT                                    | 17         | 00
LOGOUT                                               | 19         | 00 
LOGOUT AS VOLUME AUDITOR                             | 58         | 0D
MAP DIRECTORY NUMBER TO PATH                         | 16         | F3
MAP GROUP NAME TO NUMBER                             | 17         | 07
MAP NUMBER TO GROUP NAME                             | 17         | 08
MAP NUMBER TO USER NAME                              | 17         | 04
MAP USER NAME TO NUMBER                              | 17         | 03
MAP USER TO STATION SET                              | 17         | 02
MODIFY MAXIMUM RIGHTS MASK                           | 16         | 04
MOVE ENTRY                                           | 16         | 2E
MOVE FILE FROM DM                                    | 5A         | 85
MOVE FILE TO DM                                      | 5A         | 80
MOVE QUEUE JOB                                       | 17         | 88
NEGOTIATE BUFFER                                     | 21         | 00
OPEN BINDERY                                         | 17         | 45
OPEN CREATE FILE                                     | 54         | 00
OPEN CREATE NS ENTRY                                 | 57         | 01
OPEN CREATE NS FILE OR DIRECTORY                     | 57         | 1E
OPEN DATA STREAM                                     | 16         | 31
OPEN FILE                                            | 4C         | 00
OPEN MESSAGE PIPE                                    | 15         | 06
OPEN SEMAPHORE OLD                                   | 20         | 00
OPEN SEMAPHORE                                       | 6F         | 00
PACKET BURST CONNECTION REQUEST                      | 65         | 00 
PURGE ALL ERASED FILES                               | 17         | CE
PURGE ERASED FILES                                   | 16         | 10
PURGE NS SALVAGEABLE FILE                            | 57         | 12
PURGE SALVAGEABLE FILE                               | 16         | 1D
READ AUDIT CONFIG HEADER                             | 58         | 0B
READ AUDITING BIT MAP                                | 58         | 0A
READ AUDITING FILE                                   | 58         | 0C
READ AUDITING FILE 2                                 | 58         | 19
READ EXTENDED ATTRIBUTE                              | 56         | 03
READ EXTENDED NS INFO                                | 57         | 1A
READ NS INFO                                         | 57         | 13
READ PROPERTY VALUE                                  | 17         | 3D
READ QUEUE CURRENT STATUS                            | 17         | 7D
READ QUEUE CURRENT STATUS OLD                        | 17         | 66
READ QUEUE JOB ENTRY                                 | 17         | 7A
READ QUEUE JOB ENTRY OLD                             | 17         | 6C
READ QUEUE SERVER CURRENT STATUS                     | 17         | 86
READ QUEUE SERVER CURRENT STATUS OLD                 | 17         | 76
RECOVER NS SALVAGEABLE FILE                          | 57         | 11
RECOVER SALVAGEABLE FILE                             | 16         | 1C
RELEASE A RESOURCE                                   | 17         | FC
RELEASE FILE                                         | 05         | 00
RELEASE FILE SET                                     | 06         | 00
RELEASE LOGICAL RECORD                               | 0C         | 00
RELEASE LOGICAL RECORD SET                           | 0D         | 00
RELEASE PHYSICAL RECORD                              | 1C         | 00
RELEASE PHYSICAL RECORD SET                          | 1D         | 00
REMOVE AUDIT PROPERTY                                | 58         | 06
REMOVE ENTRY FROM SPOOL QUEUE                        | 11         | 05
REMOVE JOB FROM QUEUE                                | 17         | 80
REMOVE JOB FROM QUEUE OLD                            | 17         | 6A
RENAME BINDERY OBJECT                                | 17         | 34
RENAME DIRECTORY                                     | 16         | 0F
RENAME NS ENTRY                                      | 57         | 04
RESET AUDIT HISTORY FILE                             | 58         | 0F
RESET AUDITING FILE                                  | 58         | 0E
RESTART VOLUME AUDITING                              | 58         | 1E
RESTORE DIRECTORY HANDLE                             | 16         | 18
RESTORE ERASED FILE                                  | 16         | 11
RESTORE QUEUE SERVER RIGHTS                          | 17         | 75
SAVE DIRECTORY HANDLE                                | 16         | 17
SCAN BINDERY OBJECT                                  | 17         | 37
SCAN BINDERY OBJECT TRUSTEE PATHS                    | 17         | 47
SCAN DIR ENTRY                                       | 16         | 1E
SCAN DIR RESTRICTIONS                                | 16         | 23
SCAN DIRECTORY FOR TRUSTEES                          | 16         | 0C
SCAN DIRECTORY INFORMATION                           | 16         | 02
SCAN ENTRY FOR TRUSTEES                              | 16         | 26
SCAN FILE INFORMATION                                | 17         | 0F
SCAN FILE PHYSICAL                                   | 16         | 28
SCAN NCP EXTENSIONS                                  | 24         | 00
SCAN NCP EXTENSIONS BY NAME                          | 24         | 02
SCAN NS ENTRY FOR TRUSTEES                           | 57         | 05
SCAN NS ENTRY INFO                                   | 57         | 03
SCAN NS NEXT SET                                     | 57         | 14
SCAN NS SALVAGEABLE FILES                            | 57         | 10
SCAN PROPERTY                                        | 17         | 3C
SCAN SALVAGEABLE FILES                               | 16         | 1B
SCAN VOLUME FOR RESTRICTIONS                         | 16         | 20
SEARCH FILE                                          | 40         | 00
SEND BROADCAST MESSAGE                               | 15         | 00
SEND BROADCAST MESSAGE EX                            | 15         | 0A
SEND CONSOLE BROADCAST                               | 17         | FD
SEND CONSOLE BROADCAST OLD                           | 17         | D1
SEND PERSONAL MESSAGE                                | 15         | 04
SEND REMOTE CONSOLE OPERATION                        | 83         | ??
SERVICE QUEUE JOB AND OPEN FILE OLD                  | 17         | 71
SERVICE QUEUE JOB LIST                               | 17         | 8A
SET AUDIT PASSWORD                                   | 58         | 1F
SET COMP FILE SIZE                                   | 5A         | 0C
SET DIR RESTRICTION                                  | 16         | 24
SET DIRECTORY HANDLE                                 | 16         | 00
SET DIRECTORY INFORMATION                            | 16         | 19
SET ENTRY                                            | 16         | 25
SET EXTENDED FILE ATTRIBUTES                         | 4F         | 00
SET FILE ATTRIBUTES                                  | 46         | 00
SET FILE INFORMATION                                 | 17         | 10
SET FILE SERVER DATE AND TIME                        | 17         | CA
SET FILE TIME AND DATE                               | 4B         | 00
SET NS ENTRY DOS INFO                                | 57         | 07
SET QUEUE CURRENT STATUS                             | 17         | 7E
SET QUEUE CURRENT STATUS OLD                         | 17         | 67
SET QUEUE SERVER CURRENT STATUS                      | 17         | 77
SET SPOOL FLAGS                                      | 11         | 02
SET TEMP NS DIR HANDLE                               | 57         | 09
SET TRUSTEE                                          | 16         | 27
SET VOLUME RESTRICTIONS                              | 16         | 21
SET WATCHDOG DELAY INTERVAL                          | 17         | 1E
SIGNAL SEMAPHORE OLD                                 | 20         | 03
SIGNAL SEMAPHORE                                     | 6F         | 03
SPECIFY CAPTURE FILE                                 | 11         | 09
SPOOL DATA TO A CAPTURE FILE                         | 11         | 00
SPOOL EXISTING FILE                                  | 11         | 03
SUBMIT ACCOUNT CHARGE                                | 17         | 97
SUBMIT ACCOUNT HOLD                                  | 17         | 98
SUBMIT ACCOUNT NOTE                                  | 17         | 99
SYNCHRONIZE SCHEMA                                   | 27         | 00
TTS ABORT TRANSACTION                                | 22         | 03
TTS BEGIN TRANSACTION                                | 22         | 01
TTS END TRANSACTION                                  | 22         | 02
TTS GET APPLICATION THRESHOLDS                       | 22         | 05
TTS GET CONTROL FLAGS                                | 22         | 09
TTS GET STATISTICS                                   | 17         | D5
TTS GET WORKSTATION THRESHOLDS                       | 22         | 07
TTS IS AVAILABLE                                     | 22         | 00
TTS SET APPLICATION THRESHOLDS                       | 22         | 06
TTS SET CONTROL FLAGS                                | 22         | 0A
TTS SET WORKSTATION THRESHOLDS                       | 22         | 08
TTS TRANSACTION STATUS                               | 22         | 04
VERIFY BINDERY OBJECT PASSWORD                       | 17         | 3F
VERIFY BINDERY OBJECT PASSWORD ENCRYPTED             | 17         | 4A
VERIFY NETWORK SERIAL NUMBER                         | 17         | 0C
WAIT ON SEMAPHORE OLD                                | 20         | 02
WAIT ON SEMAPHORE                                    | 6F         | 02
WRITE AUDIT CONFIG HEADER                            | 58         | 11
WRITE AUDITING BIT MAP                               | 58         | 10
WRITE EXTENDED ATTRIBUTE                             | 56         | 02
WRITE EXTENDED NS INFO                               | 57         | 1B
WRITE NS INFO                                        | 57         | 19
WRITE PROPERTY VALUE                                 | 17         | 3E

Again, our aim here is NOT to recode Client32; however, a (very small)
library of useful NCP calls can be found under the "online" directory, look
for the file "panrcp.h". Besides, the ncpfs project for Linux already provides
a GNU port of the Netware Client.

This listing wouldn't be complete without the return code list of Netware
servers. This list was ripped off the "Netware C library" manual by Adrian
Cunnelly (adrian@amcsoft.demon.co.uk), whose "Netware C library" shareware
version is available on the SimTel site, check for netclb35.zip.

All error codes listed below are generated by the Pan_error function in
Pan_glob.h

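------------------------------------------------------------------------
Hex Meaning                           Hex Meaning
------------------------------------------------------------------------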
00h Action Successful                 9Ah Renaming Across Volumes        
    Server Not In Use                 9Bh Bad Directory Handle           
    TTS Not Available                 9Ch Invalid Path                   
01h Server In Use                         No more Trustees               
    Semaphore Overflow                9Dh No More Directory Handles      
    TTS Available                     9Eh Invalid Filename               
02h DOS File Not Found                9Fh Directory Active               
03h DOS Path Not Found                A0h Directory Not Empty            
04h DOS Too Many Open Files           A1h Directory IO Error             
05h DOS Access Denied                 A2h Read File With Record Locked   
06h DOS Invalid File Handle           BBh No Netware shell loaded        
07h DOS Memory Blocks Destroyed       C0h No Account Privileges          
08h DOS Insufficient Memory           C1h Login Denied -                 
09h DOS Invalid Memory Block Address      No Account Balance             
0Ah DOS Invalid Environment           C2h Account Credit limit Exceeded  
0Bh DOS Invalid Format                    Login Denied - No credit       
0Ch DOS Invalid Access Code           C3h Account - Too many Holds       
0Dh DOS Invalid Data                  C5h Intruder Detection Lock        
0Fh DOS Invalid Drive Specified       C6h Not Console Operator           
10h DOS Attempt To Delete Current Dir D0h Queue Error                    
11h DOS Not Same Device               D1h No Queue                       
12h DOS No More Files                 D2h No Queue Server                
20h DOS Sharing Violation             D3h No Queue Rights                
21h DOS Lock Violation                D4h Queue Full                     
80h File In User Error                D5h No Queue Job                   
81h No More File Handles              D6h No Job Rights                  
82h No Open Privileges                D7h Password Not Unique            
83h IO Error Network Disk                 Queue Servicing                
84h No Create Privileges              D8h Password Too Short             
85h No Delete Privileges                  Queue Not Active               
86h Create File Exists Read Only      D9h Login Denied - No connection   
87h Wild Cards in Create File Name        Station Not Server             
88h Invalid File Handle               DAh Unauthorized login time -      
89h No Search Privileges                  Queue Halted                   
8Ah No Delete Privileges              DBh Unauthorized login station -   
8Bh No Rename Privileges                  Max Queue Servers              
8Ch No Modify Privileges              DCh Account Disabled               
8Dh Some Files Affected In Use        DEh Password has expired - No Grace
8Eh No Files Affected In Use          DFh Password has expired           
8Fh Some Files Affected Read Only     E8h Not Item Property -            
90h No Files Affected Read Only           Write Property to Group        
91h Some Files Renamed - Name Exists  E9h Member Already Exists          
92h No Files Renamed - Name Exists    EAh No Such Member                 
93h No Read Privileges                EBh Not Group Property             
94h No Write Privileges or Read Only  ECh No Such Segment                
95h File Detached                     EDh Property Already Exists        
96h Server Out Of Memory              EEh Object Already Exists          
    Out Of Dynamic Workspace          EFh Invalid Name                   
97h No Disk Space for Spool File      F0h Wild Card Not Allowed          
98h Volume Does Not Exist             F1h Invalid Bindery Security       
99h Directory Full                    F2h No Object Read Privilege       
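------------------------------------------------------------------------

------------------------------------------------------------------------
Hex Meaning                           Hex Meaning
------------------------------------------------------------------------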
F3h No Object Rename Privilege        FFh Bad Printer Error              
F4h No Object Delete Privilege            Bad Record Offset              
F5h No Object Create Privilege            Close FCB Error                
F6h No Property Delete Privilege          File Extension Error           
    Not Same Local Drive                  File Name Error                
F7h No Property Create Privilege          Hardware Failure               
    Target Drive Not Local                Invalid Drive Number           
F8h Already Attached To Server            Invalid Initial Semaphore Value
    No Property Write Privilege           Invalid Semaphore Handle       
    Not Attached To Server                IO Bound Error                 
F9h No Free Connection Slots              No Files Found Error           
    No Property Read Privilege            No Response From Server        
FAh No More Server Slots                  No Such Object                 
    Temporary Remap Error                 Bad Password                   
FBh Invalid Parameters                    Path Not Locatable             
    No Such Property                      Queue Full Error               
    Unknown Request                       Request Not Outstanding        
FCh Unknown File Server                   Transaction Not Yet Written    
    Message Queue Full                    No More Matching Files         
    No Such Object                        Bindery Failure                
FDh Bad Station Number                    Explicit Transaction Active    
    Unknown Request                       No Explicit Transaction Active 
    Field Already Locked                  No Record Found                
    TTS Disabled                          Output Buffer Full             
FEh Bindery Locked                                                       
    Directory Locked                                                     
    Invalid Semaphore Name Length                                        
    Server Bindery Locked                                                
    Spool Directory Error                                                
    Supervisor has disabled login                                        
    Timeout Failure                                                      
    Transaction ends Record Lock                                         
    Implicit Transaction Active                                          
------------------------------------------------------------------------


And we're only talking 'Official NCP calls' here, so just imagine if you add
undocumented stuff and NDS/IPX specific calls... Anyway, here is the
communication API :

-------------------------<Communication Functions>----------------------------
 /* Connect and Transmit NCP requests */

 /* Usage : ret=Pan_NCP_connect(server);
 'server' is the file server number ?? Setting server to 0 connects you
 to the default server. A negative return value is a Pandora API error;
 otherwise it is the ax value, see the table above.
 */

 int Pan_NCP_connect(int socket);

 /* Usage : ret=Pan_NCP_transmit(function,request,r_lengh,answer,a_lengh);
 Use this to transmit an NCP packet via the Novell driver. Parameters :

 - func is the NCP function code (the subfunction is located in the request
   data);
 - req is a pointer to a block of bytes (uint8) containing the request data
   (subfunction, ...);
 - rlengh is the length of the request data pointed to by req;
 - ans is a pointer to an initialized block of bytes (uint8) which will
   contain the answer from the server to the request (if any);
 - alengh is the length of the expected returned data.

 A negative return value is a Pandora API error; otherwise it is the ax
 register value, see the NCP error table.
 */

 int Pan_NCP_transmit(int func,uint8 *req,int rlengh,uint8 *ans,int alengh);

 /* Usage : ret=Pan_NCP_spoof(packet,lengh);
 This function requires a packet driver on interrupt 0x60 and lets you
 send fully customized packets (Network and Transport layer). Parameters :

 - packet is a pointer to a block of bytes (uint8) containing the data to send;
 - packlengh is the total physical length of the packet (Network and
   Transport).

 This code is experimental : it works but will be replaced by something more
 elaborate and more "compatible" ...
 */

 int Pan_NCP_spoof(uint8 *packet,int packlengh);
-------------------------------------><---------------------------------------


_A_     Appendix A : error codes

Return code   Description
------------------------------------------------------------------------------
--------------------------<Server Return Codes>-------------------------------
 1         | Server In Use,Semaphore Overflow,TTS Available
 2         | DOS File Not Found
 3         | DOS Path Not Found
 4         | DOS Too Many Open Files
 5         | DOS Access Denied
 6         | DOS Invalid File Handle
 7         | DOS Memory Blocks Destroyed
 8         | DOS Insufficient Memory
 9         | DOS Invalid Memory Block Address
 10        | DOS Invalid Environment
 11        | DOS Invalid Format
 13        | DOS Invalid Access Code
 14        | DOS Invalid Data
 15        | DOS Invalid Drive Specified
 16        | DOS Attempt To Delete Current Dir
 17        | DOS Not Same Device
 18        | DOS No More Files
 32        | DOS Sharing Violation
 33        | DOS Lock Violation
 128       | File In User Error
 129       | No More File Handles
 130       | No Open Privileges
 131       | IO Error Network Disk
 132       | No Create Privileges
 133       | No Delete Privileges
 134       | Create File Exists Read Only
 135       | Wild Cards in Create File Name
 136       | Invalid File Handle
 137       | No Search Privileges
 138       | No Delete Privileges
 139       | No Rename Privileges
 140       | No Modify Privileges
 141       | Some Files Affected In Use
 142       | No Files Affected In Use
 143       | Some Files Affected Read Only
 144       | No Files Affected Read Only
 145       | Some Files Renamed - Name Exists
 146       | No Files Renamed - Name Exists
 147       | No Read Privileges
 148       | No Write Privileges or Read Only
 149       | File Detached
 150       | Server Out Of Memory,Out Of Dynamic Workspace
 151       | No Disk Space for Spool File
 152       | Volume Does Not Exist
 153       | Directory Full
 154       | Renaming Across Volumes
 155       | Bad Directory Handle
 156       | Invalid Path,No more Trustees
 157       | No More Directory Handles
 158       | Invalid Filename
 159       | Directory Active
 160       | Directory Not Empty
 161       | Directory IO Error
 162       | Read File With Record Locked
 163       | No Netware shell loaded
 192       | No Account Privileges
 193       | Login Denied,No Account Balance
 194       | Account Credit limit Exceeded,Login Denied,No credit
 195       | Account,Too many Holds
 197       | Intruder Detection, Account is Locked
 198       | Not Console Operator
 208       | Queue Error
 209       | No Queue
 210       | No Queue Server
 211       | No Queue Rights
 212       | Queue Full
 213       | No Queue Job
 214       | No Job Rights
 215       | Password Not Unique,Queue Servicing
 216       | Password Too Short,Queue Not Active
 217       | Login Denied,No connection,Station Not Server
 218       | Unauthorized login time,Queue Halted
 219       | Unauthorized login station,Max Queue Servers
 220       | Account Disabled
 222       | Password has expired - No Grace
 223       | Password has expired
 232       | Not Item Property,Write Property to Group
 233       | Member Already Exists
 234       | No Such Member
 235       | Not Group Property
 236       | No Such Segment
 237       | Property Already Exists
 238       | Object Already Exists
 239       | Invalid Name
 240       | Wild Card Not Allowed
 241       | Invalid Bindery Security
 242       | No Object Read Privilege
 243       | No Object Rename Privilege
 244       | No Object Delete Privilege
 245       | No Object Create Privilege
 246       | No Property Delete Privilege,Not Same Local Drive
 247       | No Property Create Privilege,Target Drive Not Local
 248       | Already or Not Attached To Server,No Property Write Privilege
 249       | No Free Connection Slots,No Property Read Privilege
 250       | No More Server Slots,Temporary Remap Error
 251       | Invalid Parameters,No Such Property,Unknown Request
 252       | Unknown File Server,Message Queue Full,No Such Object
 253       | Bad Station Number,Unknown Request,Field Already Locked,TTS Disabled
 254       | Bind/NDS Locked/Err,Bad Sem Name Len,Login disable,Timeout,Trans err
 255       | Bad Printer/Offset/FCB/Name/Ext/Hrdwre/Drive/Sem/File/Passwd/Req/IO
-------------------------<Pandora specific error codes>-----------------------
 (NULL)    | Ok
 -1        | unknown error
 -100      | Password length exceeds maximum (16 chars for Brute_Force & Dict, 128 chars for Hash_Gen)
 -101      | pw_first/pw_last mismatch
 -102      | pw_current/pw_last mismatch
 -103      | pw_first contains unauthorized chars OR pw_first/pwlen mismatch
 -104      | pw_current contains unauthorized chs OR pw_curr./pwlen mismatch
 -105      | Password not found with given words
 -106      | Maximum tries reached
 -107      | Hash is unknown
 -108      | Invalid hash
 -110      | Password is NULL
 -199      | File MUST be named, BACKUP.DS or BACKUP.NDS or DSREPAIR.DIB
 -200      | Error opening .NDS/.DS/.DIB files
 -201      | Out of memory
 -202      | Out of DOS memory
 -203      | NDS needs repair, cross reference encountered
 -204      | Value not found for this object/attribute pair
 -205      | Attribute not defined
 -206      | Unable to open Adapter
 -300      | Error opening file (Pandora/.NDS)
 -301      | File read/write failure OR invalid file


_B_     Appendix B : physical file structures

For an explanation of the .NDS file structure see Inside.txt.

The two following structures are the physical equivalent to Pan_PassHack
(<-> PASSHACK) and Pan_PassList (<-> PASSLIST). We decided to use uint8[]
blocks; this lets us write all numbers in the form of ASCII strings, thus
bypassing any endianness problem and platform-dependent data representation.
Also note that all fields are multiples of 4 bytes in length; this is done for
the same reasons. It's ugly but effective, yet we're open to suggestions...

----------------------------<Physical Structures>-----------------------------
typedef struct passlist
{
 uint8 bind[8];         /* Type of bindery object, see end of file */
 uint8 id[8];           /* Object ID from ENTRY */
 uint8 parentID[8];     /* Parent ID */
 uint8 objectID[8];     /* Object ID from Private Key */
 uint8 pwlen_known[8];  /* TRUE or FALSE */
 uint8 pwlen[8];        /* Password length of user account */
 uint8 pwhash_known[8]; /* TRUE or FALSE */
 uint8  hash[16];       /* One-way hash */
 uint8  userOU[40];     /* OU of User */
 uint8  userCN[258];    /* User common name */
 uint8  password[258];  /* User password */
} PASSLIST; /* size=628 */

typedef struct passhack
{
 uint8 bind[8];         /* Type of bindery object, see end of file */
 uint8 id[8];           /* Object ID from ENTRY */
 uint8 parentID[8];     /* Parent ID */
 uint8 objectID[8];     /* Object ID from Private Key */
 uint8 pwlen[8];        /* Password length currently tested */
 uint8  pw_first[128];  /* Passwd used to initialize the hack */
 uint8  pw_current[128];/* Last attempt saved */
 uint8  pw_last[128];   /* Last attempt to perform */
 uint8  key_space[PAN_KEYSPACE+1]; /* Key space used for brute force */
 uint8  hash[16];       /* One-way hash if set to 0 => unknown */
 uint8  userOU[40];     /* OU of User */
 uint8  userCN[258];    /* User common name */
} PASSHACK; /* size=807 */

-------------------------------------><---------------------------------------
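
Added example (not part of the Pandora sources): one way to read and write the
ASCII-encoded numeric fields of a PASSLIST record and to validate a record
loaded from an untrusted file. The digit encoding (zero-padded hexadecimal
filling the field, no terminating NUL), the uint8 typedef, the helper names,
the macro name and the sample values are assumptions; the page does not
specify them.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned char uint8;         /* assumed; the real typedef is in Pan_glob.h */
#define PAN_ERR_INVALID_FILE (-301)  /* Appendix A code; macro name is an assumption */

typedef struct passlist              /* layout copied from Appendix B */
{
 uint8 bind[8];
 uint8 id[8];
 uint8 parentID[8];
 uint8 objectID[8];
 uint8 pwlen_known[8];
 uint8 pwlen[8];
 uint8 pwhash_known[8];
 uint8 hash[16];
 uint8 userOU[40];
 uint8 userCN[258];
 uint8 password[258];
} PASSLIST;

/* Only byte arrays, so no padding: memory layout == file layout (628 bytes). */
typedef char passlist_size_check[(sizeof(PASSLIST) == 628) ? 1 : -1];

/* Store value as zero-padded upper-case hex filling the whole field, with no
   terminating NUL (assumed encoding). Fails if the value needs more digits. */
int field_put_hex(uint8 *field, size_t width, unsigned long value)
{
    for (size_t i = width; i > 0; i--) {
        field[i - 1] = (uint8)"0123456789ABCDEF"[value & 0xF];
        value >>= 4;
    }
    return value == 0 ? 0 : PAN_ERR_INVALID_FILE;
}

/* Parse exactly 'width' bytes. The field has no NUL, so strtoul() would read
   on into the next member; any non-hex byte marks the record as invalid. */
int field_get_hex(const uint8 *field, size_t width, unsigned long *out)
{
    unsigned long v = 0;
    if (width > 2 * sizeof v) return PAN_ERR_INVALID_FILE;  /* result too small */
    for (size_t i = 0; i < width; i++) {
        uint8 c = field[i];
        if (c >= '0' && c <= '9')      v = (v << 4) | (unsigned long)(c - '0');
        else if (c >= 'A' && c <= 'F') v = (v << 4) | (unsigned long)(c - 'A' + 10);
        else if (c >= 'a' && c <= 'f') v = (v << 4) | (unsigned long)(c - 'a' + 10);
        else return PAN_ERR_INVALID_FILE;
    }
    *out = v;
    return 0;
}

/* Validate a record read from an untrusted file before any field is used. */
int passlist_check(const PASSLIST *r, unsigned long *id, unsigned long *pwlen)
{
    if (field_get_hex(r->id, sizeof r->id, id) != 0 ||
        field_get_hex(r->pwlen, sizeof r->pwlen, pwlen) != 0)
        return PAN_ERR_INVALID_FILE;
    if (*pwlen >= sizeof r->password) return PAN_ERR_INVALID_FILE; /* cannot fit */
    /* Text members are assumed to be C strings: require a NUL inside each one. */
    if (!memchr(r->userOU, 0, sizeof r->userOU) ||
        !memchr(r->userCN, 0, sizeof r->userCN) ||
        !memchr(r->password, 0, sizeof r->password))
        return PAN_ERR_INVALID_FILE;
    return 0;
}

/* Constructed sample record; every value here is made up for the example. */
void passlist_sample(PASSLIST *r)
{
    memset(r, 0, sizeof *r);
    field_put_hex(r->id, sizeof r->id, 0x0100002BUL);
    field_put_hex(r->pwlen, sizeof r->pwlen, 6);
    strcpy((char *)r->userOU, "LAB");
    strcpy((char *)r->userCN, "TESTUSER");
}

int main(void)
{
    PASSLIST r;
    unsigned long id = 0, len = 0;
    passlist_sample(&r);
    int rc = passlist_check(&r, &id, &len);
    printf("valid record:  rc=%d id=%08lX pwlen=%lu\n", rc, id, len);
    r.pwlen[7] = 0;                  /* simulate a damaged field */
    printf("damaged field: rc=%d\n", passlist_check(&r, &id, &len));
    return 0;
}
```
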


A final word. You are very welcome and encouraged to contribute to the
project; moreover, since this is GNU licensed, it is courteous ( if not
required ;-) ) to notify us of any changes you make to or tools you build
with the Pandora API; AND THESE TOOLS MUST REMAIN FREE WITH SOURCE CODE
ACCESSIBLE.

Happy Coding !

			 (c) Nomad Mobile Research Center
				   www.nmrc.org

