				Pandora Toolbox API

			 (c) Nomad Mobile Research Center

				   www.nmrc.org





_I_     What is all this about ?

_II_    Credits

_III_   Pandora API architecture

_IV_    The mother of all : Pan_glob.h

_V_     Ripped off ! Pan_file.h

_VI_    The hash and the pendulum. Pan_hash.h

_VII_   Netware, Bravo, do you copy ? Pan_com.h



_A_     Appendix A : error codes

_B_     Appendix B : physical file structures





_I_ What is all this about ?



	Project Pandora was developped by o O O Simple Nomad O O o at the

	NMRC to hack Novell premier product : Netware NDS. The project

	initially permitted dictionary attacks and brute force attacks on

	password's hash extracted from the NDS. Then more attacks were

	added, involving Netware Core Protocol, and it became clear that

	an API was needed to reduce the redundancy in the code, facilitate

	algorithm emprovments, expand the project and permit others to

	share the fun...





_II_ Credits



This API was made possible thanks to the work of many, that was carefuly

gathered and assembled here. Therefore the NMRC team, Imnsho - Jitsu-Disk -

Knobster - Simple Nomad - Up-uat, wishes to thanks the following people for

their (sometime unconscious) contributions...



		   o O O Special Thanks O O o



      DJ Delorie [www.delorie.com] [GNU C DOS Compiler]

 Vincenzo Morello [volftp.tin.it/italiani/MORELLO/index_e.htm] [MGUI GUI lib]

  Rainer Schnitker [www.mathematik.uni-bielefeld.de/~rainer/] [RSX Win32 C]



		       o O O Eleete O O o



			  Greg Miller

			     Itsme



		   o O O Ideas & Support  O O o



			    Al Grant

			    Denis. L

			     gOObER

			   Richard. P

			      Rx2

			 Thomas Lackner

		    Netware Hack Mailing List



		   o O O Cryptography O O o



			   TheRuiner

		     

		     o O O NCP Insight O O o



			 Adrian Cunnelly

		  Eugene Ilchenko & Igor Gusev

			  Fauzan Mirza

		       Sven B. Schreiber



	       o O O Linux Novell GNU Client O O o



			 Volker Lendecke

			

	       o O O Low level IPX/DOS coding O O o



		       John R. McCawley III

			 Cap'n Hardgeus

			  Hotwarez LLC



	       o O O Packet Driver For  NT/95 O O o



			   The L0Pht

			   Weld Pond

			     Mudge

			  Piero Viano



		      o O O C00lness O O o



			      Tan

			   Gary Hein

			   Gabe Nault





_III_ Pandora API architecture



The Pandora API is fully written in C code using the free GNU compiler. It

supports big and little endian platforms, and requires DJGPP free GNU C to

compile under DOS/WIN/OS2 environment (available at www.delorie.com). Since

Pandora rel 4, the API is now thread safe and succesfully compiles under 

most Unices, you only need to define PAN_UNIX in your makefile CFlags.



It is build as a set of shared libraries, each of them specialized in a

certain type of attack. As of Pandora v4 release the libraries are :



Pan_file.h : for manipulation of the NDS files and password hash extraction

Pan_hash.h : to play all sort of crypto games with the hash (and others)

Pan_com.h  : used to communicate on the network using NCP/IPX/Packet transport

	     for DOS only. Sniffing/Spoofing capabilities are built-in the

	     GUI code, see PAN_GUI doc for details.



In addition there is a common library which defines common types and routines 

to all shared libraries : Pan_glob.h



Pan_file.h, Pan_hash.h and Pan_com.h are the headers you want to include in

your programs if you need to manipulate NDS/decipher/communicate with netware.

These files are only declaration headers, the source code is located in

subdirectories affiliated to them :



main-dir    header file      sub-dir         source files

--------    -----------      -------         ------------

	 |  Pan_file.h |---> p_file  |-----> file_lib.c   (Pandora interface)

	 |                                   file_med.h   (file manipul. code)

	 |                                   file_low.h   (NDS files struct)

	 |

	 |  Pan_hash.h |---> p_hash  |-----> hash_lib.c   (Pandora interface)

	 |                                   hash_med.h   (crypto routines)

	 |                                   hash_low.h   (crypto algo)

 pandora |

	 |  Pan_com.h  |---> p_com   |-----> com_lib.c    (Pandora interafce)

	 |                                   com_med.h    (TODO:IPX struct)

	 |                            low  | com_dos.h    (com for DOS only)

	 |                            level| com_lin.h    (TODO:com for LINUX)

	 |

	 |  Pan_glob.h |---> p_glob  |-----> pandora.c    (Pandora structures)

	 |                                   globals.c    (endian & unicode)



We separated in each library the code of the API functions themselves

(Pandora interafce) from the routines those API rely upon (_med and _low).

The separation of what is considered a "low" level code and "medium" level

code is arbitrary. If this looks a bit tortuous, a glance at a typical

makefile might help ;-)



--------------------------------<makefile>------------------------------------

# this makefile illustrate the use of all libraries in one prog.

# the prog is supposed to be in a directory under which we find the

# "pandora" directory and all its subordinates.



CC       =  gcc  # your favorite compiler

CFLAGS   =  -O3 -funroll-all-loops -fforce-mem # Optimization options



# following declarations will cause the compiler to build the libraries

# if not already compiled

PAN_GLOB   =  pandora\\p_glob\\pandora.o pandora\\p_glob\\globals.o

PAN_HASH   =  pandora\\p_hash\\hash_lib.o

PAN_FILE   =  pandora\\p_file\\file_lib.o

PAN_COM    =  pandora\\p_com\\com_lib.o



# invoking 'make' or 'make myprog' will build nwhack

myprog: nwhack

all: nwhack



# compil macro

.c.o:

	$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@



# your stuff that requires all libraries

nwhack: nwhack.o $(PAN_FILE) $(PAN_HASH) $(PAN_COM) $(PAN_GLOB)

	nwhack.o: nwhack.c



#sample :

#

#myprog: myprog.o [$(__PAN__HEADER_I_USED__) ...] $(PAN_GLOB)

#        myprog.o: myprog.c

#

# this makefile is found in the directory: mydirectory      

# project pandora files are found under mydirectory\pandora

# linking $(PAN_GLOB) is always required since used by all shared lib

-------------------------------------><---------------------------------------





The start of nwhack.c source as you may expect ...



--------------------------------<nwhack.c>------------------------------------

#include "pandora\pan_file.h"

#include "pandora\pan_hash.h"

#include "pandora\pan_com.h"

/* include "pandora\pan_glob.h" not required since already included

   by above shared libraries */

...

------------------------------------><----------------------------------------





Also note that a special care was taken to wrap all C headers so you could

include them in C++ progs (if you dare ;-) ).



O.K now you have a pretty good idea on how to build your prog with Pandora

facility, so lets get into real trouble and see what exactly you can do with

it...



First off we need to talk about Pan_glob.h .





_IV_ The mother of all : Pan_glob.h



Initially project Pandora was designed to extract users info and password

hash from Novell's NDS files and permit password recovery through brute force

or dictionary attack (see inside.txt). 



The ripped info from NDS being saved in a file called PASSWORD.NDS, and the

"save state" of a brute force attempt in RESTORE.PAN; thus permitting via

manipulation (manipul8) to spread the attack over multiple computers.



The API offers two memory structure that duplicates the contents of these

files, in order to avoid the boredom of dealing with the physical access in

each program. Also those structures permit to pass info to and from the

functions of the API.



Some variables have been added in comparison to v3, so to take care

(hopefully) of new and future needs. This is a very sensitive part of the

API since all modification renders Pandora files incompatible between two

versions (not ment to be a database) but you could write a prog to

convert the files between the various versions if you really need to.



Since v4 their are also two new structures different than the one that deals 

with passwords hash : one to store "atomic values" from NDS, one to store

live connections informations ripped from the servers.



------------------------------<Global Structures>-----------------------------

typedef unsigned char  uint8;   /* one byte */

typedef unsigned short uint16;  /* one 16bit word */

typedef unsigned long  uint32;  /* one 32bit word */

typedef unsigned int   unicode; /* depends on system may be 16 or 32 bit */



typedef struct pan_passlist

{

 uint32                 bind;           /* Bindery type of object */

 uint32                 id;             /* Object ID from ENTRY */

 uint32                 parentID;       /* Parent ID */

 uint32                 objectID;       /* Object ID from Private Key */

 uint32                 pwlen_known;    /* TRUE or FALSE */

 uint32                 pwlen;          /* Password length of user account */

 uint32                 pwhash_known;   /* TRUE or FALSE */

 uint8                  hash[16];       /* One-way hash */

 uint8                  userOU[40];     /* OU of User */

 uint8                  userCN[258];    /* User common name */

 uint8                  password[258];  /* User password */

 struct pan_passlist    *next;

} *Pan_PassList;



typedef struct pan_passhack

{

 uint32 bind;                      /* Bindery type of object */

 uint32 id;                        /* Object ID from ENTRY */

 uint32 parentID;                  /* Parent ID */

 uint32 objectID;                  /* Object ID from Private Key */

 uint32 pwlen;                     /* Password length currently tested */

 uint8  pw_first[128];             /* Passwd used to initialize the hack */

 uint8  pw_current[128];           /* Last attempt saved */

 uint8  pw_last[128];              /* Last attempt to perform */

 uint8  key_space[PAN_KEYSPACE+1]; /* Key space used for brute force */

 uint8  hash[16];                  /* One-way hash if set to 0 => unknown */

 uint8  userOU[40];                /* OU of User */

 uint8  userCN[258];               /* User common name */

} Pan_PassHack;



typedef struct pan_ndsbrowse

{

 uint32                 objectID;        /* Object ID */

 uint32                 parentID;        /* Parent ID */

 uint32                 typeID;          /* Attribute ID */

 uint8                  parentStr[128];  /* Parent String NOT UNICODE */

 uint8                  objectStr[128];  /* Object String NOT UNICODE */

 uint8                  typeStr[128];    /* Object String NOT UNICODE */

 struct pan_ndsbrowse   *next;

} *Pan_NDSBrowse;

/* WTF didn't we kept Unicode shit here since we kept it everywhere else ??

   Just because this memory structure is not meant (or never should :-) )

   to be dumped to the disk */



typedef struct pan_connections

{

 char                   name[MAXNAMELEN+1];   /* connection name */

 int                    conn_type;            /* server, user, other */

 uint8                  conn_number;          /* connection number */

 uint8                  ipx_net[4];           /* IPX network */

 uint8                  ipx_addr[6];          /* IPX adress */

 uint8                  sock_high;            /* socket high */

 uint8                  sock_low;             /* socket low */

 char                   details[512];         /* comment string to store 

					         connection details */

 struct pan_connections *next;

} *Pan_Connections;

------------------------------------><----------------------------------------





Pan_PassList declaration : Pan_PassList pPassList;



All variables are pretty self explainatory, just for the record :



 'bind' contains the bindery type of the object (if exist) and is stored in

	big endian format since we exclusively use it when communicating with

	a server which requires that format. Here are listed some common

	bindery types, not all types holds a password though :



	Description                 Value             'bind' value

	----------------------------------------------------------

	Unknown                     0                 0x0000

	User                        1                 0x0100

	User Group (container)      2                 0x0200

	Print Queue                 3                 0x0300

	File Server                 4                 0x0400

	Job Server                  5                 0x0500

	Gateway                     6                 0x0600

	Print Server                7                 0x0700

	Archive Queue               8                 0x0800

	Archive Server              9                 0x0900

	Job Queue                   10                0x0a00

	Administration              11                0x0b00

	Remote Bridge Server        38                0x2600

	Advertising Print Server    71                0x4700

	Btrieve Server              75                0x4B00

	RSPCX Server (Rconsole)     263               0x0701

	HP Jet-Printer              780               0x0C03

	Cheyenne ArcServe           1100              0x4c04

	Reserved up to              32768             0x0080

	Wild                        -1                0xffff



        Hence the following "defines" are set in pan_glob.h :

	#define PAN_TYPE_SERVER 0x0400

	#define PAN_TYPE_USER   0X0100

	#define PAN_TYPE_OTHER  0XFFFF



 'pwlen_known' is set to YES when the lengh of the real password is known.

 'pwhash_known' is set to YES when we know the real hash of a user.



Also you've probably noticed that pPassList is a chained list and therefore

requires memory allocation, and memory release when done, see Global Functions

for this. Adding a new element or searching a new element in the list is very

simple, for illustration check the code in manipul8.c . Here's a simple sketch 

that represents how PASSLIST records are stored in memory :



			 Pan_PassList pPassList;

				    *

				    *

   ---------------------------------------------------------------------

  |        <root>    <first-rec>                   <last-rec>           |

  |                                                                     |

  |        pPassList                                                    |

  |          |       |bind                                              |

  |          |______>|id          |bind                                 |

  |                  |parentID    |id             |                     |

  |                  |objectID    |parentID       |                     |

  |                  |...         |objectID       |                     |

  |                  |next------->|...            |                     |

  |                               |next------->...|                     |

  |                                               |next------->(NULL)   |

  |_____________________________________________________________________|





Pan_PassHack declaration : Pan_PassHack pPassHack;



This is a regular structure, it is use for brute force and for passing info

from function to function, depending on the function you're calling not all

fields are required. Check Global Functions for passing info from a pointer

on pPassList to a pPassHack structure.



The pw* variables are worhty a word of explaination :



 'pwlen' contains the current testing size of for the password may it be the

	 real one or not, 'pw_first' and 'pw_current' must be of that size.



 'pw_first' is the initializing password, and is also the "upper-limit" when

	    used in the brute force.



 'pw_current' is the last saved attempt in a brute force and the starting

	      point of a restored brute force. It allows to spread a brute

	      force over multiple computers. 'pw_current' canno't be "before"

	      'pw_first' in regards of the key_space order.



 'pw_last' is the last word to try, it gives the "lower_limit" to 

	   pw_current; pw_last has to be of the size if pwlen



 'key_space' contains the characters to be tried in the brute force attempt.

	     The maximum number of characters to try is 68, each character

	     is different.



 for instance if we're doing a brute force that pwlen=5, pw_first=AAAAA,

 pw_current=<not set>, pw_last=ZZZZZ and key_space is A-Z, the first attempt 

 will be AAAAA, the last possible attempt is ZZZZZ and all possible words of

 5 characters length given the alphabet will be tried.





Pan_NDSBrowse declaration : Pan_NDSBrowse pNDSBrowse; 



This strucuture similar to Pan_PassList, is designed to receive in each cell

a matching (ParentID,TypeID,ObjectID) set to permit rapid value retrieval of

the NDS. In association to the Parent/Type/Object ID's, we store their regular

name (up to 48 chars) if we can match them.

In other words this structure allows us to save the NDS "back bone" for later

rapid classification and search of values. See the "NDS Browse" feature of 

Pandora4 for an illustration.





Pan_Connections declaration : Pan_Connections pConnections;

	      

This strucuture similar to Pan_PassList, is designed to store active connections

information usefull for later hacks. This includes : name / connection number 

/ ipx adress / opened socket and a comment string for other info.





Functions to manipulate the structures and do some stuff usefull everywhere

are :



-----------------------------<Global Functions>-------------------------------

 /* !!!OUTDATED!!! void printUnicodeName(char *name, int j); */

 /* replaced by a function that converts Unicode to regular string */

 void sprintUnicodeName(char *output,char *name, int j);

 

 /* Make unicode from string. requires the trailing bytes of the string to

    be initialized (set to '\0') */

 void MakeUnicodeName(char *string);



 /* Return error meaning for given error value*/

 char *Pan_error(int number);



 /* Endian conversion routines, for shared lib use. These routines are usefull

 in two situations : when sending WORDS over the wire and when dealing with

 little endian/big endian problem.

 */

 uint32 swap_uint32(uint32 n); /* uint32 BIG<->LITTLE Endian */

 uint16 swap_uint16(uint16 n); /* uint16 BIG<->LITTLE Endian */



 /* string to anything and versa */

 uint32 str_to_uint32(uint8 *in); /* string to uint32 */

 uint8 str_to_uint8(char *in); /* string to uint8 */

 void uint32_to_str(uint32 in, uint8 *out); /* uint32 to a string */

 void str_to_hex(const char *in,uint8 *out,int size_string); /* string to hex */



 /* Memory alloc/desalloc routinesfor Pan_PassList chained list */



  /* Usage : Pan_X pX=Pan_X_alloc();

     allocates memory for 1 record; to acces information use for ex.

     (q being a pointer on the last record) q->next=Pan_PassList_alloc();

  */

     Pan_PassList Pan_PassList_alloc(void);

     Pan_NDSBrowse Pan_NDSBrowse_alloc(void);

     Pan_Connections Pan_Connections_alloc(void);



  /* Usage : Pan_X_free(pX);

     free the memory of a record and all records under it 

  */  

     void Pan_PassList_free(Pan_PassList pPassList);

     void Pan_NDSBrowse_free(Pan_NDSBrowse pNDSBrowse);

     void Pan_Connections_free(Pan_Connections pConnections);



  /*Usage : Pan_PassList_to_PassHack(pPassList,&pPassHack); */

  /* fill a PassHack record with current PassList pointed info */

 void Pan_PassList_to_PassHack(Pan_PassList pPassList,Pan_PassHack *pPassHack);



  /*Usage : PassHack_in_Pan_PassList(&pPassHack,pPassList); */

  /* fill current pointed PassList record with PassHack values */

 void PassHack_in_Pan_PassList(Pan_PassHack *pPassHack,Pan_PassList pPassList);



  /*Usage : PassHack_to_PassHack(&pPassHack,&pPassHack); */

  /* fill current pointed PassHack record with PassHack values */

 void PassHack_to_PassHack(Pan_PassHack *aPassHack,Pan_PassHack *bPassHack);

-------------------------------------><---------------------------------------





As an illustration lets comment a simple routine that reads from a "PASSWORD"

file containing the extracted NDS info, that checks for a specific name, and

finally that stores the matching record in a "PASSHACK" structure :



----------------------------------<Ex_1.c>------------------------------------

/*Some function calls uses the Pan_file.h library described below*/



Pan_PassList pPassList,q;

Pan_PassHack pPassHack;



...



 /*read from the PASSWORD file previously build using the NDS files*/

 /*and copy the file into the Pan_PassList chained-list structure*/



 err=Pan_PassList_read("PASSWORD.NDS",&pPassList);

 if (err) {printf("err : %d",err); /*check the return code*/

	   exit(-1);

	  }



 /*check records one after the other until the name is found or the end of*/

 /*the list is reached. We use a temporary pointer so not to screw up our*/

 /*root-list (pPassList) pointer*/



 for (q=pPassList;q!=NULL;q=q->next)

  {FOUND=TRUE;

   for (i=0;i<strlen(account);i++)

    {t=i*2+6; /*takes care of Unicode format. Skips 'C N = ' */

     if (account[i]!=q->userCN[t]) FOUND=FALSE;

    }

   if (FOUND==TRUE) break;

  }



 /*checks for the result : if q==NULL, we've reached the end of the list*/

 /*without finding what we looked for*/



 if (!q)

  {printf("%s not found in password file.\n",account);

   Pan_PassList_free(pPassList);

   exit(1);

  }



 /*From hereon we won't use the pPassList structure anymore, so we free the*/

 /*memory it's using. The record we found is copied in a Pan_PassHack*/

 /*structure*/



 Pan_PassList_to_PassHack(q,&pPassHack);

 Pan_PassList_free(pPassList);



...

-------------------------------------><---------------------------------------





In addition we set a few global parameters used through out the project



-----------------------------<Global Parameters>-------------------------------

/* Type of OS */

#ifdef BIG_ENDIAN

  #define PAN_OS "B"

#else

#ifdef PDP_ENDIAN

  #define PAN_OS "P"

#else

  #define PAN_OS "L"

#endif

#endif



/*

 * Global constants

 */

#define TRUE 1

#define FALSE 0 

#define VERS "Project Pandora v.4"

#define MAX_CHARS 128

#undef  NULL

#define NULL 0



/*

 * Paths and files length depends on the system

 */

#if !defined PAN_UNIX

	#include <sys\stat.h>

	#if defined _MSC_VER || defined __WATCOMC__

		#include <stdlib.h>

		#define MAXPATHLEN	_MAX_PATH

		#define MAXFNAMELEN	_MAX_FNAME

	#else

                #include <dir.h>

                #include <values.h> 

		#ifdef __GO32__

			#define MAXPATHLEN	260

			#define MAXFNAMELEN	64

		#else

			#define MAXPATHLEN	MAXPATH

			#define MAXFNAMELEN	(MAXFILE+MAXEXT)

		#endif

	#endif

	#define EXT		"*.*"

#else

	#include <sys/stat.h>

	#define MAXPATHLEN	128

	#define MAXFNAMELEN	64

	#define EXT		"*"

#endif



#define PAN_ASCII 26

#define PAN_ALPHANUM 36

#define PAN_KEYSPACE 68



#define MAXPASSLEN 128

#define MAXNAMELEN 48

#define MAXNCPREPLYLEN 130

-------------------------------------><---------------------------------------





If you want to develop with the Pandora Toolbox it is essential that you

really master the Pan_glob.h functions and prototypes since the same system

is applied throughout the project. Read the code...



Now that the plot is set, it's about time to see what the shared lib can

really do for us.





__V__ Ripped off ! Pan_file.h



The aim of this library is a twofold : extract info from the NDS files and

save&read from the Pandora files. For the first issue check 'inside.txt'.



The Pandora files are of two types : one is a list of all information 

extracted from the original NDS files (for instance the physical companion 

to Pan_PassList called PASSLIST), and the other represent the "save-state" of 

a current "work" in progress (for instance the physical equivalent to 

Pan_PassHack called PASSHACK).



When extracting information from the NDS files, data are stored in a

List structure, this list can then be saved to disk; with the

exeption of 'Pan_Convert(...)' which converts a BACKUP.DS file into the

original '.NDS' files, no function in the shared lib makes direct disk access

to the Pandora files (except for the R/W functions of those files, of course).





Pan_PassList related functions :



 - Pan_Convert_Auto(...) converts NDS backup files to original NDS files



 - Pan_Extract_Auto(...) extracts all NDS objects of type USER and BINDERY 

			 which *have* a hash in the .NDS/.DSD files                        



 - Pan_GetNDSInfo(...) Store the NDS structure itself

 

 - Pan_GetValueInfo(...) Read a specific value from NDS



 - Pan_PassList_read(...) reads the content of a physical PassList file into a

			  Pan_PassList structure. The structure need Not be

			  initialized (mem alloc) before the call.



 - Pan_PassList_write(...) writes the content of a PassList starting from a

			   given pointer in the list, if the given file name

			   already exists, the file is overwritten.                           





Pan_PassHack related functions :



 - Pan_PassHack_read(...) reads the content of of physical PassHack record

			  into a PassHack structure.



 - Pan_PassHack_write(...) writes the content of a PassHack structure in a

			   given file (if exists, is overwritten)





If you have compiled your program and the libraries with -DBIG_ENDIAN switch

because you have a big endian processor, you can still use and exchange

Pandora files produced on little endian platforms, conversion is taken care

of automatically.



For return codes see Apendix A.



-----------------------------<Files Functions>-------------------------------

/* Read/Write the NDS related information */



 /* path, refers to the path where the file is stored */

 /* file, refers to the file name */

 /* ext,  refers to the file extension */



  /*Usage : err=Pan_Convert_Auto("f:\system\",0)*/

   /* convert Backup.DS */

   /* return an error if a problem occured, NDS files in specified dir */

   /* ext == "ds" -> .DS file (before SP5 on Nw4) */

   /* ext == "dib" -> .DIB file (after SP5 on Nw4 and used on Nw5 */

 #define Pan_Convert_DS(a) Pan_Convert_Auto(a, "backup.ds", NULL)

 #define Pan_Convert_DIB(a) Pan_Convert_Auto(a, "dsrepair.dib", NULL)

 int Pan_Convert_Auto(char *path,char *file, char *ext);



  /*Usage : err=Pan_Extract(&pPassList,"f:\nds\")*/

   /* return an error if a problem occured, NDS files in current dir */

   /* chained records in pPassList,last record if : last->next=NULL */

   /* ext == "NDS" -> convert entry.nds, ... */

   /* ext == "DSD" -> convert 1.dsd, ... */

 #define Pan_Extract(a, b) Pan_Extract_Auto(a, b, "NDS")

 int Pan_Extract_Auto(Pan_PassList *pPassList, char *path, char *ext);



 /* retrieve the NDS "back bone" for specified NDS files */

 int Pan_GetNDSInfo(Pan_NDSBrowse *pNDSBrowse, char *path, char *ext);



 /* read in *out, a value set (see "NDS Browse" code in Pandora4) */

 int Pan_GetValueInfo(uint8 **out, uint32 *out_lengh, uint32 *data_lengh,

                      uint32 search_object, uint32 search_attribute,

                      char *path, char *ext);



  /*Usage : err=Pan_PassList_read("PASSNAME.NDS",&pPassList)*/

   /* return an error if a problem occured */

   /* chained list of records in pPassList */

 int Pan_PassList_read(char *readfile,Pan_PassList *pPassList);



  /*Usage : err=Pan_PassList_write("PASSNAME.NDS",pPassList)*/

   /* return an error if a problem occured */

   /* The last Password record in the list MUST have last->next=NULL */

 int Pan_PassList_write(char *writefile,Pan_PassList pPassList);



  /*Usage : err=Pan_PassHack_read("WHATEVER.EXT",&pPassHack)*/

   /* return an error if a problem occured */

 int Pan_PassHack_read(char *readfile,Pan_PassHack *pPassHack);



  /*Usage : err=Pan_PassHack_write("WHATEVER.EXT",&pPassHack)*/

   /* return an error if a problem occured */

 int Pan_PassHack_write(char *writefile,Pan_PassHack *pPassHack);

-------------------------------------><---------------------------------------





_VI_    The hash and the pendulum. Pan_hash.h



Novell private hash routine was a glorious attempt to build a proprietary

algorithm that was meant to provide all sorts of tricks : a secure way to

store passwords, a secure algorithm to wrap new cyphers with old cyphers when

changing password and a non-trivial yet fast random-like generator (for packet

signature for instance). The algorithm provided all of the above, but yet

wasn't exempt, due to its concept or implementation, of serious weakness

some we try to exploit here. For a more detailed discussion on the core

algorithm see crypto.txt.



Although Novell has introduced RSA in Netware 4.xx as part of the

authentification scheme, many games can still be played using old bindery

calls, and yet the core algorithm for hash generation remains the same.



Six routines are provided here, Three for password hacking and three for hash

generation.



Pan_SBrute_Force(...) will attempt to recover someone's password given his

hash and object ID by testing all possible passwords in a given test range.

Note that due to the hashing algorithm, we do not make use of lower-case

caracters (and this makes me wonder how possibly Novell can advertise the use

both lower-case and upper-case caracters as a security improvement to your

password secrecy, see : http://www.novell.com/products/nds/hacks2.html).

Since we use a fast-hash generator, lengh of password to recover canno't

exeed 16 caracters.



Pan_Dict_Attack(...) this routine also attempts to recover a password given

a user's object ID and hash, by testing the hash against all words of a

determined lengh in a 'dictionary' file. This routine also make use of the

fast-hash generator, thus lengh of password to recover canno't exeed 16

caracters.



Pan_Hash_Gen(...) this routine permit to generate a password hash given the

clear-text password and the user's object ID. The routine accepts passwords

up to the maximum legal lengh : 128 caracters.



Pan_Challenge_Response(...) this routine, given a Login Key and a user's

password, computes the resulting Challenge Response. The password can be

given either plaintext with the user's object ID or pre-processed as the

password hash. This routine is used whenever a password must be transmitted

over the wire to a Netware server.  For details on the Challenge Response

scheme see the Netware Hack FAQ.



Pan_3hash_cipher(...) this routine is used when changing a password : the user

old password hash (16bytes) is cut in two halves (8bytes) and each halves is

processed in a mathematical function such as :

 Func(old-pass-half1,new-pass-half1)=cipher-half1;

 Func(old-pass-half2,new-pass-half2)=cipher-half2;

So that when both cipher-halves are transmited, the server can process :

 Reverse-Func(cipher-half1,old-pass-half1)=new-pass-half1;

 Reverse-Func(cipher-half2,old-pass-half2)=new-pass-half2;

It looks like a simple XOR Func could do the trick, but Novell used a complex

algorithm, probably so that nothing could be deducted knowing the cipher and

the new password hash alone.



Pan_Decipher_RemoteNLM(...) this routine by courtesy of TheRuiner, will decipher

instantaneously any encrypted remote.nlm password you provide. See crypt.txt

for details.



They are a few more algorithms used by Netware servers, keep tuned ... hehehee

if we managed to get working what is planned for Pandora5, it will be MAJOR...



For return codes see Apendix A.



------------------------------<Hash Functions>--------------------------------

 /* Password Hacking */



 /* Usage : err=Pan_Brute_Force(&pPassHack,PAN_ASCII,&retpw,"RESTORE.PAN");

 The first argument is the pPassHack structure that MUST contain valid

 values for the following :



  objectID, object ID of user

  0< pwlen <=16, lengh of password to generate (brute force only lengh<=16)

  pw_first, the 'seed' password to start the brute force with



 If pw_last is not set, it is given the value of pw_first thus ensuring

 that we try all possible combination for that given password lengh.



 The second argument allows to 'segment' the brute force by telling how many

 attempts the routine should perform, regardless of pPassHack settings,

 before the brute-force routine returns to the calling program. Once

 returned the brute force can be restored transparently since the last

 attempt is stored in pw_current. This permits to give a status on the brute

 force on a regular basis, and to fine tune how often things should be saved

 to disk for instance.



 The third parameter will contain the real password if found. It is not

 required to initialize it (memory alloc), but it should be freed after use.



 The last parameter is the "limit" in the word-list for the brute force.



 Finally the return value here may be other things than errors : if it

 contains (NULL) password was found, -105 if not found, -106 if time to save

 (parameter two 'maxtry' reached).

 */

 /* Since we added the ability to customize the key_space, we now have a new

    replacement function : Pan_SBrute_Force, see below 

 */

  /* Usage : err=Pan_SBrute_Force(&pPassHack,PAN_ASCII,&retpw,"RESTORE.PAN",NULL);*/

  /* contains NULL if no error, -105 if not found, -106 if time to save */

  /* if _key_space is not specified, then the maxtry is used along with default set */

 #define Pan_Brute_Force(a, b, c, d) strcpy(a->key_space,"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,./<>?;':\"[]{}`~!@#$%^&*()_-+=|"); Pan_SBrute_Force(a, c, d);



 int Pan_SBrute_Force(Pan_PassHack *pPassHack,

                      char **retpw,

                      uint32 limit

                     );



  /*Usage : err=Pan_Dict_Attack(&pPassHack,&retpw,dict);*/

  /*->pwlen:lengh to try,return:password in retpw or error,readfile:dict*/

 int Pan_Dict_Attack(Pan_PassHack *pPassHack,char **retpw,char *readfile);



  /*Usage : err=Pan_Hash_Gen(&pPassHack);*/

  /*->pw_first:password to use,->pwlen:lengh,return ->hash or an error*/

 int Pan_Hash_Gen(Pan_PassHack *pPassHack);



  /*Usage : err=Pan_Challenge_Response(&pPassHack,TRUE,&logkey,&dst)*/

  /*Info must contain ObjectID and pw_first for hash_gen if hash_known=FALSE*/

  /*If hash_known=TRUE info must contain ObjectID and hash*/

 int Pan_Challenge_Response

  (Pan_PassHack *Info,int hash_known,uint8 *logkey, uint8 *dst);





  /*Usage : err=Pan_3hash_cipher(oldcipher,newcipher,newcipher)*/

  /*p1[8] : half of current password hash*/

  /*p2[8] : half of new password hash*/

  /*p3[8] : half-pattern such as H(p1,p2)=p3 and F(p1,p3)=p2, H() is Pan_*/

 int Pan_3hash_cipher(uint8 *oldcrpw,uint8 *newcrpw,uint8 *cipherpw);



  /*Usage : err=Pan_Decipher_RemoteNLM(cipher,decipher)*/

  /*cipher contains the ciphered output of remote NLM encryption*/

  /*decipher will contain result, memory must be allocated beforehand*/

 int Pan_Decipher_RemoteNLM(char *cipher, char *decipher);



-------------------------------------><---------------------------------------





_VII_   Netware, Bravo, do you copy ? Pan_com.h



In Networking Software, there is obviously Network ;-) And many funny tricks

can be build over the wire. The routines presented here gives a crude but

working interface to your progams for the following : sending packet-level

information (allows spoofing), sending NCP requests/replies, connecting to a

Netware server.



At the time this doc is written full IPX send/receive support is in the

process of being implemented. (well ahem.. we'll use linux IPX support from

now one ;-) ).



Pandora4 is the first and last GUI release for the Wintel platforms. Pandora5

will run Linux. One of the reason being the obscure coding and hard licensing

language of Novell 32-bit API. Besides sbiffing and spoofing under windows is

a major pain in the ass. This explains that NCP calls under Pandora4 GUI are 

served by an "NCP server", DOS based, and independant of all vendors API.

For the snifing/spoofing we used M.Viano 32 bits packet driver, see the

packet32 directory in the source code.



The programs code released with Pandora gives unvaluable information, that

was collected from the work of many hackers, on the way to communicate with

a Netware server. Sparse but good documentation on how to perform specific

NCP/NDS requests/replies can be found electronically and in specialised

libraries; And for the sake of it, lets briefly describe what a typical NCP

request looks like in a Ethernet 802.3 frame format :



Description                                   bytes     byte order

-----------------------------------------|------------|------------

>802.3 frame header<                     |            |

					 |            |

 MAC adress of dest. (router/server)     |  0  -> 5   |   Normal

 MAC adress of origin (station)          |  6  -> 11  |   Normal

 Physical lengh of packet (end-14)       |  12 -> 13  |   Reversed

					 |            |

>Internetwork Packet Exchange<           |            |

					 |            |

 Checksum (0xffff=no checksum)           |  14 -> 15  |   ??

 Packet total lengh (=Physical lengh-1)  |  16 -> 17  |   Reversed

 Hop count (nb of routers btw org/serv)  |  18        |   Normal

 Packet type (=0x11 is NCP, 0x17 is NDS) |  19        |   Normal

 Destination IPX net (server net)        |  20 -> 23  |   Normal

 Destination IPX adress (server adress)  |  24 -> 29  |   Normal

 Destination socket (=0x0451 is NCP)     |  30 -> 31  |   Normal

 Originator IPX net                      |  32 -> 35  |   Normal

 Originator IPX adress                   |  36 -> 41  |   Normal

 Originator socket  (=0x40?? usually)    |  42 -> 43  |   Normal

					 |            |

>NCP request/reply header<               |            |

					 |            |

 Request type (=0x2222 req./=0x3333 rep.)|  44 -> 45  |   Normal

 Sequence num (+1 each for req., 0<->255)|  46        |   Normal

 Connection number LOW                   |  47        |   N/A

 Task number (for internal use of org.)  |  48        |   Normal

 Connection number HIGH (0 if conn.<255) |  49        |   N/A

 Function code (=0x68 IPX/=other NCP)    |  50        |   Normal

					 |            |

---------------------Ex. if Function code is NCP 0x17---------------

					 |            |

>NCP data<                               |            |

					 |            |

 Reply fragment requested (0x00 usual.)  |  51        |   Normal

 NCP data length from bytes 53           |  52        |   Normal

 Subfunction code (action to perform)    |  53        |   Normal

 Data (if exists)                        |  54 ->end_1|   Usually

					 |            |    reversed

---------------------Ex. if Function code is NCP 0X68 (NDS)---------

					 |            |

>NCP data<                               |            |

					 |            |

 Request (=0x02 is fragmented req./rep.) |  51        |   Normal

 Fragment handle (=0xffffffff if null)   |  52 -> 55  |   ??

 Max frag. size (=0x02020000 usually)    |  56 -> 59  |   Reversed

 Total data lengh (incl. all frag.)      |  60 -> 63  |   Reversed

 Fragment flag (=0x00000000 if null)     |  64 -> 67  |   ??

 Verb number (action to perform)         |  68 -> 71  |   Reversed

 Reply buffer size (=0x00000000 if null) |  72 -> 75  |   Reversed

 Data (if exists)                        |  76 ->end_1|   Usually

					 |            |    reversed

-------------------------------------------------------------------

					 |            |

>Packet signature<                       |            |

					 |            |

 If signature is level_1 Wild-Pad        |end_1 -> end|

 0xffffffffffffffff is accepted          |end=end_1+7 |

 If signature is level_2 or higher       |  (8 bytes) |

 real signature is base on user hash     |            |





The function you want to use to send packet like this is : Pan_NCP_Spoof(...)

of course, other type than NCP packet can be sent and you're not obliged to

spoof your adress, but the name was kinda cool ;-) This function is only

available if you have installed a packet driver on interrupt 0x60, don't

forget the '-n' switch if you use Novell 802.3 frame format.



If you need to send a regular NCP request/reply, use Pan_NCP_Transmit(...),

examples to use Pan_NCP_Transmit(...) can be found inside the Pandora code,

the "function code" to call is the first parameter, the second parameter is

the data to send (seen above as >NCP data< or >NDS data<). For Win32 sniff and

spoof see packet32 and pandora4-online code.



A function called Pan_NCP_connect(...) is also provided to connect to a

Netware server (although you could do it through the appropriate call with

Pan_NCP_transmit(...)).



Our aim here is not to describe all possible NCP/NDS packets that can be

generated. Just be aware that for NCP, Function code+Subfunction code defines

the request, for NDS, Request+Verb number defines the request. As you have

noticed, NDS requests are encapsulated in NCP headers, this is probably due

to the fact that NCP stuff existed on Netware servers before NDS which was

later used for requests that had to be spread over multiple packets.



Below is a list of well none NCP Function/Subfunction codes, this list is NOT

exhaustive and dosen't include IPX requests. Detailed parameters for most of

these function calls can be found in the NCP interrup list document at :

http://www.tsu.ru/~eugene/netware/archive/index.html



NCP call description                                   Function     Subfunc.

						       (hex)        (hex)

----------------------------------------------------------------------------

ABORT SERVICING QUEUE JOB AND FILE                   | 17         | 84

ABORT SERVICING QUEUE JOB AND FILE OLD               | 17         | 73

ADD AUDIT PROPERTY                                   | 58         | 02

ADD BINDERY OBJECT TO SET                            | 17         | 41

ADD TRUSTEE SET TO NS ENTRY                          | 57         | 0A

ADD TRUSTEE TO DIRECTORY                             | 16         | 0D

AFP ALLOC TEMPORARY DIR HANDLE                       | 23         | 0B

AFP CREATE DIRECTORY                                 | 23         | 01

AFP CREATE FILE                                      | 23         | 02

AFP DELETE                                           | 23         | 03

AFP GET ENTRY ID FROM NAME                           | 23         | 04

AFP GET ENTRY ID FROM NETWARE HANDLE                 | 23         | 06

AFP GET ENTRY ID FROM PATH NAME                      | 23         | 0C

AFP GET FILE INFORMATION                             | 23         | 05

AFP OPEN FILE FORK                                   | 23         | 08

AFP RENAME                                           | 23         | 07

AFP SCAN FILE INFORMATION                            | 23         | 0A

AFP SET FILE INFORMATION                             | 23         | 09

AFP 20 CREATE DIRECTORY                              | 23         | 0D

AFP 20 CREATE FILE                                   | 23         | 0E

AFP 20 GET DOS NAME ENTRY ID                         | 23         | 12

AFP 20 GET FILE                                      | 23         | 0F

AFP 20 GET MACINTOSH INFO ON DELETED FILE            | 23         | 13

AFP 20 SCAN FILE INFORMATION                         | 23         | 11

AFP 20 SET FILE INFORMATION                          | 23         | 10

ALLOCATE PERMANENT DIRECTORY HANDLE                  | 16         | 12

ALLOCATE RESOURCE                                    | 0F         | 00

ALLOCATE SPECIAL TEMPORARY DIRECTORY HANDLE          | 16         | 16

ALLOCATE TEMP NS DIR HANDLE                          | 57         | 0C

ALLOCATE TEMPORARY DIRECTORY HANDLE                  | 16         | 13

ALLOW TASK ACCESS TO FILE                            | 4E         | 00

ATTACH QUEUE SERVER TO QUEUE                         | 17         | 6F

BROADCAST TO CONSOLE                                 | 15         | 09

CHANGE AUDIT LEVEL TWO PASSWORD                      | 58         | 12

CHANGE AUDITOR PASSWORD                              | 58         | 04

CHANGE BINDERY OBJECT PASSWORD                       | 17         | 40

CHANGE BINDERY OBJECT PASSWORD ENCRYPTED             | 17         | 4B

CHANGE BINDERY OBJECT SECURITY                       | 17         | 38

CHANGE CONNECTION STATE                              | 17         | 1D

CHANGE PROPERTY SECURITY                             | 17         | 3B

CHANGE QUEUE JOB ENTRY                               | 17         | 7B

CHANGE QUEUE JOB ENTRY OLD                           | 17         | 6D

CHANGE QUEUE JOB POSITION                            | 17         | 7C

CHANGE QUEUE JOB POSITION OLD                        | 17         | 6E

CHANGE QUEUE JOB PRIORITY                            | 17         | 82

CHANGE TO CLIENT RIGHTS                              | 17         | 85

CHANGE TO CLIENT RIGHTS OLD                          | 17         | 74

CHANGE USER PASSWORD                                 | 17         | 01

CHECK AUDIT ACCESS                                   | 58         | 05

CHECK AUDIT LEVEL TWO ACCESS                         | 58         | 16

CHECK CONSOLE PRIVILEGES                             | 17         | C8

CHECK PIPE STATUS                                    | 15         | 08

CLEAR CONNECTION NUMBER                              | 17         | FE

CLEAR CONNECTION NUMBER OLD                          | 17         | D2

CLEAR FILE                                           | 07         | 00

CLEAR FILE SET                                       | 08         | 00

CLEAR LOGICAL RECORD                                 | 0B         | 00

CLEAR LOGICAL RECORD SET                             | 0E         | 00

CLEAR PHYSICAL RECORD                                | 1E         | 00

CLEAR PHYSICAL RECORD SET                            | 1F         | 00

CLEAR VOLUME RESTRICTIONS                            | 16         | 22

CLOSE AND QUEUE CAPTURE FILE                         | 11         | 01

CLOSE BINDERY                                        | 17         | 44

CLOSE EXTENDED ATTRIBUTE HANDLE                      | 56         | 01

CLOSE FILE AND START JOB QUEUE                       | 17         | 7F

CLOSE FILE AND START JOB QUEUE OLD                   | 17         | 69

CLOSE MESSAGE PIPE                                   | 15         | 07

CLOSE OLD AUDITING FILE                              | 58         | 14

CLOSE SEMAPHORE OLD                                  | 20         | 04

CLOSE SEMAPHORE                                      | 6F         | 04

COMMIT FILE                                          | 3B         | 00

CONVERT PATH TO DIRECTORY ENTRY                      | 17         | F4

CREATE BINDERY OBJECT                                | 17         | 32

CREATE DIRECTORY                                     | 16         | 0A

CREATE NEW FILE                                      | 4D         | 00

CREATE PROPERTY                                      | 17         | 39

CREATE QUEUE                                         | 17         | 64

CREATE QUEUE JOB AND FILE                            | 17         | 79

CREATE QUEUE JOB AND FILE OLD                        | 17         | 68

DEALLOCATE DIRECTORY HANDLE                          | 16         | 14

DEALLOCATE RESOURCE                                  | 10         | 00

DELETE BINDERY OBJECT                                | 17         | 33

DELETE BINDERY OBJECT FROM SET                       | 17         | 42

DELETE DIRECTORY                                     | 16         | 0B

DELETE NS ENTRY                                      | 57         | 08

DELETE OLD AUDITING FILE                             | 58         | 15

DELETE OLD AUDITING FILE 2                           | 58         | 1A

DELETE PROPERTY                                      | 17         | 3A

DELETE TRUSTEE                                       | 16         | 2B

DELETE TRUSTEE FROM DIRECTORY                        | 16         | 0E

DELETE TRUSTEE SET FROM NS ENTRY                     | 57         | 0B

DESTROY QUEUE                                        | 17         | 65

DETACH QUEUE SERVER FROM QUEUE                       | 17         | 70

DISABLE AUDITING ON VOLUME                           | 58         | 07

DISABLE STATION BROADCASTS                           | 15         | 02

DISABLE FILE SERVER LOGIN                            | 17         | CB

DISABLE TRANSACTION TRACKING                         | 17         | CF

DOWN FILE SERVER                                     | 17         | D3

DS CHANGE AUDIT LEVEL TWO PASSWORD                   | 68         | D7

DS CHANGE AUDITOR PASSWORD                           | 68         | CB

DS CHANGE OBJECT AUDITED                             | 68         | DD

DS CHECK AUDIT ACCESS                                | 68         | CC

DS CHECK AUDIT LEVEL TWO ACCESS                      | 68         | DB

DS CHECK OBJECT AUDITED                              | 68         | DC

DS CLOSE FRAGMENT                                    | 68         | 03

DS CLOSE OLD AUDITING FILE                           | 68         | D9

DS DELETE OLD AUDITING FILE                          | 68         | DA

DS DELETE OLD AUDITING FILE 2                        | 68         | E1

DS DISABLE AUDITING ON CONTAINER                     | 68         | CE

DS ENABLE AUDITING ON CONTAINER                      | 68         | CF

DS GET AUDIT FILE LIST                               | 68         | DE

DS GET AUDITING FLAGS                                | 68         | D8

DS GET DS STATISTICS                                 | 68         | 06

DS GET CONTAINER AUDIT STATUS                        | 68         | C8

DS INIT AUDIT FILE READ                              | 68         | DF

DS LOGIN AS CONTAINER AUDITOR                        | 68         | CA

DS LOGOUT AS CONTAINER AUDITOR                       | 68         | D3

DS MONITOR CONNECTION                                | 68         | 05

DS PING FOR NDS NCP                                  | 68         | 01

DS READ AUDIT CONFIG HEADER                          | 68         | D1

DS READ AUDITING FILE                                | 68         | D2

DS READ AUDITING FILE 2                              | 68         | E0

DS READ AUDITING FILES                               | 68         | 15

DS RELOAD                                            | 68         | 08

DS RESET AUDIT HISTORY FILE                          | 68         | D5

DS RESET AUDITING FILE                               | 68         | D4

DS RESET DS COUNTERS                                 | 68         | 07

DS RETURN BINDERY CONTEXT                            | 68         | 04

DS SEND FRAGMENTED REQUEST REPLY                     | 68         | 02

DS SET AUDIT PASSWORD                                | 68         | E5

DS WRITE AUDIT CONFIG HEADER                         | 68         | D6

DUPLICATE EXTENDED ATTRIBUTE                         | 56         | 05

ENABLE AUDITING ON VOLUME                            | 58         | 08

ENABLE STATION BROADCASTS                            | 15         | 03

ENABLE FILE SERVER LOGIN                             | 17         | CC

ENABLE TRANSACTION TRACKING                          | 17         | D0

END OF JOB                                           | 18         | 00 

ENTER LOGIN AREA                                     | 17         | 0A

ENUMERATE EXTENDED ATTRIBUTE                         | 56         | 04

ERASE FILES                                          | 44         | 00

EXAMINE SEMAPHORE OLD                                | 20         | 01

EXAMINE SEMAPHORE                                    | 6F         | 01

FILE CLOSE                                           | 42         | 00

FILE COMMIT                                          | 3D         | 00

FILE COPY                                            | 4A         | 00 

FILE CREATE                                          | 43         | 00

FILE DM REQUEST                                      | 5A         | 96

FILE OPEN                                            | 41         | 00

FILE READ                                            | 48         | 00

FILE RELEASE LOCK                                    | 02         | 00

FILE RENAME                                          | 45         | 00 

FILE SEARCH CONTINUE                                 | 3F         | 00

FILE SEARCH INITIALIZE                               | 3E         | 00 

FILE SET LOCK                                        | 01         | 00

FILE WRITE                                           | 49         | 00

FILL NAME SPACE BUFFER                               | 16         | 2F

FINISH SERVICING QUEUE JOB AND FILE                  | 17         | 83

FINISH SERVICING QUEUE JOB AND FILE OLD              | 17         | 72

GET ACCOUNT STATUS                                   | 17         | 96

GET ACTIVE CONNECTION LIST BY TYPE                   | 7B         | 0E

GET ACTIVE LAN BOARD LIST                            | 7B         | 14

GET ACTIVE PROTOCOL STACKS                           | 7B         | 28

GET AUDIT FILE LIST                                  | 58         | 17

GET AUDITING FLAGS                                   | 58         | 13

GET BIG PACKET NCP MAX PACKET SIZE                   | 61         | 00

GET BINDERY ACCESS LEVEL                             | 17         | 46

GET BINDERY OBJECT ACCESS LEVEL                      | 17         | 48

GET BINDERY OBJECT DISK SPACE LEFT                   | 17         | E6

GET BINDERY OBJECT ID                                | 17         | 35

GET BINDERY OBJECT NAME                              | 17         | 36

GET BROADCAST MESSAGE                                | 15         | 01

GET BROADCAST MESSAGE EX                             | 15         | 0B

GET CACHE INFORMATION                                | 7B         | 01

GET CONNECTION LIST FROM OBJECT                      | 17         | 1F

GET CONNECTION OPEN FILES                            | 17         | EB

GET CONNECTION OPEN FILES OLD                        | 17         | DB

GET CONNECTION SEMAPHORES                            | 17         | F1

GET CONNECTION SEMAPHORES OLD                        | 17         | E1

GET CONNECTION TASK INFORMATION                      | 17         | EA

GET CONNECTION TASK INFORMATION OLD                  | 17         | DA

GET CONNECTION USAGE STATISTICS                      | 17         | E5

GET CONNECTIONS USING A FILE                         | 17         | EC

GET CONNECTIONS USING A FILE OLD                     | 17         | DC

GET CPU INFORMATION                                  | 7B         | 08

GET DIR ENTRY                                        | 16         | 1F

GET DIR INFO                                         | 16         | 2D

GET DIRECTORY BASE                                   | 57         | 16

GET DIRECTORY CACHE INFORMATION                      | 7B         | 0C

GET DIRECTORY PATH                                   | 16         | 01

GET DISK CACHE STATISTICS                            | 17         | D6

GET DISK CHANNEL STATISTICS                          | 17         | D9

GET DISK UTILIZATION                                 | 17         | 0E

GET DM INFO                                          | 5A         | 01

GET DM FILE INFO                                     | 5A         | 81

GET DM STATUS INFO                                   | 5A         | 83

GET DM SUPPORT MODULE INFO                           | 5A         | 84

GET DRIVE MAPPING TABLE                              | 17         | D7

GET EFFECTIVE DIRECTORY RIGHTS                       | 16         | 03

GET EFFECTIVE NS DIRECTORY RIGHTS                    | 57         | 1D

GET EFFECTIVE RIGHTS                                 | 16         | 2A

GET ENCRYPTION KEY                                   | 17         | 17

GET EXTENDED VOLUME INFO                             | 16         | 33

GET FILE BIT MAP                                     | 55         | 00

GET FILE SERVER DATE AND TIME                        | 14         | 00 

GET FILE SERVER DESCRIPTION STRINGS                  | 17         | C9

GET FILE SERVER INFORMATION                          | 17         | 11

GET FILE SERVER INFORMATION EX                       | 7B         | 02

GET FILE SERVER LAN IO STATISTICS                    | 17         | E7

GET FILE SERVER LOGIN STATUS                         | 17         | CD

GET FILE SERVER MISC INFORMATION                     | 17         | E8

GET FILE SIZE                                        | 47         | 00 

GET FILE SYSTEM STATISTICS                           | 17         | D4

GET GARBAGE COLLECTION INFORMATION                   | 7B         | 07

GET GENERAL ROUTER AND SAP INFORMATION               | 7B         | 32

GET INTERNET ADDRESS                                 | 17         | 1A

GET INTERNET ADDRESS OLD                             | 17         | 13

GET IPX SPX INFORMATION                              | 7B         | 06

GET KNOWN NETWORKS INFORMATION                       | 7B         | 35

GET KNOWN SERVERS INFORMATION                        | 7B         | 38

GET LAN COMMON COUNTERS INFORMATION                  | 7B         | 16

GET LAN CONFIG STRINGS                               | 7B         | 18

GET LAN CONFIGURATION INFORMATION                    | 7B         | 15

GET LAN CUSTOM COUNTERS INFORMATION                  | 7B         | 17

GET LAN DRIVER CONFIGURATION INFORMATION             | 17         | E3

GET LOADED MEDIA NUMBER LIST                         | 7B         | 2F

GET LOGICAL RECORD INFORMATION                       | 17         | F0

GET LOGICAL RECORD INFORMATION OLD                   | 17         | E0

GET LOGICAL RECORDS BY CONNECTION                    | 17         | EF

GET LOGICAL RECORDS BY CONNECTION OLD                | 17         | DF

GET LSL INFORMATION                                  | 7B         | 19

GET LSL LOGICAL BOARD STATISTICS                     | 7B         | 1A

GET MEDIA MANAGER OBJECT CHILDREN LIST               | 7B         | 20

GET MEDIA MANAGER OBJECT INFORMATION                 | 7B         | 1E

GET MEDIA MANAGER OBJECT LIST                        | 7B         | 1F

GET MEDIA NAME BY MEDIA NUMBER                       | 7B         | 2E

GET MEMBER SET OF GROUP                              | 17         | 09

GET NAME SPACE ENTRY                                 | 16         | 30

GET NCP EXTENSION INFO                               | 24         | 05

GET NCP EXTENSIONS LIST                              | 24         | 04

GET NETWARE FILE SYSTEMS INFORMATION                 | 7B         | 03

GET NETWORK ROUTER INFORMATION                       | 7B         | 33

GET NETWORK ROUTERS INFORMATION                      | 7B         | 34

GET NETWORK SERIAL NUMBER                            | 17         | 12

GET NLM INFORMATION                                  | 7B         | 0B

GET NLM LOADED LIST                                  | 7B         | 0A

GET NLMS RESOURCE TAG LIST                           | 7B         | 0F

GET NS DIR HANDLE PATH                               | 57         | 15

GET NS ENTRY INFO                                    | 57         | 06

GET NS INFO FORMAT                                   | 57         | 17

GET NS LOADED LIST                                   | 57         | 18

GET NS PATH                                          | 57         | 1C

GET NUMBER NCP EXTENSIONS                            | 24         | 03

GET OBJECT CONNECTION NUMBERS                        | 17         | 1B

GET OBJECT CONNECTION NUMBERS OLD                    | 17         | 15

GET OBJECT DISK RESTRICTIONS                         | 16         | 29

GET OBJECT EFFECTIVE RIGHTS                          | 16         | 32

GET OS VERSION INFORMATION                           | 7B         | 0D

GET PACKET BURST INFORMATION                         | 7B         | 05

GET PATH FROM DIRECTORY BASE                         | 17         | F3

GET PATH FROM DIRECTORY ENTRY                        | 16         | 1A

GET PERSONAL MESSAGE                                 | 15         | 05

GET PHYSICAL DISK STATISTICS                         | 17         | D8

GET PHYSICAL RECORD LOCKS BY CONNECTION AND FILE     | 17         | ED

GET PHYSICAL RECORD LOCKS BY CONNECTION AND FILE OLD | 17         | DD

GET PHYSICAL RECORD LOCKS BY FILE                    | 17         | EE

GET PHYSICAL RECORD LOCKS BY FILE OLD                | 17         | DE

GET PRINTER QUEUE                                    | 11         | 0A

GET PRINTER STATUS                                   | 11         | 06

GET PROTOCOL STACK CONFIGURATION INFORMATION         | 7B         | 29

GET PROTOCOL STACK CUSTOM INFORMATION                | 7B         | 2B

GET PROTOCOL STACK NUMBERS BY LAN BOARD NUMBER       | 7B         | 2D

GET PROTOCOL STACK NUMBERS BY MEDIA NUMBER           | 7B         | 2C

GET PROTOCOL STACK STATISTICS INFORMATION            | 7B         | 2A

GET QUEUE JOB LIST                                   | 17         | 81

GET QUEUE JOB LIST OLD                               | 17         | 6B

GET QUEUE JOB FILE SIZE                              | 17         | 87

GET QUEUE JOB FILE SIZE OLD                          | 17         | 78

GET QUEUE JOBS FROM LIST                             | 17         | 89

GET REFERENCE COUNT FROM DIRECTORY HANDLE            | 5A         | 0B

GET REFERENCE COUNT FROM DIRECTORY NUMBER            | 5A         | 0A

GET RELATIONOF AN OBJECT                             | 17         | 4C

GET SEMAPHORE INFORMATION                            | 17         | F2

GET SEMAPHORE INFORMATION OLD                        | 17         | E2

GET SERVER INFORMATION                               | 7B         | 36

GET SERVER SET CATEGORIES                            | 7B         | 3D

GET SERVER SET COMMANDS INFORMATION                  | 7B         | 3C

GET SERVER SOURCES INFORMATION                       | 7B         | 37

GET SET VOLUME DM STATUS                             | 5A         | 86

GET SPOOL QUEUE ENTRY                                | 11         | 04

GET STATION NUMBER                                   | 13         | 00

GET STATION LOGGED INFORMATION                       | 17         | 1C

GET STATION LOGGED INFORMATION OLD                   | 17         | 16

GET STATION LOGGED INFORMATION EX                    | 17         | 05

GET USER INFORMATION                                 | 7B         | 04

GET UTC TIME                                         | 72         | 01

GET VOLUME AUDIT STATISTICS                          | 58         | 01

GET VOLUME DM STATUS                                 | 5A         | 82

GET VOLUME INFO WITH HANDLE                          | 16         | 15

GET VOLUME INFO WITH NUMBER                          | 12         | 00

GET VOLUME INFORMATION                               | 17         | E9

GET VOLUME INFORMATION BY LEVEL                      | 7B         | 22

GET VOLUME NAME                                      | 16         | 06

GET VOLUME NUMBER                                    | 16         | 05

GET VOLUME SEGMENT LIST                              | 7B         | 21

GET VOLUME SWITCH INFORMATION                        | 7B         | 09

GET VOLUME USAGE                                     | 16         | 2C

INIT AUDIT FILE READ                                 | 58         | 18

INITIALIZE NS SCAN                                   | 57         | 02

IS BINDERY OBJECT IN SET                             | 17         | 43

IS STATION A MANAGER                                 | 17         | 49

IS USER AUDITED                                      | 58         | 09

LOCK FILE SET OLD                                    | 04         | 00

LOCK FILE SET                                        | 6A         | 00 

LOCK LOGICAL RECORD SET OLD                          | 0A         | 00

LOCK LOGICAL RECORD SET                              | 6C         | 00

LOCK PHYSICAL RECORD SET OLD                         | 1B         | 00

LOCK PHYSICAL RECORD SET                             | 6E         | 00

LOG FILE OLD                                         | 03         | 00

LOG FILE                                             | 69         | 00

LOG LOGICAL RECORD OLD                               | 09         | 00

LOG LOGICAL RECORD                                   | 6B         | 00

LOG NETWORK MESSAGE                                  | 17         | 0D

LOG PHYSICAL RECORD OLD                              | 1A         | 00

LOG PHYSICAL RECORD                                  | 6D         | 00

LOGIN AS VOLUME AUDITOR                              | 58         | 03

LOGIN OBJECT                                         | 17         | 14

LOGIN OBJECT ENCRYPTED                               | 17         | 18

LOGIN USER OBJECT                                    | 17         | 00

LOGOUT                                               | 19         | 00 

LOGOUT AS VOLUME AUDITOR                             | 58         | 0D

MAP DIRECTORY NUMBER TO PATH                         | 16         | F3

MAP GROUP NAME TO NUMBER                             | 17         | 07

MAP NUMBER TO GROUP NAME                             | 17         | 08

MAP NUMBER TO USER NAME                              | 17         | 04

MAP USER NAME TO NUMBER                              | 17         | 03

MAP USER TO STATION SET                              | 17         | 02

MODIFY MAXIMUM RIGHTS MASK                           | 16         | 04

MOVE ENTRY                                           | 16         | 2E

MOVE FILE FROM DM                                    | 5A         | 85

MOVE FILE TO DM                                      | 5A         | 80

MOVE QUEUE JOB                                       | 17         | 88

NEGOTIATE BUFFER                                     | 21         | 00

OPEN BINDERY                                         | 17         | 45

OPEN CREATE FILE                                     | 54         | 00

OPEN CREATE NS ENTRY                                 | 57         | 01

OPEN CREATE NS FILE OR DIRECTORY                     | 57         | 1E

OPEN DATA STREAM                                     | 16         | 31

OPEN FILE                                            | 4C         | 00

OPEN MESSAGE PIPE                                    | 15         | 06

OPEN SEMAPHORE OLD                                   | 20         | 00

OPEN SEMAPHORE                                       | 6F         | 00

PACKET BURST CONNECTION REQUEST                      | 65         | 00 

PURGE ALL ERASED FILES                               | 17         | CE

PURGE ERASED FILES                                   | 16         | 10

PURGE NS SALVAGEABLE FILE                            | 57         | 12

PURGE SALVAGEABLE FILE                               | 16         | 1D

READ AUDIT CONFIG HEADER                             | 58         | 0B

READ AUDITING BIT MAP                                | 58         | 0A

READ AUDITING FILE                                   | 58         | 0C

READ AUDITING FILE 2                                 | 58         | 19

READ EXTENDED ATTRIBUTE                              | 56         | 03

READ EXTENDED NS INFO                                | 57         | 1A

READ NS INFO                                         | 57         | 13

READ PROPERTY VALUE                                  | 17         | 3D

READ QUEUE CURRENT STATUS                            | 17         | 7D

READ QUEUE CURRENT STATUS OLD                        | 17         | 66

READ QUEUE JOB ENTRY                                 | 17         | 7A

READ QUEUE JOB ENTRY OLD                             | 17         | 6C

READ QUEUE SERVER CURRENT STATUS                     | 17         | 86

READ QUEUE SERVER CURRENT STATUS OLD                 | 17         | 76

RECOVER NS SALVAGEABLE FILE                          | 57         | 11

RECOVER SALVAGEABLE FILE                             | 16         | 1C

RELEASE A RESOURCE                                   | 17         | FC

RELEASE FILE                                         | 05         | 00

RELEASE FILE SET                                     | 06         | 00

RELEASE LOGICAL RECORD                               | 0C         | 00

RELEASE LOGICAL RECORD SET                           | 0D         | 00

RELEASE PHYSICAL RECORD                              | 1C         | 00

RELEASE PHYSICAL RECORD SET                          | 1D         | 00

REMOVE AUDIT PROPERTY                                | 58         | 06

REMOVE ENTRY FROM SPOOL QUEUE                        | 11         | 05

REMOVE JOB FROM QUEUE                                | 17         | 80

REMOVE JOB FROM QUEUE OLD                            | 17         | 6A

RENAME BINDERY OBJECT                                | 17         | 34

RENAME DIRECTORY                                     | 16         | 0F

RENAME NS ENTRY                                      | 57         | 04

RESET AUDIT HISTORY FILE                             | 58         | 0F

RESET AUDITING FILE                                  | 58         | 0E

RESTART VOLUME AUDITING                              | 58         | 1E

RESTORE DIRECTORY HANDLE                             | 16         | 18

RESTORE ERASED FILE                                  | 16         | 11

RESTORE QUEUE SERVER RIGHTS                          | 17         | 75

SAVE DIRECTORY HANDLE                                | 16         | 17

SCAN BINDERY OBJECT                                  | 17         | 37

SCAN BINDERY OBJECT TRUSTEE PATHS                    | 17         | 47

SCAN DIR ENTRY                                       | 16         | 1E

SCAN DIR RESTRICTIONS                                | 16         | 23

SCAN DIRECTORY FOR TRUSTEES                          | 16         | 0C

SCAN DIRECTORY INFORMATION                           | 16         | 02

SCAN ENTRY FOR TRUSTEES                              | 16         | 26

SCAN FILE INFORMATION                                | 17         | 0F

SCAN FILE PHYSICAL                                   | 16         | 28

SCAN NCP EXTENSIONS                                  | 24         | 00

SCAN NCP EXTENSIONS BY NAME                          | 24         | 02

SCAN NS ENTRY FOR TRUSTEES                           | 57         | 05

SCAN NS ENTRY INFO                                   | 57         | 03

SCAN NS NEXT SET                                     | 57         | 14

SCAN NS SALVAGEABLE FILES                            | 57         | 10

SCAN PROPERTY                                        | 17         | 3C

SCAN SALVAGEABLE FILES                               | 16         | 1B

SCAN VOLUME FOR RESTRICTIONS                         | 16         | 20

SEARCH FILE                                          | 40         | 00

SEND BROADCAST MESSAGE                               | 15         | 00

SEND BROADCAST MESSAGE EX                            | 15         | 0A

SEND CONSOLE BROADCAST                               | 17         | FD

SEND CONSOLE BROADCAST OLD                           | 17         | D1

SEND PERSONAL MESSAGE                                | 15         | 04

SEND REMOTE CONSOLE OPERATION                        | 83         | ??

SERVICE QUEUE JOB AND OPEN FILE OLD                  | 17         | 71

SERVICE QUEUE JOB LIST                               | 17         | 8A

SET AUDIT PASSWORD                                   | 58         | 1F

SET COMP FILE SIZE                                   | 5A         | 0C

SET DIR RESTRICTION                                  | 16         | 24

SET DIRECTORY HANDLE                                 | 16         | 00

SET DIRECTORY INFORMATION                            | 16         | 19

SET ENTRY                                            | 16         | 25

SET EXTENDED FILE ATTRIBUTES                         | 4F         | 00

SET FILE ATTRIBUTES                                  | 46         | 00

SET FILE INFORMATION                                 | 17         | 10

SET FILE SERVER DATE AND TIME                        | 17         | CA

SET FILE TIME AND DATE                               | 4B         | 00

SET NS ENTRY DOS INFO                                | 57         | 07

SET QUEUE CURRENT STATUS                             | 17         | 7E

SET QUEUE CURRENT STATUS OLD                         | 17         | 67

SET QUEUE SERVER CURRENT STATUS                      | 17         | 77

SET SPOOL FLAGS                                      | 11         | 02

SET TEMP NS DIR HANDLE                               | 57         | 09

SET TRUSTEE                                          | 16         | 27

SET VOLUME RESTRICTIONS                              | 16         | 21

SET WATCHDOG DELAY INTERVAL                          | 17         | 1E

SIGNAL SEMAPHORE OLD                                 | 20         | 03

SIGNAL SEMAPHORE                                     | 6F         | 03

SPECIFY CAPTURE FILE                                 | 11         | 09

SPOOL DATA TO A CAPTURE FILE                         | 11         | 00

SPOOL EXISTING FILE                                  | 11         | 03

SUBMIT ACCOUNT CHARGE                                | 17         | 97

SUBMIT ACCOUNT HOLD                                  | 17         | 98

SUBMIT ACCOUNT NOTE                                  | 17         | 99

SYNCHRONIZE SCHEMA                                   | 27         | 00

TTS ABORT TRANSACTION                                | 22         | 03

TTS BEGIN TRANSACTION                                | 22         | 01

TTS END TRANSACTION                                  | 22         | 02

TTS GET APPLICATION THRESHOLDS                       | 22         | 05

TTS GET CONTROL FLAGS                                | 22         | 09

TTS GET STATISTICS                                   | 17         | D5

TTS GET WORKSTATION THRESHOLDS                       | 22         | 07

TTS IS AVAILABLE                                     | 22         | 00

TTS SET APPLICATION THRESHOLDS                       | 22         | 06

TTS SET CONTROL FLAGS                                | 22         | 0A

TTS SET WORKSTATION THRESHOLDS                       | 22         | 08

TTS TRANSACTION STATUS                               | 22         | 04

VERIFY BINDERY OBJECT PASSWORD                       | 17         | 3F

VERIFY BINDERY OBJECT PASSWORD ENCRYPTED             | 17         | 4A

VERIFY NETWORK SERIAL NUMBER                         | 17         | 0C

WAIT ON SEMAPHORE OLD                                | 20         | 02

WAIT ON SEMAPHORE                                    | 6F         | 02

WRITE AUDIT CONFIG HEADER                            | 58         | 11

WRITE AUDITING BIT MAP                               | 58         | 10

WRITE EXTENDED ATTRIBUTE                             | 56         | 02

WRITE EXTENDED NS INFO                               | 57         | 1B

WRITE NS INFO                                        | 57         | 19

WRITE PROPERTY VALUE                                 | 17         | 3E



Again, our aim here is NOT to recode Client32, however a (very little)

library of usefull NCP calls can be found under the "online" directory, look

for the file "panrcp.h"; besides the ncpfs project for Linux already provides 

a GNU port of Netware Client.



This listing wouldn't be complete without the return code list of Netware

severs. This list was ripped off the "Netware C library" manual by Adrian

Cunnelly (adrian@amcsoft.demon.co.uk), whose "Netware C library" shareware

version is available on the SimTel site, check for netclb35.zip. 



All error codes listed below, are generated by the Pan_error function in

Pan_Glog.h



ͻ

Hex Meaning                           Hex Meaning                        

͹

00h Action Successful                 9Ah Renaming Across Volumes        

    Server Not In Use                 9Bh Bad Directory Handle           

    TTS Not Available                 9Ch Invalid Path                   

01h Server In Use                         No more Trustees               

    Semaphore Overflow                9Dh No More Directory Handles      

    TTS Available                     9Eh Invalid Filename               

02h DOS File Not Found                9Fh Directory Active               

03h DOS Path Not Found                A0h Directory Not Empty            

04h DOS Too Many Open Files           A1h Directory IO Error             

05h DOS Access Denied                 A2h Read File With Record Locked   

06h DOS Invalid File Handle           BBh No Netware shell loaded        

07h DOS Memory Blocks Destroyed       C0h No Account Privileges          

08h DOS Insufficient Memory           C1h Login Denied -                 

09h DOS Invalid Memory Block Address      No Account Balance             

0Ah DOS Invalid Environment           C2h Account Credit limit Exceeded  

0Bh DOS Invalid Format                    Login Denied - No credit       

0Ch DOS Invalid Access Code           C3h Account - Too many Holds       

0Dh DOS Invalid Data                  C5h Intruder Detection Lock        

0Fh DOS Invalid Drive Specified       C6h Not Console Operator           

10h DOS Attempt To Delete Current Dir D0h Queue Error                    

11h DOS Not Same Device               D1h No Queue                       

12h DOS No More Files                 D2h No Queue Server                

20h DOS Sharing Violation             D3h No Queue Rights                

21h DOS Lock Violation                D4h Queue Full                     

80h File In User Error                D5h No Queue Job                   

81h No More File Handles              D6h No Job Rights                  

82h No Open Privileges                D7h Password Not Unique            

83h IO Error Network Disk                 Queue Servicing                

84h No Create Privileges              D8h Password Too Short             

85h No Delete Privileges                  Queue Not Active               

86h Create File Exists Read Only      D9h Login Denied - No connection   

87h Wild Cards in Create File Name        Station Not Server             

88h Invalid File Handle               DAh Unauthorized login time -      

89h No Search Privileges                  Queue Halted                   

8Ah No Delete Privileges              DBh Unauthorized login station -   

8Bh No Rename Privileges                  Max Queue Servers              

8Ch No Modify Privileges              DCh Account Disabled               

8Dh Some Files Affected In Use        DEh Password has expired - No Grace

8Eh No Files Affected In Use          DFh Password has expired           

8Fh Some Files Affected Read Only     E8h Not Item Property -            

90h No Files Affected Read Only           Write Property to Group        

91h Some Files Renamed - Name Exists  E9h Member Already Exists          

92h No Files Renamed - Name Exists    EAh No Such Member                 

93h No Read Privileges                EBh Not Group Property             

94h No Write Privileges or Read Only  ECh No Such Segment                

95h File Detached                     EDh Property Already Exists        

96h Server Out Of Memory              EEh Object Already Exists          

    Out Of Dynamic Workspace          EFh Invalid Name                   

97h No Disk Space for Spool File      F0h Wild Card Not Allowed          

98h Volume Does Not Exist             F1h Invalid Bindery Security       

99h Directory Full                    F2h No Object Read Privilege       

ͼ



ͻ

Hex Meaning                           Hex Meaning                        

͹

F3h No Object Rename Privilege        FFh Bad Printer Error              

F4h No Object Delete Privilege            Bad Record Offset              

F5h No Object Create Privilege            Close FCB Error                

F6h No Property Delete Privilege          File Extension Error           

    Not Same Local Drive                  File Name Error                

F7h No Property Create Privilege          Hardware Failure               

    Target Drive Not Local                Invalid Drive Number           

F8h Already Attached To Server            Invalid Initial Semaphore Value

    No Property Write Privilege           Invalid Semaphore Handle       

    Not Attached To Server                IO Bound Error                 

F9h No Free Connection Slots              No Files Found Error           

    No Property Read Privilege            No Response From Server        

FAh No More Server Slots                  No Such Object                 

    Temporary Remap Error                 Bad Password                   

FBh Invalid Parameters                    Path Not Locatable             

    No Such Property                      Queue Full Error               

    Unknown Request                       Request Not Outstanding        

FCh Unknown File Server                   Transaction Not Yet Written    

    Message Queue Full                    No More Matching Files         

    No Such Object                        Bindery Failure                

FDh Bad Station Number                    Explicit Transaction Active    

    Unknown Request                       No Explicit Transaction Active 

    Field Already Locked                  No Record Found                

    TTS Disabled                          Output Buffer Full             

FEh Bindery Locked                                                       

    Directory Locked                                                     

    Invalid Semaphore Name Length                                        

    Server Bindery Locked                                                

    Spool Directory Error                                                

    Supervisor has disabled login                                        

    Timeout Failure                                                      

    Transaction ends Record Lock                                         

    Implicit Transaction Active                                          

ͼ





And we're only talking 'Offical NCP calls' here, so just imagine if you add

undocumented stuff and NDS/IPX specific calls... Anyway, here are the

communication API :



-------------------------<Communication Functions>----------------------------

 /* Connect and Transmit NCP requests */



 /* Usage : ret=Pan_NCP_connect(server);

 'server' is the file server number ?? setting server to 0 connects you

 to the default server. The value returned if negative is a Pandora API

 error, otherwise it's the ax value see table above.

 */



 int Pan_NCP_connect(int socket);



 /* Usage : ret=Pan_NCP_transmit(function,request,r_lengh,answer,a_lengh);

 Use this to transmit an NCP packet via Novell Driver, parameters :



 - func is the NCP Function code (subfunc. is located in request data);

 - req is a pointer on a bloc of bytes (uint8) containing the request data

   (subfunc., ...);

 - rlengh is the lengh of the request data pointed by req;

 - ans is a pointer on an initialized bloc of bytes (uint8) which will

   contain the answer from the server to the request (if any);

 - alengh is the lengh of the expected returned data.



 The value returned if negative is a Pandora API error, otherwise it's the

 ax register value see NCP error table.

 */



 int Pan_NCP_transmit(int func,uint8 *req,int rlengh,uint8 *ans,int alengh);



 /* Usage : ret=Pan_NCP_spoof(packet,lengh);

 This function requires a packet driver on interrupt 0x60, and permits to

 send fully customized packets (Network and Transport layer). Parameters :



 - packet is a pointer on a bloc of bytes (uint8) containing the data to send;

 - packlengh if the Total Physical Lengh of packet (Network and Transport);



 This code is experimental : it works but will be replaced by something more

 elaborate and more "compatible" ...

 */



 int Pan_NCP_spoof(uint8 *packet,int packlengh);

-------------------------------------><---------------------------------------





_A_     Appendix A : error codes



Return code   Description

------------------------------------------------------------------------------

--------------------------<Server Return Codes>-------------------------------

 1         | Server In Use,Semaphore Overflow,TTS Available

 2         | DOS File Not Found

 3         | DOS Path Not Found

 4         | DOS Too Many Open Files

 5         | DOS Access Denied

 6         | DOS Invalid File Handle

 7         | DOS Memory Blocks Destroyed

 8         | DOS Insufficient Memory

 9         | DOS Invalid Memory Block Address

 10        | DOS Invalid Environment

 11        | DOS Invalid Format

 13        | DOS Invalid Access Code

 14        | DOS Invalid Data

 15        | DOS Invalid Drive Specified

 16        | DOS Attempt To Delete Current Dir

 17        | DOS Not Same Device

 18        | DOS No More Files

 32        | DOS Sharing Violation

 33        | DOS Lock Violation

 128       | File In User Error

 129       | No More File Handles

 130       | No Open Privileges

 131       | IO Error Network Disk

 132       | No Create Privileges

 133       | No Delete Privileges

 134       | Create File Exists Read Only

 135       | Wild Cards in Create File Name

 136       | Invalid File Handle

 137       | No Search Privileges

 138       | No Delete Privileges

 139       | No Rename Privileges

 140       | No Modify Privileges

 141       | Some Files Affected In Use

 142       | No Files Affected In Use

 143       | Some Files Affected Read Only

 144       | No Files Affected Read Only

 145       | Some Files Renamed - Name Exists

 146       | No Files Renamed - Name Exists

 147       | No Read Privileges

 148       | No Write Privileges or Read Only

 149       | File Detached

 150       | Server Out Of Memory,Out Of Dynamic Workspace

 151       | No Disk Space for Spool File

 152       | Volume Does Not Exist

 153       | Directory Full

 154       | Renaming Across Volumes

 155       | Bad Directory Handle

 156       | Invalid Path,No more Trustees

 157       | No More Directory Handles

 158       | Invalid Filename

 159       | Directory Active

 160       | Directory Not Empty

 161       | Directory IO Error

 162       | Read File With Record Locked

 163       | No Netware shell loaded

 192       | No Account Privileges

 193       | Login Denied,No Account Balance

 194       | Account Credit limit Exceeded,Login Denied,No credit

 195       | Account,Too many Holds

 197       | Intruder Detection, Account is Locked

 198       | Not Console Operator

 208       | Queue Error

 209       | No Queue

 210       | No Queue Server

 211       | No Queue Rights

 212       | Queue Full

 213       | No Queue Job

 214       | No Job Rights

 215       | Password Not Unique,Queue Servicing

 216       | Password Too Short,Queue Not Active

 217       | Login Denied,No connection,Station Not Server

 218       | Unauthorized login time,Queue Halted

 219       | Unauthorized login station,Max Queue Servers

 220       | Account Disabled

 222       | Password has expired - No Grace

 223       | Password has expired

 232       | Not Item Property,Write Property to Group

 233       | Member Already Exists

 234       | No Such Member

 235       | Not Group Property

 236       | No Such Segment

 237       | Property Already Exists

 238       | Object Already Exists

 239       | Invalid Name

 240       | Wild Card Not Allowed

 241       | Invalid Bindery Security

 242       | No Object Read Privilege

 243       | No Object Rename Privilege

 244       | No Object Delete Privilege

 245       | No Object Create Privilege

 246       | No Property Delete Privilege,Not Same Local Drive

 247       | No Property Create Privilege,Target Drive Not Local

 248       | Already or Not Attached To Server,No Property Write Privilege

 249       | No Free Connection Slots,No Property Read Privilege

 250       | No More Server Slots,Temporary Remap Error

 251       | Invalid Parameters,No Such Property,Unknown Request

 252       | Unknown File Server,Message Queue Full,No Such Object

 253       | Bad Station Number,Unknown Request,Field Already Locked,TTS Disabled

 254       | Bind/NDS Locked/Err,Bad Sem Name Len,Login disable,Timeout,Trans err

 255       | Bad Printer/Offset/FCB/Name/Ext/Hrdwre/Drive/Sem/File/Passwd/Req/IO

-------------------------<Pandora specific error codes>-----------------------

 (NULL)	   | Ok

 -1        | unknown error

 -100      | Password lengh exeed maximum (16 chars for Brute_Force & Dict (128 chars for Hash_Gen))

 -101      | pw_first/pw_last mismatch

 -102      | pw_current/pw_last mismatch

 -103      | pw_first contains unauthorized chars OR pw_first/pwlen mismatch

 -104      | pw_current contains unauthorized chs OR pw_curr./pwlen mismatch

 -105      | Password not found with given words

 -106      | Maximum tries reached

 -107      | Hash is unknown

 -108      | Invalid hash

 -110      | Password is NULL

 -199      | File MUST be named, BACKUP.DS or BACKUP.NDS or DSREPAIR.DIB

 -200      | Error opening .NDS/.DS/.DIB files

 -201      | Out of memory

 -202      | Out of DOS memory

 -203      | NDS needs repair, cross reference encountered

 -204      | Value not found for this object/attribute pair

 -205      | Attribute not defined

 -206      | Unable to open Adapter

 -300      | Error opening file (Pandora/.NDS)

 -301      | File read/write failure OR invalid file"}





_B_     Appendix B : physical file structures



For an explanation of the .NDS file structure see Inside.txt.



The two following structures are the physical equivalent to Pan_PassHack

(<-> PASSHACK) and Pan_PassList (<-> PASSLIST). We decided the use of uint8[]

blocs, this permits to write all numbers in the form of ASCII strings, thus

bypassing any Endian problem and platform dependant data representation.

Also note that all fields are multiples of 4 in bytes lengh, this is done for

the same reasons. It's ugly but effective, yet we're open to suggestions...



----------------------------<Physical Structures>-----------------------------

typedef struct passlist

{

 uint8 bind[8];         /* Type of bindery object, see end of file */

 uint8 id[8];           /* Object ID from ENTRY */

 uint8 parentID[8];     /* Parent ID */

 uint8 objectID[8];     /* Object ID from Private Key */

 uint8 pwlen_known[8];  /* TRUE or FALSE */

 uint8 pwlen[8];        /* Password length of user account */

 uint8 pwhash_known[8]; /* TRUE or FALSE */

 uint8  hash[16];       /* One-way hash */

 uint8  userOU[40];     /* OU of User */

 uint8  userCN[258];    /* User common name */

 uint8  password[258];  /* User password */

} PASSLIST; /* size=628 */



typedef struct passhack

{

 uint8 bind[8];         /* Type of bindery object, see end of file */

 uint8 id[8];           /* Object ID from ENTRY */

 uint8 parentID[8];     /* Parent ID */

 uint8 objectID[8];     /* Object ID from Private Key */

 uint8 pwlen[8];        /* Password length currently tested */

 uint8  pw_first[128];  /* Passwd used to initialize the hack */

 uint8  pw_current[128];/* Last attempt saved */

 uint8  pw_last[128];   /* Last attempt to perform */

 uint8  key_space[PAN_KEYSPACE+1]; /* Key space used for brute force */

 uint8  hash[16];       /* One-way hash if set to 0 => unknown */

 uint8  userOU[40];     /* OU of User */

 uint8  userCN[258];    /* User common name */

} PASSHACK; /* size=807 */



-------------------------------------><---------------------------------------





A final word. You are very welcome and encouraged to contribute to the

project; Moreover, since this is GNU licensed, it is courteous ( if not

required ;-) ) to notify us with any changes you make to or tools you build

with the Pandora API; AND THESE TOOLS MUST REMAIN FREE WITH SOURCE CODE 

ACCESSIBLE.



Happy Coding !



			 (c) Nomad Mobile Research Center

				   www.nmrc.org



