Pandora Toolbox API (c) Nomad Mobile Research Center www.nmrc.org _I_ What is all this about ? _II_ Credits _III_ Pandora API architecture _IV_ The mother of all : Pan_glob.h _V_ Ripped off ! Pan_file.h _VI_ The hash and the pendulum. Pan_hash.h _VII_ Netware, Bravo, do you copy ? Pan_com.h _A_ Appendix A : error codes _B_ Appendix B : physical file structures _I_ What is all this about ? Project Pandora was developped by o O O Simple Nomad O O o at the NMRC to hack Novell premier product : Netware NDS. The project initially permitted dictionary attacks and brute force attacks on password's hash extracted from the NDS. Then more attacks were added, involving Netware Core Protocol, and it became clear that an API was needed to reduce the redundancy in the code, facilitate algorithm emprovments, expand the project and permit others to share the fun... _II_ Credits This API was made possible thanks to the work of many, that was carefuly gathered and assembled here. Therefore the NMRC team, Imnsho - Jitsu-Disk - Knobster - Simple Nomad - Up-uat, wishes to thanks the following people for their (sometime unconscious) contributions... o O O Special Thanks O O o DJ Delorie [www.delorie.com] [GNU C DOS Compiler] Vincenzo Morello [volftp.tin.it/italiani/MORELLO/index_e.htm] [MGUI GUI lib] Rainer Schnitker [www.mathematik.uni-bielefeld.de/~rainer/] [RSX Win32 C] o O O Eleete O O o Greg Miller Itsme o O O Ideas & Support O O o Al Grant Denis. L gOObER Richard. P Rx2 Thomas Lackner Netware Hack Mailing List o O O Cryptography O O o TheRuiner o O O NCP Insight O O o Adrian Cunnelly Eugene Ilchenko & Igor Gusev Fauzan Mirza Sven B. Schreiber o O O Linux Novell GNU Client O O o Volker Lendecke o O O Low level IPX/DOS coding O O o John R. McCawley III Cap'n Hardgeus Hotwarez LLC o O O Packet Driver For NT/95 O O o The L0Pht Weld Pond Mudge Piero Viano o O O C00lness O O o Tan Gary Hein Gabe Nault _III_ Pandora API architecture The Pandora API is fully written in C code using the free GNU compiler. It supports big and little endian platforms, and requires DJGPP free GNU C to compile under DOS/WIN/OS2 environment (available at www.delorie.com). Since Pandora rel 4, the API is now thread safe and succesfully compiles under most Unices, you only need to define PAN_UNIX in your makefile CFlags. It is build as a set of shared libraries, each of them specialized in a certain type of attack. As of Pandora v4 release the libraries are : Pan_file.h : for manipulation of the NDS files and password hash extraction Pan_hash.h : to play all sort of crypto games with the hash (and others) Pan_com.h : used to communicate on the network using NCP/IPX/Packet transport for DOS only. Sniffing/Spoofing capabilities are built-in the GUI code, see PAN_GUI doc for details. In addition there is a common library which defines common types and routines to all shared libraries : Pan_glob.h Pan_file.h, Pan_hash.h and Pan_com.h are the headers you want to include in your programs if you need to manipulate NDS/decipher/communicate with netware. These files are only declaration headers, the source code is located in subdirectories affiliated to them : main-dir header file sub-dir source files -------- ----------- ------- ------------ | Pan_file.h |---> p_file |-----> file_lib.c (Pandora interface) | file_med.h (file manipul. code) | file_low.h (NDS files struct) | | Pan_hash.h |---> p_hash |-----> hash_lib.c (Pandora interface) | hash_med.h (crypto routines) | hash_low.h (crypto algo) pandora | | Pan_com.h |---> p_com |-----> com_lib.c (Pandora interafce) | com_med.h (TODO:IPX struct) | low | com_dos.h (com for DOS only) | level| com_lin.h (TODO:com for LINUX) | | Pan_glob.h |---> p_glob |-----> pandora.c (Pandora structures) | globals.c (endian & unicode) We separated in each library the code of the API functions themselves (Pandora interafce) from the routines those API rely upon (_med and _low). The separation of what is considered a "low" level code and "medium" level code is arbitrary. If this looks a bit tortuous, a glance at a typical makefile might help ;-) -------------------------------------------------------------------- # this makefile illustrate the use of all libraries in one prog. # the prog is supposed to be in a directory under which we find the # "pandora" directory and all its subordinates. CC = gcc # your favorite compiler CFLAGS = -O3 -funroll-all-loops -fforce-mem # Optimization options # following declarations will cause the compiler to build the libraries # if not already compiled PAN_GLOB = pandora\\p_glob\\pandora.o pandora\\p_glob\\globals.o PAN_HASH = pandora\\p_hash\\hash_lib.o PAN_FILE = pandora\\p_file\\file_lib.o PAN_COM = pandora\\p_com\\com_lib.o # invoking 'make' or 'make myprog' will build nwhack myprog: nwhack all: nwhack # compil macro .c.o: $(CC) $(CFLAGS) $(DEFINES) -c $< -o $@ # your stuff that requires all libraries nwhack: nwhack.o $(PAN_FILE) $(PAN_HASH) $(PAN_COM) $(PAN_GLOB) nwhack.o: nwhack.c #sample : # #myprog: myprog.o [$(__PAN__HEADER_I_USED__) ...] $(PAN_GLOB) # myprog.o: myprog.c # # this makefile is found in the directory: mydirectory # project pandora files are found under mydirectory\pandora # linking $(PAN_GLOB) is always required since used by all shared lib -------------------------------------><--------------------------------------- The start of nwhack.c source as you may expect ... -------------------------------------------------------------------- #include "pandora\pan_file.h" #include "pandora\pan_hash.h" #include "pandora\pan_com.h" /* include "pandora\pan_glob.h" not required since already included by above shared libraries */ ... ------------------------------------><---------------------------------------- Also note that a special care was taken to wrap all C headers so you could include them in C++ progs (if you dare ;-) ). O.K now you have a pretty good idea on how to build your prog with Pandora facility, so lets get into real trouble and see what exactly you can do with it... First off we need to talk about Pan_glob.h . _IV_ The mother of all : Pan_glob.h Initially project Pandora was designed to extract users info and password hash from Novell's NDS files and permit password recovery through brute force or dictionary attack (see inside.txt). The ripped info from NDS being saved in a file called PASSWORD.NDS, and the "save state" of a brute force attempt in RESTORE.PAN; thus permitting via manipulation (manipul8) to spread the attack over multiple computers. The API offers two memory structure that duplicates the contents of these files, in order to avoid the boredom of dealing with the physical access in each program. Also those structures permit to pass info to and from the functions of the API. Some variables have been added in comparison to v3, so to take care (hopefully) of new and future needs. This is a very sensitive part of the API since all modification renders Pandora files incompatible between two versions (not ment to be a database) but you could write a prog to convert the files between the various versions if you really need to. Since v4 their are also two new structures different than the one that deals with passwords hash : one to store "atomic values" from NDS, one to store live connections informations ripped from the servers. ----------------------------------------------------------- typedef unsigned char uint8; /* one byte */ typedef unsigned short uint16; /* one 16bit word */ typedef unsigned long uint32; /* one 32bit word */ typedef unsigned int unicode; /* depends on system may be 16 or 32 bit */ typedef struct pan_passlist { uint32 bind; /* Bindery type of object */ uint32 id; /* Object ID from ENTRY */ uint32 parentID; /* Parent ID */ uint32 objectID; /* Object ID from Private Key */ uint32 pwlen_known; /* TRUE or FALSE */ uint32 pwlen; /* Password length of user account */ uint32 pwhash_known; /* TRUE or FALSE */ uint8 hash[16]; /* One-way hash */ uint8 userOU[40]; /* OU of User */ uint8 userCN[258]; /* User common name */ uint8 password[258]; /* User password */ struct pan_passlist *next; } *Pan_PassList; typedef struct pan_passhack { uint32 bind; /* Bindery type of object */ uint32 id; /* Object ID from ENTRY */ uint32 parentID; /* Parent ID */ uint32 objectID; /* Object ID from Private Key */ uint32 pwlen; /* Password length currently tested */ uint8 pw_first[128]; /* Passwd used to initialize the hack */ uint8 pw_current[128]; /* Last attempt saved */ uint8 pw_last[128]; /* Last attempt to perform */ uint8 key_space[PAN_KEYSPACE+1]; /* Key space used for brute force */ uint8 hash[16]; /* One-way hash if set to 0 => unknown */ uint8 userOU[40]; /* OU of User */ uint8 userCN[258]; /* User common name */ } Pan_PassHack; typedef struct pan_ndsbrowse { uint32 objectID; /* Object ID */ uint32 parentID; /* Parent ID */ uint32 typeID; /* Attribute ID */ uint8 parentStr[128]; /* Parent String NOT UNICODE */ uint8 objectStr[128]; /* Object String NOT UNICODE */ uint8 typeStr[128]; /* Object String NOT UNICODE */ struct pan_ndsbrowse *next; } *Pan_NDSBrowse; /* WTF didn't we kept Unicode shit here since we kept it everywhere else ?? Just because this memory structure is not meant (or never should :-) ) to be dumped to the disk */ typedef struct pan_connections { char name[MAXNAMELEN+1]; /* connection name */ int conn_type; /* server, user, other */ uint8 conn_number; /* connection number */ uint8 ipx_net[4]; /* IPX network */ uint8 ipx_addr[6]; /* IPX adress */ uint8 sock_high; /* socket high */ uint8 sock_low; /* socket low */ char details[512]; /* comment string to store connection details */ struct pan_connections *next; } *Pan_Connections; ------------------------------------><---------------------------------------- Pan_PassList declaration : Pan_PassList pPassList; All variables are pretty self explainatory, just for the record : 'bind' contains the bindery type of the object (if exist) and is stored in big endian format since we exclusively use it when communicating with a server which requires that format. Here are listed some common bindery types, not all types holds a password though : Description Value 'bind' value ---------------------------------------------------------- Unknown 0 0x0000 User 1 0x0100 User Group (container) 2 0x0200 Print Queue 3 0x0300 File Server 4 0x0400 Job Server 5 0x0500 Gateway 6 0x0600 Print Server 7 0x0700 Archive Queue 8 0x0800 Archive Server 9 0x0900 Job Queue 10 0x0a00 Administration 11 0x0b00 Remote Bridge Server 38 0x2600 Advertising Print Server 71 0x4700 Btrieve Server 75 0x4B00 RSPCX Server (Rconsole) 263 0x0701 HP Jet-Printer 780 0x0C03 Cheyenne ArcServe 1100 0x4c04 Reserved up to 32768 0x0080 Wild -1 0xffff Hence the following "defines" are set in pan_glob.h : #define PAN_TYPE_SERVER 0x0400 #define PAN_TYPE_USER 0X0100 #define PAN_TYPE_OTHER 0XFFFF 'pwlen_known' is set to YES when the lengh of the real password is known. 'pwhash_known' is set to YES when we know the real hash of a user. Also you've probably noticed that pPassList is a chained list and therefore requires memory allocation, and memory release when done, see Global Functions for this. Adding a new element or searching a new element in the list is very simple, for illustration check the code in manipul8.c . Here's a simple sketch that represents how PASSLIST records are stored in memory : Pan_PassList pPassList; * * --------------------------------------------------------------------- | | | | | pPassList | | | |bind | | |______>|id |bind | | |parentID |id | | | |objectID |parentID | | | |... |objectID | | | |next------->|... | | | |next------->...| | | |next------->(NULL) | |_____________________________________________________________________| Pan_PassHack declaration : Pan_PassHack pPassHack; This is a regular structure, it is use for brute force and for passing info from function to function, depending on the function you're calling not all fields are required. Check Global Functions for passing info from a pointer on pPassList to a pPassHack structure. The pw* variables are worhty a word of explaination : 'pwlen' contains the current testing size of for the password may it be the real one or not, 'pw_first' and 'pw_current' must be of that size. 'pw_first' is the initializing password, and is also the "upper-limit" when used in the brute force. 'pw_current' is the last saved attempt in a brute force and the starting point of a restored brute force. It allows to spread a brute force over multiple computers. 'pw_current' canno't be "before" 'pw_first' in regards of the key_space order. 'pw_last' is the last word to try, it gives the "lower_limit" to pw_current; pw_last has to be of the size if pwlen 'key_space' contains the characters to be tried in the brute force attempt. The maximum number of characters to try is 68, each character is different. for instance if we're doing a brute force that pwlen=5, pw_first=AAAAA, pw_current=, pw_last=ZZZZZ and key_space is A-Z, the first attempt will be AAAAA, the last possible attempt is ZZZZZ and all possible words of 5 characters length given the alphabet will be tried. Pan_NDSBrowse declaration : Pan_NDSBrowse pNDSBrowse; This strucuture similar to Pan_PassList, is designed to receive in each cell a matching (ParentID,TypeID,ObjectID) set to permit rapid value retrieval of the NDS. In association to the Parent/Type/Object ID's, we store their regular name (up to 48 chars) if we can match them. In other words this structure allows us to save the NDS "back bone" for later rapid classification and search of values. See the "NDS Browse" feature of Pandora4 for an illustration. Pan_Connections declaration : Pan_Connections pConnections; This strucuture similar to Pan_PassList, is designed to store active connections information usefull for later hacks. This includes : name / connection number / ipx adress / opened socket and a comment string for other info. Functions to manipulate the structures and do some stuff usefull everywhere are : ------------------------------------------------------------ /* !!!OUTDATED!!! void printUnicodeName(char *name, int j); */ /* replaced by a function that converts Unicode to regular string */ void sprintUnicodeName(char *output,char *name, int j); /* Make unicode from string. requires the trailing bytes of the string to be initialized (set to '\0') */ void MakeUnicodeName(char *string); /* Return error meaning for given error value*/ char *Pan_error(int number); /* Endian conversion routines, for shared lib use. These routines are usefull in two situations : when sending WORDS over the wire and when dealing with little endian/big endian problem. */ uint32 swap_uint32(uint32 n); /* uint32 BIG<->LITTLE Endian */ uint16 swap_uint16(uint16 n); /* uint16 BIG<->LITTLE Endian */ /* string to anything and versa */ uint32 str_to_uint32(uint8 *in); /* string to uint32 */ uint8 str_to_uint8(char *in); /* string to uint8 */ void uint32_to_str(uint32 in, uint8 *out); /* uint32 to a string */ void str_to_hex(const char *in,uint8 *out,int size_string); /* string to hex */ /* Memory alloc/desalloc routinesfor Pan_PassList chained list */ /* Usage : Pan_X pX=Pan_X_alloc(); allocates memory for 1 record; to acces information use for ex. (q being a pointer on the last record) q->next=Pan_PassList_alloc(); */ Pan_PassList Pan_PassList_alloc(void); Pan_NDSBrowse Pan_NDSBrowse_alloc(void); Pan_Connections Pan_Connections_alloc(void); /* Usage : Pan_X_free(pX); free the memory of a record and all records under it */ void Pan_PassList_free(Pan_PassList pPassList); void Pan_NDSBrowse_free(Pan_NDSBrowse pNDSBrowse); void Pan_Connections_free(Pan_Connections pConnections); /*Usage : Pan_PassList_to_PassHack(pPassList,&pPassHack); */ /* fill a PassHack record with current PassList pointed info */ void Pan_PassList_to_PassHack(Pan_PassList pPassList,Pan_PassHack *pPassHack); /*Usage : PassHack_in_Pan_PassList(&pPassHack,pPassList); */ /* fill current pointed PassList record with PassHack values */ void PassHack_in_Pan_PassList(Pan_PassHack *pPassHack,Pan_PassList pPassList); /*Usage : PassHack_to_PassHack(&pPassHack,&pPassHack); */ /* fill current pointed PassHack record with PassHack values */ void PassHack_to_PassHack(Pan_PassHack *aPassHack,Pan_PassHack *bPassHack); -------------------------------------><--------------------------------------- As an illustration lets comment a simple routine that reads from a "PASSWORD" file containing the extracted NDS info, that checks for a specific name, and finally that stores the matching record in a "PASSHACK" structure : ---------------------------------------------------------------------- /*Some function calls uses the Pan_file.h library described below*/ Pan_PassList pPassList,q; Pan_PassHack pPassHack; ... /*read from the PASSWORD file previously build using the NDS files*/ /*and copy the file into the Pan_PassList chained-list structure*/ err=Pan_PassList_read("PASSWORD.NDS",&pPassList); if (err) {printf("err : %d",err); /*check the return code*/ exit(-1); } /*check records one after the other until the name is found or the end of*/ /*the list is reached. We use a temporary pointer so not to screw up our*/ /*root-list (pPassList) pointer*/ for (q=pPassList;q!=NULL;q=q->next) {FOUND=TRUE; for (i=0;i<--------------------------------------- In addition we set a few global parameters used through out the project ------------------------------------------------------------ /* Type of OS */ #ifdef BIG_ENDIAN #define PAN_OS "B" #else #ifdef PDP_ENDIAN #define PAN_OS "P" #else #define PAN_OS "L" #endif #endif /* * Global constants */ #define TRUE 1 #define FALSE 0 #define VERS "Project Pandora v.4" #define MAX_CHARS 128 #undef NULL #define NULL 0 /* * Paths and files length depends on the system */ #if !defined PAN_UNIX #include #if defined _MSC_VER || defined __WATCOMC__ #include #define MAXPATHLEN _MAX_PATH #define MAXFNAMELEN _MAX_FNAME #else #include #include #ifdef __GO32__ #define MAXPATHLEN 260 #define MAXFNAMELEN 64 #else #define MAXPATHLEN MAXPATH #define MAXFNAMELEN (MAXFILE+MAXEXT) #endif #endif #define EXT "*.*" #else #include #define MAXPATHLEN 128 #define MAXFNAMELEN 64 #define EXT "*" #endif #define PAN_ASCII 26 #define PAN_ALPHANUM 36 #define PAN_KEYSPACE 68 #define MAXPASSLEN 128 #define MAXNAMELEN 48 #define MAXNCPREPLYLEN 130 -------------------------------------><--------------------------------------- If you want to develop with the Pandora Toolbox it is essential that you really master the Pan_glob.h functions and prototypes since the same system is applied throughout the project. Read the code... Now that the plot is set, it's about time to see what the shared lib can really do for us. __V__ Ripped off ! Pan_file.h The aim of this library is a twofold : extract info from the NDS files and save&read from the Pandora files. For the first issue check 'inside.txt'. The Pandora files are of two types : one is a list of all information extracted from the original NDS files (for instance the physical companion to Pan_PassList called PASSLIST), and the other represent the "save-state" of a current "work" in progress (for instance the physical equivalent to Pan_PassHack called PASSHACK). When extracting information from the NDS files, data are stored in a List structure, this list can then be saved to disk; with the exeption of 'Pan_Convert(...)' which converts a BACKUP.DS file into the original '.NDS' files, no function in the shared lib makes direct disk access to the Pandora files (except for the R/W functions of those files, of course). Pan_PassList related functions : - Pan_Convert_Auto(...) converts NDS backup files to original NDS files - Pan_Extract_Auto(...) extracts all NDS objects of type USER and BINDERY which *have* a hash in the .NDS/.DSD files - Pan_GetNDSInfo(...) Store the NDS structure itself - Pan_GetValueInfo(...) Read a specific value from NDS - Pan_PassList_read(...) reads the content of a physical PassList file into a Pan_PassList structure. The structure need Not be initialized (mem alloc) before the call. - Pan_PassList_write(...) writes the content of a PassList starting from a given pointer in the list, if the given file name already exists, the file is overwritten. Pan_PassHack related functions : - Pan_PassHack_read(...) reads the content of of physical PassHack record into a PassHack structure. - Pan_PassHack_write(...) writes the content of a PassHack structure in a given file (if exists, is overwritten) If you have compiled your program and the libraries with -DBIG_ENDIAN switch because you have a big endian processor, you can still use and exchange Pandora files produced on little endian platforms, conversion is taken care of automatically. For return codes see Apendix A. ------------------------------------------------------------ /* Read/Write the NDS related information */ /* path, refers to the path where the file is stored */ /* file, refers to the file name */ /* ext, refers to the file extension */ /*Usage : err=Pan_Convert_Auto("f:\system\",0)*/ /* convert Backup.DS */ /* return an error if a problem occured, NDS files in specified dir */ /* ext == "ds" -> .DS file (before SP5 on Nw4) */ /* ext == "dib" -> .DIB file (after SP5 on Nw4 and used on Nw5 */ #define Pan_Convert_DS(a) Pan_Convert_Auto(a, "backup.ds", NULL) #define Pan_Convert_DIB(a) Pan_Convert_Auto(a, "dsrepair.dib", NULL) int Pan_Convert_Auto(char *path,char *file, char *ext); /*Usage : err=Pan_Extract(&pPassList,"f:\nds\")*/ /* return an error if a problem occured, NDS files in current dir */ /* chained records in pPassList,last record if : last->next=NULL */ /* ext == "NDS" -> convert entry.nds, ... */ /* ext == "DSD" -> convert 1.dsd, ... */ #define Pan_Extract(a, b) Pan_Extract_Auto(a, b, "NDS") int Pan_Extract_Auto(Pan_PassList *pPassList, char *path, char *ext); /* retrieve the NDS "back bone" for specified NDS files */ int Pan_GetNDSInfo(Pan_NDSBrowse *pNDSBrowse, char *path, char *ext); /* read in *out, a value set (see "NDS Browse" code in Pandora4) */ int Pan_GetValueInfo(uint8 **out, uint32 *out_lengh, uint32 *data_lengh, uint32 search_object, uint32 search_attribute, char *path, char *ext); /*Usage : err=Pan_PassList_read("PASSNAME.NDS",&pPassList)*/ /* return an error if a problem occured */ /* chained list of records in pPassList */ int Pan_PassList_read(char *readfile,Pan_PassList *pPassList); /*Usage : err=Pan_PassList_write("PASSNAME.NDS",pPassList)*/ /* return an error if a problem occured */ /* The last Password record in the list MUST have last->next=NULL */ int Pan_PassList_write(char *writefile,Pan_PassList pPassList); /*Usage : err=Pan_PassHack_read("WHATEVER.EXT",&pPassHack)*/ /* return an error if a problem occured */ int Pan_PassHack_read(char *readfile,Pan_PassHack *pPassHack); /*Usage : err=Pan_PassHack_write("WHATEVER.EXT",&pPassHack)*/ /* return an error if a problem occured */ int Pan_PassHack_write(char *writefile,Pan_PassHack *pPassHack); -------------------------------------><--------------------------------------- _VI_ The hash and the pendulum. Pan_hash.h Novell private hash routine was a glorious attempt to build a proprietary algorithm that was meant to provide all sorts of tricks : a secure way to store passwords, a secure algorithm to wrap new cyphers with old cyphers when changing password and a non-trivial yet fast random-like generator (for packet signature for instance). The algorithm provided all of the above, but yet wasn't exempt, due to its concept or implementation, of serious weakness some we try to exploit here. For a more detailed discussion on the core algorithm see crypto.txt. Although Novell has introduced RSA in Netware 4.xx as part of the authentification scheme, many games can still be played using old bindery calls, and yet the core algorithm for hash generation remains the same. Six routines are provided here, Three for password hacking and three for hash generation. Pan_SBrute_Force(...) will attempt to recover someone's password given his hash and object ID by testing all possible passwords in a given test range. Note that due to the hashing algorithm, we do not make use of lower-case caracters (and this makes me wonder how possibly Novell can advertise the use both lower-case and upper-case caracters as a security improvement to your password secrecy, see : http://www.novell.com/products/nds/hacks2.html). Since we use a fast-hash generator, lengh of password to recover canno't exeed 16 caracters. Pan_Dict_Attack(...) this routine also attempts to recover a password given a user's object ID and hash, by testing the hash against all words of a determined lengh in a 'dictionary' file. This routine also make use of the fast-hash generator, thus lengh of password to recover canno't exeed 16 caracters. Pan_Hash_Gen(...) this routine permit to generate a password hash given the clear-text password and the user's object ID. The routine accepts passwords up to the maximum legal lengh : 128 caracters. Pan_Challenge_Response(...) this routine, given a Login Key and a user's password, computes the resulting Challenge Response. The password can be given either plaintext with the user's object ID or pre-processed as the password hash. This routine is used whenever a password must be transmitted over the wire to a Netware server. For details on the Challenge Response scheme see the Netware Hack FAQ. Pan_3hash_cipher(...) this routine is used when changing a password : the user old password hash (16bytes) is cut in two halves (8bytes) and each halves is processed in a mathematical function such as : Func(old-pass-half1,new-pass-half1)=cipher-half1; Func(old-pass-half2,new-pass-half2)=cipher-half2; So that when both cipher-halves are transmited, the server can process : Reverse-Func(cipher-half1,old-pass-half1)=new-pass-half1; Reverse-Func(cipher-half2,old-pass-half2)=new-pass-half2; It looks like a simple XOR Func could do the trick, but Novell used a complex algorithm, probably so that nothing could be deducted knowing the cipher and the new password hash alone. Pan_Decipher_RemoteNLM(...) this routine by courtesy of TheRuiner, will decipher instantaneously any encrypted remote.nlm password you provide. See crypt.txt for details. They are a few more algorithms used by Netware servers, keep tuned ... hehehee if we managed to get working what is planned for Pandora5, it will be MAJOR... For return codes see Apendix A. -------------------------------------------------------------- /* Password Hacking */ /* Usage : err=Pan_Brute_Force(&pPassHack,PAN_ASCII,&retpw,"RESTORE.PAN"); The first argument is the pPassHack structure that MUST contain valid values for the following : objectID, object ID of user 0< pwlen <=16, lengh of password to generate (brute force only lengh<=16) pw_first, the 'seed' password to start the brute force with If pw_last is not set, it is given the value of pw_first thus ensuring that we try all possible combination for that given password lengh. The second argument allows to 'segment' the brute force by telling how many attempts the routine should perform, regardless of pPassHack settings, before the brute-force routine returns to the calling program. Once returned the brute force can be restored transparently since the last attempt is stored in pw_current. This permits to give a status on the brute force on a regular basis, and to fine tune how often things should be saved to disk for instance. The third parameter will contain the real password if found. It is not required to initialize it (memory alloc), but it should be freed after use. The last parameter is the "limit" in the word-list for the brute force. Finally the return value here may be other things than errors : if it contains (NULL) password was found, -105 if not found, -106 if time to save (parameter two 'maxtry' reached). */ /* Since we added the ability to customize the key_space, we now have a new replacement function : Pan_SBrute_Force, see below */ /* Usage : err=Pan_SBrute_Force(&pPassHack,PAN_ASCII,&retpw,"RESTORE.PAN",NULL);*/ /* contains NULL if no error, -105 if not found, -106 if time to save */ /* if _key_space is not specified, then the maxtry is used along with default set */ #define Pan_Brute_Force(a, b, c, d) strcpy(a->key_space,"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,./<>?;':\"[]{}`~!@#$%^&*()_-+=|"); Pan_SBrute_Force(a, c, d); int Pan_SBrute_Force(Pan_PassHack *pPassHack, char **retpw, uint32 limit ); /*Usage : err=Pan_Dict_Attack(&pPassHack,&retpw,dict);*/ /*->pwlen:lengh to try,return:password in retpw or error,readfile:dict*/ int Pan_Dict_Attack(Pan_PassHack *pPassHack,char **retpw,char *readfile); /*Usage : err=Pan_Hash_Gen(&pPassHack);*/ /*->pw_first:password to use,->pwlen:lengh,return ->hash or an error*/ int Pan_Hash_Gen(Pan_PassHack *pPassHack); /*Usage : err=Pan_Challenge_Response(&pPassHack,TRUE,&logkey,&dst)*/ /*Info must contain ObjectID and pw_first for hash_gen if hash_known=FALSE*/ /*If hash_known=TRUE info must contain ObjectID and hash*/ int Pan_Challenge_Response (Pan_PassHack *Info,int hash_known,uint8 *logkey, uint8 *dst); /*Usage : err=Pan_3hash_cipher(oldcipher,newcipher,newcipher)*/ /*p1[8] : half of current password hash*/ /*p2[8] : half of new password hash*/ /*p3[8] : half-pattern such as H(p1,p2)=p3 and F(p1,p3)=p2, H() is Pan_*/ int Pan_3hash_cipher(uint8 *oldcrpw,uint8 *newcrpw,uint8 *cipherpw); /*Usage : err=Pan_Decipher_RemoteNLM(cipher,decipher)*/ /*cipher contains the ciphered output of remote NLM encryption*/ /*decipher will contain result, memory must be allocated beforehand*/ int Pan_Decipher_RemoteNLM(char *cipher, char *decipher); -------------------------------------><--------------------------------------- _VII_ Netware, Bravo, do you copy ? Pan_com.h In Networking Software, there is obviously Network ;-) And many funny tricks can be build over the wire. The routines presented here gives a crude but working interface to your progams for the following : sending packet-level information (allows spoofing), sending NCP requests/replies, connecting to a Netware server. At the time this doc is written full IPX send/receive support is in the process of being implemented. (well ahem.. we'll use linux IPX support from now one ;-) ). Pandora4 is the first and last GUI release for the Wintel platforms. Pandora5 will run Linux. One of the reason being the obscure coding and hard licensing language of Novell 32-bit API. Besides sbiffing and spoofing under windows is a major pain in the ass. This explains that NCP calls under Pandora4 GUI are served by an "NCP server", DOS based, and independant of all vendors API. For the snifing/spoofing we used M.Viano 32 bits packet driver, see the packet32 directory in the source code. The programs code released with Pandora gives unvaluable information, that was collected from the work of many hackers, on the way to communicate with a Netware server. Sparse but good documentation on how to perform specific NCP/NDS requests/replies can be found electronically and in specialised libraries; And for the sake of it, lets briefly describe what a typical NCP request looks like in a Ethernet 802.3 frame format : Description bytes byte order -----------------------------------------|------------|------------ >802.3 frame header< | | | | MAC adress of dest. (router/server) | 0 -> 5 | Normal MAC adress of origin (station) | 6 -> 11 | Normal Physical lengh of packet (end-14) | 12 -> 13 | Reversed | | >Internetwork Packet Exchange< | | | | Checksum (0xffff=no checksum) | 14 -> 15 | ?? Packet total lengh (=Physical lengh-1) | 16 -> 17 | Reversed Hop count (nb of routers btw org/serv) | 18 | Normal Packet type (=0x11 is NCP, 0x17 is NDS) | 19 | Normal Destination IPX net (server net) | 20 -> 23 | Normal Destination IPX adress (server adress) | 24 -> 29 | Normal Destination socket (=0x0451 is NCP) | 30 -> 31 | Normal Originator IPX net | 32 -> 35 | Normal Originator IPX adress | 36 -> 41 | Normal Originator socket (=0x40?? usually) | 42 -> 43 | Normal | | >NCP request/reply header< | | | | Request type (=0x2222 req./=0x3333 rep.)| 44 -> 45 | Normal Sequence num (+1 each for req., 0<->255)| 46 | Normal Connection number LOW | 47 | N/A Task number (for internal use of org.) | 48 | Normal Connection number HIGH (0 if conn.<255) | 49 | N/A Function code (=0x68 IPX/=other NCP) | 50 | Normal | | ---------------------Ex. if Function code is NCP 0x17--------------- | | >NCP data< | | | | Reply fragment requested (0x00 usual.) | 51 | Normal NCP data length from bytes 53 | 52 | Normal Subfunction code (action to perform) | 53 | Normal Data (if exists) | 54 ->end_1| Usually | | reversed ---------------------Ex. if Function code is NCP 0X68 (NDS)--------- | | >NCP data< | | | | Request (=0x02 is fragmented req./rep.) | 51 | Normal Fragment handle (=0xffffffff if null) | 52 -> 55 | ?? Max frag. size (=0x02020000 usually) | 56 -> 59 | Reversed Total data lengh (incl. all frag.) | 60 -> 63 | Reversed Fragment flag (=0x00000000 if null) | 64 -> 67 | ?? Verb number (action to perform) | 68 -> 71 | Reversed Reply buffer size (=0x00000000 if null) | 72 -> 75 | Reversed Data (if exists) | 76 ->end_1| Usually | | reversed ------------------------------------------------------------------- | | >Packet signature< | | | | If signature is level_1 Wild-Pad |end_1 -> end| 0xffffffffffffffff is accepted |end=end_1+7 | If signature is level_2 or higher | (8 bytes) | real signature is base on user hash | | The function you want to use to send packet like this is : Pan_NCP_Spoof(...) of course, other type than NCP packet can be sent and you're not obliged to spoof your adress, but the name was kinda cool ;-) This function is only available if you have installed a packet driver on interrupt 0x60, don't forget the '-n' switch if you use Novell 802.3 frame format. If you need to send a regular NCP request/reply, use Pan_NCP_Transmit(...), examples to use Pan_NCP_Transmit(...) can be found inside the Pandora code, the "function code" to call is the first parameter, the second parameter is the data to send (seen above as >NCP data< or >NDS data<). For Win32 sniff and spoof see packet32 and pandora4-online code. A function called Pan_NCP_connect(...) is also provided to connect to a Netware server (although you could do it through the appropriate call with Pan_NCP_transmit(...)). Our aim here is not to describe all possible NCP/NDS packets that can be generated. Just be aware that for NCP, Function code+Subfunction code defines the request, for NDS, Request+Verb number defines the request. As you have noticed, NDS requests are encapsulated in NCP headers, this is probably due to the fact that NCP stuff existed on Netware servers before NDS which was later used for requests that had to be spread over multiple packets. Below is a list of well none NCP Function/Subfunction codes, this list is NOT exhaustive and dosen't include IPX requests. Detailed parameters for most of these function calls can be found in the NCP interrup list document at : http://www.tsu.ru/~eugene/netware/archive/index.html NCP call description Function Subfunc. (hex) (hex) ---------------------------------------------------------------------------- ABORT SERVICING QUEUE JOB AND FILE | 17 | 84 ABORT SERVICING QUEUE JOB AND FILE OLD | 17 | 73 ADD AUDIT PROPERTY | 58 | 02 ADD BINDERY OBJECT TO SET | 17 | 41 ADD TRUSTEE SET TO NS ENTRY | 57 | 0A ADD TRUSTEE TO DIRECTORY | 16 | 0D AFP ALLOC TEMPORARY DIR HANDLE | 23 | 0B AFP CREATE DIRECTORY | 23 | 01 AFP CREATE FILE | 23 | 02 AFP DELETE | 23 | 03 AFP GET ENTRY ID FROM NAME | 23 | 04 AFP GET ENTRY ID FROM NETWARE HANDLE | 23 | 06 AFP GET ENTRY ID FROM PATH NAME | 23 | 0C AFP GET FILE INFORMATION | 23 | 05 AFP OPEN FILE FORK | 23 | 08 AFP RENAME | 23 | 07 AFP SCAN FILE INFORMATION | 23 | 0A AFP SET FILE INFORMATION | 23 | 09 AFP 20 CREATE DIRECTORY | 23 | 0D AFP 20 CREATE FILE | 23 | 0E AFP 20 GET DOS NAME ENTRY ID | 23 | 12 AFP 20 GET FILE | 23 | 0F AFP 20 GET MACINTOSH INFO ON DELETED FILE | 23 | 13 AFP 20 SCAN FILE INFORMATION | 23 | 11 AFP 20 SET FILE INFORMATION | 23 | 10 ALLOCATE PERMANENT DIRECTORY HANDLE | 16 | 12 ALLOCATE RESOURCE | 0F | 00 ALLOCATE SPECIAL TEMPORARY DIRECTORY HANDLE | 16 | 16 ALLOCATE TEMP NS DIR HANDLE | 57 | 0C ALLOCATE TEMPORARY DIRECTORY HANDLE | 16 | 13 ALLOW TASK ACCESS TO FILE | 4E | 00 ATTACH QUEUE SERVER TO QUEUE | 17 | 6F BROADCAST TO CONSOLE | 15 | 09 CHANGE AUDIT LEVEL TWO PASSWORD | 58 | 12 CHANGE AUDITOR PASSWORD | 58 | 04 CHANGE BINDERY OBJECT PASSWORD | 17 | 40 CHANGE BINDERY OBJECT PASSWORD ENCRYPTED | 17 | 4B CHANGE BINDERY OBJECT SECURITY | 17 | 38 CHANGE CONNECTION STATE | 17 | 1D CHANGE PROPERTY SECURITY | 17 | 3B CHANGE QUEUE JOB ENTRY | 17 | 7B CHANGE QUEUE JOB ENTRY OLD | 17 | 6D CHANGE QUEUE JOB POSITION | 17 | 7C CHANGE QUEUE JOB POSITION OLD | 17 | 6E CHANGE QUEUE JOB PRIORITY | 17 | 82 CHANGE TO CLIENT RIGHTS | 17 | 85 CHANGE TO CLIENT RIGHTS OLD | 17 | 74 CHANGE USER PASSWORD | 17 | 01 CHECK AUDIT ACCESS | 58 | 05 CHECK AUDIT LEVEL TWO ACCESS | 58 | 16 CHECK CONSOLE PRIVILEGES | 17 | C8 CHECK PIPE STATUS | 15 | 08 CLEAR CONNECTION NUMBER | 17 | FE CLEAR CONNECTION NUMBER OLD | 17 | D2 CLEAR FILE | 07 | 00 CLEAR FILE SET | 08 | 00 CLEAR LOGICAL RECORD | 0B | 00 CLEAR LOGICAL RECORD SET | 0E | 00 CLEAR PHYSICAL RECORD | 1E | 00 CLEAR PHYSICAL RECORD SET | 1F | 00 CLEAR VOLUME RESTRICTIONS | 16 | 22 CLOSE AND QUEUE CAPTURE FILE | 11 | 01 CLOSE BINDERY | 17 | 44 CLOSE EXTENDED ATTRIBUTE HANDLE | 56 | 01 CLOSE FILE AND START JOB QUEUE | 17 | 7F CLOSE FILE AND START JOB QUEUE OLD | 17 | 69 CLOSE MESSAGE PIPE | 15 | 07 CLOSE OLD AUDITING FILE | 58 | 14 CLOSE SEMAPHORE OLD | 20 | 04 CLOSE SEMAPHORE | 6F | 04 COMMIT FILE | 3B | 00 CONVERT PATH TO DIRECTORY ENTRY | 17 | F4 CREATE BINDERY OBJECT | 17 | 32 CREATE DIRECTORY | 16 | 0A CREATE NEW FILE | 4D | 00 CREATE PROPERTY | 17 | 39 CREATE QUEUE | 17 | 64 CREATE QUEUE JOB AND FILE | 17 | 79 CREATE QUEUE JOB AND FILE OLD | 17 | 68 DEALLOCATE DIRECTORY HANDLE | 16 | 14 DEALLOCATE RESOURCE | 10 | 00 DELETE BINDERY OBJECT | 17 | 33 DELETE BINDERY OBJECT FROM SET | 17 | 42 DELETE DIRECTORY | 16 | 0B DELETE NS ENTRY | 57 | 08 DELETE OLD AUDITING FILE | 58 | 15 DELETE OLD AUDITING FILE 2 | 58 | 1A DELETE PROPERTY | 17 | 3A DELETE TRUSTEE | 16 | 2B DELETE TRUSTEE FROM DIRECTORY | 16 | 0E DELETE TRUSTEE SET FROM NS ENTRY | 57 | 0B DESTROY QUEUE | 17 | 65 DETACH QUEUE SERVER FROM QUEUE | 17 | 70 DISABLE AUDITING ON VOLUME | 58 | 07 DISABLE STATION BROADCASTS | 15 | 02 DISABLE FILE SERVER LOGIN | 17 | CB DISABLE TRANSACTION TRACKING | 17 | CF DOWN FILE SERVER | 17 | D3 DS CHANGE AUDIT LEVEL TWO PASSWORD | 68 | D7 DS CHANGE AUDITOR PASSWORD | 68 | CB DS CHANGE OBJECT AUDITED | 68 | DD DS CHECK AUDIT ACCESS | 68 | CC DS CHECK AUDIT LEVEL TWO ACCESS | 68 | DB DS CHECK OBJECT AUDITED | 68 | DC DS CLOSE FRAGMENT | 68 | 03 DS CLOSE OLD AUDITING FILE | 68 | D9 DS DELETE OLD AUDITING FILE | 68 | DA DS DELETE OLD AUDITING FILE 2 | 68 | E1 DS DISABLE AUDITING ON CONTAINER | 68 | CE DS ENABLE AUDITING ON CONTAINER | 68 | CF DS GET AUDIT FILE LIST | 68 | DE DS GET AUDITING FLAGS | 68 | D8 DS GET DS STATISTICS | 68 | 06 DS GET CONTAINER AUDIT STATUS | 68 | C8 DS INIT AUDIT FILE READ | 68 | DF DS LOGIN AS CONTAINER AUDITOR | 68 | CA DS LOGOUT AS CONTAINER AUDITOR | 68 | D3 DS MONITOR CONNECTION | 68 | 05 DS PING FOR NDS NCP | 68 | 01 DS READ AUDIT CONFIG HEADER | 68 | D1 DS READ AUDITING FILE | 68 | D2 DS READ AUDITING FILE 2 | 68 | E0 DS READ AUDITING FILES | 68 | 15 DS RELOAD | 68 | 08 DS RESET AUDIT HISTORY FILE | 68 | D5 DS RESET AUDITING FILE | 68 | D4 DS RESET DS COUNTERS | 68 | 07 DS RETURN BINDERY CONTEXT | 68 | 04 DS SEND FRAGMENTED REQUEST REPLY | 68 | 02 DS SET AUDIT PASSWORD | 68 | E5 DS WRITE AUDIT CONFIG HEADER | 68 | D6 DUPLICATE EXTENDED ATTRIBUTE | 56 | 05 ENABLE AUDITING ON VOLUME | 58 | 08 ENABLE STATION BROADCASTS | 15 | 03 ENABLE FILE SERVER LOGIN | 17 | CC ENABLE TRANSACTION TRACKING | 17 | D0 END OF JOB | 18 | 00 ENTER LOGIN AREA | 17 | 0A ENUMERATE EXTENDED ATTRIBUTE | 56 | 04 ERASE FILES | 44 | 00 EXAMINE SEMAPHORE OLD | 20 | 01 EXAMINE SEMAPHORE | 6F | 01 FILE CLOSE | 42 | 00 FILE COMMIT | 3D | 00 FILE COPY | 4A | 00 FILE CREATE | 43 | 00 FILE DM REQUEST | 5A | 96 FILE OPEN | 41 | 00 FILE READ | 48 | 00 FILE RELEASE LOCK | 02 | 00 FILE RENAME | 45 | 00 FILE SEARCH CONTINUE | 3F | 00 FILE SEARCH INITIALIZE | 3E | 00 FILE SET LOCK | 01 | 00 FILE WRITE | 49 | 00 FILL NAME SPACE BUFFER | 16 | 2F FINISH SERVICING QUEUE JOB AND FILE | 17 | 83 FINISH SERVICING QUEUE JOB AND FILE OLD | 17 | 72 GET ACCOUNT STATUS | 17 | 96 GET ACTIVE CONNECTION LIST BY TYPE | 7B | 0E GET ACTIVE LAN BOARD LIST | 7B | 14 GET ACTIVE PROTOCOL STACKS | 7B | 28 GET AUDIT FILE LIST | 58 | 17 GET AUDITING FLAGS | 58 | 13 GET BIG PACKET NCP MAX PACKET SIZE | 61 | 00 GET BINDERY ACCESS LEVEL | 17 | 46 GET BINDERY OBJECT ACCESS LEVEL | 17 | 48 GET BINDERY OBJECT DISK SPACE LEFT | 17 | E6 GET BINDERY OBJECT ID | 17 | 35 GET BINDERY OBJECT NAME | 17 | 36 GET BROADCAST MESSAGE | 15 | 01 GET BROADCAST MESSAGE EX | 15 | 0B GET CACHE INFORMATION | 7B | 01 GET CONNECTION LIST FROM OBJECT | 17 | 1F GET CONNECTION OPEN FILES | 17 | EB GET CONNECTION OPEN FILES OLD | 17 | DB GET CONNECTION SEMAPHORES | 17 | F1 GET CONNECTION SEMAPHORES OLD | 17 | E1 GET CONNECTION TASK INFORMATION | 17 | EA GET CONNECTION TASK INFORMATION OLD | 17 | DA GET CONNECTION USAGE STATISTICS | 17 | E5 GET CONNECTIONS USING A FILE | 17 | EC GET CONNECTIONS USING A FILE OLD | 17 | DC GET CPU INFORMATION | 7B | 08 GET DIR ENTRY | 16 | 1F GET DIR INFO | 16 | 2D GET DIRECTORY BASE | 57 | 16 GET DIRECTORY CACHE INFORMATION | 7B | 0C GET DIRECTORY PATH | 16 | 01 GET DISK CACHE STATISTICS | 17 | D6 GET DISK CHANNEL STATISTICS | 17 | D9 GET DISK UTILIZATION | 17 | 0E GET DM INFO | 5A | 01 GET DM FILE INFO | 5A | 81 GET DM STATUS INFO | 5A | 83 GET DM SUPPORT MODULE INFO | 5A | 84 GET DRIVE MAPPING TABLE | 17 | D7 GET EFFECTIVE DIRECTORY RIGHTS | 16 | 03 GET EFFECTIVE NS DIRECTORY RIGHTS | 57 | 1D GET EFFECTIVE RIGHTS | 16 | 2A GET ENCRYPTION KEY | 17 | 17 GET EXTENDED VOLUME INFO | 16 | 33 GET FILE BIT MAP | 55 | 00 GET FILE SERVER DATE AND TIME | 14 | 00 GET FILE SERVER DESCRIPTION STRINGS | 17 | C9 GET FILE SERVER INFORMATION | 17 | 11 GET FILE SERVER INFORMATION EX | 7B | 02 GET FILE SERVER LAN IO STATISTICS | 17 | E7 GET FILE SERVER LOGIN STATUS | 17 | CD GET FILE SERVER MISC INFORMATION | 17 | E8 GET FILE SIZE | 47 | 00 GET FILE SYSTEM STATISTICS | 17 | D4 GET GARBAGE COLLECTION INFORMATION | 7B | 07 GET GENERAL ROUTER AND SAP INFORMATION | 7B | 32 GET INTERNET ADDRESS | 17 | 1A GET INTERNET ADDRESS OLD | 17 | 13 GET IPX SPX INFORMATION | 7B | 06 GET KNOWN NETWORKS INFORMATION | 7B | 35 GET KNOWN SERVERS INFORMATION | 7B | 38 GET LAN COMMON COUNTERS INFORMATION | 7B | 16 GET LAN CONFIG STRINGS | 7B | 18 GET LAN CONFIGURATION INFORMATION | 7B | 15 GET LAN CUSTOM COUNTERS INFORMATION | 7B | 17 GET LAN DRIVER CONFIGURATION INFORMATION | 17 | E3 GET LOADED MEDIA NUMBER LIST | 7B | 2F GET LOGICAL RECORD INFORMATION | 17 | F0 GET LOGICAL RECORD INFORMATION OLD | 17 | E0 GET LOGICAL RECORDS BY CONNECTION | 17 | EF GET LOGICAL RECORDS BY CONNECTION OLD | 17 | DF GET LSL INFORMATION | 7B | 19 GET LSL LOGICAL BOARD STATISTICS | 7B | 1A GET MEDIA MANAGER OBJECT CHILDREN LIST | 7B | 20 GET MEDIA MANAGER OBJECT INFORMATION | 7B | 1E GET MEDIA MANAGER OBJECT LIST | 7B | 1F GET MEDIA NAME BY MEDIA NUMBER | 7B | 2E GET MEMBER SET OF GROUP | 17 | 09 GET NAME SPACE ENTRY | 16 | 30 GET NCP EXTENSION INFO | 24 | 05 GET NCP EXTENSIONS LIST | 24 | 04 GET NETWARE FILE SYSTEMS INFORMATION | 7B | 03 GET NETWORK ROUTER INFORMATION | 7B | 33 GET NETWORK ROUTERS INFORMATION | 7B | 34 GET NETWORK SERIAL NUMBER | 17 | 12 GET NLM INFORMATION | 7B | 0B GET NLM LOADED LIST | 7B | 0A GET NLMS RESOURCE TAG LIST | 7B | 0F GET NS DIR HANDLE PATH | 57 | 15 GET NS ENTRY INFO | 57 | 06 GET NS INFO FORMAT | 57 | 17 GET NS LOADED LIST | 57 | 18 GET NS PATH | 57 | 1C GET NUMBER NCP EXTENSIONS | 24 | 03 GET OBJECT CONNECTION NUMBERS | 17 | 1B GET OBJECT CONNECTION NUMBERS OLD | 17 | 15 GET OBJECT DISK RESTRICTIONS | 16 | 29 GET OBJECT EFFECTIVE RIGHTS | 16 | 32 GET OS VERSION INFORMATION | 7B | 0D GET PACKET BURST INFORMATION | 7B | 05 GET PATH FROM DIRECTORY BASE | 17 | F3 GET PATH FROM DIRECTORY ENTRY | 16 | 1A GET PERSONAL MESSAGE | 15 | 05 GET PHYSICAL DISK STATISTICS | 17 | D8 GET PHYSICAL RECORD LOCKS BY CONNECTION AND FILE | 17 | ED GET PHYSICAL RECORD LOCKS BY CONNECTION AND FILE OLD | 17 | DD GET PHYSICAL RECORD LOCKS BY FILE | 17 | EE GET PHYSICAL RECORD LOCKS BY FILE OLD | 17 | DE GET PRINTER QUEUE | 11 | 0A GET PRINTER STATUS | 11 | 06 GET PROTOCOL STACK CONFIGURATION INFORMATION | 7B | 29 GET PROTOCOL STACK CUSTOM INFORMATION | 7B | 2B GET PROTOCOL STACK NUMBERS BY LAN BOARD NUMBER | 7B | 2D GET PROTOCOL STACK NUMBERS BY MEDIA NUMBER | 7B | 2C GET PROTOCOL STACK STATISTICS INFORMATION | 7B | 2A GET QUEUE JOB LIST | 17 | 81 GET QUEUE JOB LIST OLD | 17 | 6B GET QUEUE JOB FILE SIZE | 17 | 87 GET QUEUE JOB FILE SIZE OLD | 17 | 78 GET QUEUE JOBS FROM LIST | 17 | 89 GET REFERENCE COUNT FROM DIRECTORY HANDLE | 5A | 0B GET REFERENCE COUNT FROM DIRECTORY NUMBER | 5A | 0A GET RELATIONOF AN OBJECT | 17 | 4C GET SEMAPHORE INFORMATION | 17 | F2 GET SEMAPHORE INFORMATION OLD | 17 | E2 GET SERVER INFORMATION | 7B | 36 GET SERVER SET CATEGORIES | 7B | 3D GET SERVER SET COMMANDS INFORMATION | 7B | 3C GET SERVER SOURCES INFORMATION | 7B | 37 GET SET VOLUME DM STATUS | 5A | 86 GET SPOOL QUEUE ENTRY | 11 | 04 GET STATION NUMBER | 13 | 00 GET STATION LOGGED INFORMATION | 17 | 1C GET STATION LOGGED INFORMATION OLD | 17 | 16 GET STATION LOGGED INFORMATION EX | 17 | 05 GET USER INFORMATION | 7B | 04 GET UTC TIME | 72 | 01 GET VOLUME AUDIT STATISTICS | 58 | 01 GET VOLUME DM STATUS | 5A | 82 GET VOLUME INFO WITH HANDLE | 16 | 15 GET VOLUME INFO WITH NUMBER | 12 | 00 GET VOLUME INFORMATION | 17 | E9 GET VOLUME INFORMATION BY LEVEL | 7B | 22 GET VOLUME NAME | 16 | 06 GET VOLUME NUMBER | 16 | 05 GET VOLUME SEGMENT LIST | 7B | 21 GET VOLUME SWITCH INFORMATION | 7B | 09 GET VOLUME USAGE | 16 | 2C INIT AUDIT FILE READ | 58 | 18 INITIALIZE NS SCAN | 57 | 02 IS BINDERY OBJECT IN SET | 17 | 43 IS STATION A MANAGER | 17 | 49 IS USER AUDITED | 58 | 09 LOCK FILE SET OLD | 04 | 00 LOCK FILE SET | 6A | 00 LOCK LOGICAL RECORD SET OLD | 0A | 00 LOCK LOGICAL RECORD SET | 6C | 00 LOCK PHYSICAL RECORD SET OLD | 1B | 00 LOCK PHYSICAL RECORD SET | 6E | 00 LOG FILE OLD | 03 | 00 LOG FILE | 69 | 00 LOG LOGICAL RECORD OLD | 09 | 00 LOG LOGICAL RECORD | 6B | 00 LOG NETWORK MESSAGE | 17 | 0D LOG PHYSICAL RECORD OLD | 1A | 00 LOG PHYSICAL RECORD | 6D | 00 LOGIN AS VOLUME AUDITOR | 58 | 03 LOGIN OBJECT | 17 | 14 LOGIN OBJECT ENCRYPTED | 17 | 18 LOGIN USER OBJECT | 17 | 00 LOGOUT | 19 | 00 LOGOUT AS VOLUME AUDITOR | 58 | 0D MAP DIRECTORY NUMBER TO PATH | 16 | F3 MAP GROUP NAME TO NUMBER | 17 | 07 MAP NUMBER TO GROUP NAME | 17 | 08 MAP NUMBER TO USER NAME | 17 | 04 MAP USER NAME TO NUMBER | 17 | 03 MAP USER TO STATION SET | 17 | 02 MODIFY MAXIMUM RIGHTS MASK | 16 | 04 MOVE ENTRY | 16 | 2E MOVE FILE FROM DM | 5A | 85 MOVE FILE TO DM | 5A | 80 MOVE QUEUE JOB | 17 | 88 NEGOTIATE BUFFER | 21 | 00 OPEN BINDERY | 17 | 45 OPEN CREATE FILE | 54 | 00 OPEN CREATE NS ENTRY | 57 | 01 OPEN CREATE NS FILE OR DIRECTORY | 57 | 1E OPEN DATA STREAM | 16 | 31 OPEN FILE | 4C | 00 OPEN MESSAGE PIPE | 15 | 06 OPEN SEMAPHORE OLD | 20 | 00 OPEN SEMAPHORE | 6F | 00 PACKET BURST CONNECTION REQUEST | 65 | 00 PURGE ALL ERASED FILES | 17 | CE PURGE ERASED FILES | 16 | 10 PURGE NS SALVAGEABLE FILE | 57 | 12 PURGE SALVAGEABLE FILE | 16 | 1D READ AUDIT CONFIG HEADER | 58 | 0B READ AUDITING BIT MAP | 58 | 0A READ AUDITING FILE | 58 | 0C READ AUDITING FILE 2 | 58 | 19 READ EXTENDED ATTRIBUTE | 56 | 03 READ EXTENDED NS INFO | 57 | 1A READ NS INFO | 57 | 13 READ PROPERTY VALUE | 17 | 3D READ QUEUE CURRENT STATUS | 17 | 7D READ QUEUE CURRENT STATUS OLD | 17 | 66 READ QUEUE JOB ENTRY | 17 | 7A READ QUEUE JOB ENTRY OLD | 17 | 6C READ QUEUE SERVER CURRENT STATUS | 17 | 86 READ QUEUE SERVER CURRENT STATUS OLD | 17 | 76 RECOVER NS SALVAGEABLE FILE | 57 | 11 RECOVER SALVAGEABLE FILE | 16 | 1C RELEASE A RESOURCE | 17 | FC RELEASE FILE | 05 | 00 RELEASE FILE SET | 06 | 00 RELEASE LOGICAL RECORD | 0C | 00 RELEASE LOGICAL RECORD SET | 0D | 00 RELEASE PHYSICAL RECORD | 1C | 00 RELEASE PHYSICAL RECORD SET | 1D | 00 REMOVE AUDIT PROPERTY | 58 | 06 REMOVE ENTRY FROM SPOOL QUEUE | 11 | 05 REMOVE JOB FROM QUEUE | 17 | 80 REMOVE JOB FROM QUEUE OLD | 17 | 6A RENAME BINDERY OBJECT | 17 | 34 RENAME DIRECTORY | 16 | 0F RENAME NS ENTRY | 57 | 04 RESET AUDIT HISTORY FILE | 58 | 0F RESET AUDITING FILE | 58 | 0E RESTART VOLUME AUDITING | 58 | 1E RESTORE DIRECTORY HANDLE | 16 | 18 RESTORE ERASED FILE | 16 | 11 RESTORE QUEUE SERVER RIGHTS | 17 | 75 SAVE DIRECTORY HANDLE | 16 | 17 SCAN BINDERY OBJECT | 17 | 37 SCAN BINDERY OBJECT TRUSTEE PATHS | 17 | 47 SCAN DIR ENTRY | 16 | 1E SCAN DIR RESTRICTIONS | 16 | 23 SCAN DIRECTORY FOR TRUSTEES | 16 | 0C SCAN DIRECTORY INFORMATION | 16 | 02 SCAN ENTRY FOR TRUSTEES | 16 | 26 SCAN FILE INFORMATION | 17 | 0F SCAN FILE PHYSICAL | 16 | 28 SCAN NCP EXTENSIONS | 24 | 00 SCAN NCP EXTENSIONS BY NAME | 24 | 02 SCAN NS ENTRY FOR TRUSTEES | 57 | 05 SCAN NS ENTRY INFO | 57 | 03 SCAN NS NEXT SET | 57 | 14 SCAN NS SALVAGEABLE FILES | 57 | 10 SCAN PROPERTY | 17 | 3C SCAN SALVAGEABLE FILES | 16 | 1B SCAN VOLUME FOR RESTRICTIONS | 16 | 20 SEARCH FILE | 40 | 00 SEND BROADCAST MESSAGE | 15 | 00 SEND BROADCAST MESSAGE EX | 15 | 0A SEND CONSOLE BROADCAST | 17 | FD SEND CONSOLE BROADCAST OLD | 17 | D1 SEND PERSONAL MESSAGE | 15 | 04 SEND REMOTE CONSOLE OPERATION | 83 | ?? SERVICE QUEUE JOB AND OPEN FILE OLD | 17 | 71 SERVICE QUEUE JOB LIST | 17 | 8A SET AUDIT PASSWORD | 58 | 1F SET COMP FILE SIZE | 5A | 0C SET DIR RESTRICTION | 16 | 24 SET DIRECTORY HANDLE | 16 | 00 SET DIRECTORY INFORMATION | 16 | 19 SET ENTRY | 16 | 25 SET EXTENDED FILE ATTRIBUTES | 4F | 00 SET FILE ATTRIBUTES | 46 | 00 SET FILE INFORMATION | 17 | 10 SET FILE SERVER DATE AND TIME | 17 | CA SET FILE TIME AND DATE | 4B | 00 SET NS ENTRY DOS INFO | 57 | 07 SET QUEUE CURRENT STATUS | 17 | 7E SET QUEUE CURRENT STATUS OLD | 17 | 67 SET QUEUE SERVER CURRENT STATUS | 17 | 77 SET SPOOL FLAGS | 11 | 02 SET TEMP NS DIR HANDLE | 57 | 09 SET TRUSTEE | 16 | 27 SET VOLUME RESTRICTIONS | 16 | 21 SET WATCHDOG DELAY INTERVAL | 17 | 1E SIGNAL SEMAPHORE OLD | 20 | 03 SIGNAL SEMAPHORE | 6F | 03 SPECIFY CAPTURE FILE | 11 | 09 SPOOL DATA TO A CAPTURE FILE | 11 | 00 SPOOL EXISTING FILE | 11 | 03 SUBMIT ACCOUNT CHARGE | 17 | 97 SUBMIT ACCOUNT HOLD | 17 | 98 SUBMIT ACCOUNT NOTE | 17 | 99 SYNCHRONIZE SCHEMA | 27 | 00 TTS ABORT TRANSACTION | 22 | 03 TTS BEGIN TRANSACTION | 22 | 01 TTS END TRANSACTION | 22 | 02 TTS GET APPLICATION THRESHOLDS | 22 | 05 TTS GET CONTROL FLAGS | 22 | 09 TTS GET STATISTICS | 17 | D5 TTS GET WORKSTATION THRESHOLDS | 22 | 07 TTS IS AVAILABLE | 22 | 00 TTS SET APPLICATION THRESHOLDS | 22 | 06 TTS SET CONTROL FLAGS | 22 | 0A TTS SET WORKSTATION THRESHOLDS | 22 | 08 TTS TRANSACTION STATUS | 22 | 04 VERIFY BINDERY OBJECT PASSWORD | 17 | 3F VERIFY BINDERY OBJECT PASSWORD ENCRYPTED | 17 | 4A VERIFY NETWORK SERIAL NUMBER | 17 | 0C WAIT ON SEMAPHORE OLD | 20 | 02 WAIT ON SEMAPHORE | 6F | 02 WRITE AUDIT CONFIG HEADER | 58 | 11 WRITE AUDITING BIT MAP | 58 | 10 WRITE EXTENDED ATTRIBUTE | 56 | 02 WRITE EXTENDED NS INFO | 57 | 1B WRITE NS INFO | 57 | 19 WRITE PROPERTY VALUE | 17 | 3E Again, our aim here is NOT to recode Client32, however a (very little) library of usefull NCP calls can be found under the "online" directory, look for the file "panrcp.h"; besides the ncpfs project for Linux already provides a GNU port of Netware Client. This listing wouldn't be complete without the return code list of Netware severs. This list was ripped off the "Netware C library" manual by Adrian Cunnelly (adrian@amcsoft.demon.co.uk), whose "Netware C library" shareware version is available on the SimTel site, check for netclb35.zip. All error codes listed below, are generated by the Pan_error function in Pan_Glog.h ÉÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ºHex ³Meaning º Hex ³Meaning º ÌÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÎÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ º00h ³Action Successful º 9Ah ³Renaming Across Volumes º º ³Server Not In Use º 9Bh ³Bad Directory Handle º º ³TTS Not Available º 9Ch ³Invalid Path º º01h ³Server In Use º ³No more Trustees º º ³Semaphore Overflow º 9Dh ³No More Directory Handles º º ³TTS Available º 9Eh ³Invalid Filename º º02h ³DOS File Not Found º 9Fh ³Directory Active º º03h ³DOS Path Not Found º A0h ³Directory Not Empty º º04h ³DOS Too Many Open Files º A1h ³Directory IO Error º º05h ³DOS Access Denied º A2h ³Read File With Record Locked º º06h ³DOS Invalid File Handle º BBh ³No Netware shell loaded º º07h ³DOS Memory Blocks Destroyed º C0h ³No Account Privileges º º08h ³DOS Insufficient Memory º C1h ³Login Denied - º º09h ³DOS Invalid Memory Block Address º ³No Account Balance º º0Ah ³DOS Invalid Environment º C2h ³Account Credit limit Exceeded º º0Bh ³DOS Invalid Format º ³Login Denied - No credit º º0Ch ³DOS Invalid Access Code º C3h ³Account - Too many Holds º º0Dh ³DOS Invalid Data º C5h ³Intruder Detection Lock º º0Fh ³DOS Invalid Drive Specified º C6h ³Not Console Operator º º10h ³DOS Attempt To Delete Current Dirº D0h ³Queue Error º º11h ³DOS Not Same Device º D1h ³No Queue º º12h ³DOS No More Files º D2h ³No Queue Server º º20h ³DOS Sharing Violation º D3h ³No Queue Rights º º21h ³DOS Lock Violation º D4h ³Queue Full º º80h ³File In User Error º D5h ³No Queue Job º º81h ³No More File Handles º D6h ³No Job Rights º º82h ³No Open Privileges º D7h ³Password Not Unique º º83h ³IO Error Network Disk º ³Queue Servicing º º84h ³No Create Privileges º D8h ³Password Too Short º º85h ³No Delete Privileges º ³Queue Not Active º º86h ³Create File Exists Read Only º D9h ³Login Denied - No connection º º87h ³Wild Cards in Create File Name º ³Station Not Server º º88h ³Invalid File Handle º DAh ³Unauthorized login time - º º89h ³No Search Privileges º ³Queue Halted º º8Ah ³No Delete Privileges º DBh ³Unauthorized login station - º º8Bh ³No Rename Privileges º ³Max Queue Servers º º8Ch ³No Modify Privileges º DCh ³Account Disabled º º8Dh ³Some Files Affected In Use º DEh ³Password has expired - No Graceº º8Eh ³No Files Affected In Use º DFh ³Password has expired º º8Fh ³Some Files Affected Read Only º E8h ³Not Item Property - º º90h ³No Files Affected Read Only º ³Write Property to Group º º91h ³Some Files Renamed - Name Exists º E9h ³Member Already Exists º º92h ³No Files Renamed - Name Exists º EAh ³No Such Member º º93h ³No Read Privileges º EBh ³Not Group Property º º94h ³No Write Privileges or Read Only º ECh ³No Such Segment º º95h ³File Detached º EDh ³Property Already Exists º º96h ³Server Out Of Memory º EEh ³Object Already Exists º º ³Out Of Dynamic Workspace º EFh ³Invalid Name º º97h ³No Disk Space for Spool File º F0h ³Wild Card Not Allowed º º98h ³Volume Does Not Exist º F1h ³Invalid Bindery Security º º99h ³Directory Full º F2h ³No Object Read Privilege º ÈÍÍÍÍÏÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ ÉÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ºHex ³Meaning º Hex ³Meaning º ÌÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÎÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ ºF3h ³No Object Rename Privilege º FFh ³Bad Printer Error º ºF4h ³No Object Delete Privilege º ³Bad Record Offset º ºF5h ³No Object Create Privilege º ³Close FCB Error º ºF6h ³No Property Delete Privilege º ³File Extension Error º º ³Not Same Local Drive º ³File Name Error º ºF7h ³No Property Create Privilege º ³Hardware Failure º º ³Target Drive Not Local º ³Invalid Drive Number º ºF8h ³Already Attached To Server º ³Invalid Initial Semaphore Valueº º ³No Property Write Privilege º ³Invalid Semaphore Handle º º ³Not Attached To Server º ³IO Bound Error º ºF9h ³No Free Connection Slots º ³No Files Found Error º º ³No Property Read Privilege º ³No Response From Server º ºFAh ³No More Server Slots º ³No Such Object º º ³Temporary Remap Error º ³Bad Password º ºFBh ³Invalid Parameters º ³Path Not Locatable º º ³No Such Property º ³Queue Full Error º º ³Unknown Request º ³Request Not Outstanding º ºFCh ³Unknown File Server º ³Transaction Not Yet Written º º ³Message Queue Full º ³No More Matching Files º º ³No Such Object º ³Bindery Failure º ºFDh ³Bad Station Number º ³Explicit Transaction Active º º ³Unknown Request º ³No Explicit Transaction Active º º ³Field Already Locked º ³No Record Found º º ³TTS Disabled º ³Output Buffer Full º ºFEh ³Bindery Locked º ³ º º ³Directory Locked º ³ º º ³Invalid Semaphore Name Length º ³ º º ³Server Bindery Locked º ³ º º ³Spool Directory Error º ³ º º ³Supervisor has disabled login º ³ º º ³Timeout Failure º ³ º º ³Transaction ends Record Lock º ³ º º ³Implicit Transaction Active º ³ º ÈÍÍÍÍÏÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ And we're only talking 'Offical NCP calls' here, so just imagine if you add undocumented stuff and NDS/IPX specific calls... Anyway, here are the communication API : ----------------------------------------------------- /* Connect and Transmit NCP requests */ /* Usage : ret=Pan_NCP_connect(server); 'server' is the file server number ?? setting server to 0 connects you to the default server. The value returned if negative is a Pandora API error, otherwise it's the ax value see table above. */ int Pan_NCP_connect(int socket); /* Usage : ret=Pan_NCP_transmit(function,request,r_lengh,answer,a_lengh); Use this to transmit an NCP packet via Novell Driver, parameters : - func is the NCP Function code (subfunc. is located in request data); - req is a pointer on a bloc of bytes (uint8) containing the request data (subfunc., ...); - rlengh is the lengh of the request data pointed by req; - ans is a pointer on an initialized bloc of bytes (uint8) which will contain the answer from the server to the request (if any); - alengh is the lengh of the expected returned data. The value returned if negative is a Pandora API error, otherwise it's the ax register value see NCP error table. */ int Pan_NCP_transmit(int func,uint8 *req,int rlengh,uint8 *ans,int alengh); /* Usage : ret=Pan_NCP_spoof(packet,lengh); This function requires a packet driver on interrupt 0x60, and permits to send fully customized packets (Network and Transport layer). Parameters : - packet is a pointer on a bloc of bytes (uint8) containing the data to send; - packlengh if the Total Physical Lengh of packet (Network and Transport); This code is experimental : it works but will be replaced by something more elaborate and more "compatible" ... */ int Pan_NCP_spoof(uint8 *packet,int packlengh); -------------------------------------><--------------------------------------- _A_ Appendix A : error codes Return code Description ------------------------------------------------------------------------------ --------------------------------------------------------- 1 | Server In Use,Semaphore Overflow,TTS Available 2 | DOS File Not Found 3 | DOS Path Not Found 4 | DOS Too Many Open Files 5 | DOS Access Denied 6 | DOS Invalid File Handle 7 | DOS Memory Blocks Destroyed 8 | DOS Insufficient Memory 9 | DOS Invalid Memory Block Address 10 | DOS Invalid Environment 11 | DOS Invalid Format 13 | DOS Invalid Access Code 14 | DOS Invalid Data 15 | DOS Invalid Drive Specified 16 | DOS Attempt To Delete Current Dir 17 | DOS Not Same Device 18 | DOS No More Files 32 | DOS Sharing Violation 33 | DOS Lock Violation 128 | File In User Error 129 | No More File Handles 130 | No Open Privileges 131 | IO Error Network Disk 132 | No Create Privileges 133 | No Delete Privileges 134 | Create File Exists Read Only 135 | Wild Cards in Create File Name 136 | Invalid File Handle 137 | No Search Privileges 138 | No Delete Privileges 139 | No Rename Privileges 140 | No Modify Privileges 141 | Some Files Affected In Use 142 | No Files Affected In Use 143 | Some Files Affected Read Only 144 | No Files Affected Read Only 145 | Some Files Renamed - Name Exists 146 | No Files Renamed - Name Exists 147 | No Read Privileges 148 | No Write Privileges or Read Only 149 | File Detached 150 | Server Out Of Memory,Out Of Dynamic Workspace 151 | No Disk Space for Spool File 152 | Volume Does Not Exist 153 | Directory Full 154 | Renaming Across Volumes 155 | Bad Directory Handle 156 | Invalid Path,No more Trustees 157 | No More Directory Handles 158 | Invalid Filename 159 | Directory Active 160 | Directory Not Empty 161 | Directory IO Error 162 | Read File With Record Locked 163 | No Netware shell loaded 192 | No Account Privileges 193 | Login Denied,No Account Balance 194 | Account Credit limit Exceeded,Login Denied,No credit 195 | Account,Too many Holds 197 | Intruder Detection, Account is Locked 198 | Not Console Operator 208 | Queue Error 209 | No Queue 210 | No Queue Server 211 | No Queue Rights 212 | Queue Full 213 | No Queue Job 214 | No Job Rights 215 | Password Not Unique,Queue Servicing 216 | Password Too Short,Queue Not Active 217 | Login Denied,No connection,Station Not Server 218 | Unauthorized login time,Queue Halted 219 | Unauthorized login station,Max Queue Servers 220 | Account Disabled 222 | Password has expired - No Grace 223 | Password has expired 232 | Not Item Property,Write Property to Group 233 | Member Already Exists 234 | No Such Member 235 | Not Group Property 236 | No Such Segment 237 | Property Already Exists 238 | Object Already Exists 239 | Invalid Name 240 | Wild Card Not Allowed 241 | Invalid Bindery Security 242 | No Object Read Privilege 243 | No Object Rename Privilege 244 | No Object Delete Privilege 245 | No Object Create Privilege 246 | No Property Delete Privilege,Not Same Local Drive 247 | No Property Create Privilege,Target Drive Not Local 248 | Already or Not Attached To Server,No Property Write Privilege 249 | No Free Connection Slots,No Property Read Privilege 250 | No More Server Slots,Temporary Remap Error 251 | Invalid Parameters,No Such Property,Unknown Request 252 | Unknown File Server,Message Queue Full,No Such Object 253 | Bad Station Number,Unknown Request,Field Already Locked,TTS Disabled 254 | Bind/NDS Locked/Err,Bad Sem Name Len,Login disable,Timeout,Trans err 255 | Bad Printer/Offset/FCB/Name/Ext/Hrdwre/Drive/Sem/File/Passwd/Req/IO ------------------------------------------------ (NULL) | Ok -1 | unknown error -100 | Password lengh exeed maximum (16 chars for Brute_Force & Dict (128 chars for Hash_Gen)) -101 | pw_first/pw_last mismatch -102 | pw_current/pw_last mismatch -103 | pw_first contains unauthorized chars OR pw_first/pwlen mismatch -104 | pw_current contains unauthorized chs OR pw_curr./pwlen mismatch -105 | Password not found with given words -106 | Maximum tries reached -107 | Hash is unknown -108 | Invalid hash -110 | Password is NULL -199 | File MUST be named, BACKUP.DS or BACKUP.NDS or DSREPAIR.DIB -200 | Error opening .NDS/.DS/.DIB files -201 | Out of memory -202 | Out of DOS memory -203 | NDS needs repair, cross reference encountered -204 | Value not found for this object/attribute pair -205 | Attribute not defined -206 | Unable to open Adapter -300 | Error opening file (Pandora/.NDS) -301 | File read/write failure OR invalid file"} _B_ Appendix B : physical file structures For an explanation of the .NDS file structure see Inside.txt. The two following structures are the physical equivalent to Pan_PassHack (<-> PASSHACK) and Pan_PassList (<-> PASSLIST). We decided the use of uint8[] blocs, this permits to write all numbers in the form of ASCII strings, thus bypassing any Endian problem and platform dependant data representation. Also note that all fields are multiples of 4 in bytes lengh, this is done for the same reasons. It's ugly but effective, yet we're open to suggestions... --------------------------------------------------------- typedef struct passlist { uint8 bind[8]; /* Type of bindery object, see end of file */ uint8 id[8]; /* Object ID from ENTRY */ uint8 parentID[8]; /* Parent ID */ uint8 objectID[8]; /* Object ID from Private Key */ uint8 pwlen_known[8]; /* TRUE or FALSE */ uint8 pwlen[8]; /* Password length of user account */ uint8 pwhash_known[8]; /* TRUE or FALSE */ uint8 hash[16]; /* One-way hash */ uint8 userOU[40]; /* OU of User */ uint8 userCN[258]; /* User common name */ uint8 password[258]; /* User password */ } PASSLIST; /* size=628 */ typedef struct passhack { uint8 bind[8]; /* Type of bindery object, see end of file */ uint8 id[8]; /* Object ID from ENTRY */ uint8 parentID[8]; /* Parent ID */ uint8 objectID[8]; /* Object ID from Private Key */ uint8 pwlen[8]; /* Password length currently tested */ uint8 pw_first[128]; /* Passwd used to initialize the hack */ uint8 pw_current[128];/* Last attempt saved */ uint8 pw_last[128]; /* Last attempt to perform */ uint8 key_space[PAN_KEYSPACE+1]; /* Key space used for brute force */ uint8 hash[16]; /* One-way hash if set to 0 => unknown */ uint8 userOU[40]; /* OU of User */ uint8 userCN[258]; /* User common name */ } PASSHACK; /* size=807 */ -------------------------------------><--------------------------------------- A final word. You are very welcome and encouraged to contribute to the project; Moreover, since this is GNU licensed, it is courteous ( if not required ;-) ) to notify us with any changes you make to or tools you build with the Pandora API; AND THESE TOOLS MUST REMAIN FREE WITH SOURCE CODE ACCESSIBLE. Happy Coding ! (c) Nomad Mobile Research Center www.nmrc.org