Last modified:

By Mad Hacker Snyder


Packet Sniffing is an especially powerful method of compromising an entire Ethernet or token-ring network. As a packet comes to a system on the network one of two things is supposed to happen. If the packet is addressed to that workstation, the information is accepted and processed. If the addresses do not match, the station is supposed to discard (Ethernet) or pass along (token-ring) the packet. Packet Sniffers corrupt this method to their own advantage. The Packet Sniffer software must put the network interface card into promiscuous mode. In promiscuous mode, the local system will accept EVERY packet that crossed the network. A spy can monitor and collect all e-mail messages circulating the network. If the network interfaces with a mainframe through a terminal emulation program, the login routine very likely transmits the password in clear text.

Two popular Packet Sniffers are and

There are a number of ways to combat Packet Sniffer attacks. A 10 base T network can use an active hub. An active hub sends packets ONLY to the station targeted by the server. A savvy network administrator can use any one of MANY forms of encryption protection plans. The easiest defense is to use adaptors that CAN NOT be set to promiscuous mode.


BINDERY.EXE accesses the bindery and extracts the cipher resulting from the NetWare one-way encryption feature. BINDERY.EXE outputs a text file containing the encrypted password and the USER ID. This text file can be cracked by a function of BINDERY.EXE, BINCRACK.EXE, through a dictionary file.

With powerful CPUs, multiple CPUs, and orchestrated networks, BINCRACK.EXE can make short work of the task of delivering passwords.

An intruder must have first gained supervisor equivalency in order to attack the bindery files. There is a way around this. A clever hacker might copy the old files produced every time BINDFIX runs. As system administrator you must guard against this by ensuring that the proper rights are set for the SYS:SYSTEM directory. Don't let BINDFIX's "seat-belt" files just hang around and accumulate; decide on a schedule for quickly deleting these files.

NWPCRACK.EXE is the other siege engine in the hacker's arsenal. NWPCRACK.EXE tries to log onto the network using a dictionary file as a list of all possible passwords. These dictionary files will contain every word in English, many words in other languages, celebrity names, slang, titles of books, movies, and TV shows - a universe of passwords. NWPCRACK.EXE will attempt to login as SUPERVISOR or any other USER ID, trying each entry in the dictionary file.

A variation on the theme is the brute force cracker like NOVELBFH.ZIP. A brute force attack simply tries every single combination of possible password characters. If allowed to run unchecked, this sort of program will surely get into the system. Protect your network's security by having intruder detection enabled. Have the account locks for an appropriate period of time after a set number of incorrect password attempts. With intruder detection, only a maximum of seven passwords might be inputted.

Of course, you must stress to your users that their password must not be anything so obvious that a human could guess it in five tries. This rules out the user's nickname, wife's/husband's name, car type, or whatever else an acquaintence might possibly know.


SETPWD.ZIP decompresses into a NLM, Netware Loadable Module. SETPWD.NLM resets any user password, including that of supervisor.

NW-HACK.ZIP is another software tool that hackers use to place themselves in the supervisor's seat.

To Be Continued