---

Pandora v4.0, GUI security audit tool, released

Simple Nomad posted to
BUGTRAQ:

_______________________________________________________________________________

                          Nomad Mobile Research Centre
                             A N N O U N C E M E N T
                                  www.nmrc.org
                        Simple Nomad [[email protected]]
                                   05Jul1999
_______________________________________________________________________________ Product : Pandora v4.0 Platform : Windows 95/98/NT, X Windows on Linux 2.x

The long-awaited Pandora v4.0 with “point, click, and attack”
GUI interface is now available. Running under Windows 95/98/NT or
Linux with X, this security audit tool with full metal jacket ninja
kungfu action was compiled with 100% freeware compilers using
freeware libraries with no big corporation SDK assistance. In other
words, the GUI looks and behaves the same on either Windows or
Linux.

Old Pandora v3 exploits are back, with Netware 4.x AND Netware
5.x support. We have even updated several attacks to make them
easier to use and to take advantage of our GUI.

The GUI interface has some important new features:

  • Offline and Online components. Offline for cracking passwords
    offline, and Online for direct server attacks.

Offline (for Windows and Linux) includes:

  • Password cracking of Netware 4.x and 5.x passwords.
  • Reads native NDS files — as well as maintenance files such as
    BACKUP.DS and DSREPAIR.DIB — and extracts password hashes for
    cracking.
  • Reads Netware 4.x and 5.x versions of NDS, BACKUP.DS, and
    DSREPAIR.DIB.
  • Multiple accounts can be brute forced and dictionary cracked
    simultaneously.
  • Preset and user-definable keyspace for brute forcing.
  • On screen sorting of account listings for easy viewing.
  • Built-in NDS browser to look at all NDS objects.
  • Remote Console Decryption using The Ruiner’s decryption
    algorithm.

Online (Linux coming soon, hey we’re in beta!) includes:

  • Attach to servers using only the password hash (if you do not
    wish to crack them).
  • Dictionary attacks against NDS objects that detect if Intruder
    Detection was triggered.
  • Browse for target servers and gather connection info for
    spoofing attacks.
  • GameOver spoofing attack against servers not using Level 3
    packet signature.
  • Improved Level3-1 attack which no longer requires using a
    sniffer to find elusive data for Admin session hijacking, just add
    in the Admin’s MAC address and we do the rest.
  • Several nasty Denial of Service attacks.

Full source code included in case you don’t trust our binaries,
and for adding your own code.

Check out binaries, code, doco, rants, and more at http://www.nmrc.org/pandora/