---------------------------------------------------------------------------

Appendix Section - Source Code and Other Documentation

A-04. Documentation for NOCRYPT and the Attack Explanation

---------------------------------------------------------------------------

					NOCRYPT.DOC

					Greg Miller

The nocrypt.c program uses a man-in-the-middle attack to hijack a user's 
loggin session (see attack.doc for details on the attack).  
The program should be run just before the intended target user is about to 
log in.  When run, the program will wait for the user to log in, hijack the 
session, and grant the specified user a security equivelance of the attacked 
user.

Before compiling the program you'll need to set variables for the following 
values in the program:  the address of the station you want to attack, the 
address of the station you'll be using to cary out the attack, the address 
of the nearest router, the name of the account you'll be attacking, the name 
of the account to receive the security equivelance, and the internal network 
address of the server the attackee will be logging in to.  (Perhaps someone 
will remove the need to specify such parameters in the future by auto 
detecting most of them).

NOTE:  With all addresses you must specify the Netork address, not just 
the MAC address.

After setting the corresponding values, compile the program.  The program 
has been compiled successfuly in Borland C++ 3.1.  However, it should 
compile in almost any C compiler capable of forming a DOS executable as 
long as the compiler allows inline ASM of the form _asm{ ... }.  If your 
compiler does not support inline ASM of that form, you'll need to edit the 
_asm{ ... } blocks to the correct format.
The final step before running the program is to install a packet driver on 
INT 0x60.  Most network cards come with a packet driver on the installation 
disk.  If you do not have the installation disks, or the disks do not have 
the drivers on them, many drivers for many cards are available on the web.  
Normally you must specify which interrupt to use for the packet driver, if so, 
use 0x60.  The 0x60 notation is hexadecimal, if your packet driver does not 
allow the use of hexadecimal numbers on the command line use 96 (without the 
preceeding 0x).
Just before the intended target is about to log in, run the program.  Assuming 
you've set everything up correctly, the session will be hijacked, the 
specified user will be given a security equivelance of the attacked user, 
and the program will terminate.  Now, reset your system and log in as the 
user who was granted the rights.  You will now be able to access all of 
the files of the attacked user.
One thing to note is that if the user you are attacking is not supervisor, 
but has supervisor equivelance you will not inherit the supervisor rights 
when you inherit the user's rights.  However, nocrypt.c can be modified to 
grant supervisor privlelages in this case, but as of now it does not.
The attack only works if the packet signature level is not set to 3 at the 
server.  The signature level set at the workstation has no impact on the 
attack.  Since the default value for this parameter is 2, administrators 
should set signature level in the autoexec.ncf file so it will be re-set 
each time the server is rebooted.

Do not send questions about this program directly to me.  Rather send them 
to a public forum on NetWare security such as the newsgroup 
comp.os.netware.security, or the NetWare Hack mailing list at 
nw-hack@bebr.cba.ufl.edu.

---------------------------------------------------------------------------


                        An Explanation of NOPASS.EXE
                                Greg Miller
                            September 26, 1996


        The NetWare login protocol consists of three packet exchanges between
the server and the client.  First the client sends a request for a login key,
the server generates a random eight byte value and sends it to the client.
Then the client sends a request for for the user ID of the user loging in, the
server looks up the user ID in the bindery and sends it to the client.
Finally, the client computes X=hash(UID,password) and Y=hash(X,login key) and
sends the result to the server.  The server retrieves X'=hash(UID,password)
stored in the bindery and computes Y'=hash(X',login key).  If Y=Y', the client
is granted access as the user.  If both the client and server agree to use
packet signatures, both parties then compute Z=hash(X,c) (where c is some
constant value) which they will use as a shared secret for authentication.
The following chart gives a graphical representation of the protocol:

	Client								Server

Request Login  Key	------------------------------------------------>

          <------------------------------------------------       Login Key

Request User ID		------------------------------------------------>

          <------------------------------------------------       UID of client

Compute X=hash(UID,password)                      Compute X'=hash(UID,password)
Compute Y=hash(X,login key)                       Compute Y'=hash(X,login key)

Request Authentication	------------------------------------------------>	If Y=Y', Access is Granted

Comput Z=hash(X,c)                                Compute Z=hash(X,c)


        When a user Alice logs in, an attacker Bob can interrupt this protocol
sequence and gain access as Alice without knowing her password.  In order for
the procedure to work, Bob must be on a network where he can observe the
traffic between Alice and the server, and Bob must be able to respond to
Alice's requests faster than the server.
        First Bob sends a request to the server to login, and the server sends
Bob a login key R".  Then Alice requests a login key from the server, Bob sees
the request and spoofs a reply as the server which sends Alice R" as her login
key.  The server receives Alice's request and sends her R as her login key,
when Alice receives R she will discard it as a duplicate.  Alice requests her
UID from the server, and the server responds with her UID.  Alice computes
X=hash(UID,password) and Y=hash(X,R") and sends the result to the server.  The
server computes Y'=hash(X,R), since Y' is not equal to Y, Alice is denied
access.  Meanwhile, Bob saw Alice's Y submitted to the server, he retrieves
this value from the network and sends it to the server for authentication as
Alice.  The server computes Y"=hash(X,R"), sice Y = Y" Bob is granted access
as Alice.  Bob requests not to sign packets, if the server does not require
all clients to sign packets, then Bob is allowed to masqurade as Alice.

	Alice				Bob			Server

                                Requests Login Key R"  ---->

                                                       <---- Sends R" to Bob

Requests Login Key R    ----------------------------------->

                        <----   Sends R" to Alice
                        <----------------------------------- Sends R to Alice
Receives R" first
Discards R as a duplicate

Requests UID for Alice  ----------------------------------->

                        <----------------------------------- Sends UID of Alice

Computes X=hash(UID,password)
Computes Y=hash(X,R")
Sends Y to the server   -----------------------------------> Computes
                                                                Y'=hash(X,R)
                                Sees Y and retrieves it.     Y != Y',
                                                                access is denied

                                Sends Y for             ---> Computes
                                        authentication          Y"=hash(X,R")
                                                             Y"=Y, access is
                                                                granted

                                Refuses to sign packets      If all clients are
                                                             not REQUIRED to
                                                             sign packets,
                                                             access is granted.

        There may be a second attacker, Joe, waiting for Alice to log in
without using packet signatures.  As a result, Joe can highjack Bob's
connection as Alice.

---------------------------------------------------------------------------