--------------------------------------------------------------------------- Appendix Section - Source Code and Other Documentation A-04. Documentation for NOCRYPT and the Attack Explanation --------------------------------------------------------------------------- NOCRYPT.DOC Greg Miller The nocrypt.c program uses a man-in-the-middle attack to hijack a user's loggin session (see attack.doc for details on the attack). The program should be run just before the intended target user is about to log in. When run, the program will wait for the user to log in, hijack the session, and grant the specified user a security equivelance of the attacked user. Before compiling the program you'll need to set variables for the following values in the program: the address of the station you want to attack, the address of the station you'll be using to cary out the attack, the address of the nearest router, the name of the account you'll be attacking, the name of the account to receive the security equivelance, and the internal network address of the server the attackee will be logging in to. (Perhaps someone will remove the need to specify such parameters in the future by auto detecting most of them). NOTE: With all addresses you must specify the Netork address, not just the MAC address. After setting the corresponding values, compile the program. The program has been compiled successfuly in Borland C++ 3.1. However, it should compile in almost any C compiler capable of forming a DOS executable as long as the compiler allows inline ASM of the form _asm{ ... }. If your compiler does not support inline ASM of that form, you'll need to edit the _asm{ ... } blocks to the correct format. The final step before running the program is to install a packet driver on INT 0x60. Most network cards come with a packet driver on the installation disk. If you do not have the installation disks, or the disks do not have the drivers on them, many drivers for many cards are available on the web. Normally you must specify which interrupt to use for the packet driver, if so, use 0x60. The 0x60 notation is hexadecimal, if your packet driver does not allow the use of hexadecimal numbers on the command line use 96 (without the preceeding 0x). Just before the intended target is about to log in, run the program. Assuming you've set everything up correctly, the session will be hijacked, the specified user will be given a security equivelance of the attacked user, and the program will terminate. Now, reset your system and log in as the user who was granted the rights. You will now be able to access all of the files of the attacked user. One thing to note is that if the user you are attacking is not supervisor, but has supervisor equivelance you will not inherit the supervisor rights when you inherit the user's rights. However, nocrypt.c can be modified to grant supervisor privlelages in this case, but as of now it does not. The attack only works if the packet signature level is not set to 3 at the server. The signature level set at the workstation has no impact on the attack. Since the default value for this parameter is 2, administrators should set signature level in the autoexec.ncf file so it will be re-set each time the server is rebooted. Do not send questions about this program directly to me. Rather send them to a public forum on NetWare security such as the newsgroup comp.os.netware.security, or the NetWare Hack mailing list at nw-hack@bebr.cba.ufl.edu. --------------------------------------------------------------------------- An Explanation of NOPASS.EXE Greg Miller September 26, 1996 The NetWare login protocol consists of three packet exchanges between the server and the client. First the client sends a request for a login key, the server generates a random eight byte value and sends it to the client. Then the client sends a request for for the user ID of the user loging in, the server looks up the user ID in the bindery and sends it to the client. Finally, the client computes X=hash(UID,password) and Y=hash(X,login key) and sends the result to the server. The server retrieves X'=hash(UID,password) stored in the bindery and computes Y'=hash(X',login key). If Y=Y', the client is granted access as the user. If both the client and server agree to use packet signatures, both parties then compute Z=hash(X,c) (where c is some constant value) which they will use as a shared secret for authentication. The following chart gives a graphical representation of the protocol: Client Server Request Login Key ------------------------------------------------> <------------------------------------------------ Login Key Request User ID ------------------------------------------------> <------------------------------------------------ UID of client Compute X=hash(UID,password) Compute X'=hash(UID,password) Compute Y=hash(X,login key) Compute Y'=hash(X,login key) Request Authentication ------------------------------------------------> If Y=Y', Access is Granted Comput Z=hash(X,c) Compute Z=hash(X,c) When a user Alice logs in, an attacker Bob can interrupt this protocol sequence and gain access as Alice without knowing her password. In order for the procedure to work, Bob must be on a network where he can observe the traffic between Alice and the server, and Bob must be able to respond to Alice's requests faster than the server. First Bob sends a request to the server to login, and the server sends Bob a login key R". Then Alice requests a login key from the server, Bob sees the request and spoofs a reply as the server which sends Alice R" as her login key. The server receives Alice's request and sends her R as her login key, when Alice receives R she will discard it as a duplicate. Alice requests her UID from the server, and the server responds with her UID. Alice computes X=hash(UID,password) and Y=hash(X,R") and sends the result to the server. The server computes Y'=hash(X,R), since Y' is not equal to Y, Alice is denied access. Meanwhile, Bob saw Alice's Y submitted to the server, he retrieves this value from the network and sends it to the server for authentication as Alice. The server computes Y"=hash(X,R"), sice Y = Y" Bob is granted access as Alice. Bob requests not to sign packets, if the server does not require all clients to sign packets, then Bob is allowed to masqurade as Alice. Alice Bob Server Requests Login Key R" ----> <---- Sends R" to Bob Requests Login Key R -----------------------------------> <---- Sends R" to Alice <----------------------------------- Sends R to Alice Receives R" first Discards R as a duplicate Requests UID for Alice -----------------------------------> <----------------------------------- Sends UID of Alice Computes X=hash(UID,password) Computes Y=hash(X,R") Sends Y to the server -----------------------------------> Computes Y'=hash(X,R) Sees Y and retrieves it. Y != Y', access is denied Sends Y for ---> Computes authentication Y"=hash(X,R") Y"=Y, access is granted Refuses to sign packets If all clients are not REQUIRED to sign packets, access is granted. There may be a second attacker, Joe, waiting for Alice to log in without using packet signatures. As a result, Joe can highjack Bob's connection as Alice. ---------------------------------------------------------------------------