NOCRYPT.DOC
Greg Miller

The nocrypt.c program uses a man-in-the-middle attack to hijack a user's login session (see attack.doc for details on the attack). The program should be run just before the intended target user is about to log in. When run, the program waits for the user to log in, hijacks the session, and grants the specified user a security equivalence to the attacked user.

Before compiling the program you will need to set variables in the source for the following values:

  - the address of the station you want to attack,
  - the address of the station you will be using to carry out the attack,
  - the address of the nearest router,
  - the name of the account you will be attacking,
  - the name of the account that is to receive the security equivalence, and
  - the internal network address of the server the attacked user will be logging in to.

(Perhaps someone will remove the need to specify such parameters in the future by auto-detecting most of them.)

NOTE: For every address you must specify the full network address (the IPX network number together with the node address), not just the MAC address.

After setting the corresponding values, compile the program. The program has been compiled successfully with Borland C++ 3.1. However, it should compile with almost any C compiler capable of producing a DOS executable, as long as the compiler accepts inline assembly of the form _asm{ ... }. If your compiler does not support inline assembly in that form, you will need to edit the _asm{ ... } blocks into the format your compiler expects.

The final step before running the program is to install a packet driver on INT 0x60. Most network cards come with a packet driver on the installation disk. If you do not have the installation disks, or the disks do not include the driver, drivers for many cards are available on the web. Normally you must specify which software interrupt the packet driver should use; if so, use 0x60. The 0x60 notation is hexadecimal; if your packet driver does not accept hexadecimal numbers on the command line, use 96 (without the preceding 0x).
Just before the intended target is about to log in, run the program. Assuming you have set everything up correctly, the session will be hijacked, the specified user will be given a security equivalence to the attacked user, and the program will terminate. Now reset your system and log in as the user who was granted the rights. You will be able to access all of the files of the attacked user.

One thing to note: if the user you are attacking is not Supervisor but has Supervisor equivalence, you will not inherit the Supervisor rights when you inherit that user's rights (security equivalence in NetWare is not transitive). nocrypt.c could be modified to grant Supervisor privileges directly in this case, but as of now it does not.

The attack only works if the NCP packet signature level at the server is not set to 3. The signature level set at the workstation has no impact on the attack. Since the default value for this parameter is 2, administrators should set the signature level in autoexec.ncf so that it is re-applied each time the server is rebooted.

Do not send questions about this program directly to me. Instead, send them to a public forum on NetWare security, such as the newsgroup comp.os.netware.security or the NetWare Hack mailing list at nw-hack@bebr.cba.ufl.edu.
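As an added illustration (not part of nocrypt.c or of the original document), the server-side setting the paragraph above refers to, as it would appear in the server's AUTOEXEC.NCF. The parameter name and the 0-3 levels are the standard NetWare "NCP Packet Signature Option" settings; the lines beginning with # are annotations added here, and the file path is an assumption about a typical installation.

```text
# SYS:SYSTEM\AUTOEXEC.NCF (server side)

# Weak: level 2 means the server signs if the client asks for it but
# still accepts unsigned NCP packets, so a hijacked session that never
# negotiated signing is accepted. This is the setting nocrypt.c relies on.
SET NCP Packet Signature Option = 2

# Hardened: level 3 makes the server require signed NCP packets from
# every client, so the hijacked (unsigned) session is rejected.
# Because this is in AUTOEXEC.NCF it is re-applied on every reboot.
SET NCP Packet Signature Option = 3
```

Only one of the two SET lines belongs in a real AUTOEXEC.NCF; the weak one is shown beside the hardened one for comparison. Typing the parameter name alone at the server console (SET NCP Packet Signature Option) should display the value currently in effect, which is the quickest way to confirm that the change survived a reboot. Note the operational cost of level 3: workstation shells running with a client signature level of 0 cannot attach to a server that requires signatures, so older clients must be updated or reconfigured before the server setting is changed.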