
List:       firewalls-gc
Subject:    Re: Novell Vulnerabilities
From:       Marc Mosko <marc () tear ! com>
Date:       1996-08-29 14:02:53

Keith McCammon wrote:
> I don't really think spoofing in that sense is a relevant attack because
> all Netware connections are authenticated through RSA public/private key.

Only Netware 4 is RSA.  The RSA is only for connection setup.  If you do
not enable packet signatures (disabled by default because of the
processing overhead) then after authentication you are only known by a
connection ID and network address.  Easily spoofed.


> The only hole in this to my knowledge is that only the client is
> authenticated, the server is not. So, certainly for bindery mode
> connections you could impersonate a Netware server by doing something as
> simple as turning on SAP in Win95 and running a hacked LOGIN.EXE that
> caches usernames and passwords and redirects them to a real Netware
> server.

The authentication scheme uses random number encryption/decryption.
Passwords are never passed over the network (that was Netware 3).  NDS
uses nonce values to help protect against known-value attacks.

No, you do not authenticate to a particular server.  You authenticate
to the directory tree.  The directory tree then provides you server
addresses which are properties of server objects.

> I don't know how you'd override the SAP of an existing server, but if the
> preferred server is not set then the Netware clients will look for the
> nearest server (which could be your Win95 box).

The default is to find a directory server (different SAP type, but same
idea).  Yes, if you wrote a man-in-the-middle attack you could look like
a NetWare Directory server and get authentication requests.  This does
not help you, since as I said above passwords are never sent over the
network (the private key is, but not the password).  In addition, you
would need to spoof a real Netware server.

The authentication scheme goes like (this is from Netware App Notes Oct
94):

      CLIENT                    SERVER
      send username    --->     verify user name
                       <--      valid login server IPX address
                       <--      NDS "Entry ID" (object id of user)

       (possibly after new NCP connection to server established)

      "Entry ID"       -->
                       <--      Salt (stored with password on server)
                       <--      R1 (random number challenge)

      Get Server public key -->
                       <--      send public key

      Compute HSP = Hash1( Salt, Password )
      Compute Y from HSP and R1
      Choose R2 (another random number for server challenge)
      Choose S (long random data nonce)

      Encrypt R2, S, Y with server's public key
      (This really uses RSA to encrypt a secret, then encrypts the message
      with the random number.  The encrypted secret and cypher text are sent
      to the server.  The server decrypts the secret with the private key
      then decrypts the message with the secret [R2 above].)

      send encryption   -->
                                 Decrypt Y, S, R2
                                 Compute RC2(HSP,R1) and check against Y
                                 * This verifies that the user has the
                                 real password without the user sending
                                 the password.  It prevents
                                 password-guessing techniques.

                                 Encrypt ( R2, User's private key XOR S)
                                 with Y
                        <--      send cypher text

      Client now has the private key so it can generate things like
      packet signatures.

I'm sure there's more info on Novell's web site about this.  I would
guess the best attack against this is the random data generator used to
make S.  If you can figure out S, then you could probably mount a good
man-in-the-middle attack.
-- 
   Marc Mosko                   Email: marc@tear.com
                                Web:   http://www.tear.com/

   "If anyone knocks out another's eye, he shall pay him
   sixty-six shillings, six pence, and a third of a penny."
   -- Leges Henrici Primi (13th century)

           PGP Key available via Public Servers and
               http://www.tear.com/pgp-key.html
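The exchange sketched in the message above, as an added example that is not part of the original post and not Novell's code: a toy model of the NDS challenge/response, with both the client and server sides, written to show why the password never crosses the wire and why the client's R2 challenge lets it detect a server that does not hold the real private key. Every primitive is an assumed stand-in: HMAC-SHA256 plays the role of Hash1 and of the RC2(HSP, R1) step, a SHA-256 counter keystream replaces the symmetric "encrypt with Y / with R2" steps, and textbook RSA over two Mersenne primes replaces the server's real key pair. Class and function names (NdsServer, client_login, rsa_seal, rsa_open) are invented for this example.

```python
import hashlib
import hmac
import secrets

# Stand-in primitives (assumptions for this example, not Novell's algorithms).

def hash1(salt: bytes, password: str) -> bytes:
    """HSP = Hash1(Salt, Password): the only place the cleartext password is used."""
    return hmac.new(salt, password.encode(), hashlib.sha256).digest()

def keyed_response(hsp: bytes, r1: bytes) -> bytes:
    """Y derived from HSP and R1 (the post calls this RC2(HSP, R1)); HMAC stands in."""
    return hmac.new(hsp, r1, hashlib.sha256).digest()

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stand-in cipher: XOR with a SHA-256 counter keystream (self-inverse)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], ks))
    return bytes(out)

# Toy RSA key pair for the server. n is about 2^92, so an 11-byte secret is
# always smaller than n and round-trips exactly through seal/open.
_P, _Q, _E = 2 ** 31 - 1, 2 ** 61 - 1, 65537
SERVER_PUBLIC = (_E, _P * _Q)
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
SECRET_LEN = 11

def rsa_seal(public: tuple, secret: bytes) -> int:
    e, n = public
    return pow(int.from_bytes(secret, "big"), e, n)

def rsa_open(sealed: int) -> bytes:
    return pow(sealed, _D, _P * _Q).to_bytes(SECRET_LEN, "big")

class NdsServer:
    """Stores Salt, HSP and the user's private key; never the cleartext password."""
    def __init__(self, password: str, user_private_key: bytes):
        self.salt = secrets.token_bytes(16)
        self.hsp = hash1(self.salt, password)
        self.user_private_key = user_private_key
        self.r1 = None

    def challenge(self):
        """Server -> client: Salt, the random challenge R1, and the public key."""
        self.r1 = secrets.token_bytes(16)
        return self.salt, self.r1, SERVER_PUBLIC

    def verify(self, sealed_r2: int, ciphertext: bytes):
        """Client -> server: open R2 with the private key, decrypt (S, Y), check Y,
        then answer with (R2, private key XOR S) encrypted under Y."""
        r2 = rsa_open(sealed_r2)
        plain = stream_xor(r2, b"client", ciphertext)
        s, y = plain[:32], plain[32:]
        expected = keyed_response(self.hsp, self.r1)
        if not hmac.compare_digest(y, expected):
            return None  # wrong password: a guesser learns nothing usable
        reply = r2 + bytes(a ^ b for a, b in zip(self.user_private_key, s))
        return stream_xor(y, b"server", reply)

def client_login(server: NdsServer, password: str):
    """Drive the exchange from the client; returns the recovered private key or None."""
    salt, r1, public = server.challenge()
    hsp = hash1(salt, password)
    y = keyed_response(hsp, r1)
    r2 = secrets.token_bytes(SECRET_LEN)   # client's challenge to the server
    s = secrets.token_bytes(32)            # long random nonce S
    sealed_r2 = rsa_seal(public, r2)       # secret sealed with the server's public key
    ciphertext = stream_xor(r2, b"client", s + y)
    reply = server.verify(sealed_r2, ciphertext)
    if reply is None:
        return None
    plain = stream_xor(y, b"server", reply)
    if plain[:SECRET_LEN] != r2:
        return None  # server could not echo R2: it does not hold the real private key
    return bytes(a ^ b for a, b in zip(plain[SECRET_LEN:], s))

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed sample user private key
    srv = NdsServer("correct horse", key)
    print(client_login(srv, "correct horse") == key)
    print(client_login(srv, "wrong guess"))
```

Two properties of the post's argument are visible in the code: the server keeps only Salt and HSP, so there is no cleartext password to capture, and the server's reply must echo the client's R2 under Y, which is the check a man-in-the-middle that cannot open the RSA envelope fails. The message's closing remark about S applies directly: if S were predictable, the final XOR would leak the user's private key to anyone who could read the reply.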
