Let the Supervisor know who is in charge!!!!!!!!!!!
The Novell Hack Site
Go to the main page Here(Danger.net)
Here is some text you should read it has some good information.
If you don't feel like It Go down here
Date: Fri, 9 Apr 1999 02:24:45 -0700
From: [email protected]
To: [email protected]
Subject: New Novell Remote.NLM Password Decryption Algorithm with Exploit
I am providing this message in hopes that It will contribute to the
general knowledge of others. Please distribute this document fully
intact, so people can learn the -entire- algorithm.
- - - - - -
Novell is known to use a one-way hash algorithm in their password
encryption, so all captured encrypted passwords must be brute-forced,
slowly and painfully.
However, a few days ago, I cryptographically cracked Novell's Remote.NLM
password encryption algorithm. It is a very weak algorithm compared to
what Novell has implemented in NDS, as it is instantaneously
decryptable.
RConsole password encryption is different from Remote.NLM password
encryption because:
1) Encrypted RConsole passwords are sent across the wire, via RConsole.
Remote.NLM's encrypted passwords are generated at the server console by
typing REMOTE ENCRYPT MyPass, and they are optionally stored in
SYS:System\LDRemote.NCF.
2) They use a different password encryption algorithm. RConsole
passwords are encrypted with information from the workstation that is
currently running RConsole. Remote.NLM passwords are encrypted with a
time byte, one of 255 constants in a hash table, appended characters,
some XORing, and bit-order separation.
3) Encrypted RConsole passwords are locally obtained with a packet
sniffer, but Remote.NLM passwords are remotely accessible to anyone with
the ability to view SYS:System\LDRemote.NCF.
The Remote.NLM passwords are decrypted using only five steps. To
encrypt, simply reverse the steps. I don't know if this would be called
a two-way hash algorithm, but I assume it is.
The password will look something like this:
AF8CBBF48CA9955F5ADAFDADAA23
The structure of the password is as follows:
AF8CBBF48CA99 55F5ADAFDADAA - 23
The first section contains the low-order bits, and the second, the
high-order bits. 23 is the time byte, which is decremented by the
server once every two seconds, from FF to 02, then back up to FF, etc.
Step 1) Realign the low-order bits and high-order bits.
This is extremely simple to do. The high-order bits are in order from
the first character to the last, and so are the low-order bits.
Example:
Password: AF8CBBF48CA99 - 55F5ADAFDADAA,
Output: 5A 5F F8 5C AB DB AF F4 D8 AC DA A9 A9
At this point, ignore 5A 5F F8 5C, or the first four bytes. They are
appended somewhere during encryption, and decrypt to "%*@$".
It was a TERRIBLE idea for Novell to implement those four characters
into every single password, as those are what helped me rebuild their
hash table from scratch. Also, if the length of the password is 10, the
password is automatically decryptable to null.
Step 2) Match each of the password characters (group of two hex
characters) to the hash table below. Use their position from the
beginning of the table to determine the value of the pre-hash encrypted
password. Example: F4, the 8th character of the password, matches the
hash table at 95. This means that 95 is the pre-hash value of F4.
Thus far, (ignoring the first four characters) the password was:
AB DB AF F4 D8 AC DA A9 A9
and now the password is:
98 A0 9B 95 A1 9D A6 9C 9C
Remote.NLM Hash Table
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00 5B 58 5E 5F 59 5C 5A 5D-73 70 76 77 71 74 72 75
10 13 10 16 17 11 14 12 15-7B 78 7E 7F 79 7C 7A 7D
20 53 50 56 57 51 54 52 55-03 00 06 07 01 04 02 05
30 1B 18 1E 1F 19 1C 1A 1D-0B 08 0E 0F 09 0C 0A 0D
40 2B 28 2E 2F 29 2C 2A 2D-63 60 66 67 61 64 62 65
50 83 80 86 87 81 84 82 85-3B 38 3E 3F 39 3C 3A 3D
60 8B 88 8E 8F 89 8C 8A 8D-33 30 36 37 31 34 32 35
70 93 90 96 97 91 94 92 95-6B 68 6E 6F 69 6C 6A 6D
80 9B 98 9E 9F 99 9C 9A 9D-A3 A0 A6 A7 A1 A4 A2 A5
90 F3 F0 F6 F7 F1 F4 F2 F5-AB A8 AE AF A9 AC AA AD
A0 DB D8 DE DF D9 DC DA DD-FB F8 FE FF F9 FC FA FD
B0 23 20 26 27 21 24 22 25-B3 B0 B6 B7 B1 B4 B2 B5
C0 CB C8 CE CF C9 CC CA CD-BB B8 BE BF B9 BC BA BD
D0 C3 C0 C6 C7 C1 C4 C2 C5-D3 D0 D6 D7 D1 D4 D2 D5
E0 43 40 46 47 41 44 42 45-E3 E0 E6 E7 E1 E4 E2 E5
F0 4B 48 4E 4F 49 4C 4A 4D-EB E8 EE EF E9 EC EA ED
Step 3) Subtract the length (the number of groups of hex characters,
excluding the time character) of the full password from each encrypted
password character. Now you have the ACTUAL pre-hash encrypted
password. If the subtracted value is negative then simply continue from
FF down to the negative value. Example: if the password character is
at 04, and the length is 6, the value of the password character will be
FF.
The length is 13 (D in hex), so the password was:
98 A0 9B 95 A1 9D A6 9C 9C
and is now:
8B 93 8E 88 94 90 99 8F 8F
Step 4) Get the time var, in this situation 23 (hex), and subtract it
>from FF. This new character is for use in Step 5. Example: FF-23=DC.
Step 5) Finally, XOR each character (group of 2 hex characters) of the
encrypted password with the new time character, and you now have the
decrypted password!
The password was:
8B 93 8E 88 94 90 99 8F 8F (before the XOR)
Now, the decrypted password is:
57 4F 52 54 48 4C 45 53 53
"WORTHLESS"
I used "worthless" because if I seventeen-year-old with almost NO
experience in cryptography can crack an encryption algorithm, then under
most circumstances the algorithm is ABSOLUTELY WORTHLESS!!!
I have written a program in Pascal (oh well) which decrypts Remote.NLM
passwords instantaneously. I am unsure of the password length limits of
the program because I just wrote it. However, it has never failed to
decrypt a password. I have tested it on a password of around 50
characters, and it worked flawlessly, so there shouldn't be anything to
worry about regarding the length limit.
It can decrypt any character, from 00 to FF, and it will display that
value upon execution.
The source of the program is attached.
If you need help understanding this, or you wish to contribute to this
document, feel free to e-mail me.
TheRuiner
[email protected]
"Some OTHER operating systems suffer from weak password encryption."
- A quote from Novell's course of Networking Technologies.
Here are the files for hacking into a novell network.
Novell tools This file contains a lot of programs for hacking into novell. Have a look at Novelbfh.zip. 205 kb
NovelspyThis file looks of the supervisor is logged in and it has some other handy programs. 95.6 KB
Novell HackA program for hacking into a novell network. 20.4 KB
Novell LoginThis is a program that gives a novell login screen and if the supervisor try to login on that computer the program locks the password. 16.4 KB
NWl.zipA program to get the supervisor rights. 71.1 KB
Nwpcrack.zipThis is a simple Brute-force cracking program for novell platforms. 16.3 KB
Super.zipSUPER allows to switch SV equivalence on/off when needed. Do your daily work as normal user, and be SV only when needed. 33.5 KB
Kock.zipA Netware hacker. I didn't test this program so I don't know what it exactly does. 15.7 KB
Control.zipa memory resident program that runs on the node you wish to control. 30.8 KB
!Registry policies cleaner!it is very obvious what this program is for. Works with windows 95&98(Looks like shit in windows 95)
Here you have some links to other good site's (go to the "Danger.net-Links" for more links).
Archive Guide:
Danger.net
email/Nukers
IRC
Required Files
Trojans
Novell site
HAck texten
Hapa's Txtconverter
If you have any comment feel free to mail me NOW
Salami1_1
Search with ASTALAVISTA !!!!