Hacks & Cracks

home *** CD-ROM | disk | FTP | other *** search

/ Hacks & Cracks / Hacks_and_Cracks.iso / hackersguides-&-software / getit.zip / READ.ME < prev

Wrap

Text File | 1989-06-01 | 4KB | 69 lines

Thief is a TSR (Terminate and Stay Resident) utility written in 8086 assembly language that attempts to steal Novell passwords. It originates from a site with consummate hackers and a long, colorful history of mischief: George Washington High School in Denver, Colorado. The school is well endowed with a large variety of IBM microcomputers. Five rooms of about 30 computers each are all tied together on a Novell network. Four of the five rooms solely use boot proms for initializing the workstations.* However, the fifth houses IBM PS/2 model 80s with hard drives. The power users tend to congregate in this area, including the "administrators" with Supervisor equivalence. These machines do not use boot proms. So it was on one of these computers where the "thief" was first discovered, because it takes advantage of weaknesses in the security at the boot phase. Into the regular flow of action in the AUTOEXEC.BAT file, the creator inserted a line that executes the (hidden) program copied onto the boot disk. The TSR remains in the background and the process continues. Visual signs of the break-in are imperceptable. Then, as soon as a program named LOGIN is executed, the thief springs to life and records all the keystroke action into a hidden file on the boot disk. The human thief may then later return to the computer and see what the trap caught. Before a more detailed description of the "metabolism" of the thief, consider now the weaknesses that led to the breach: o a localized boot process, or at least one that is corruptable. o _physical_ access (by the thief) to a sensitive computer. Both are controllable, of course. The boot prom is a solution for the former, and lock and key (on the computer or a room that surrounds it) is for the latter. Now return to the "metabolism". Surprisingly, THIEF uses the same "hook" that the Novell shell does! That is, it captures the centralized portal to DOS, interrupt 21h.* Then, it intercepts all function calls. Specifically, it checks for the EXECute file function call and the "terminate" interrupt. Whenever an EXEC call is made with a filename LOGIN, THIEF springs to life and records keystrokes until the program terminates. This is somewhat sophisticated; however, an even more effective method could be realized: it could simply wait for the specialized Novell function call to log in, and record the calling parameters. Note that the above technique requires the program be loaded _subsequent_ to the Netware shell. By no means are these types of programs new; they have been around as long as password-based program security. Here, however, is an example that is tangible and immediate. Study of it is beneficial because knowledge of Netware security is one thing; knowledge of how to _defeat_ it is quite another! The latter demands cutting-edge sophistication and comprehension. The future will certainly see improved identification techniques, and timeless, devious ingenuity will be there to greet them. Note: THIEF was formerly named GETIT by its creator, who was careless and cocky enough to leave the source code. *"Boot proms", for those not familiar, are accessory chips that reside on network interface cards; they redirect local drive activity to the server during the boot process, thus allowing a workstation to initialize without a (boot) disk. *Interrupt 21h is that used by any program when requesting a DOS function. The Netware shell, of course, intercepts this regular flow. It may pass the information directly along to DOS, or process the call itself.