                                NDSAS HOWTO

                        (c) Nomad Mobile Research Centre
                                 www.nmrc.org


This exploit is built to make use of the ncpfs project for Linux. We used
ncpfs-2.2.0, available on many ftp sites; this project implements a kind of
"Client32" for Linux, and it comes with many tools and source code since it is
a GNU project.

Apply the "ndsas.dif" diff file to "ndslib.c" in the lib directory, and
rebuild the project. You will then be able to log in to a Netware 4.x server,
with packet signature enabled, using the hash of a user and not his password.

This works by looking at the length of the password submitted: if the password
is 32 characters long, it considers that you typed a hash value, converts the
hex hash string to binary and uses this hash for authentication.

For the record, function "shuffle" in ndscrypt.c is our well known "Hash_Gen"
function. We insert in ndslib.c at line 715, inside the procedure that
authenticates to an NDS server, the instructions that check the length of the
password just before "shuffle" is called.

This exploit was made possible by the tremendous work of Volker Lendecke and
the other people who wrote ncpfs. It proves our point regarding the weakness
of the NDS authentication scheme, as we described in the NCP paper.
