OK, I'll not mess about with good English here; making ypghost
user-friendly and documenting it seems to be taking about two or
three times the amount of time it took to originally write it......

I 'pre-released' ypghost about a month ago on a small U.K. hacker's
newsgroup (amusingly, I would guess about half of the 70-odd people
that downloaded it as a result were anti-hacker types; the http log
read like a who's who of U.K. security consultants). Unfortunately
I have had very little feedback from the pre-release, so there may
still be some mistakes in this release.

Version 0.5 differs only slightly from the pre-release version;
apart from a couple of small bug fixes, the main difference is that
DLT_NULL is now supported, so ypghost should now work with the
loopback interface under BSD.

If you're unsure what ypghost is supposed to do, you should read
the paper by D. Hess (the file name is probably NIS_Paper.ps),
available from my WWW page amongst other places. The paper explains
the general principle and describes a program called 'ypfake' which
apparently does the same thing that ypghost now does. Note that
this 'ypfake' program is not available (many thanks to D. Hess for
confirming this, BTW), and since it is described as using Sun's
NIT, I suppose it would only work on Suns anyway.

Note that ypghost only fakes UDP replies to YPPROG_MATCH calls, so
the false entries will not show up if you try looking at the maps
with ypcat etc., although that's explained in NIS_Paper.ps.

I have so far tested ypghost on Linux using the loopback interface
(which seems to be of 'ethernet' type) and on an ethernet network
of Suns. Linux & loopback worked fine, although for some reason it
seemed to work consistently for a while, then not work consistently
for a while, then work consistently again; presumably if you tipped
the balance slightly by nice'ing ypserv or something, it would
probably work consistently all the time.

The test on the network of Suns is obviously a much better test. I
was slightly surprised that with all the machines idle the real
response consistently beat the spoofed response; this could be for
a variety of reasons, perhaps the positioning of the machines, or
maybe libpcap is slow on Suns. Anyway, bombarding the NIS server
with a few NFS requests soon popped the load average up, and
ypghost began to work fine.
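The two paragraphs above (the YPPROG_MATCH note and the race against the real server) describe the one thing a defender can actually look for: ypghost answers a match call with a forged UDP reply, the genuine reply from ypserv is sent regardless, and whichever arrives first is the one the client keeps. The script below is an added example and is not ypghost's code or anything the author distributed. It builds a few constructed RPC datagrams, correlates calls with replies by transaction id (XID) and reports a second reply for an XID that has already been answered. The addresses, map, key, values and capture order are made up for the demonstration; the program number 100004, procedure number 3 (yp.x calls the procedure YPPROC_MATCH) and the ypresp_val layout are from the yp.x definitions.

```python
"""Spot NIS (YP) reply-spoofing races in a UDP capture.

Added example for the ypghost release note; not ypghost's own code.
Addresses and datagrams below are constructed.  Program/procedure
numbers and the ypresp_val layout follow ONC RPC and yp.x.
"""
import struct

YPPROG = 100004          # NIS program number (yp.x)
YPPROC_MATCH = 3         # the match procedure ypghost answers (yp.x)
RPC_CALL, RPC_REPLY = 0, 1
YP_TRUE = 1              # ypstat success value (yp.x)


def xdr_string(s):
    """XDR string: 4-byte length, bytes, zero padding to a 4-byte boundary."""
    return struct.pack(">I", len(s)) + s + b"\0" * (-len(s) % 4)


def build_match_call(xid, domain, mapname, key):
    """Construct a YPPROC_MATCH call with AUTH_NONE credential and verifier."""
    hdr = struct.pack(">IIIIII", xid, RPC_CALL, 2, YPPROG, 2, YPPROC_MATCH)
    auth = struct.pack(">II", 0, 0) * 2      # cred + verf: flavor 0, length 0
    return hdr + auth + xdr_string(domain) + xdr_string(mapname) + xdr_string(key)


def build_match_reply(xid, value):
    """Construct an accepted, successful reply whose result is a ypresp_val."""
    # xid, REPLY, reply_stat MSG_ACCEPTED, verf flavor, verf len, accept_stat SUCCESS
    hdr = struct.pack(">IIIIII", xid, RPC_REPLY, 0, 0, 0, 0)
    return hdr + struct.pack(">i", YP_TRUE) + xdr_string(value)


def _skip_opaque_auth(payload, off):
    """Skip an opaque_auth (flavor, length, padded body); return the new offset."""
    _flavor, n = struct.unpack_from(">II", payload, off)
    return off + 8 + n + (-n % 4)


def parse_rpc(payload):
    """Parse an RPC call or reply header; 'body' is the undecoded args/result."""
    xid, mtype = struct.unpack_from(">II", payload, 0)
    off = 8
    if mtype == RPC_CALL:
        _rpcvers, prog, vers, proc = struct.unpack_from(">IIII", payload, off)
        off = _skip_opaque_auth(payload, off + 16)    # cred
        off = _skip_opaque_auth(payload, off)         # verf
        return {"xid": xid, "type": "call", "prog": prog, "vers": vers,
                "proc": proc, "body": payload[off:]}
    reply_stat, = struct.unpack_from(">I", payload, off)
    off += 4
    if reply_stat != 0:                               # MSG_DENIED carries no result
        return {"xid": xid, "type": "reply", "accepted": False, "body": b""}
    off = _skip_opaque_auth(payload, off)             # server verifier
    accept_stat, = struct.unpack_from(">I", payload, off)
    return {"xid": xid, "type": "reply", "accepted": accept_stat == 0,
            "body": payload[off + 4:]}


def parse_ypresp_val(body):
    """Decode a ypresp_val result into (ypstat, value bytes)."""
    status, n = struct.unpack_from(">iI", body, 0)
    return status, body[8:8 + n]


def audit(datagrams):
    """Correlate YPPROC_MATCH calls and replies by XID; return anomalies.

    datagrams: (src_ip, dst_ip, payload) tuples in capture order.  A client
    keeps the first reply matching its XID, so in a spoofing race both the
    forged and the genuine reply reach the wire and the second one is the
    tell-tale, whatever source address it carries.
    """
    pending = {}    # xid -> (client, server the call was addressed to)
    accepted = {}   # xid -> (src of first reply, value the client kept)
    findings = []
    for src, dst, payload in datagrams:
        msg = parse_rpc(payload)
        if msg["type"] == "call":
            if msg["prog"] == YPPROG and msg["proc"] == YPPROC_MATCH:
                pending[msg["xid"]] = (src, dst)
            continue
        xid = msg["xid"]
        if xid not in pending:
            findings.append((xid, "unsolicited-reply", src))
            continue
        client, server = pending[xid]
        value = parse_ypresp_val(msg["body"])[1] if msg["accepted"] else b""
        if xid in accepted:
            first_src, first_val = accepted[xid]
            findings.append((xid, "duplicate-reply",
                             "client %s kept %r from %s; later reply %r from %s"
                             % (client, first_val, first_src, value, src)))
        else:
            accepted[xid] = (src, value)
            if src != server:
                findings.append((xid, "wrong-source", src))
    return findings


def sample_capture():
    """Constructed capture: one raced lookup, then one normal lookup."""
    client, server = "10.0.0.5", "10.0.0.1"           # constructed addresses
    return [
        (client, server, build_match_call(0x1001, b"example", b"passwd.byname", b"bob")),
        # forged reply with the server's address as source: wins the race
        (server, client, build_match_reply(0x1001, b"spoofed-entry")),
        # genuine reply arrives second and is discarded by the client
        (server, client, build_match_reply(0x1001, b"genuine-entry")),
        (client, server, build_match_call(0x1002, b"example", b"passwd.byname", b"alice")),
        (server, client, build_match_reply(0x1002, b"genuine-entry")),
    ]


if __name__ == "__main__":
    for xid, kind, detail in audit(sample_capture()):
        print("xid 0x%x: %s: %s" % (xid, kind, detail))
```

Run on its own it prints the single finding for the constructed capture; on real traffic, feed audit() the UDP payloads of a capture as (src, dst, payload) tuples. The source-address check is the weak one, since a spoofed reply can carry the server's address exactly as the sample does; the duplicate-XID check is the one worth alerting on, and it fires whichever reply wins the race, which is also why the "works for a while, then doesn't" behaviour in the note makes no difference to a sensor: under a race both replies are on the wire either way.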

Ypghost also compiles and runs fine on FreeBSD 2.1.0, although
unfortunately I haven't tested it to see whether it works. My
machine doesn't have an ethernet card, and the BSD
portmap/ypserv/ypbind seemed particularly reluctant to work, so I
couldn't test it using the localhost interface (I didn't try that
hard since it seemed to be trying to use TCP anyway).

I really can't be bothered to explain the basic principles of NIS
and UDP spoofing here. Although I will say, despite group wheel,
secure consoles, passwd shadowing and efficient NIS servers, it
does actually work, for me anyway, so do persevere; if at first you
don't succeed....
               (the limitations described in the man page aside.)

No, it won't work if NIS+ is being used. NIS+ is not something I
know much about yet, but I gather its use is still pretty limited;
as far as I know only Solaris actually implements it. However, if
you have *nothing* but Solaris machines on the network you're
using, you may be disappointed (or pleasantly surprised if you're a
fascist sysadmin). THAT IS NOT TO SAY THAT NIS+ IS SECURE, please
don't come to any conclusions like that; quite frankly I can't
think of any obvious conclusions that can be drawn from ypghost,
other than common-sense ones, like that confidential data should
never be kept on Internet-connected computers.

Oh yeah, if you're planning to do anything with the source at all,
*do* let me know, I might be able to send you some comments even.
If you're used to normal RPC programming, I do apologise if my code
makes you feel physically sick, or if you can't actually believe
what you see. In its defense I'll just say that, even though I
couldn't test it while I was writing it, it *did* work virtually
the first time I tried it. I also wanted to make it portable, even
to systems that may not have rpcgen etc.

Apologies for retaining all copyright on ypghost; if somebody
actually paid me for doing stuff like this I might feel
differently, but they don't, and I don't suppose using my time to
do stuff like this will get any credit with the Employment Service,
who expect me to spend all my time looking for cleaning jobs (or
whatever else pays 50 quid for a 72-hour week).

Finally, having spoofed packets on your network could possibly
confuse it; I take no responsibility for anything ypghost does.

Please let me know of any bugs, as I certainly haven't exhaustively
tested it (testing it *once* was enough hassle). Similarly, let me
know if it's worked fine on such and such a system. In fact any
comments would be welcome, although please put the word 'ypghost'
in the subject line.

Cheers,

Arny - cs6171@scitsc.wlv.ac.uk

			http://www.scit.wlv.ac.uk/~cs6171/hack/index.html

