lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY1-F161EUEiffC8aH0000f5c5@hotmail.com>
Date: Thu, 25 Mar 2004 22:13:21 -0500
From: "spiffomatic 64" <spiffomatic64@...mail.com>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: NetSupport School Pro: Password encryption weaknesses


Vendor  : NetSupport
URL     : http://www.netsupport-inc.com/
Version : Invision NetSupport School Pro
Risk    : Password protection weakness

Description: NetSupport School, market leading training tool for the modern 
classroom featuring full student remote control, application & internet 
monitoring, customized student testing and more.

Password protection weakness: The password encryption method is a method 
which is easily reversed. The encryption method is as follows:
The letters are expressed using a hexadecimal type of system. Every letter 
is shown by two characters the first character can be any ascii character 
while the second is in a range from a-p. This works just like hex in that 
ap+1=ba. Its not case sensitive so that also makes it easier for kids to get 
passes. The characters start at EM. So A= EM B=EN and so on. Each letter is 
also added to by the number of letters in front of it. So the crypt of aa= 
EN9O while the crypt of aaa=EO9P>A. I can figure the routine used for the 
crypt of each colum though. Here is a reference for the letter a and its 
crypt of each colum EM, 9O, >a, BC, FE, :G, >I, BK, FM, :O. Based on this 
knowledge and the hex-esque characters, and the addition to each char based 
on the amount of letters in front of it, you can get the password from an 
encrypted one. An example of a cracked password: The crypt is “GC;H@KEO” GC 
-3 = FP (according to the hexish system) FP=T so the first letter is T. Take 
9O (known “a” for the 2nd column) and add the difference from a-t to it (19) 
and you get ;B add 2 to it (amount of letters in front of it) = ;D then 
subtract ;D from ;H you get 4 places. A+4 = E the second letter is “E” you 
continue to do this until you get the password “test”

Solution: based on my research this program uses a hash type validation 
method, so the quickest and most painless solution would be to use the md5 
routine for passwords.

Credits: Credits go to Drexel University, and Harry Hoffman because if they 
hadn’t have used this software I would have never had the urge to circumvent 
it ;)
As well as Mr. Flynn for teaching me pascal (even though its 20+ years old 
its still my favorite)

Im attaching a exploit to decrypt the password from a machine with the 
software installed

Spiffomatic64
Hacking is an art-form

_________________________________________________________________
All the action. All the drama. Get NCAA hoops coverage at MSN Sports by 
ESPN. http://msn.espn.go.com/index.html?partnersite=espn

Download attachment "EXPLOIT.PAS" of type "application/octet-stream" (3459 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ