Open Source and information security mailing list archives
 
Message-ID: <BAY1-F161EUEiffC8aH0000f5c5@hotmail.com>
From: spiffomatic64 at hotmail.com (spiffomatic 64)
Subject: NetSupport School Pro: Password encryption weaknesses


Vendor  : NetSupport
URL     : http://www.netsupport-inc.com/
Version : Invision NetSupport School Pro
Risk    : Password protection weakness

Description: NetSupport School, market leading training tool for the modern 
classroom featuring full student remote control, application & internet 
monitoring, customized student testing and more.

Password protection weakness: The password encryption method is one that is
easily reversed. The encryption method is as follows:
The letters are expressed using a hexadecimal type of system. Every letter
is shown by two characters: the first character can be any ASCII character,
while the second is in a range from a-p. This works just like hex in that
ap+1=ba. It's not case sensitive, so that also makes it easier for kids to get
passes. The characters start at EM, so A=EM, B=EN and so on. Each letter is
also added to by the number of letters in front of it, so the crypt of aa=
EN9O while the crypt of aaa=EO9P>A. I can figure the routine used for the
crypt of each column though. Here is a reference for the letter a and its
crypt in each column: EM, 9O, >a, BC, FE, :G, >I, BK, FM, :O. Based on this
knowledge and the hex-esque characters, and the addition to each char based
on the amount of letters in front of it, you can get the password from an
encrypted one. An example of a cracked password: The crypt is “GC;H@KEO”. GC
-3 = FP (according to the hexish system); FP=T, so the first letter is T. Take
9O (known “a” for the 2nd column) and add the difference from a-t to it (19)
and you get ;B; add 2 to it (amount of letters in front of it) = ;D; then
subtract ;D from ;H and you get 4 places. A+4 = E, so the second letter is “E”.
You continue to do this until you get the password “test”.

Solution: based on my research this program uses a hash type validation 
method, so the quickest and most painless solution would be to use the md5 
routine for passwords.

Credits: Credits go to Drexel University, and Harry Hoffman, because if they
hadn’t used this software I would never have had the urge to circumvent
it ;)
As well as Mr. Flynn for teaching me Pascal (even though it's 20+ years old
it's still my favorite)

I'm attaching an exploit to decrypt the password from a machine with the
software installed

Spiffomatic64
Hacking is an art-form

-------------- next part --------------
A non-text attachment was scrubbed...
Name: EXPLOIT.PAS
Type: application/octet-stream
Size: 3459 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040325/8a0b8be5/EXPLOIT.obj
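
The scheme described in the post, as an added Python sketch (not the scrubbed EXPLOIT.PAS attachment and not the author's code); the keyless round trip shows the stored value is an encoding, not a hash. Assumptions, inferred from the post's aa, aaa and GC;H@KEO examples: the first character of a pair counts in ASCII order, and each column adds the running sum of the letters so far plus the number of letters after it.

```python
# Added illustration; not the EXPLOIT.PAS attachment (scrubbed by the archive).
# Encodings of the letter "a" in columns 1-10, copied from the post.
REFERENCE_A = ["EM", "9O", ">A", "BC", "FE", ":G", ">I", "BK", "FM", ":O"]
DIGITS = "ABCDEFGHIJKLMNOP"  # second character of a pair: base-16 digit a-p


def pair_value(pair):
    # Assumption: the first character counts in ASCII order (9, :, ;, ...).
    return ord(pair[0]) * 16 + DIGITS.index(pair[1].upper())


def value_pair(value):
    return chr(value // 16) + DIGITS[value % 16]


def encode(password):
    letters = [ord(c) - ord("a") for c in password.lower()]
    n = len(letters)
    if not 1 <= n <= len(REFERENCE_A) or any(not 0 <= v < 26 for v in letters):
        raise ValueError("expects 1-10 letters a-z")
    out, running = [], 0
    for col, v in enumerate(letters):
        running += v  # assumption: each column carries the sum of letters so far
        trailing = n - 1 - col  # assumption: plus the count of letters after it
        out.append(value_pair(pair_value(REFERENCE_A[col]) + trailing + running))
    return "".join(out)


def decode(stored):
    n, odd = divmod(len(stored), 2)
    if odd or not 1 <= n <= len(REFERENCE_A):
        raise ValueError("expects 1-10 two-character pairs")
    plain, running = [], 0
    for col in range(n):
        pair = stored[2 * col:2 * col + 2]
        total = pair_value(pair) - pair_value(REFERENCE_A[col]) - (n - 1 - col)
        v = total - running
        if not 0 <= v < 26:
            raise ValueError("pair %r does not fit the scheme" % pair)
        plain.append(chr(ord("A") + v))
        running = total
    return "".join(plain)


if __name__ == "__main__":
    for crypt in ("EN9O", "EO9P>A", "GC;H@KEO"):  # test vectors from the post
        print(crypt, "->", decode(crypt))
```

An auditor can use `decode` to confirm whether a stored value is in this reversible format; a value that raises `ValueError` does not fit the scheme as modelled here.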
