lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTimVgJaqxzPdF8HmaDJNit-YppxKAQdwE410PSPG@mail.gmail.com>
Date: Mon, 31 May 2010 15:50:35 +0000
From: Richard Miles <richard.k.miles@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Decrypt info in referenced file @ web.config

Hello

I'm doing a test and I obtained a copy of the web.config file, the
interesting is that there is a line like that "<add key="PasswordFile"
value="C:\Inetpub\site\Users.acl" />"  this called my attention to be
on the inetpub folder and I was able to download it.

It's with base64, when decoding it is messed up, so I believe it's encrypted.

I found something on the web.config that is related with encryption
and hashing, but I'm unsure if it's used to encrypt this file.

<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate"
validation="SHA1" />
<add key="CryptoEngine" value="False" />
<add key="CryptoHashKey" value="SpartanLosHeros" />

SHA1 is a hash function, and based on the name of the file I believe
the contents contain usernames, so I don't believe they are using a
hash function.

The CryptoHashKey may be the key used to encrypt. But this
CryptoEngine configured to false sounds strange.

I find no reference to crypt algorithms on this file. Based on your
experience do you believe this CryptoHashKey is the key used to
encrypt this file? What algorithm? There is a default one used by
.NET?

I have no experience with .NET, someone with experience can point me
what it can be, or where discover the key and algorithm used?

Maybe a application that I enter the supposed key and the encrypted
data and it show me all the possibilities available with .NET?

Thank you

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ