How the password could be recover using FTP Explorer's registry!

From: Nelson (stderrat_private)
Date: Thu Feb 24 2000 - 16:18:52 PST

Next message: Andrew Daviel: "Zonealarm exports sensitive data"

Previous message: Curtis Anderson, CNE, MCSE: "Re: Wordpad vulnerability, exploitable also in IE for Win9x"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The scene:
user -> nelson
pass -> ABC

ON Connect Window, typed login == nelson and pass == ***(ABC), made a
connection in my own ftp server. After this, I found this KEY in Windows
REGISTRY:
HKEY_CURRENT_USER -> Software -> FTP Explorer -> Profiles -> MY_OWN_SERVER

and I found two values:
Login = nelson
Type  = 4A4E52

Hmmm... looks like a encrypted password  to me...

Ok, the crypt function in FTP Explorer works like that:
get the ascii hexa value and increment 9, if the position in password was
changed, increment 3 per position.

IN order words, a progression arithmetical.

I made a code to proof this, look the result:
unreal:~/temp$ ./ftpe-crypt -t 3 -i 9 -r 3 -s teste
Criptografia do FTP Explorer v0.6b - por Nelson Brito
unreal:~/temp$ more teste
[...]
A = 4A = 4D = 50
    `-> correct
B = 4B = 4E = 51
         `-> correct
C = 4C = 4F = 52
              `-> correct
[...]

Well, the password is 'ABC'... Is it a big security hole? I think so...

PS: The credits to begin this thread in BOS-Br<bosat_private> goes to
Hever<Heverat_private>.

PPS: Sorry about my poor ENGLISH. If don't understand, don't read. =)

My proof...

-------begin
/*
 ** Este  codigo  demostra  como  funciona  a "criptografia" do software FTP
 ** Explorer,  levando-se  em  consideracao  as informacoes  passadas para a
 ** BOS-Br por Hever<Heverat_private>.
 **
 ** author:  Nelson Brito
 ** e-mails: nelsonat_private & nelsonat_private
 ** program: ftpe-crypt.c
 **
 ** ChangeLog:
 ** v 0.6b - arquivo de destino incluido(output file)
 **        - apartir desta versao sera' necessario a utilizacao de todos os
 **          argumentos na linha de comando
 ** v 0.5b - incluido opcoes longas na linha de comando
 **        - problemas da opcao '-h' corrigidos gracas a fpm :*( ) )
 ** v 0.4  - opcoes  de  linha  de comando  acrescentadas,  permitindo que o
 **          usuario "set" suas preferencias [a.k.a. getopt(3)]
 ** v 0.3  - adicionado argumentos passados para a funcao r2()
 **        - contador a ser usado em r2() como argumento
 ** v 0.2  - desenvolvimento das funcao r2() e inclusao de u_abort()) e
 **          logo()
 **        - o length do password foi aumentado
 ** v 0.1  - desenvolvimento inicial do esqueleto do programa, incluindo:
 **          > retirada dos caracteres especiais, ie, so' [a-z][A-Z][0-9]
 **          > uma simples PA, sem utilizacao de formula ou funcao
 **
 ** Agradecimentos a drk, Morauder e fpm pela forca com o getopt(3). =)
 **
 ** Como compilar(How to compile):
 ** lameness:~# gcc -Wall -O3 -g ftpe-crypt.c -o ftpe-crypt
 */

#include <stdio.h>
#include <signal.h>
#include <stdlib.h>
#include <getopt.h>
#include <unistd.h>
#define  VERSION   "0.6b"

int r2(int n, int p, int i, int b, FILE *fp){
      n=((n+b)+(i*p));
      fprintf(fp, "= %X ", n);
      return(n);
}

char usage(char *p){
      fprintf(stderr, "use:     %s -l <length> -i <increment> -r <ratio> -o <output-file>\n", p);
      fprintf(stderr, "example: %s -l 15 -i 9 -r 3 -o outlist\n", p);
      fprintf(stderr, "options:\n\t -l, --length     password's length\n");
      fprintf(stderr, "\t -i, --increment  ASCII Table's increment\n");
      fprintf(stderr, "\t -r, --ratio      PA's ratio\n");
      fprintf(stderr, "\t -o, --output     output file\n");
      fprintf(stderr, "\nfor ftpe's criptography use r=3, i=9\n");
      exit(0);
}

int main(int ac, char **av){
   FILE *outlist = NULL;

   register int a = 48;
   int r = 0, inc = 0, ct = 0, op;

   printf("FTP Explorer's Criptography v%s - by Nelson Brito\n", VERSION);

   if(ac != 9) usage(av[0]);

   while(1){
        static struct option long_options[] = {
           {"length",        1, 0, 'l'},
           {"ratio",         1, 0, 'r'},
           {"increment",     1, 0, 'i'},
           {"output",        1, 0, 'o'},
           {0,               0, 0, 0}
        };

        int option_index = 0;
        op = getopt_long(ac, av, "l:r:i:o:", long_options, &option_index);

        if (op == -1) break;

        switch(op){
              case 'l':
                    ct = atoi(optarg);
                    break;
              case 'r':
                    r = atoi(optarg);
                    break;
              case 'i':
                    inc = atoi(optarg);
                    break;
             case 'o':
                    if(!(outlist=fopen(optarg, "w"))){
                       printf("unable to open %s\n", optarg);
                       exit(0);
                    }
                    break;
              default:
                    usage(av[0]);
                    break;
        }
   }

   while(a < 123){

        if((a >= 58) && (a <= 64)){
             printf("%c", (char)0);
             a++;
        }

        else if((a >= 91) && (a <= 96)){
             printf("%c", (char)0);
             a++;
        }

        else{
              register int c;

              fprintf(outlist, "%c ", (char)a);
              for(c = 0 ; c < ct ; c++) r2(a, c, r, inc, outlist);
              fprintf(outlist, "\n");
              a++;
        }

   }

   fclose(outlist);

   return(1);
}
-------end

Sem mais,
--
Nelson - nb

Next message: Andrew Daviel: "Zonealarm exports sensitive data"
Previous message: Curtis Anderson, CNE, MCSE: "Re: Wordpad vulnerability, exploitable also in IE for Win9x"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:20 PDT