Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

From: Tyler Walden (twaldenat_private)
Date: Fri Jun 08 2001 - 16:27:36 PDT

  • Next message: Greg A. Woods: "RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival" 

    For those interested here is perl program to generate Crypt-PW's with a
propper salt.

#!/usr/bin/perl

$salt=salt();
print "password encryptee, [CTRL]-D quits.\n";
while (<STDIN>) {
chop;
$text=crypt($_,$salt);
print $text."\n";
}

sub salt {
  local($salt);
  local($i, $rand);
  local(@itoa64) = ( 0 .. 9, a .. z, A .. Z ); # 0 .. 63   # to64
  for ($i = 0; $i < 8; $i++) {
    srand(time + $rand + $$);
    $rand  = rand(25*29*17 + $rand);
    $salt .= $itoa64[$rand & $#itoa64];
  }
  return $salt;
}

Tyler Walden - twaldenat_private
Alternate Access http://www.aa.net
Network Operations - nocat_private

On Fri, 8 Jun 2001 aleph1at_private wrote:

> This is a very old problem. See
> http://www.securityfocus.com/archive/1/5494  (1996)
> http://www.securityfocus.com/archive/1/34191 (1999)
> 
> NSI obviously does not care much about the security. I haven't been
> able to get PGP authentication working in months.
> -- 
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
> Si vis pacem, para bellum
>

    This archive was generated by hypermail 2b30 : Sun Jun 10 2001 - 16:38:35 PDT