Re: Insecure Password Authentication in Yahoo! Messenger

From: Emre Yildirim (emreat_private)
Date: Fri Nov 23 2001 - 12:15:22 PST

    > GOBBLES then run tcpdump and using YMSG structure above as reference he find
    > first packet with service type constant 0x01. This LOGIN packet. GOBBLES
    > notice it use MCF/MD5 encryption of user password with crypt(3) salt like
    > $1$_2S43d5f$. Encrypted password is sent over the wire in LOGIN packet. User
    > is immediately authenticated. 
    
    
    Try this: log in to Yahoo and type this into your URL bar:
    
    javascript:document.cookie
    
    This will reveal your Yahoo cookie.  Now, take a look at the Y= part:
    
    Y=v=1&n=9pmgnpttq7fsr&l=6e11b4i1k6jh0g/o&p=m2g298l2020002&r=8p&lg=us
    
    v= is probably the version, n= is most likely the hashed password, like you 
    already pointed out, probably an MD5 hash. Now, l= is more interesting. 
    This is obviously "login".  My friend (jabanksat_private) figured out 
    that this is simply some sort of ROT13-type encryption:
    
    6 = g, e = o, 1 = b, b = l, 4 = e, i = s and so on... It's a matter of 
    replacing letters and rotating the alphabet around.
    
    So 6e11b4i1k6jh0g = gobblesbugtraq.  The /o never changes in the cookies 
    for some reason.  I have no idea what p= is, but after several tests 
    (changing passwords) it is not the password, regardless of "p".  It 
    doesn't even seem to matter when someone logs in. I also don't know what 
    r= is, but I'm sure it has something to do with n=, the password.  lg= 
    is the language.
    
    So in conclusion, if you could figure out n= you could also login to 
    someone's account using a cookie.  Just my $0.02
    
    
    > GREETS
    > ******
    
    [snip]
    
    > nietzsche, radiohead,
    
    Good philosophy...good music :)
    
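Worked example, added to this archive page and not part of the original post or of any Yahoo code: it takes the one cookie/login pair quoted above, recovers the rotation from it, and checks that every position agrees with a single shift. The symbol order (digits 0-9 followed by a-z) is an assumption; under it the pair quoted in the post comes out as a shift of 10, which is what makes the l= field obfuscation rather than encryption.

```python
# Added example: the l= cookie field as a fixed rotation over a base-36 alphabet.
# Assumption: the symbol order is digits first, then lowercase letters.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def infer_shift(ciphertext: str, plaintext: str) -> int:
    """Recover the rotation from one known ciphertext/plaintext pair.

    Raises ValueError if the pair is not explained by a single shift, i.e. if
    the encoding were anything more than a rotation of the alphabet.
    """
    if len(ciphertext) != len(plaintext):
        raise ValueError("ciphertext and plaintext lengths differ")
    n = len(ALPHABET)
    shifts = {
        (ALPHABET.index(p) - ALPHABET.index(c)) % n
        for c, p in zip(ciphertext, plaintext)
    }
    if len(shifts) != 1:
        raise ValueError(f"not a single rotation, shifts seen: {sorted(shifts)}")
    return shifts.pop()


def rotate(text: str, shift: int) -> str:
    """Rotate each symbol of text by shift positions (negative undoes it)."""
    n = len(ALPHABET)
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % n] for ch in text)


def decode_login(cookie: str, shift: int) -> str:
    """Pull the l= field out of a Y= cookie value and undo the rotation.

    The '/o' suffix is dropped before decoding; the post notes it never changes.
    """
    if cookie.startswith("Y="):
        cookie = cookie[2:]
    fields = dict(part.split("=", 1) for part in cookie.split("&"))
    encoded = fields["l"].split("/", 1)[0]
    return rotate(encoded, shift)


# Known pair quoted in the post: cookie field -> login name.
SHIFT = infer_shift("6e11b4i1k6jh0g", "gobblesbugtraq")  # 10 under ALPHABET above
COOKIE = "Y=v=1&n=9pmgnpttq7fsr&l=6e11b4i1k6jh0g/o&p=m2g298l2020002&r=8p&lg=us"

if __name__ == "__main__":
    print("shift:", SHIFT)
    print("login:", decode_login(COOKIE, SHIFT))
```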



    This archive was generated by hypermail 2b30 : Fri Nov 23 2001 - 18:12:38 PST