Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Password problem in Trumpet Winsock.
From: jes () GROVE UFL EDU (John Sheehy)
Date: Mon, 7 Apr 1997 02:50:03 -0400


On Sun, 6 Apr 1997, null wrote:

| I've known of this bug for over a year and a half now, and am tired of
| waiting to see if Trumpet will ever fix it.
|
| It is possible to open trumpwsk.ini, take the encrypted string for the
| $password= variable, and place it in the ppp-username= variable. This,
| allows one to start up tcpman.exe,g oto File > PPP Options and get the
| user's password.
[...]

I use this script in TWSK 2.0b to recover passwords:

# little script

load $password
output \13
display "password: "
display '$password'
output \13\13

#end

Doesn't take much, does it?

I think it's generally a bad idea to store your password in any kind of
dialer program.

Passwords authenticate people, not machines. Your machine shouldn't "know"
your password. Machine-to-machine authentication should be performed in a
protocol that doesn't use a password as the shared secret.


-John Sheehy



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]