Tfn2k Password Recovery
From: thegnome () NMRC ORG (Simple Nomad)
Date: Thu, 24 Feb 2000 10:08:28 -0600


Tfn2k asks for a password during the build, which is used to prevent
someone from recovering the password from the td or tfn binaries. I
wrote a program that will recover the password. It will compile and run
on Solaris and Intel-based free Unix systems (didn't test it elsewhere).
It can extract the password from a Sol, Intel-based Linux, or
Intel-based FreeBSD binary td or tfn (also probably others but just tested
these). In other words, you can extract passwords from a Linux td binary
on your Sol 2.7 box.

Uses for this include:

Scenario #1 -

 You are a hot cybersleuth, extracting the password as a part of a
 forensics effort. If the password matches some other forensic stuff
 (like the password of a suspected script kid, or the DES key that
 unlocks a cache of hacker tools in a tar file), you might catch that
 elusive cyberterrorist.

Scenario #2 -

 You have discovered a cache of tfn2k binaries on your large network.
 By recovering the password, you can compile your own tfn and send
 a command to be rexec'd to each suspected system, such as:

   echo "0wned!! Clean me!!" | mail yourname () youraddress com

 Optionally if you discover you are flooding someone, you could
 send the command to stop the flood from your new tfn binary.

Scenario #3 -

 You are under attack and Zombie Zapper didn't help (ZZ only works
 against tfn, trinoo, and stacheldraht). Send the sites attacking
 you this software and ask them to send you the password. Once you
 have it, compile your own tfn and start telling those zombies to
 leave you alone! Okay, this last one is a little far-fetched and
 won't work if the attack lasts just a couple of hours and if the
 addresses are forged, but it is better than nothing.

Have fun and play nice, everyone!

-         Simple Nomad          -  No rest for the Wicca'd  -
-      thegnome () nmrc org        -        www.nmrc.org       -
-  thegnome () razor bindview com  -     razor.bindview.com    -

/*
 * tfn2kpass - tfn2k Password Recovery. Extract password for tfn2k from a
 * td or tfn binary.
 *
 * Written by Simple Nomad [thegnome () razor bindview com] 21Feb2000
 *
 * More fun stuff at http://razor.bindview.com/, licensing at end
 * of file.
 *
 * Should compile and run fine on any Intel/Sun-based system:
 *    gcc -o tfn2kpass tfn2kpass.c
 *
 * Example usage:
 *    ./tfn2kpass tfn-binary-file
 *
 * Tested against binaries compiled on Intel Linux, Intel FreeBSD, and
 * Solaris. Thanks for the help, Jordan <jritter () razor bindview com>
 * and Paul <pashton () razor bindview com> from the RAZOR team.
 *
 */

/* includes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>  /* strncmp */
#include <ctype.h>   /* isprint */

/*
 * Main program....
 */
int main(int argc, char *argv[])
{
  FILE *ftd;
  int i, search = 0, search2, found = 0, rew = 32;
  unsigned char recover[32];
  unsigned char password[32];
  unsigned char offset;
  char close[]="@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@";
  char check[sizeof(close)];

  /* Say hello... */
  printf("tfn2kpass - Recover the password from tfn2k's 'td' or 'tfn'\n");
  printf("Comments/bugs: Simple Nomad <thegnome () razor bindview com>\n");
  printf("http://razor.bindview.com/\n\n");

  if (argc!=2)
  {
    fprintf(stderr,"USAGE: tfn2kpass <td_filename>\n\n");
    fprintf(stderr,"EXAMPLES:\n");
    fprintf(stderr,"  tfn2kpass renamed_td\n");
    exit(-1);
  }

  ftd=fopen(argv[1],"rb");
  if (ftd == NULL)
  {
    fprintf(stderr,"Unable to open file %s.\n",argv[1]);
    exit(-1);
  }

  /* first we search the file for the first marker that we
     are close to the password -- the 40 @'s should be right
     after the password */
  while(!feof(ftd))
  {
    fseek(ftd,search,SEEK_SET);
    fread(check,40,1,ftd);
    if (!strncmp(check,close,40))
    {
      found = 1;
      break;
    }
    search++;
  }

  if (found)
  {
    found = 0; /* reset our flag for next 'find' */
    search--;
    search2 = search;
    /* Now we'll search backward looking for the first non-zero
       value, which is the offset used to mask the password.
       The amount of zeroes depends upon platform as well as the
       daemon type (td or tfn), so we move back one at a time.
       Also it allows us to examine daemons compiled on a freebsd
       box from our linux box, for example. */
    while(search2!=0)
    {
      fseek(ftd,search2,SEEK_SET);
      fread(&offset,1,1,ftd);
      /* Sol bins have the needed "offset" right before the string
         of @'s as well as at the end of the password field, so we
         need to skip that byte. Also, if we do not shorten the
         amount of bytes for a Sol bin by one, we end up with one
         extra char at the beginning of the password. Go figure. */
      if((offset) && (search2 == search))
      {
        rew--;
      }
      else if(offset)
      {
        found = 1;
        break;
      }
      search2--;
    }
    if (found) /* if we found the offset, grab and print the password */
    {
      fseek(ftd,search2-rew,SEEK_SET);
      fread(recover,32,1,ftd);
      fclose(ftd);

      for (i=0;i<32;i++) password[i]=recover[i] - offset;
      printf("The password is - ");
      for (i=0;i<32;i++)
      {
        if (isprint(password[i]))
          printf("%c",password[i]);
      }
      printf("\n\n");
    }
  }
  if(!found) printf("The password was not found\n\n");
  exit(0);
}

/*
 * BindView License -

Copyright (c) 2000 BindView Corporation.  All rights reserved.

By using this software, YOU AGREE to the following license terms.  IF YOU
DO NOT AGREE, YOU MAY NOT USE THE SOFTWARE.

1.  BindView believes that this software is safe for use in normal
circumstances, and has performed what it believes to be reasonable but
non-exhaustive testing to verify this.  The software is intended for use
only by experienced and knowledgeable computer professionals; IT IS
PROVIDED "AS IS, WITH ALL FAULTS," including source code so that the user
can study the source code and independently determine the software's
suitability.  BindView makes no warranty of any kind, express or implied,
and DISCLAIMS ANY AND ALL WARRANTIES, CONDITIONS, OR IMPLIED TERM OF
QUALITY, INCLUDING THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT,
MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE.  All use of the
software is entirely at the user's own risk.

2.  IN NO EVENT WILL BINDVIEW BE LIABLE FOR DAMAGES OF ANY KIND arising
from or relating to use of the software, whether such damages are direct,
indirect, incidental, consequential, exemplary, or any other kind, and
whether arising under contract, tort (including negligence), strict
liability, or otherwise.

3.  BindView will not object to your distribution of complete, unmodified
copies of the distribution package of the software as provided by
BindView, PROVIDED that you do not charge a fee other than a reasonable
fee for distribution services.  You may charge a fee for any warranty or
support services that you offer to purchasers of copies of the software.

4.  You may modify the software and distribute copies of the modified
software, PROVIDED:

        (a) that you distribute, together with the executable code of the
            modified software:
        
                 (1) the source code of the modified software, which must
                 contain the BindView copyright notice set forth above (in
                 addition to your own copyright notice if any); and

                 (2) a copy of the complete, unmodified distribution
                package of the software as provided by BindView; and

         (b) that you clearly indicate in the source code and in an
             accompanying documentation file that the software is based on
            BindView's software and was modified by you; and

         (c) that you grant users of the modified software the same rights
            as are granted to you by this license.

 *
 */
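Added example, not part of Simple Nomad's post or of the tfn2kpass tool: a chunked scanner in C for the 40-'@' landmark that tfn2kpass searches for, the kind of check one would run over a suspected binary cache (Scenario #2) to triage which files are tfn2k daemons without seeking and reading one byte at a time as the tool above does. It assumes only the marker described in the tool's comments; the 4096-byte chunk size, the function names and the sample inputs are constructed for illustration and are not taken from the tfn2k sources.

```c
/* tfn2k_marker_scan.c - added triage example (not from Simple Nomad's post):
 * locate the 40-'@' marker that tfn2kpass uses as its landmark, reading the
 * file in chunks and handling a marker that straddles a chunk boundary.
 * Build: gcc -Wall -o tfn2k_marker_scan tfn2k_marker_scan.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MARKER_LEN 40
/* Four groups of ten so the count is easy to verify by eye. */
static const char MARKER[MARKER_LEN + 1] =
    "@@@@@@@@@@" "@@@@@@@@@@" "@@@@@@@@@@" "@@@@@@@@@@";

/* Offset of the first marker in an in-memory buffer, or -1 if absent. */
long find_marker_in_buffer(const unsigned char *buf, size_t len)
{
    size_t i;
    if (len < MARKER_LEN)
        return -1;
    for (i = 0; i + MARKER_LEN <= len; i++)
        if (memcmp(buf + i, MARKER, MARKER_LEN) == 0)
            return (long)i;
    return -1;
}

/* Same search over an open stream, CHUNK bytes at a time. The last
 * MARKER_LEN-1 bytes of each chunk are carried into the next one so a
 * marker split across two reads is still found. Returns the file offset
 * of the marker, or -1 if the stream holds none. */
long find_marker_in_stream(FILE *fp)
{
    enum { CHUNK = 4096, OVERLAP = MARKER_LEN - 1 };
    unsigned char buf[OVERLAP + CHUNK];
    size_t carried = 0;       /* bytes kept from the previous chunk */
    long base = 0;            /* file offset corresponding to buf[0] */

    for (;;) {
        size_t n = fread(buf + carried, 1, CHUNK, fp);
        size_t have = carried + n;
        long hit;
        size_t keep;

        if (n == 0)
            return -1;        /* EOF or error; carried bytes were already scanned */
        hit = find_marker_in_buffer(buf, have);
        if (hit >= 0)
            return base + hit;
        /* Keep the tail so a marker starting in it can complete next round. */
        keep = have < OVERLAP ? have : OVERLAP;
        memmove(buf, buf + have - keep, keep);
        base += (long)(have - keep);
        carried = keep;
    }
}

/* Constructed sample: 4076 filler bytes, the marker, 100 trailing bytes,
 * written to a temporary file so the marker straddles the first 4096-byte
 * chunk. Returns the offset the stream scanner reports (4076), or -2 if
 * no temporary file could be created. */
long demo_straddling_marker(void)
{
    unsigned char filler[4076], tail[100];
    FILE *fp = tmpfile();
    long hit;
    if (fp == NULL)
        return -2;
    memset(filler, 'A', sizeof filler);
    memset(tail, 'B', sizeof tail);
    fwrite(filler, 1, sizeof filler, fp);
    fwrite(MARKER, 1, MARKER_LEN, fp);
    fwrite(tail, 1, sizeof tail, fp);
    rewind(fp);
    hit = find_marker_in_stream(fp);
    fclose(fp);
    return hit;
}

/* Constructed sample with only 39 '@' in a row: not a marker, so -1. */
long demo_no_marker(void)
{
    unsigned char buf[64];
    memset(buf, 'A', sizeof buf);
    memset(buf + 10, '@', MARKER_LEN - 1);
    return find_marker_in_buffer(buf, sizeof buf);
}

int main(int argc, char *argv[])
{
    FILE *fp;
    long hit;
    if (argc != 2) {
        fprintf(stderr, "usage: %s <suspect-binary>\n", argv[0]);
        return 1;
    }
    fp = fopen(argv[1], "rb");
    if (fp == NULL) {
        perror(argv[1]);
        return 1;
    }
    hit = find_marker_in_stream(fp);
    fclose(fp);
    if (hit < 0) {
        printf("%s: tfn2k marker not found\n", argv[1]);
        return 2;
    }
    printf("%s: tfn2k marker at offset %ld\n", argv[1], hit);
    return 0;
}
```

The overlap of MARKER_LEN-1 bytes is the part worth noting: a chunked scanner that simply resets between reads will miss a marker whose first bytes fall at the end of one read and whose remainder begins the next, and a run of '@' shorter than 40 must not count as a hit, which the second sample checks.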

