mailing list archives
[[ TH 026 Inc. ]] SA #4 - Blackmoon FTP Server cleartext passwords and User enumeration
From: Daniel Nyström <exce () netwinder nu>
Date: Wed, 21 May 2003 01:30:07 +0200
Telhack 026 Inc. Security Advisory - #4
Name: Blackmoon FTP Server 2.6 Free Edition
Date: May 21 / 2003
Daniel Nyström a.k.a. excE <exce () netwinder nu>
_I N F O_
BlackMoon FTP Server is an FTP daemon written specifically for Windows 2000/XP and above. It takes advantage of all the
new features in the mentioned oses like io completion ports, thread pooling, running as a system services, using
built-in SSL certificate stores, authenticating against an Active Directory or remote NTLM, accessing network shares,
impersonating an NT user and more. More at: www.blackmoonftpserver.com
The Non-free editions has not been tested.
_P R O B L E M_
There are two problems with this software.
* User/Password data is stored in plaintext
* Easy to enumerate usernames.
_I M P A C T_
Users with physicall access can steal the database and extract user/pass pairs from it.
Malicious remote users can detect valid usernames on the FTP server.
_E X P L O I T I N G_
The plaintext Usernames/Passwords are stored in the file blackmoon.mdb in the
Blackmoon FTP directory. To extract them use standard Windows software such
as MS Access or MS Excel.
To find out valid usernames/passwords you just look at the server responses.
Valid username with invalid password:
530-Login incorrect. Name[ValidUser] Pass[NotValidPass]
Invalid username with invalid password:
530-Account does not exist. Name[NotValidUser]
A tool for enumerating users in a bruteforce manner will be available on www.telhack.tk next week.
Daniel Nyström, excE
exce () netwinder nu
- [[ TH 026 Inc. ]] SA #4 - Blackmoon FTP Server cleartext passwords and User enumeration Daniel Nyström (May 21)