Am I being Trapped. Encrypted Hash


Guest
Posted on 28-05-11 08:17
Okay, I have this Hash.

aepTOqxOi4i8U

However, it was EXTREMELY easy to get, the website is very prestigious, and I find it very hard to believe they just have their username and hash of the admin sitting in a passwd.txt file with no security on it, and on top of that, it is that "WebAdmin"'s. I feel like I am being trapped here, how plausible is this?

Also, I am not experienced with command line programs, so it would be helpful if someone knew of a GUI decryption program (or a very simple command line one), one that hopefully uses rainbow tables. I use Ubuntu 11.04.




Edited by rex_mundi on 17-07-13 02:45

RE: Am I being Trapped? Encrypted Hash

j4m32
Posted on 28-05-11 13:11
Better open the Terminal and learn to use it.

Sounds like a typical WWWBoard Perlscript package, if you had even bothered to research the package you'd have already found the default password.

Don't take this the wrong way but simply looking at a few things probably would have become evident to you anyway.

In the "wwwadmin.pl" script you'll find that the 'encryption' method used is simply the Perl crypt(string, salt); function

Code

sub check_passwd {
   open(PASSWD,"$basedir/$passwd_file") || &error(passwd_file);
   $passwd_line = <PASSWD>;
   chop($passwd_line) if $passwd_line =~ /\n$/;
   close(PASSWD);

   ($username,$passwd) = split(/:/,$passwd_line);

   $test_passwd = crypt($FORM{'password'}, substr($passwd, 0, 2));
   if (!($test_passwd eq $passwd && $FORM{'username'} eq $username)) {
      &error(bad_combo);
   }
}





Loads the file, splits the string, checks whether the username and the crypt of the input password match the stored hash.

So in answer to your question: Whatever Perl uses for crypt, you would have needed to reverse or bruteforce it if it had not been the default password.

Notice also, that the second param of crypt is the 'salt' which is the first two/three characters of the password string (I am not familiar with Perl substring, I would guess three characters).

Jim,

RE: Am I being Trapped? Encrypted Hash


Guest
Posted on 28-05-11 17:39
Wow, okay, thank you, I hadn't realized how simple this was. I am 110% sure it is not the default password though. And if it was, that would lead me even more to the idea that actually logging into this account would be a trap.

I do use the terminal every once in a while, just never bother to use programs on it, just simply because there has always been a GUI version of the program. Guess now is a good time to start.

I know how they compare the stored hashes, but wouldn't they have at least a little protection on the password file?

Honestly I was just screwing around looking for something to do when this came up. And I looked around a little bit more, to find nothing (after you said something about the wwwadmin.pl I looked at it, just to see what it said), most likely because I know nothing about any language.



RE: Am I being Trapped? Encrypted Hash

stealth-
Posted on 28-05-11 20:46
otomotos wrote:
Wow, okay, thank you, I hadn't realized how simple this was. I am 110% sure it is not the default password though. And if it was, that would lead me even more to the idea that actually logging into this account would be a trap.

....

I know how they compare the stored hashes, but wouldn't they have at least a little protection on the password file?


Every time someone thinks "There is no way someone is this stupid", there is always someone who is ten times worse.
And besides, what's the worst thing that could happen if it is a honeypot?

I do use the terminal every once in a while, just never bother to use programs on it, just simply because there has always been a GUI version of the program. Guess now is a good time to start.


Once you get the hang of it, the terminal has much more flexibility and is way more useful than a series of GUI apps. At least under Linux.

most likely because I know nothing about any language.


You should fix that. Pfft


The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealth-x.com

RE: Am I being Trapped? Encrypted Hash

j4m32
Posted on 28-05-11 20:52
Alright, you're 110% sure, you can't possibly be wrong, that whole 10% makes so much difference...

I'll still refer you to this:

http://www.scriptarchive.com/download.cgi?s=wwwboard&c=zip

Look in the ZIP at the following files:

passwd.txt, it's the only entry, I think you might be surprised:

Code

WebAdmin:aepTOqxOi4i8U





After all, documentation included in the ZIP in the ADMIN_README file:

Written by the developer, must be totally wrong too, I mean, honestly line 62, so full of shit isn't it? Oh wait there is the password in plaintext.

Well, looks like I am universally incorrect, it seems! Aha. Brilliant.
*The above is all meant in kind jest :)*

In response to your next question:

They often make no attempt to protect the file from remote users viewing it because the kinds of people who set this, to use the appropriate technical term, "crap", up follow the guide which doesn't really think about security implications of using a generic opensource package without taking a few counter measures.

That largely depends on the features of the webserver and whether the administrator can place files outside of the document root away from public eyes or indeed control the permissions sufficiently if it is stored within the document root.

The design of it "attempts" to be such that, although the attacker will have the username, it's difficult, from an initial arbitrary point of view just looking at the file with the username and hash, to reverse or crack the hash. Since one can easily find out that it is also salted with the first N characters it's actually no more difficult to crack if you have a good table or bruteforcer because the hash function isn't particularly complex.

The "average joe" often doesn't know about best security practices, they follow a "neat simple" tutorial they find from the first link on Google, and then wonder either: Why their non Perl enabled webspace doesn't appear to "work" or can't open a text editor and modify a few bits of code to keep the passwd.txt file from either being indexed or being accessed (say with a .htaccess file to deny access to that file or a new subdirectory with reduced privileges).

Just so you know, the development of it seemed to have stopped dead about 16 years ago :)

Hope that has helped!

Jim,
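
An audit check for the two problems described in the post above, the shipped default entry and a passwd.txt reachable from the web (an added example, not code from WWWBoard or from anyone in this thread). The function names, finding labels and temp-directory layout are assumptions; the default entry and the two-character salt taken by `substr($passwd, 0, 2)` come from the code quoted earlier in the thread.

```python
import os
import stat
import tempfile

# The single entry shipped in the WWWBoard ZIP's passwd.txt, as quoted in the thread.
SHIPPED_ENTRY = "WebAdmin:aepTOqxOi4i8U"
CRYPT_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def parse_entry(line):
    """Split 'user:hash' much as check_passwd does and describe the hash."""
    username, _, pw_hash = line.strip().partition(":")
    # Traditional DES crypt(3) output: 13 characters from [./0-9A-Za-z]. The first
    # two are the salt, which is what substr($passwd, 0, 2) passes back to crypt().
    is_des = len(pw_hash) == 13 and set(pw_hash) <= CRYPT_CHARS
    return {"username": username, "hash": pw_hash,
            "salt": pw_hash[:2] if is_des else None, "des_crypt": is_des}


def audit_passwd_file(path, document_root):
    """Return findings for one WWWBoard password file (hypothetical helper)."""
    findings = []
    with open(path, encoding="ascii", errors="replace") as fh:
        line = fh.readline()  # wwwadmin.pl reads only the first line
    if line.strip() == SHIPPED_ENTRY:
        findings.append("default-credentials")
    if parse_entry(line)["des_crypt"]:
        findings.append("weak-hash-des-crypt")
    real, root = os.path.realpath(path), os.path.realpath(document_root)
    if os.path.commonpath([real, root]) == root:
        findings.append("inside-document-root")  # reachable by URL unless denied
    if os.stat(real).st_mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def demo():
    """Audit a constructed install: shipped passwd.txt inside a temp docroot."""
    with tempfile.TemporaryDirectory() as docroot:
        board = os.path.join(docroot, "wwwboard")
        os.mkdir(board)
        path = os.path.join(board, "passwd.txt")
        with open(path, "w") as fh:
            fh.write(SHIPPED_ENTRY + "\n")
        os.chmod(path, 0o644)
        return audit_passwd_file(path, docroot)


if __name__ == "__main__":
    print(demo())
```

An empty result only means none of these four checks fired; a file kept inside the document root still needs a server-side deny rule, which this check does not inspect.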

RE: Am I being Trapped? Encrypted Hash


Guest
Posted on 29-05-11 02:18
Alright, well, that definitely proves me very wrong haha, oh well, this shit takes some experience before you stop making simple mistakes haha

Thank you both, gives me some stuff to look at and read up some.