
Encrypted Password script - easy to defeat

From: Ian Lyte <ianlyte(at)hotmail.com>
Date: Fri Jun 27 2003 - 04:41:51 EDT

List,

    I've come across a site protected by the following script:

function submitentry(){

// Lower-case both fields, then multiply the char codes of each together
password = document.password1.password2.value.toLowerCase()
username = document.password1.username2.value.toLowerCase()
passcode = 1
usercode = 1

for(i = 0; i < password.length; i++) {
passcode *= password.charCodeAt(i);
}
for(x = 0; x < username.length; x++) {
usercode *= username.charCodeAt(x);
}
// (the remainder of the script, which compares the two products, is not quoted in the post)
}

 Essentially it takes each charCode and multiplies it by the next to give a unique-ish (since letter order makes no odds) code for both user and password, i.e. 12955552800 for example. This sum is then used later on in further checks. Further research indicates it's the script from http://www.dynamicdrive.com/dynamicindex9/password.htm and should the password and username match the hashes the user is redirected to password.htm or password.html (easily seen in the source of the page - look for {window.location=password+".htm"} or {window.location=password+".html"}).

    Since this is apparently a fairly common script for those people trying to protect pages without access to CGI I thought I would post here so people are aware it only offers minimal protection - if it can be called protection at all.

    In the example above you can do it by hand. 12955552800 divides without remainder by 100, 97, 101, 114, 116. These are the codes for 'daert'. It's obvious looking at it that it should be 'trade'. Therefore we can just type http://victim.com/pricing/trade.htm and 2 minutes later you have access to the 'protected page'.

    Not all combinations are that simple as people don't always use words like that for their protected pages. In this case the easy thing to do then is feed the letters you get into Gammadyne's Random Word Generator (the eval version does this just fine) and it will generate every possible combination of the letters. A little bit of formatting to the output and you can stick those combinations into a document full of http://victim.com/pricing/xxxxx.htm where xxxxx represents your letters. A quick run through with a link verifier will highlight the page that exists, which is the protected one.


  Can anyone on the list code a quick and dirty reverser and send it to me or the list? I realise that doing it by hand is a) slow and b) prone to errors. An automated reverser would make the letter generation bit a lot easier.

   Thanks in advance

Ian
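Added example (not part of the original post or of the Dynamic Drive script): a stand-alone reimplementation of the product-of-char-codes "encoding" described above, so the weakness can be checked offline in Node. The function and variable names and the sample word list are my own; the 12955552800 value for 'trade' and the factor list 100, 97, 101, 114, 116 come from the post.

```javascript
// Re-implements the "encoding" used by the password script: lower-case the
// input, then multiply the char codes of every character together.
// Multiplication is commutative, so every anagram of a password yields the
// same code, and the code is nothing more than a product of small known
// factors (the printable ASCII codes) that can be checked by division.
function dynamicDriveCode(str) {
  var code = 1;
  var s = str.toLowerCase(); // the original script lower-cases input first
  for (var i = 0; i < s.length; i++) {
    code *= s.charCodeAt(i);
  }
  return code;
}

// Returns true if multiplying the given char codes reproduces `code`.
// This is the check the post does by hand for 100, 97, 101, 114, 116.
function codesReproduce(code, charCodes) {
  return charCodes.reduce(function (p, c) { return p * c; }, 1) === code;
}

// Returns every string in `candidates` that is a different word from
// `target` but produces exactly the same code, i.e. a collision.
function collisions(target, candidates) {
  var t = dynamicDriveCode(target);
  return candidates.filter(function (w) {
    return w.toLowerCase() !== target.toLowerCase() &&
      dynamicDriveCode(w) === t;
  });
}

// Constructed sample list: the post's example, some anagrams, an unrelated word.
var sample = ["trade", "tread", "daert", "TRADE", "rated", "prices"];

console.log(dynamicDriveCode("trade"));                      // 12955552800
console.log(codesReproduce(12955552800, [100, 97, 101, 114, 116])); // true
console.log(collisions("trade", sample));                    // tread, daert, rated
```

Because the code is order-independent, the "hash" is equivalent to publishing the multiset of letters in the page name; any scheme evaluated entirely in the browser is visible to the visitor and should not be relied on as access control.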





Received on Fri Jun 27 15:13:10 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:38 EDT

