Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Am I being Trapped. Encrypted Hash


ghost's Avatar
0 0

Okay, I have this Hash.

aepTOqxOi4i8U

However, it was EXTREMLEY easy to get, the website is very prestigious, and I find it very hard to believe they just have their username and hash of the admin sitting in a passwd.txt file with no security on it, and on top of that, it is that "WebAdmin"'s. I feel like I am being trapped here, how plausible is this?

Also, I am not experienced with command line programs, so it would be helpful if someone knew of a GUI decryption program (or a very simple command line one), one that hopefully uses rainbow tables. I use Ubuntu 11.04.


j4m32's Avatar
Member
0 0

Better open the Terminal and learn to use it.

Sounds like a typical WWWBoard Perlscript package, if you had even bothered to research the package you'd have already found the default password.

Don't take this the wrong way but simply looking at a few things probably would have become evident to you anyway.

In the "wwwadmin.pl" script you'll find that the 'encryption' method used is simply the Perl crypt(string, salt); funtion

sub check_passwd {
   open(PASSWD,"$basedir/$passwd_file") || &error(passwd_file);
   $passwd_line = <PASSWD>;
   chop($passwd_line) if $passwd_line =~ /\n$/;
   close(PASSWD);

   ($username,$passwd) = split(/:/,$passwd_line);

   $test_passwd = crypt($FORM{'password'}, substr($passwd, 0, 2));
   if (!($test_passwd eq $passwd && $FORM{'username'} eq $username)) {
      &error(bad_combo);
   }
}

Loads the file, splits the string, checks whether the username and the cryot of the input password matches the stored hash.

So in answer to you question: What ever Perl uses for crypt, you would have needed to reverse or bruteforce it if it had not been the default password.

Notice also, that the second param of crypt is the 'salt' which is the first two/three characters of the password string (I am not familiar with Perl substring, I would guess three characters).

Jim,


ghost's Avatar
0 0

Wow, okay, thank you, I hadn't realized how simple this was. I am a 110% it is not the default password though. And if it was, that would led me even more to the idea that actually logging into this account would be a trap.

I do use the terminal every once and awhile, just never bother to use programs on it, just simply because there has always been a GUI version of the program. Guess now is a good time to start.

I know how they compare the stored hashes, but wouldn't they have at least a little protection on the password file?

Honestly I was just screwing around looking for something to do when this came up. And I looked around a little bit more, to find nothing (after you said something about the wwwadmin.pl I looked at it, just to see what it said), most likely because I know nothing about any language.


stealth-'s Avatar
Ninja Extreme
0 0

otomotos wrote: Wow, okay, thank you, I hadn't realized how simple this was. I am a 110% it is not the default password though. And if it was, that would led me even more to the idea that actually logging into this account would be a trap.

….

I know how they compare the stored hashes, but wouldn't they have at least a little protection on the password file?

Every time someone thinks "There is no way someone is this stupid", there is always someone who is ten times worse. And besides, what's the worse thing that could happen if it is a honeypot?

I do use the terminal every once and awhile, just never bother to use programs on it, just simply because there has always been a GUI version of the program. Guess now is a good time to start.

Once you get the hang of it, the terminal has much more flexibility and is way more useful than a series of GUI apps. At least under Linux.

most likely because I know nothing about any language.

You should fix that. :P


j4m32's Avatar
Member
0 0

Alright, you're 110% sure, you can't possibly be wrong, that whole 10% makes so much difference…

I'll still refer you to this:

http://www.scriptarchive.com/download.cgi?s=wwwboard&c=zip

Look in the ZIP at the following files:

passwd.txt, it's the only entry, I think you might be surprised:

WebAdmin:aepTOqxOi4i8U

After all, documentation included in the ZIP in the ADMIN_README file:

Written by the developer, must be totally wrong too, I mean, honestly line 62, so full of shit isn't it? Oh wait there is the password in plaintext.

Well, looks like I am universally incorrect, it seems! Aha. Brilliant. The above is all meant in kind jest :)

In response to your next question:

They often make no attempt to protect the file from remote users viewing it because the kinds of people who set this, to use the approriate technical term, "crap", up follow the guide which doesn't really think about security implications of using a generic opensource package without taking a few counter measures.

That largely depends on the features of the webserver and whether the administrator can place files outside of the document root away from public eyes or indeed control the permissions sufcciently if it is stored within the document root.

The design of it is "attempts" to be such that, although the attacker will have the username, it's difficult initially arbitrary point of view just looking at the file with the username and hash, to reverse or crack the hash. Since one can easily find out that it is also salted with the first N characters it's actually no more difficult to crack if you have a good table or bruteforcer because the hash function isn't particularly complex.

The "average joe" often doesn't know about best security practices, they follow a "neat simple" tutorial they find from the first link on Google, and then wonders either: Why their non Perl enabled webspace doesn't appear to "work" or can't open a text editor and mdify a few bits of code to keep the passwd.txt file from either being index or being accessed (say with a .htaccess file to deny access to that file or a new subdirectory with reduced privledges).

Just so you know, the development of it seemed to have stop dead about 16 years ago :)

Hope that has helped!

Jim,


ghost's Avatar
0 0

Alright, well, that defiantly proves me very wrong haha, owell, this shit takes some experience before you stop making simple mistakes haha

Thank you both, gives me some stuff to look at and read up some.