Re: Symantec A/V - netscan password in registry

From: User C0d3r (c0d3r@cotse.net)
Date: Thu Feb 06 2003 - 13:45:13 EST


Hi;

Clearly, the password is encrypted/encoded somehow. I doubt that it is a hash, as
there are 43 characters (bytes) of data, a hash would likely be 32, 128, 256, etc.
Unless Symantec has developed a proprietary hashing algorithm, which is certainly
possible. You can set this up in a text file for John-the-Ripper, and John will
bang away at it, and may even identify the algorithm on its own. More likely John
will expect you to tell it what sort of encryption is used, which sort of puts you
back to square one. On the other hand, if you put it into the text file in the
format John expects, and tell him it's NTLM, he might point it out to you if you're
wrong. Worth a shot.

If you want to test it for an MD5 algorithm, you could put together some simple loop
code using something like Perl, similar to this pseudocode:

use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Value copied from the registry entry in the original post.
my $testvar = "20AA9E1606F91E64ABF97162783AE5E059E48797D7F";

open(my $dictionary_file, "<", "file.txt") or die "Cannot open file.txt: $!";

while (my $word = <$dictionary_file>) {
    chomp $word;
    my $hashed = uc md5_hex($word);   # hex digest, upper-cased to match the registry value
    if ($hashed eq $testvar) {        # 'eq' compares strings; '=' would just assign
        print "Success: $word\n";
    }
}

close $dictionary_file;

(disclaimer: This code will NOT run, and is meant for explanation purposes only).

Perl also has functions available for testing the Unix crypt stuff. Same basic
syntax. The only problem with this is that if your word isn't in the dictionary, or
the algorithm is not, say MD5, then you've spent a lot of ticks on nothing. Of
course, if you script it, you can go do something else and let it run forever if you
like.

Getting the password into L0pht Crack might be tricky, as L0pht is a bit picky
about where it gets hashes from. What may work is to set up SMB Relay (1 or 2), on
a box on your network, to relay the credentials through that machine during the
weekly phone home session, capture the hashes with LC3's sniffer, and crack them.
The side benefit of this is you can test the setup with local boxes to make sure
that it is working, and if LC3 doesn't pull the hashes during the phone home
session, it isn't a LanMan authentication credential. Obviously, the downside here
is that there may be legalities involved. Besides, if the hashes are win2k hashes
(ala NTLMv2), LC3 won't crack them anyway -- but at least you'll know what algorithm
you're dealing with.

I agree that you may have a security issue here, but the question is, is it an issue
for the user (i.e., an attacker can gain access, run code, or elevate privilege on the
user's system, Symantec putting unknowing users at risk) or is it an issue for
Symantec, who is perfectly within their rights to assume that risk if they like?
Let's face it, if an AV company gets hacked by placing the password to their server
in registries around the world, they deserve what they get, no?

Hope it helps.

C0d3r!

> All,
>
> recently installed Symantec A/V and looked at the
> registry in my PC. XP sp1
>
> clear text entries for an NT server and the share name
> that it uses.
>
> An entry for a “netscanpassword” that looks encrypted
> ?
>
> 20AA9E1606F91E64ABF97162783AE5E059E48797D7F
>
> Questions ?
> 1. is this password encrypted via Windows ( lmhash
> ntlm)
> 2. some crypt function (ala the UNIX world)
> 3. some other algorithms ? MD4 MD5 etc…
>
> Can I cut and paste the above into John-the-ripper or
> the crypt function ?
>
> What I have in clear text is the NT machine, its
> share name and the NT account (user) that it uses.
> All in the registry or event log.
>
> It does "phone home" every week - but I have yet to
> catch the packet traffic with Ethereal to see what
> type of authentication it is doing.
>
> Anyone else besides me think that this may present a
> security exposure ( inside our network - of course) ?
>
> It seems to me that placing this on every user’s
> desktop is exposing the A/V server to more risk than
> is required – if – the account and password (if it can
> be cracked) can access the server in any manner not
> expected by the installer.
>
> Or - is this old news and already been spotted ?
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
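Added example (not part of either poster's message): a Python version of the two checks discussed in the reply, the length reasoning about the 43-character value and the dictionary loop, written as an audit helper. The registry value is the one quoted in the thread; the wordlist and the HEX_DIGEST_LENGTHS table are constructed here.

```python
import hashlib

# Registry value quoted in the original post (43 characters).
NETSCAN_VALUE = "20AA9E1606F91E64ABF97162783AE5E059E48797D7F"

# Hex-digest lengths (in characters) of common unsalted algorithms; constructed table.
HEX_DIGEST_LENGTHS = {
    32: ["MD4", "MD5", "LM", "NTLM"],
    40: ["SHA-1"],
    64: ["SHA-256"],
    128: ["SHA-512"],
}


def classify(value):
    """Describe what a stored credential string could be, from its shape alone."""
    is_hex = all(c in "0123456789abcdefABCDEF" for c in value)
    n = len(value)
    return {
        "length": n,
        "is_hex": is_hex,
        # A hex encoding of whole bytes always has an even number of characters,
        # so an odd length (43 here) rules out a plain hex-encoded digest.
        "whole_bytes": is_hex and n % 2 == 0,
        "candidates": HEX_DIGEST_LENGTHS.get(n, []) if is_hex else [],
    }


def dictionary_check(value, words, algorithms=("md5", "sha1", "sha256")):
    """Test the reply's hypothesis that the value is an unsalted digest of a
    dictionary word. Returns (algorithm, word) on a match, otherwise None."""
    target = value.lower()
    for word in words:
        for algo in algorithms:
            if hashlib.new(algo, word.encode()).hexdigest() == target:
                return algo, word
    return None


# Constructed wordlist standing in for the dictionary file in the Perl loop.
WORDLIST = ["password", "symantec", "netscan", "admin"]

if __name__ == "__main__":
    print(classify(NETSCAN_VALUE))
    print(dictionary_check(NETSCAN_VALUE, WORDLIST))
```

For the quoted value, classify() reports an odd-length hex string with no matching digest size, which is the reply's "probably not a hash" point made mechanical.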



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT