Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

PasswordsPro modules

  • 24-10-2007 3:10pm
    #1
    Martyr
    Closed Accounts Posts: 1,567 ✭✭✭


    for anyone here (security consultant) that has to make assessment of password security in business, you could use passwordspro application.

    the author recently added support for custom modules.
    i've written some, although i've no use for them, they may interest some people on the forum here.

    HMAC-SHA-1
    HMAC-MD5

    MS SQL / MS SQL 2005
    ORACLE DES
    ORACLE SHA-1

    these are pre-release versions.
    if you would like to see module written, PM me.
    at the moment, i've only written those which aren't already available for ppro.


Comments

  • #2
    Martyr
    Closed Accounts Posts: 1,567 ✭✭✭Martyr


    hmm - can't edit the above message.

    just wanted to add another version.
    its written in assembly using SSE for des_set_key(), which should perform pretty good on CORE2 architecture (not tested)

    ORACLE DES (10g) assembly version

    i've tested it against the fastest known cracker, orabf 0.7.6 by 0rm/toolcrypt.
    the module is slightly slower, this partly due to implementation of converting ANSI -> UNICODE
    a separate tool is faster than orabf, and i might release this sometime in future.


  • #3
    Martyr
    Closed Accounts Posts: 1,567 ✭✭✭Martyr


    WPA1/WPA2 PMK hash module


  • #4
    Martyr
    Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Cisco PIX
    RIPEMD-128/RIPEMD-160


  • #5
    Martyr
    Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Eggdrop module using blowfish
    RSA MD2
    HAVAL-128
    SHA-512


  • #6
    Martyr
    Closed Accounts Posts: 1,567 ✭✭✭Martyr


    sha-2 512 (sse2) +175% faster.
    RIPEMD-256


  • Advertisement
  • #7
    Martyr
    Closed Accounts Posts: 1,567 ✭✭✭Martyr


    update modules:

    http://h1.ripway.com/kevindevine/ORACLE.rar
    http://h1.ripway.com/kevindevine/MSSQL.rar
    http://h1.ripway.com/kevindevine/WPA.rar
    http://h1.ripway.com/kevindevine/SHA-512.rar


  • #8
    Martyr
    Closed Accounts Posts: 1,567 ✭✭✭Martyr


    some of you might find this interesting..its about AIM6 passwords stored in the registry.:p

    i was in process of finding out about various IM password hashes.
    How these can be cracked using module for passwordspro - when i noticed that AIM6 passwords are just the plaintext encrypted using static key and random 64-bit salt value.

    this is the static key

    [PHP]blowfish_key label dword
    db 8 dup (0) ; user_salt
    db 099h,000h,086h,0A5h,027h,0AAh,09Dh,07Fh
    db 058h,0AAh,0AEh,0B9h,00Bh,047h,03Ah,035h
    db 0AAh,0E0h,0EAh,095h,066h,0FBh,0E4h,09Fh
    db 0CBh,0F7h,016h,01Ch,0A3h,092h,0E6h,01Ch
    db 096h,006h,09Bh,05Bh,029h,030h,0BFh,0AFh
    db 0ECh,011h,029h,0C8h,089h,05Bh,0B8h,057h
    key_len equ $-blowfish_key[/PHP]


    sorry this is in assembly, but i hadn't C compiler installed on laptop.
    its very simple anyway, description follows..

    For each user, a base64 string exists at the following registry key:

    HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords

    In order to recover the original password:

    Base64 decode the string into binary format
    The first 8 bytes are a salt pre-pended to 48 byte static value
    Use this 56 byte value to create the blowfish context.
    Decrypt the remaining ciphertext (24 bytes) in 8 byte blocks
    The decrypted ciphertext is the unicode format of the password

    Below is some assembly code to demonstrate decoding

    [PHP]main proc private uses esi ebx edi argc:dword, argv:dword

    local b64_aim_pass[64] :byte
    local ciphertext[64] :byte
    local aim_pass[64] :byte

    mov ebx,[argv]

    .if [argc] == 2

    invoke ZeroMemory,addr ciphertext,64
    invoke ZeroMemory,addr aim_pass,64
    invoke ZeroMemory,addr b64_aim_pass,64

    invoke lstrcpyn,addr b64_aim_pass,dword ptr[ebx+4],48
    invoke Base64Decode,addr b64_aim_pass,addr ciphertext

    lea esi,[ciphertext]
    lea edi,[blowfish_key]
    movsd ; 1st 4 bytes of salt
    movsd ; 2nd 4 bytes

    sub edi,8

    invoke Blowfish_SetKey, edi, key_len

    lea edi,[aim_pass] ; for plaintext..
    mov ebx,24/8 ; decrypt remaining bytes

    decrypt_loop:
    invoke Blowfish_Decrypt,edi,esi
    add esi,8
    add edi,8
    dec ebx
    jnz decrypt_loop

    invoke wprintf,addr format,addr aim_pass ; print unicode password
    .else
    invoke printf,
    CStr(<10,'Usage:%s <AIM6 PASSWORD STRING>',10>),
    dword ptr[ebx]
    .endif
    ret
    main endp[/PHP]

    i don't understand why they even use a block cipher like blowfish to do this..it isn't really protecting anything.


  • #9
    Martyr
    Closed Accounts Posts: 1,567 ✭✭✭Martyr


    these are encrypted, but if on the same system can be easily decoded.

    you have 16 byte static key - (maybe it is derived from hash function)

    [PHP]unsigned char secretKey[16]={ 0xa3,0x1e,0xf3,0x69,
    0x07,0x62,0xd9,0x1f,
    0x1e,0xe9,0x35,0x7d,
    0x4f,0xd2,0x7d,0x48 };[/PHP]


    there is also 32-bit pseudo-random value, just random i guess?

    [PHP]#define SEED_CONSTANT 0xba0da71d[/PHP]

    the key + seed are mixed with logged on username/domain name. (this is the entropy)
    decryption is with CryptUnprotectData()

    anyway, see small program to show decoding googlè tàlk pàsswords.

    dgt


Advertisement