Recently I installed GoodTech FTP Server for Windows 95/98 V3.0 onto my Windows box. So I played with it for a while and found out some stuff about the way it saves it passwords by looking at its passwd file.

Basically it creates a username/password file where it stores the accepted (valid) usernames and their respective passwords. However, to my shock and horror ( :P ), the way the passwords are encrypted has nothing to do with the username at all, like in DES, where the username has an affect on the ciphertext version on the password, if you understand what I mean...

So a password "whatever" with username "jethro", would equal an encrypted version of the same password, "whatever", with a completely different username, "geergeger". The password is made in the following way:



test3 ¡¢¢££¤¤¥¥¦¦§§¨¨©©ªª««¬¬**® 0


The spaces at the start middle and end are useless, as is the 0 at the end, which I think signifies the end of the password. The spaces in the middle are a lot bigger than what I have conveyed them here so I just decided to shorten it down a bit.

So after more experimenting, I found out what each encrypted letter's plaintext is. Here's the alpha-numerical alphabet: (it's a simple letter-replacement setup)


™ - 0
™ - 1
š - 2
š - 3
› - 4
› - 5
œ - 6
œ - 7
 - 8
 - 9

± - a
² - b
² - c
³ - d
³ - e
´ - f
´ - g
µ - h
µ - i
¶ - j
¶ - k
· - l
· - m
¸ - n
¸ - o
¹ - p
¹ - q
º - r
º - s
» - t
» - u
¼ - v
¼ - w
½ - x
½ - y
¾ - z

¡ - A
¢ - B
¢ - C
£ - D
£ - E
¤ - F
¤ - G
¥ - H
¥ - I
¦ - J
¦ - K
§ - L
§ - M
¨ - N
¨ - O
© - P
© - Q
ª - R
ª - S
« - T
« - U
¬ - V
¬ - W
* - X
* - Y
® - Z

So anybody (even "guest") with improperly set permissions (you have to set the permissions yourself, in a seperate file. Somebody might be stupid enough to forget to do this because the server works without it) could issue a ``GET`` command for the passwd file and get the ``encrypted`` passwords for any user.

Also, if you notice, every second letter has the same letter to substitute for it, so "-" means both X and Y and "©" means both P and Q. So if someone was to brute-force the server, the passwords would be much easier to crack.

<Edit> I had to reword this whole post because someone PMed me and said they couldn't understand it. I hope it makes more sense now, as looking back on it, there were a lot of typographical errors </Edit>

GoodTechSys.com