-
August 15th, 2006, 05:38 AM
#1
which cipher is this?
!CRYPT!103CF0A0C28A711EB964F627A3B
Some site says it's MD5, but Cain does not accept it even if I paste it without the !CRYPT!
-
August 15th, 2006, 05:50 AM
#2
How odd...
I punch that into Google and I get this from a registry dump:
[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion]
"Application Path"="e:\\Trend Micro\\OfficeScan Client\\"
"EnableClientEventLog"=dword:00000001
"Mode"=dword:00000001
"ProxyPort"=dword:00000050
"UseProxy"=dword:00000000
"ServerPort"=dword:00000050
"Server"="192.9.200.3"
"ProxyServer"=""
"ProxyLogin"=""
"ProxyPwd"="!CRYPT!103CF0A0C28A711EB964F627A3B"
An exact match... care to tell us what you're doing?
-
August 16th, 2006, 07:25 PM
#3
It's a 256-bit password/phrase in hexadecimal format;
if you don't know what it is, you probably shouldn't be able to/have access to it, and are probably doing something you shouldn't be; unless you can prove so otherwise.
-
August 16th, 2006, 10:28 PM
#4
Hi
Actually, I think it is a 96-bit ciphertext (skipping the first three hexadecimals).
There is a decryption algorithm in pwd.dll with the appropriate key.
The given proxy password "Proxy_Pwd=!CRYPT!103D59D1CBE85FE9A124F627A3B" corresponds to the default password.
TrendMicro's OfficeScan actually is quite a nice piece of work. Certainly, anyone installing it in a corporate environment will have a look at its files - and its registry entries. In particular, ofcscan.ini is interesting - there, besides the Proxy_Pwd, the master key (which you enter at installation time) and the uninstall (and unload) keys are stored (encrypted MD5 hash of the actual keys). Encrypting them with the keys provided in another executable will just give you the MD5 hashes.
All this is known... even TrendMicro knows that this is known.
NB: Skip those sites claiming it is an MD5 hash. An MD5 hash is a 128-bit hash, represented by 32 hexadecimals.
Cheers
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
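A worked check for the two points made in #2 and #4 (the value turns up in a .reg export, and its length alone rules out a raw MD5), as an added example in Python that is not part of this thread and not Trend Micro's code: it pulls every !CRYPT! value out of registry-export text and compares the hex length, in bits, with the digest sizes a cracker such as Cain or John would accept as a plain hash. The .reg fragment is the one quoted in #2, reproduced here as constructed test input; the hash-length table and all function names are my own assumptions. It says nothing about how pwd.dll actually transforms the value.

```python
import re

# Constructed test input: the .reg fragment quoted in post #2, trimmed to its
# string values (dword values carry no quoted data and are not matched).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion]
"Application Path"="e:\\Trend Micro\\OfficeScan Client\\"
"Server"="192.9.200.3"
"ProxyLogin"=""
"ProxyPwd"="!CRYPT!103CF0A0C28A711EB964F627A3B"
'''

CRYPT_PREFIX = "!CRYPT!"

# Digest sizes, in hex digits, of the raw hashes a cracker accepts as-is.
# A token whose length is not in this table is not a plain hash of any of
# these algorithms, whatever a web page claims.  (Assumed table, mine.)
HEX_HASH_LENGTHS = {
    32: ["MD5", "MD4", "NTLM", "LM"],
    40: ["SHA-1"],
    56: ["SHA-224"],
    64: ["SHA-256"],
    96: ["SHA-384"],
    128: ["SHA-512"],
}

# One "name"="value" line of a .reg export; dword:/hex: lines do not match.
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$', re.M)


def extract_crypt_values(reg_text):
    """Return (name, value) pairs whose data starts with the !CRYPT! marker."""
    return [(m.group("name"), m.group("value"))
            for m in REG_VALUE_RE.finditer(reg_text)
            if m.group("value").startswith(CRYPT_PREFIX)]


def classify_token(token):
    """Strip the !CRYPT! prefix and describe what the remaining hex can be."""
    body = token[len(CRYPT_PREFIX):] if token.startswith(CRYPT_PREFIX) else token
    if not re.fullmatch(r"[0-9A-Fa-f]+", body):
        return {"hex": False, "digits": len(body), "bits": None,
                "whole_bytes": None, "plain_hash_candidates": []}
    digits = len(body)
    return {
        "hex": True,
        "digits": digits,
        "bits": digits * 4,
        # an odd digit count cannot even be a whole byte string
        "whole_bytes": digits % 2 == 0,
        "plain_hash_candidates": HEX_HASH_LENGTHS.get(digits, []),
    }


def audit_reg(reg_text):
    """Classify every !CRYPT! value found in a registry export."""
    return [(name, classify_token(value))
            for name, value in extract_crypt_values(reg_text)]


if __name__ == "__main__":
    for name, info in audit_reg(SAMPLE_REG):
        print(name, info)
```

For the value from #2 the report is 27 hex digits, i.e. 108 bits and not even a whole number of bytes, so it matches none of the raw hash sizes; drop the three leading digits as #4 suggests and 96 bits remain. That is exactly why Cain rejects it: the tools key on length and alphabet before anything else.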
-
August 27th, 2006, 07:23 AM
#5
I always get that - "if you don't know what it is, you probably shouldn't be able to/have access to it, and are probably doing something you shouldn't be; unless you can prove so otherwise".
Anyway, yes, it's Trend Micro's OfficeScan, and I put up the Google hash because I didn't want to put up mine... From what I came to know, the MD5 is encrypted (again) and then presented in this format...
I just wanted to learn... that's all... This was something new which Cain/John the Ripper or any other program wouldn't accept, so I just wanted to know what this new thing was...
Anyway... is there any program to 'unmask' it?
-
August 28th, 2006, 08:01 AM
#6
Re: which cipher is this?
Originally posted here by C47
!CRYPT!103CF0A0C28A711EB964F627A3B
some site says its md5, but cain does not accept it even if i paste it without the !CRYPT!
HTTP/FTP certification code, like HTRegz says: "punch that into google and I get this from a registry dump".
The cert is an essential registry entry for WWW transactions; one of my virus works attacks this registry and puts in the value "dword norad = !CRYPT!103CF0A0C28A711EB964F627A99" (see the final 99 inserted), for IRC pre-authentication...
So the ProxyPwd refers to a hexadecimal cipher:
The code:
Code:
using System;
using System.Configuration;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Accepts every server certificate, i.e. disables TLS server authentication.
// The original snippet referenced this class without defining it; it is
// included here only so the sample compiles, not as something to ship.
public class AcceptAllCertificatePolicy : ICertificatePolicy
{
    public bool CheckValidationResult(ServicePoint sp, X509Certificate cert,
                                      WebRequest req, int problem)
    {
        return true;
    }
}

public static class HttpGetHelper
{
    // Fetches webURL (plus an optional, already URL-encoded query string),
    // optionally through a proxy whose address and credentials are read
    // from appSettings in the application's config file.
    public static string doHttpGet(string webURL, string sParameters)
    {
        WebProxy webProxy = null;
        string httpResponse = "";

        string proxyAddr = ConfigurationManager.AppSettings["ProxyAddr"];
        string proxyPort = ConfigurationManager.AppSettings["ProxyPort"];
        if (ConfigurationManager.AppSettings["EnableProxy"] == "1" &&
            !string.IsNullOrEmpty(proxyAddr) && proxyPort != null)
        {
            int port;
            if (!int.TryParse(proxyPort, out port))
                port = 80; // fall back to 80 when ProxyPort is not numeric
            webProxy = new WebProxy(proxyAddr, port);

            // Proxy credentials sit in the config file in clear text;
            // NetworkCredential sends them in whatever scheme the proxy
            // demands (for Basic that is base64 of "user:password").
            string proxyUser = ConfigurationManager.AppSettings["ProxyUser"];
            string proxyPwd = ConfigurationManager.AppSettings["ProxyPwd"];
            string proxyDom = ConfigurationManager.AppSettings["ProxyDom"];
            if (!string.IsNullOrEmpty(proxyUser) && proxyPwd != null && proxyDom != null)
                webProxy.Credentials = new NetworkCredential(proxyUser, proxyPwd, proxyDom);
        }

        HttpWebResponse webRes = null;
        try
        {
            ServicePointManager.CertificatePolicy = new AcceptAllCertificatePolicy();

            // The original assigned sParameters = "" at this point, which
            // silently discarded the query string; append it instead.
            string url = string.IsNullOrEmpty(sParameters) ? webURL : webURL + "?" + sParameters;
            HttpWebRequest webReq = (HttpWebRequest)WebRequest.Create(url);
            if (webProxy != null)
                webReq.Proxy = webProxy;
            webReq.Timeout = int.Parse(ConfigurationManager.AppSettings["WebTimeout"]);
            webReq.UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)";
            webReq.Method = "GET";
            webReq.ProtocolVersion = HttpVersion.Version11;

            webRes = (HttpWebResponse)webReq.GetResponse();
            using (StreamReader stmReader = new StreamReader(webRes.GetResponseStream()))
            {
                httpResponse = stmReader.ReadToEnd();
            }
        }
        catch (WebException)
        {
            httpResponse = ""; // network or HTTP error: return an empty body
        }
        finally
        {
            if (webRes != null)
                webRes.Close();
        }
        return httpResponse;
    }
}
Try to resolve a URL using a base ProxyPwd on these lines:
Code:
string proxyUser = ConfigurationSettings.AppSettings["ProxyUser"];
string proxyPwd = ConfigurationSettings.AppSettings["ProxyPwd"];
string proxyDom = ConfigurationSettings.AppSettings["ProxyDom"];
if(proxyUser != null && proxyUser.Length > 0 && proxyPwd != null && proxyDom != null)
webProxy.Credentials = new NetworkCredential(proxyUser, proxyPwd, proxyDom);
and get a web response, passing through a proxy or not.
Hmm, for a perfect understanding of that, I'll give you a piece of a PHP web page resolver.
proxyPwd composes a Base64 cipher; the format is (USER, PASSWORD).
See the PHP example of non-converted parameters:
PHP Code:
<?php
$http_method = 'http';
$hostname = 'www.antionline.com';
$cgi = '/azrael/aoexample/';
$proxy = 'http://proxy.crackenfind.net';

// CURLOPT_PROXYUSERPWD takes the plain "user:password" pair; curl itself
// base64-encodes it into the "Proxy-Authorization: Basic ..." header, so
// the value must not be base64-encoded beforehand (that encodes it twice).
$proxypwd = "aleksei:antionlinemember";
// What curl puts on the wire is base64_encode("aleksei:antionlinemember").

// "\n" must be in double quotes: inside single quotes PHP keeps the two
// characters backslash and n instead of a newline.
$XMLRequest  = '<?xml version="1.0" encoding="ISO-8859-1"?>' . "\n";
$XMLRequest .= '<message xmlns="http://antionline.com/messageadmin">' . "\n";
$XMLRequest .= ' <Header>' . "\n";
$XMLRequest .= '  <ClientId>Web request test</ClientId>' . "\n";
$XMLRequest .= '  <TransactionId>dklfj24ru743u3fj320fy49f84gyf</TransactionId>' . "\n";
$XMLRequest .= ' </Header>' . "\n";
$XMLRequest .= ' <Body>' . "\n";
$XMLRequest .= '  <code>#66#16#33</code>' . "\n";
$XMLRequest .= ' </Body>' . "\n";
$XMLRequest .= '</message>' . "\n";

$ServiceId = 'antionline:com.messageadmin:proxy.crackenfind.net';
// http_build_query URL-encodes the values; plain concatenation would send
// the XML's '<', '&' and '=' characters unescaped in the POST body.
$data_string = http_build_query(array(
    'ServiceId'  => $ServiceId,
    'XMLRequest' => $XMLRequest,
));

$curl_handle = curl_init($http_method . '://' . $hostname . '/messageadmin');
curl_setopt($curl_handle, CURLOPT_PROXY, $proxy);
curl_setopt($curl_handle, CURLOPT_PROXYPORT, 8080);
curl_setopt($curl_handle, CURLOPT_PROXYUSERPWD, $proxypwd);
curl_setopt($curl_handle, CURLOPT_HTTPPROXYTUNNEL, 1);
curl_setopt($curl_handle, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl_handle, CURLOPT_POST, 1);
curl_setopt($curl_handle, CURLOPT_POSTFIELDS, $data_string);
$result = curl_exec($curl_handle);
if (curl_error($curl_handle))
{
    printf("Error %s: %s", curl_errno($curl_handle), curl_error($curl_handle));
    die("No such web request");
}
curl_close($curl_handle);
echo $result;
$proxypwd = base64_encode("aleksei:antionlinemember"); is the format in Base64; the function that generates that looks like this Java encoder:
Code:
import java.io.IOException;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Fragment of a download task: _src, _proxyUser, _proxyPwd, copyConnectionToFile()
// and log() belong to the enclosing class.  sun.misc.BASE64Encoder from the
// original is an internal JDK class that has since been removed; java.util.Base64
// is the supported replacement (and, unlike the sun.misc class, never inserts
// line breaks into the output).
try {
    URLConnection connection = _src.openConnection();
    if (_proxyUser != null) {
        // Basic proxy auth: base64 of "user:password", trivially reversible.
        String encoded = Base64.getEncoder().encodeToString(
            (_proxyUser + ":" + _proxyPwd).getBytes(StandardCharsets.UTF_8));
        connection.setRequestProperty("Proxy-Authorization", "Basic " + encoded);
    }
    connection.connect();
    copyConnectionToFile(connection);
} catch (IOException ex) {
    log("Failure accessing " + _src + ": " + ex.getMessage(), Project.MSG_ERR);
}
I'm so bad at explaining without code, but the Base64 is a simple quest.
See Wikipedia for the Base64 format and encoder theory:
http://en.wikipedia.org/wiki/Base64
so best wishes!
AzRaEL
[NuKE] high council
www.crackenfind.net
-
August 28th, 2006, 08:22 AM
#7
Are you saying the above Java code will unmask it? Because that's what I want to do... Your Java code involves connections and stuff... This is strictly about unmasking the thing.
-
August 28th, 2006, 08:36 AM
#8
No, not only Java: Perl, PHP (C for girls), C++, C# (C for girls), and all web-based object languages are capable of doing that.
This is a basic encoder using C for girls (C#):
Code:
using System;

// Hand-rolled Base64 encoder: every three input bytes become four 6-bit
// values, each mapped through the 64-character alphabet.  The input is
// zero-padded to a multiple of three and the output characters that the
// padding bytes produced are replaced by '='.
public class Base64Encoder
{
    byte[] source;
    int length, length2;
    int blockCount;
    int paddingCount;

    public Base64Encoder(byte[] input)
    {
        source = input;
        length = input.Length;
        if ((length % 3) == 0)
        {
            paddingCount = 0;
            blockCount = length / 3;
        }
        else
        {
            paddingCount = 3 - (length % 3); // zero bytes to append
            blockCount = (length + paddingCount) / 3;
        }
        length2 = length + paddingCount; // or blockCount * 3
    }

    public char[] GetEncoded()
    {
        // copy the data over, inserting the zero padding
        byte[] source2 = new byte[length2];
        for (int x = 0; x < length2; x++)
        {
            source2[x] = x < length ? source[x] : (byte)0;
        }

        byte b1, b2, b3;
        byte temp, temp1, temp2, temp3, temp4;
        byte[] buffer = new byte[blockCount * 4];
        char[] result = new char[blockCount * 4];
        for (int x = 0; x < blockCount; x++)
        {
            b1 = source2[x * 3];
            b2 = source2[x * 3 + 1];
            b3 = source2[x * 3 + 2];
            temp1 = (byte)((b1 & 252) >> 2);   // first: top 6 bits of b1
            temp = (byte)((b1 & 3) << 4);
            temp2 = (byte)((b2 & 240) >> 4);
            temp2 += temp;                     // second: low 2 of b1 + top 4 of b2
            temp = (byte)((b2 & 15) << 2);
            temp3 = (byte)((b3 & 192) >> 6);
            temp3 += temp;                     // third: low 4 of b2 + top 2 of b3
            temp4 = (byte)(b3 & 63);           // fourth: low 6 bits of b3
            buffer[x * 4] = temp1;
            buffer[x * 4 + 1] = temp2;
            buffer[x * 4 + 2] = temp3;
            buffer[x * 4 + 3] = temp4;
        }
        for (int x = 0; x < blockCount * 4; x++)
        {
            result[x] = sixbit2char(buffer[x]);
        }
        // convert the trailing "A"s produced by the zero padding to "="
        switch (paddingCount)
        {
            case 0: break;
            case 1: result[blockCount * 4 - 1] = '='; break;
            case 2: result[blockCount * 4 - 1] = '=';
                    result[blockCount * 4 - 2] = '=';
                    break;
            default: break;
        }
        return result;
    }

    // The standard alphabet: A-Z, a-z, 0-9, '+', '/'
    private static readonly char[] lookupTable = new char[64]
    {
        'A','B','C','D','E','F','G','H','I','J','K','L','M',
        'N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
        'a','b','c','d','e','f','g','h','i','j','k','l','m',
        'n','o','p','q','r','s','t','u','v','w','x','y','z',
        '0','1','2','3','4','5','6','7','8','9','+','/'
    };

    private char sixbit2char(byte b)
    {
        if (b <= 63)              // a byte is never negative
            return lookupTable[b];
        return ' ';               // should not happen: input is masked to 6 bits
    }
}
And a decoder:
Code:
using System;

// Companion decoder: every four characters become three bytes.  A trailing
// '=' is treated as a zero sextet and the bytes it would have produced are
// dropped at the end.  Whitespace and line breaks must be stripped from the
// input beforehand.
public class Base64Decoder
{
    char[] source;
    int length, length2, length3;
    int blockCount;
    int paddingCount;

    public Base64Decoder(char[] input)
    {
        source = input;
        length = input.Length;
        // count the trailing '=' (at most two); the bound on x also guards
        // against inputs shorter than two characters
        int temp = 0;
        for (int x = 0; x < 2 && x < length; x++)
        {
            if (input[length - x - 1] == '=')
                temp++;
        }
        paddingCount = temp;
        // assumes all whitespace and carriage returns/newlines were removed
        blockCount = length / 4;
        length2 = blockCount * 3;
    }

    public byte[] GetDecoded()
    {
        byte[] buffer = new byte[length];    // one sextet per input character
        byte[] buffer2 = new byte[length2];  // decoded bytes, padding included
        for (int x = 0; x < length; x++)
        {
            buffer[x] = char2sixbit(source[x]);
        }
        byte b, b1, b2, b3;
        byte temp1, temp2, temp3, temp4;
        for (int x = 0; x < blockCount; x++)
        {
            temp1 = buffer[x * 4];
            temp2 = buffer[x * 4 + 1];
            temp3 = buffer[x * 4 + 2];
            temp4 = buffer[x * 4 + 3];
            b = (byte)(temp1 << 2);
            b1 = (byte)((temp2 & 48) >> 4);
            b1 += b;                         // 6 bits of s1 + top 2 of s2
            b = (byte)((temp2 & 15) << 4);
            b2 = (byte)((temp3 & 60) >> 2);
            b2 += b;                         // low 4 of s2 + top 4 of s3
            b = (byte)((temp3 & 3) << 6);
            b3 = temp4;
            b3 += b;                         // low 2 of s3 + 6 bits of s4
            buffer2[x * 3] = b1;
            buffer2[x * 3 + 1] = b2;
            buffer2[x * 3 + 2] = b3;
        }
        // drop the bytes that correspond to the padding
        length3 = length2 - paddingCount;
        byte[] result = new byte[length3];
        Array.Copy(buffer2, result, length3);
        return result;
    }

    private static readonly char[] lookupTable = new char[64]
    {
        'A','B','C','D','E','F','G','H','I','J','K','L','M','N',
        'O','P','Q','R','S','T','U','V','W','X','Y','Z',
        'a','b','c','d','e','f','g','h','i','j','k','l','m','n',
        'o','p','q','r','s','t','u','v','w','x','y','z',
        '0','1','2','3','4','5','6','7','8','9','+','/'
    };

    private byte char2sixbit(char c)
    {
        if (c == '=')
            return 0;
        int index = Array.IndexOf(lookupTable, c);
        return index >= 0 ? (byte)index : (byte)0; // invalid character: should not reach here
    }
}
But you may understand that: the ProxyPwd is a mix of (user, password) combined source and Base64 coding mixed with a hex transform.
The commercial cryptography of these days sucks!
No one today understands the cipher concept. They usually use a "tool" to generate their crypto transactions. Commercial and public, the real sense of private documents or transactions is lost.
What kind of question is a good answer?
I don't know...
greetz
Az
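The Basic proxy authentication that the PHP, Java and C# snippets in #6 and #8 all implement, as an added Python example that is not part of this thread and not code from any of the posters: it builds the Proxy-Authorization value the way those snippets do, then recovers the user and password from a constructed CONNECT request, the way a sniffer on the proxy path would. The request text, the function names and the User-Agent line are my own assumptions; the credential pair is the one used in #6's PHP sample.

```python
import base64
import binascii


def basic_proxy_header(user, password):
    """Build the Proxy-Authorization value for HTTP Basic (RFC 7617):
    "Basic " + base64(user ":" password).  This is encoding, not
    encryption: whoever sees the header has the password."""
    if ":" in user:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    raw = (user + ":" + password).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """Return (user, password) from a Basic credential, or None when the
    value is not a well-formed Basic token.  Only the first ':' splits the
    fields, so passwords that contain ':' survive the round trip."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


# Constructed sample: a proxy CONNECT request as seen on the wire.  The
# header value is basic_proxy_header("aleksei", "antionlinemember").
SAMPLE_REQUEST = (
    "CONNECT www.antionline.com:443 HTTP/1.1\r\n"
    "Host: www.antionline.com:443\r\n"
    "Proxy-Authorization: Basic YWxla3NlaTphbnRpb25saW5lbWVtYmVy\r\n"
    "User-Agent: curl/7.15.5\r\n"
    "\r\n"
)


def credentials_from_request(request_text):
    """Parse the raw HTTP header block and return the decoded proxy
    credential, or None if the request carries no usable Basic header."""
    head, _, _ = request_text.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authorization":
            return decode_basic(value)
    return None


if __name__ == "__main__":
    print(basic_proxy_header("aleksei", "antionlinemember"))
    print(credentials_from_request(SAMPLE_REQUEST))
```

Base64 is reversible by anyone holding the bytes, which is why a value recovered from a config file or a packet capture is a plaintext credential, not a hash. Note also that curl's CURLOPT_PROXYUSERPWD takes the plain user:password pair and performs this encoding itself; handing it an already base64-encoded string, as #6's PHP sample does, makes the proxy receive base64 of base64, and decode_basic reports that as None because the decoded text has no ':' separator.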