what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

tfn2kpass.c

tfn2kpass.c
Posted Feb 25, 2000
Authored by Simple Nomad | Site razor.bindview.com

Tfn2k password recovery tool - Tfn2k asks for a password during the build, which is used to prevent someone from recovering the password from the td or tfn binaries. Usefor for forensics, or to command a whole flood network to send you mail letting you know all the machines infected, or to command an attack to stop if you can recover a binary.

tags | denial of service
SHA-256 | cfd719ba0cd05621c443ed48728a727968997b11e93221a512eaa02351d08836

tfn2kpass.c

Change Mirror Download
Tfn2k asks for a password during the build, which is used to prevent
someone from recovering the password from the td or tfn binaries. I
wrote a program that will recover the password. It will compile and run
on Solaris and Intel-based free Unix systems (didn't test it elsewhere).
It can extract the password from a Sol, Intel-based Linux, or
Intel-based FreeBSD binary td or tfn (also probably others but just tested
these). In other words, you can extract passwords from a Linux td binary
on your Sol 2.7 box.

Uses for this include:

Scenario #1 -

You are a hot cybersleuth, extracting the password as a part of a
forensics effort. If the password matches some other forensic stuff
(like the password of a suspected script kid, or the DES key that
unlocks a cache of hacker tools in a tar file), you might catch that
elusive cyberterrorist.


Scenario #2 -

You have discovered a cache of tfn2k binaries on your large network.
By recovering the password, you can compile your own tfn and send
a command to be rexec'd to each suspected system, such as:

echo "0wned!! Clean me!!" | mail yourname@youraddress.com

Optionally if you discover you are flooding someone, you could
send the command to stop the flood from your new tfn binary.


Scenario #3 -

You are under attack and Zombie Zapper didn't help (ZZ only works
against tfn, trinoo, and stacheldraht). Send the sites attacking
you this software and ask them to send you the password. Once you
have it, compile your own tfn and start telling those zombies to
leave you alone! Okay, this last one is a little far-fetched and
won't work if the attack lasts just a couple of hours and if the
addresses are forged, but it is better than nothing.

Have fun and play nice, everyone!

- Simple Nomad - No rest for the Wicca'd -
- thegnome@nmrc.org - www.nmrc.org -
- thegnome@razor.bindview.com - razor.bindview.com -

/*
* tfn2kpass - tfn2k Password Recovery. Extract password for tfn2k from a
* td or tfn binary.
*
* Written by Simple Nomad [thegnome@razor.bindview.com] 21Feb2000
*
* More fun stuff at http://razor.bindview.com/, licensing at end
* of file.
*
* Should compile and run fine on any Intel/Sun-based system:
* gcc -o tfn2kpass tfn2kpass.c
*
* Example usage:
* ./tfn2kpass tfn-binary-file
*
* Tested against binaries compiled on Intel Linux, Intel FreeBSD, and
* Solaris. Thanks for the help, Jordan <jritter@razor.bindview.com>
* and Paul <pashton@razor.bindview.com> from the RAZOR team.
*
*/

/* includes */
#include <stdio.h>
#include <stdlib.h>

/*
* Main program....
*/
int main(int argc, char *argv[])
{
FILE *ftd;
int i, search = 0, search2, found = 0, rew = 32;
unsigned char recover[32];
unsigned char password[32];
unsigned char offset;
char close[]="@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@";
char check[sizeof(close)];

/* Say hello... */
printf("tfn2kpass - Recover the password from tfn2k's 'td' or 'tfn'\n");
printf("Comments/bugs: Simple Nomad <thegnome@razor.bindview.com>\n");
printf("http://razor.bindview.com/\n\n");

if (argc!=2)
{
fprintf(stderr,"USAGE: tfn2kpass <td_filename>\n\n");
fprintf(stderr,"EXAMPLES:\n");
fprintf(stderr," tfn2kpass renamed_td\n");
exit(-1);
}

ftd=fopen(argv[1],"rb");
if (ftd == NULL)
{
fprintf(stderr,"Unable to open file %s.\n",argv[1]);
exit(-1);
}

/* first we search the file for the first marker that we
are close to the password -- the 40 @'s should be right
after the password */
while(!feof(ftd))
{
fseek(ftd,search,SEEK_SET);
fread(&check,40,1,ftd);
if (!strncmp(check,close,40))
{
found = 1;
break;
}
search++;
}

if (found)
{
found = 0; /* reset our flag for next 'find' */
search--;
search2 = search;
/* Now we'll search backward looking for the first non-zero
value, which is the offset used to mask the password.
The amount of zeroes depends upon platform as well as the
daemon type (td or tfn), so we move back one at a time.
Also it allows us to examine daemons compiled on a freebsd
box from our linux box, for example. */
while(search2!=0)
{
fseek(ftd,search2,SEEK_SET);
fread(&offset,1,1,ftd);
/* Sol bins have the needed "offset" right before the string
of @'s as well as at the end of the password field, so we
need to skip that byte. Also, if we do not shorten the
amount of bytes for a Sol bin by one, we end up with one
extra char at the beginning of the password. Go figure. */
if((offset) && (search2 == search))
{
rew--;
}
else if(offset)
{
found = 1;
break;
}
search2--;
}
if (found) /* if we found the offset, grab and print the password */
{
fseek(ftd,search2-rew,SEEK_SET);
fread(&recover,32,1,ftd);
fclose(ftd);

for (i=0;i<32;i++) password[i]=recover[i] - offset;
printf("The password is - ");
for (i=0;i<32;i++)
{
if (isprint(password[i]))
printf("%c",password[i]);
}
printf("\n\n");
}
}
if(!found) printf("The password was not found\n\n");
exit(0);
}

/*
* BindView License -

Copyright (c) 2000 BindView Corporation. All rights reserved.

By using this software, YOU AGREE to the following license terms. IF YOU
DO NOT AGREE, YOU MAY NOT USE THE SOFTWARE.

1. BindView believes that this software is safe for use in normal
circumstances, and has performed what it believes to be reasonable but
non-exhaustive testing to verify this. The software is intended for use
only by experienced and knowledgeable computer professionals; IT IS
PROVIDED "AS IS, WITH ALL FAULTS," including source code so that the user
can study the source code and independently determine the software's
suitability. BindView makes no warranty of any kind, express or implied,
and DISCLAIMS ANY AND ALL WARRANTIES, CONDITIONS, OR IMPLIED TERM OF
QUALITY, INCLUDING THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT,
MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. All use of the
software is entirely at the user's own risk.

2. IN NO EVENT WILL BINDVIEW BE LIABLE FOR DAMAGES OF ANY KIND arising
from or relating to use of the software, whether such damages are direct,
indirect, incidental, consequential, exemplary, or any other kind, and
whether arising under contract, tort (including negligence), strict
liability, or otherwise.

3. BindView will not object to your distribution of complete, unmodified
copies of the distribution package of the software as provided by
BindView, PROVIDED that you do not charge a fee other than a reasonable
fee for distribution services. You may charge a fee for any warranty or
support services that you offer to purchasers of copies of the software.

4. You may modify the software and distribute copies of the modified
software, PROVIDED:

(a) that you distribute, together with the executable code of the
modified software:

(1) the source code of the modified software, which must
contain the BindView copyright notice set forth above (in
addition to your own copyright notice if any); and

(2) a copy of the complete, unmodified distribution
package of the software as provided by BindView; and

(b) that you clearly indicate in the source code and in an
accompanying documentation file that the software is based on
BindView's software and was modified by you; and

(c) that you grant users of the modified software the same rights
as are granted to you by this license.

*
*/


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close