From: Simple Nomad [thegnome@NMRC.ORG]
Sent: Thursday, February 24, 2000 11:08 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Tfn2k Password Recovery

Tfn2k asks for a password during the build, which is used to prevent someone from recovering the password from the td or tfn binaries. I wrote a program that will recover the password. It will compile and run on Solaris and Intel-based free Unix systems (didn't test it elsewhere). It can extract the password from a Sol, Intel-based Linux, or Intel-based FreeBSD binary td or tfn (also probably others but just tested these). In other words, you can extract passwords from a Linux td binary on your Sol 2.7 box.

Uses for this include:

Scenario #1 - You are a hot cybersleuth, extracting the password as a part of a forensics effort. If the password matches some other forensic stuff (like the password of a suspected script kid, or the DES key that unlocks a cache of hacker tools in a tar file), you might catch that elusive cyberterrorist.

Scenario #2 - You have discovered a cache of tfn2k binaries on your large network. By recovering the password, you can compile your own tfn and send a command to be rexec'd to each suspected system, such as:

    echo "0wned!! Clean me!!" | mail yourname@youraddress.com

Optionally, if you discover you are flooding someone, you could send the command to stop the flood from your new tfn binary.

Scenario #3 - You are under attack and Zombie Zapper didn't help (ZZ only works against tfn, trinoo, and stacheldraht). Send the sites attacking you this software and ask them to send you the password. Once you have it, compile your own tfn and start telling those zombies to leave you alone! Okay, this last one is a little far-fetched and won't work if the attack lasts just a couple of hours and if the addresses are forged, but it is better than nothing.

Have fun and play nice, everyone!
- Simple Nomad - No rest for the Wicca'd -
- thegnome@nmrc.org - www.nmrc.org -
- thegnome@razor.bindview.com - razor.bindview.com -


/*
 * tfn2kpass - tfn2k Password Recovery. Extract password for tfn2k from a
 * td or tfn binary.
 *
 * Written by Simple Nomad [thegnome@razor.bindview.com] 21Feb2000
 *
 * More fun stuff at http://razor.bindview.com/, licensing at end
 * of file.
 *
 * Should compile and run fine on any Intel/Sun-based system:
 * gcc -o tfn2kpass tfn2kpass.c
 *
 * Example usage:
 * ./tfn2kpass tfn-binary-file
 *
 * Tested against binaries compiled on Intel Linux, Intel FreeBSD, and
 * Solaris. Thanks for the help, Jordan and Paul from the RAZOR team.
 *
 */

/* includes */
#include <stdio.h>   /* FILE, fopen, fread, fseek, feof, printf */
#include <stdlib.h>  /* exit */
#include <string.h>  /* strncmp */
#include <ctype.h>   /* isprint */

/*
 * Main program....
 */
int main(int argc, char *argv[])
{
    FILE *ftd;
    int i, search = 0, search2, found = 0, rew = 32;
    unsigned char recover[32];
    unsigned char password[32];
    unsigned char offset;
    char close[] = "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@";  /* 40 @'s */
    char check[sizeof(close)];

    /* Say hello... */
    printf("tfn2kpass - Recover the password from tfn2k's 'td' or 'tfn'\n");
    printf("Comments/bugs: Simple Nomad \n");
    printf("http://razor.bindview.com/\n\n");

    if (argc != 2) {
        fprintf(stderr, "USAGE: tfn2kpass \n\n");
        fprintf(stderr, "EXAMPLES:\n");
        fprintf(stderr, "  tfn2kpass renamed_td\n");
        exit(-1);
    }

    ftd = fopen(argv[1], "rb");
    if (ftd == NULL) {
        fprintf(stderr, "Unable to open file %s.\n", argv[1]);
        exit(-1);
    }

    /* first we search the file for the first marker that we are close
       to the password -- the 40 @'s should be right after the password */
    while (!feof(ftd)) {
        fseek(ftd, search, SEEK_SET);
        fread(check, 40, 1, ftd);
        if (!strncmp(check, close, 40)) {
            found = 1;
            break;
        }
        search++;
    }

    if (found) {
        found = 0;          /* reset our flag for next 'find' */
        search--;           /* byte immediately before the 40 @'s */
        search2 = search;

        /* Now we'll search backward looking for the first non-zero
           value, which is the offset used to mask the password. The
           amount of zeroes depends upon platform as well as the daemon
           type (td or tfn), so we move back one at a time. Also it
           allows us to examine daemons compiled on a freebsd box from
           our linux box, for example. */
        while (search2 != 0) {
            fseek(ftd, search2, SEEK_SET);
            fread(&offset, 1, 1, ftd);
            /* Sol bins have the needed "offset" right before the
               string of @'s as well as at the end of the password
               field, so we need to skip that byte. Also, if we do not
               shorten the amount of bytes for a Sol bin by one, we end
               up with one extra char at the beginning of the password.
               Go figure. */
            if ((offset) && (search2 == search)) {
                rew--;
            } else if (offset) {
                found = 1;
                break;
            }
            search2--;
        }

        if (found) {  /* if we found the offset, grab and print the password */
            fseek(ftd, search2 - rew, SEEK_SET);
            fread(recover, 32, 1, ftd);
            fclose(ftd);
            /* each stored byte is the password byte plus the offset */
            for (i = 0; i < 32; i++)
                password[i] = recover[i] - offset;
            printf("The password is - ");
            for (i = 0; i < 32; i++) {
                if (isprint(password[i]))
                    printf("%c", password[i]);
            }
            printf("\n\n");
        }
    }

    if (!found)
        printf("The password was not found\n\n");

    exit(0);
}

/*
 * BindView License - Copyright (c) 2000 BindView Corporation. All rights
 * reserved. By using this software, YOU AGREE to the following license
 * terms. IF YOU DO NOT AGREE, YOU MAY NOT USE THE SOFTWARE.
 *
 * 1. BindView believes that this software is safe for use in normal
 * circumstances, and has performed what it believes to be reasonable but
 * non-exhaustive testing to verify this. The software is intended for use
 * only by experienced and knowledgeable computer professionals; IT IS
 * PROVIDED "AS IS, WITH ALL FAULTS," including source code so that the
 * user can study the source code and independently determine the
 * software's suitability. BindView makes no warranty of any kind, express
 * or implied, and DISCLAIMS ANY AND ALL WARRANTIES, CONDITIONS, OR IMPLIED
 * TERM OF QUALITY, INCLUDING THE IMPLIED WARRANTIES OF TITLE,
 * NON-INFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE.
 * All use of the software is entirely at the user's own risk.
 *
 * 2. IN NO EVENT WILL BINDVIEW BE LIABLE FOR DAMAGES OF ANY KIND arising
 * from or relating to use of the software, whether such damages are
 * direct, indirect, incidental, consequential, exemplary, or any other
 * kind, and whether arising under contract, tort (including negligence),
 * strict liability, or otherwise.
 *
 * 3. BindView will not object to your distribution of complete, unmodified
 * copies of the distribution package of the software as provided by
 * BindView, PROVIDED that you do not charge a fee other than a reasonable
 * fee for distribution services. You may charge a fee for any warranty or
 * support services that you offer to purchasers of copies of the software.
 *
 * 4. You may modify the software and distribute copies of the modified
 * software, PROVIDED: (a) that you distribute, together with the
 * executable code of the modified software: (1) the source code of the
 * modified software, which must contain the BindView copyright notice set
 * forth above (in addition to your own copyright notice if any); and (2) a
 * copy of the complete, unmodified distribution package of the software as
 * provided by BindView; and (b) that you clearly indicate in the source
 * code and in an accompanying documentation file that the software is
 * based on BindView's software and was modified by you; and (c) that you
 * grant users of the modified software the same rights as are granted to
 * you by this license.
 *
 */
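The recovery logic above is tied to fseek/fread on a file, one byte per read. As an added example (not Simple Nomad's code and not part of the original post), the same marker-then-offset walk is factored into a function over an in-memory image, so it can be unit-tested and applied to any buffer a forensic workflow already holds (a carved file, a memory dump region). The image layouts are constructed from the description in the code comments: a 32-byte masked password field, the mask offset byte, platform-dependent zero padding, then the 40 '@' marker, with the Solaris variant repeating the offset byte directly before the marker. The sample images, password and offset value are constructed test data, not bytes from a real tfn2k binary; build_sample, find_marker and tfn2k_recover are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define TFN2K_MARKER_LEN 40   /* run of '@' that follows the password field */
#define TFN2K_FIELD_LEN  32   /* bytes read back as the password field */

/* Return the index of the first run of 40 '@' bytes, or -1 if absent. */
static long find_marker(const unsigned char *buf, size_t len)
{
    size_t i, run = 0;
    for (i = 0; i < len; i++) {
        run = (buf[i] == '@') ? run + 1 : 0;
        if (run == TFN2K_MARKER_LEN)
            return (long)(i + 1 - TFN2K_MARKER_LEN);
    }
    return -1;
}

/* Recover the password from an in-memory image. Writes the printable
 * characters to out (NUL-terminated) and returns their count, or -1 if
 * the marker or the offset byte cannot be located. Same walk as the
 * original tool: back up from the marker over zero padding to the first
 * non-zero byte (the mask offset); a non-zero byte directly before the
 * marker is the duplicated Solaris offset, so skip it and read one byte
 * less of the field. */
int tfn2k_recover(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    long marker = find_marker(buf, len), pos, rew = TFN2K_FIELD_LEN;
    unsigned char offset = 0;
    int found = 0, n = 0, i;

    if (marker <= 0 || outlen == 0) return -1;
    for (pos = marker - 1; pos > 0; pos--) {
        if (buf[pos] == 0) continue;
        if (pos == marker - 1) { rew--; continue; }
        offset = buf[pos]; found = 1; break;
    }
    if (!found || pos - rew < 0) return -1;
    for (i = 0; i < TFN2K_FIELD_LEN && (size_t)n + 1 < outlen; i++) {
        /* stored byte = password byte + offset (mod 256) */
        unsigned char c = (unsigned char)(buf[pos - rew + i] - offset);
        if (isprint(c)) out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Build a constructed image in the layout described by the original
 * comments (not a real tfn2k binary). Returns the image length, 0 if
 * cap is too small. solaris_style repeats the offset before the marker
 * and makes the offset the last byte of the field itself. */
size_t build_sample(unsigned char *img, size_t cap, const char *password,
                    unsigned char offset, int solaris_style)
{
    static const unsigned char junk[] = { 0x7f, 'E', 'L', 'F', 0x01, 0x02 }; /* constructed filler */
    unsigned char field[TFN2K_FIELD_LEN];
    size_t n = 0, i, plen = strlen(password);

    if (cap < sizeof junk + TFN2K_FIELD_LEN + 1 + 4 + 1 + TFN2K_MARKER_LEN) return 0;
    memcpy(img, junk, sizeof junk); n += sizeof junk;

    memset(field, 0, sizeof field);
    if (plen > TFN2K_FIELD_LEN - 1) plen = TFN2K_FIELD_LEN - 1;
    memcpy(field, password, plen);
    for (i = 0; i < TFN2K_FIELD_LEN; i++)
        field[i] = (unsigned char)(field[i] + offset);       /* mask every field byte */
    if (solaris_style) field[TFN2K_FIELD_LEN - 1] = offset;  /* offset ends the field */
    memcpy(img + n, field, TFN2K_FIELD_LEN); n += TFN2K_FIELD_LEN;
    if (!solaris_style) img[n++] = offset;                   /* offset follows the field */
    memset(img + n, 0, 4); n += 4;                           /* zero padding */
    if (solaris_style) img[n++] = offset;                    /* offset repeated before @'s */
    memset(img + n, '@', TFN2K_MARKER_LEN); n += TFN2K_MARKER_LEN;
    return n;
}

int main(void)
{
    unsigned char img[128];
    char out[TFN2K_FIELD_LEN + 1];
    size_t len = build_sample(img, sizeof img, "forensic", 0x21, 0);
    if (tfn2k_recover(img, len, out, sizeof out) > 0)
        printf("Linux-style sample:   %s\n", out);
    len = build_sample(img, sizeof img, "forensic", 0x21, 1);
    if (tfn2k_recover(img, len, out, sizeof out) > 0)
        printf("Solaris-style sample: %s\n", out);
    return 0;
}
```

Keeping the walk in a pure function over a buffer makes the two platform layouts directly checkable against each other, which the original byte-at-a-time file loop does not allow; the mask itself is only a per-byte addition, so the recovered characters are exactly the field bytes minus the offset, with zero padding dropped by the isprint filter.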