When encryption is unserviceable

Sometimes we use encryption just to feel more secure. But often the truth is that the encryption is unserviceable even when we have a very long, complex password and a strong encryption algorithm. I’ll give two examples to explain this idea.

1. Forums

Suppose the Administrator of the forum www.oneforum.com has a very strong password. We know
that the forum uses the MD5 algorithm for password encryption. Then someone steals the Administrator’s
cookie through an XSS vulnerability in the forum, and now he knows the MD5 hash
bbbd53e913a404b04abf373dc1dac49b. It’s easy for him to find the Administrator’s UserID from member.php,
for example http://www.oneforum.com/member.php?u=123, when he looks at the Admin’s profile.

In this scenario crackers try to crack the MD5 hash with a program like John the Ripper, Cain & Abel,
Passwordpro, etc. For a strong password this method will take a year, maybe more.
Is this the best way?

No. Why find the real password and use it the standard way in the login form, when
we can make an HTTP request for the preferred page in the forum (e.g. Admin’s Forum ->
forumdisplay.php?f=123) and include in the HTTP header the cookie with the Administrator’s data? We don’t
need the real password, only the hash.

An HTTP request example for the above scenario:

GET http://www.oneforum.com/forumdisplay.php?f=123 HTTP/1.1
Host: www.oneforum.com
Cookie: bbuserid=123; bbpassword=bbbd53e913a404b04abf373dc1dac49b;
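
Added example, not part of the original post or of any forum's code: a Python sketch that puts the cookie scheme above beside a hardened one, where the cookie holds a random, expiring, revocable token instead of the stored hash. The user table, function names, TTL and sample password are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time

PASSWORD = "a-very-strong-passphrase"      # constructed sample value
SALT = secrets.token_bytes(16)             # one salt per user in a real table
USERS = {123: {                            # hypothetical user table
    "pw_md5": hashlib.md5(PASSWORD.encode()).hexdigest(),   # legacy column
    "pw_kdf": hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), SALT, 200_000),
}}
SESSIONS = {}       # sha256(token) -> (user_id, expiry); raw tokens are not stored
SESSION_TTL = 1800  # seconds, assumed policy


def legacy_auth(cookies):
    """Scheme from the post: the cookie carries the stored hash itself."""
    try:
        user = USERS.get(int(cookies.get("bbuserid", "")))
    except ValueError:
        return False
    return user is not None and hmac.compare_digest(
        user["pw_md5"].encode(), cookies.get("bbpassword", "").encode())


def login(user_id, password):
    """Check the password once, then hand out a random, expiring token."""
    user = USERS.get(user_id)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)
    if not hmac.compare_digest(user["pw_kdf"], candidate):
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    SESSIONS[key] = (user_id, time.time() + SESSION_TTL)
    return token


def session_auth(token, now=None):
    """Return the user id for a live token, else None."""
    entry = SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or entry[1] <= (time.time() if now is None else now):
        return None
    return entry[0]


def revoke_sessions(user_id):
    """Logout everywhere / incident response: drop every token of a user."""
    for key in [k for k, (uid, _) in SESSIONS.items() if uid == user_id]:
        del SESSIONS[key]
```

With the legacy scheme a copied cookie stays valid until the password itself changes; with the token scheme it expires on its own and can be revoked per user. Marking the token cookie HttpOnly and Secure additionally keeps page scripts from reading it.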


Another example that will help us understand why encryption is sometimes unserviceable is Shares.

Suppose we have access to a LAN which uses sharing. We can find LM/NTLM hashes in many
ways (e.g. sniffing (ettercap), PwDump, Findpass, CacheDump, etc.). We know that if we crack these hashes
we can map a network drive to the victim’s local drives, execute commands, or take a
remote desktop.

All the known tools need the real password to work. Examples:

A) Map a network drive (net command)
net use z: \\administrator-cn\c$ <password> /USER:DOMAIN\Administrator

B) Remote execute commands (psexec)
psexec \\administrator-cn -u DOMAIN\Administrator -p <password> c:\winnt\notepad.exe

C) Remote desktop (mstsc)
mstsc.exe asks for a Username/Password.

…but does the clear text password travel over the network?

No. Just the hash. So if we could send the hash, not the password, with the above tools, we don’t need to
crack the very strong password, and we see why the encryption is unserviceable in this situation too.

Of course encryption is important for more security, but we have to know when it can be unserviceable.
The real hackers don’t need to crack :)


Passing the hash in vBulletin
Pass-The-Hash Toolkit



June 23rd



© 2019 SuRGeoNix | Security Blog