exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

tfn2kpass.c

tfn2kpass.c
Posted Feb 25, 2000
Authored by Simple Nomad | Site razor.bindview.com

Tfn2k password recovery tool - Tfn2k asks for a password during the build, which is used to prevent someone from recovering the password from the td or tfn binaries. Usefor for forensics, or to command a whole flood network to send you mail letting you know all the machines infected, or to command an attack to stop if you can recover a binary.

tags | denial of service
SHA-256 | cfd719ba0cd05621c443ed48728a727968997b11e93221a512eaa02351d08836

tfn2kpass.c

Change Mirror Download
Tfn2k asks for a password during the build, which is used to prevent
someone from recovering the password from the td or tfn binaries. I
wrote a program that will recover the password. It will compile and run
on Solaris and Intel-based free Unix systems (didn't test it elsewhere).
It can extract the password from a Sol, Intel-based Linux, or
Intel-based FreeBSD binary td or tfn (also probably others but just tested
these). In other words, you can extract passwords from a Linux td binary
on your Sol 2.7 box.

Uses for this include:

Scenario #1 -

You are a hot cybersleuth, extracting the password as a part of a
forensics effort. If the password matches some other forensic stuff
(like the password of a suspected script kid, or the DES key that
unlocks a cache of hacker tools in a tar file), you might catch that
elusive cyberterrorist.


Scenario #2 -

You have discovered a cache of tfn2k binaries on your large network.
By recovering the password, you can compile your own tfn and send
a command to be rexec'd to each suspected system, such as:

echo "0wned!! Clean me!!" | mail yourname@youraddress.com

Optionally if you discover you are flooding someone, you could
send the command to stop the flood from your new tfn binary.


Scenario #3 -

You are under attack and Zombie Zapper didn't help (ZZ only works
against tfn, trinoo, and stacheldraht). Send the sites attacking
you this software and ask them to send you the password. Once you
have it, compile your own tfn and start telling those zombies to
leave you alone! Okay, this last one is a little far-fetched and
won't work if the attack lasts just a couple of hours and if the
addresses are forged, but it is better than nothing.

Have fun and play nice, everyone!

- Simple Nomad - No rest for the Wicca'd -
- thegnome@nmrc.org - www.nmrc.org -
- thegnome@razor.bindview.com - razor.bindview.com -

/*
* tfn2kpass - tfn2k Password Recovery. Extract password for tfn2k from a
* td or tfn binary.
*
* Written by Simple Nomad [thegnome@razor.bindview.com] 21Feb2000
*
* More fun stuff at http://razor.bindview.com/, licensing at end
* of file.
*
* Should compile and run fine on any Intel/Sun-based system:
* gcc -o tfn2kpass tfn2kpass.c
*
* Example usage:
* ./tfn2kpass tfn-binary-file
*
* Tested against binaries compiled on Intel Linux, Intel FreeBSD, and
* Solaris. Thanks for the help, Jordan <jritter@razor.bindview.com>
* and Paul <pashton@razor.bindview.com> from the RAZOR team.
*
*/

/* includes */
#include <stdio.h>
#include <stdlib.h>

/*
* Main program....
*/
int main(int argc, char *argv[])
{
FILE *ftd;
int i, search = 0, search2, found = 0, rew = 32;
unsigned char recover[32];
unsigned char password[32];
unsigned char offset;
char close[]="@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@";
char check[sizeof(close)];

/* Say hello... */
printf("tfn2kpass - Recover the password from tfn2k's 'td' or 'tfn'\n");
printf("Comments/bugs: Simple Nomad <thegnome@razor.bindview.com>\n");
printf("http://razor.bindview.com/\n\n");

if (argc!=2)
{
fprintf(stderr,"USAGE: tfn2kpass <td_filename>\n\n");
fprintf(stderr,"EXAMPLES:\n");
fprintf(stderr," tfn2kpass renamed_td\n");
exit(-1);
}

ftd=fopen(argv[1],"rb");
if (ftd == NULL)
{
fprintf(stderr,"Unable to open file %s.\n",argv[1]);
exit(-1);
}

/* first we search the file for the first marker that we
are close to the password -- the 40 @'s should be right
after the password */
while(!feof(ftd))
{
fseek(ftd,search,SEEK_SET);
fread(&check,40,1,ftd);
if (!strncmp(check,close,40))
{
found = 1;
break;
}
search++;
}

if (found)
{
found = 0; /* reset our flag for next 'find' */
search--;
search2 = search;
/* Now we'll search backward looking for the first non-zero
value, which is the offset used to mask the password.
The amount of zeroes depends upon platform as well as the
daemon type (td or tfn), so we move back one at a time.
Also it allows us to examine daemons compiled on a freebsd
box from our linux box, for example. */
while(search2!=0)
{
fseek(ftd,search2,SEEK_SET);
fread(&offset,1,1,ftd);
/* Sol bins have the needed "offset" right before the string
of @'s as well as at the end of the password field, so we
need to skip that byte. Also, if we do not shorten the
amount of bytes for a Sol bin by one, we end up with one
extra char at the beginning of the password. Go figure. */
if((offset) && (search2 == search))
{
rew--;
}
else if(offset)
{
found = 1;
break;
}
search2--;
}
if (found) /* if we found the offset, grab and print the password */
{
fseek(ftd,search2-rew,SEEK_SET);
fread(&recover,32,1,ftd);
fclose(ftd);

for (i=0;i<32;i++) password[i]=recover[i] - offset;
printf("The password is - ");
for (i=0;i<32;i++)
{
if (isprint(password[i]))
printf("%c",password[i]);
}
printf("\n\n");
}
}
if(!found) printf("The password was not found\n\n");
exit(0);
}

/*
* BindView License -

Copyright (c) 2000 BindView Corporation. All rights reserved.

By using this software, YOU AGREE to the following license terms. IF YOU
DO NOT AGREE, YOU MAY NOT USE THE SOFTWARE.

1. BindView believes that this software is safe for use in normal
circumstances, and has performed what it believes to be reasonable but
non-exhaustive testing to verify this. The software is intended for use
only by experienced and knowledgeable computer professionals; IT IS
PROVIDED "AS IS, WITH ALL FAULTS," including source code so that the user
can study the source code and independently determine the software's
suitability. BindView makes no warranty of any kind, express or implied,
and DISCLAIMS ANY AND ALL WARRANTIES, CONDITIONS, OR IMPLIED TERM OF
QUALITY, INCLUDING THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT,
MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. All use of the
software is entirely at the user's own risk.

2. IN NO EVENT WILL BINDVIEW BE LIABLE FOR DAMAGES OF ANY KIND arising
from or relating to use of the software, whether such damages are direct,
indirect, incidental, consequential, exemplary, or any other kind, and
whether arising under contract, tort (including negligence), strict
liability, or otherwise.

3. BindView will not object to your distribution of complete, unmodified
copies of the distribution package of the software as provided by
BindView, PROVIDED that you do not charge a fee other than a reasonable
fee for distribution services. You may charge a fee for any warranty or
support services that you offer to purchasers of copies of the software.

4. You may modify the software and distribute copies of the modified
software, PROVIDED:

(a) that you distribute, together with the executable code of the
modified software:

(1) the source code of the modified software, which must
contain the BindView copyright notice set forth above (in
addition to your own copyright notice if any); and

(2) a copy of the complete, unmodified distribution
package of the software as provided by BindView; and

(b) that you clearly indicate in the source code and in an
accompanying documentation file that the software is based on
BindView's software and was modified by you; and

(c) that you grant users of the modified software the same rights
as are granted to you by this license.

*
*/


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close