Hacking WS FTP.INI
------------------

http://4n4rchy.hypermart.net

by Netherpunk, Anarchist Rampage Inc.

I pretty much stumbled onto this bug by myself. Others have probably found it before me, so I'll let you decide. I actually rewted a few web servers with this thing, so it can be pretty useful if you know what you are looking for.

First, most everything that has password options in Windows gives you the option to save your password, usually by checking a check box labeled "save password". Now, being a Windows expert myself, I could say that Windows or the program will cache this password in some file, very lightly encrypted. Now this is not only stupid, but it is also a security risk if your computer is accessible over any network. Never ever save your passwords anywhere. Memorise them in your head. And also never use the same password for everything.

Now that we know Ws Ftp has the "save password" option, you will want to know where the password is located. You guessed by the title of the text, didn't you? WS_FTP.INI is the file that stores the FTP sessions, both default and user defined, in Ws Ftp. Now when you open WS_FTP.INI, you will find normal default settings. Here is an example of the default session to winsite.com.

[WinSite]
HOST=ftp.winsite.com
UID=anonymous

[Smithsonian Images]
HOST=photo1.si.edu
UID=anonymous
DIR="/images/gif89a/"

Now let us view an example of an FTP session to a sample host with a cached password.

[Primehost]
HOST=sampleftp.host.com
UID=admin
PWD=VE0496D09AC505584A460E9F9B1ABCD9F79A4AB9E9B
PASVMODE=1
TIMEOFFSET=0
LOCDIR=\
rdir0="/"
rdir1="/Backups"
rdir2="/Website"
rdir3="/Website/Common"
ldir0=C:\

Notice the encrypted password? That's what we want to see. Now that you know what you are looking for, where do you get it and what do you do with it? Well, as for finding WS_FTP.INI, that is up to you. Some morons upload every file, including WS_FTP.INI, to their site. You can also try computers in cyber cafes as well.

Now, some might do things the hard way and try to decrypt the password on some *nix platform. There are C scripts that do this for .INI files. But what if you are on Windows? Get Ws Ftp first of all. Then copy the session from the victim's .INI and paste it in your own .INI file. Then open Ws Ftp and connect. That's pretty simple, far too easy for most. Have fun.

This is a big security risk due simply to Ipswitch's lack of effort as far as security is concerned. Ws Ftp, or any FTP program for that matter, can be a big security risk for those who aren't conscious about it. The bottom line is, never save your passwords. Cached password files use weak encryption, and in some cases, like that of WS_FTP.INI, anyone can use the cached FTP session.

Happy Hacking!
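
A defensive check for the exposure described above, as an added example that is not part of the original text: it walks a directory tree you administer (a web root, for instance) and reports every WS_FTP.INI session that carries a saved PWD= entry, without printing the value. The function name, the sample file and its placeholder PWD are constructed for illustration.

```python
import configparser
import os
import tempfile

# Constructed sample in the layout shown above; the PWD value is a placeholder.
SAMPLE_INI = """[WinSite]
HOST=ftp.winsite.com
UID=anonymous

[Primehost]
HOST=sampleftp.host.com
UID=admin
PWD=PLACEHOLDER_NOT_A_REAL_VALUE
PASVMODE=1
ldir0=C:\\
"""

def audit_ws_ftp_ini(root):
    """Walk root; return (path, session, host, uid) for each session with a saved PWD."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "ws_ftp.ini":  # Windows file names are case-insensitive
                continue
            path = os.path.join(dirpath, name)
            # Only "=" is a delimiter, so values such as C:\ are not split on ":".
            parser = configparser.RawConfigParser(
                strict=False, allow_no_value=True, delimiters=("=",))
            try:
                with open(path, encoding="latin-1") as fh:
                    parser.read_file(fh)
            except (OSError, configparser.Error):
                findings.append((path, None, None, None))  # unparsable: review by hand
                continue
            for session in parser.sections():
                # configparser lower-cases option names; the PWD value is never returned.
                if parser.get(session, "pwd", fallback=None):
                    findings.append((path, session,
                                     parser.get(session, "host", fallback=""),
                                     parser.get(session, "uid", fallback="")))
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:  # stand-in for a real web root
        os.makedirs(os.path.join(webroot, "Website", "Common"))
        with open(os.path.join(webroot, "Website", "Common", "WS_FTP.INI"), "w") as fh:
            fh.write(SAMPLE_INI)
        for path, session, host, uid in audit_ws_ftp_ini(webroot):
            print(f"{path}: session [{session}] stores a password for {uid}@{host}")
```

Any session it reports should have its FTP password changed, and the file should be removed from anywhere a web server or shared machine can serve it.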