Hacker's Door's weak network transmission encryption [allyesno]


Author: allyesno

Team: freexploit

Date: 2005-06-11

Site: http://blog.csdn.net/freexploit

Hacker's Door is without doubt a very good backdoor, so I have watched and studied it carefully from the start. One day a kid who had been hassling me quite respectfully handed over the Hacker's Door XX tool (not a bad guy, haha), and that is what got me interested in Hacker's Door's encryption.

Hacker's Door has a fatal weakness in its local encryption: a password reader for the locally encrypted file already exists, and you can use it here. As for remote transmission, when the password is sent with NC it travels as a plaintext string, so it is easy to capture; a sniffer will pick it up just as well.

Because of this, many people modify the Hacker's Door server for safety, so that the password reader no longer works, and use the self-built client hdclient.exe for remote access. When we sniff that connection, what we see is not a plaintext password but a string of garbled characters.

So is it safe to modify the server and connect with hdclient.exe? Below I analyse hdclient by sniffing its traffic.

First, write a simple bat script for sniffing. I use NC as the sniffer here: NC can open a port and then capture whatever arrives on it. Anything else works just as well, whatever you like. The code is not pasted here; download it from the attachment below.

Run ncforever - Look

After running this script locally to listen on 127.0.0.1 port 80, we try a few arbitrary passwords against it.

Usage: hdclient destip [port] [-P Password] [-T logintype]

A: hdclient 127.0.0.1 80 -P 111 (sends password 111)
B: hdclient 127.0.0.1 80 -p 222 (sends password 222)
C: hdclient 127.0.0.1 80 -P 333 (sends password 333)

The intercepted data, respectively:

A: [| r/KS <pH >>> + R. V2? Wnxxxh @ MO-vD4peee
B: [| r/KS <phvvv + R. V2? Wnfffh @ MO-vD4pqqq
C: [| r/KS <phggg + R. V2? Wn333h @ MO-vD4pggg

It is almost too obvious once you look carefully: three segments of the data never change:

1. [| r/KS <pH
2. + R. V2? Wn
3. h @ MO-vD4p

and the variable strings between them are:

A: >>> xxx eee
B: vvv fff qqq
C: ggg 333 ggg

Our bold guess is that these variable strings are the encrypted password, and from their shape the password is encrypted with a fixed method. If the guess is right, then

1 corresponds to > x e
2 corresponds to v f q
3 corresponds to g 3 g

Now test with a mixed password:

hdclient 127.0.0.1 80 -P 123

The interception is:

[| r/KS <pH >vg + R. V2? Wnxf3h @ MO-vD4peqg

Stripping out the fixed strings leaves:

>vg xf3 eqg
123 123 123

which proves that our guess is correct.

Next, how to obtain the encryption algorithm. There are two possibilities:

1. a known encryption algorithm is used; 2. a password table (a fixed lookup dictionary) is used. I lean towards the second, so let's first extract a simple password table.

Using ncforever to sniff again, the password comparison table obtained (ASCII) is as follows:

Digits (rounds 1 to 3)

Plaintext:  0123456789 0123456789 0123456789

Ciphertext: '>vg:eb9~% dxf3#ym%Zo peqg*t7oc{

Letters (lower case, then upper case; one row per round)

Plaintext1:  abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ

Ciphertext1: sm0plq3) u = v17n {wtr28if4e, z aj [rygsn <YJ/| pkikmch ^-(WTC

Plaintext2:  abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ

Ciphertext2: C7 'I/tgli]-> 9n & 48mv ~ <Q: lfz S = rts2p ?, Y. + wvuj | [) B! U (h0

Plaintext3:  abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ

Ciphertext3: [9du. 831 <6! X % na :~ | FZ? T #/gz c] hmh2vwdf, o @ 4-iy + ljq ^ U )'

Symbols (one character stands in for the space)

Plaintext:  `~! @ # $ % ^ & * ()-_ = + \| [{]};: '", <.> /?

Ciphertext: $ ZQ} * 5oba; Ul! '] @/+ & 6_x # D "F? Ox. d

These tables puzzled me at first. Let's look at the binary in w32dasm. In its string references we find this: "HQ"*5oadul;@F!O.'>VG:eb9", where >VG corresponds to the 123 of the password table above. OK, so a bold guess: hdclient really does store a password table that maps onto the plaintext.

But "HQ"*5oadul;@F!O.'>VG:eb9" ends at 9, and 9 is the character for plaintext 7, which obviously makes no sense as an end point. Open UE and search for strings such as eb9.

Well, there it all is. w32dasm's string references do not display the string completely; in UE it is very clear:

HQ "* 5 oadul; @ F! O. '> VG: eb9 ~ % # X?] XD} AJ [rygsn <YJ/| pkikmch ^-(WTC/6b '$ sm0plq3) u = v17n {wtr28if4e, Z & + _ z

Do you know why it is in this order? Open an ASCII table and compare: exactly the same :)

That is, the password encryption maps the ASCII values 32-126 (decimal), in order, onto this string and uses the most basic substitution cipher: each password character is replaced one-to-one by the corresponding character of the string, with the order unchanged (a simple encryption method).

Only ASCII (DEC) 32-126 are transmitted encrypted; everything else goes as plaintext. For example, when I sent the Chinese characters for "I love you" as the password, the intercepted data contained exactly those characters (Unicode is not encrypted).

Plaintext:  ! "# $ % & '() * +,-.:; <=>? @ [\] ^ _ `{| }~

Ciphertext: HQ "* 5 oadul; @ F! O # X?] XD}/6b '$ & + _ z

From the sniffer we know that the password 111 is encrypted into [| r/KS <pH >>> + R. V2? Wnxxxh @ MO-vD4peee, so 111 appears in three forms: >>>, xxx and eee. The plaintext dictionary in hdclient only accounts for the first; the other two do not appear in it explicitly.

Although xxx and eee have no corresponding entry, I guess they are also derived from 1. Comparing the password table before and after, xxx is the password 1 encrypted once, with the resulting cipher value then encrypted again as if it were the password; eee is that result encrypted once more.

Process:

1 -> x:

1 encrypts to >, > encrypts to x

1 -> e:

1 encrypts to >, > encrypts to x, x encrypts to e.

So after some simple analysis, this pile of garbled text is really no different from plaintext: it is a fixed encryption.

There are two ways to send a password to Hacker's Door over the network:

hdclient.exe 127.0.0.1 80 -P [password] supports passwords of at most 23 characters.

hdclient.exe 127.0.0.1 80 -P then Enter, typing the password at the prompt: at most 22 characters.

The server side only supports 31-character password encryption, so there is no point in making your password longer than 22/23 characters.

Seven logon types are available:

Usage: hdclient destip [port] [-P Password] [-T logintype]

-T logon type

-T 0 NC logon mode

-T 1 Hacker's Door dedicated logon mode

-T 2 to 6: these parameters are not documented. Our guess is that they exist to stop a firewall or IDS from detecting fixed strings; we decrypt them below.

Sniffing the logon string of each type with ncforever gives:

Type  String

0  p [/KS <pH (the H is a space; in UE it shows as ., hexadecimal 00)

1  [| r/KS <pH (the default transmission mode)

2  Smain-<Y (/KS <pH

3  Smain [hm/KS <pH

4  G </yhmapc/KS <pH

5  H

6  h

Decrypting these garbled strings with the password comparison table above gives:

0  nclogin (NC logon mode)

1  login (CMD logon mode)

2  graphviewlogin (graph view logon mode)

3  graphctrlogin (not sure what word this is)

4  filetranslogin (file transfer logon mode)

5  (meaningless)

6  (meaningless)

Now we know that these garbled characters are the encrypted logon control strings.

The full ASCII password table:

Ciphertext: HQ "* 5 oadul; @ F! O. '> VG: eb9 ~ % # X?] XD} AJ [rygsn <YJ/| pkikmch ^-(WTC/6b '$ sm0plq3) u = v17n {wtr28if4e, Z & + _ z
Plaintext:  ! "# $ % & '() * +,-./0123456789:; <=>? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [\] ^ _ `abcdefghijklmnopqrstuvwxyz {| }~

When we capture Hacker's Door's encrypted string on the network with a sniffer, we can crack it with this password table.

When hdclient sends a password it encrypts it three times and concatenates the results, so to decrypt the password you only need to take the first encrypted segment.

The general format of the encrypted string is as follows, taking the string 10 as the password:

Type 0: P [/KS <pH> 'P [/KS <pH> 'P [/KS <pH> ' (the P [/KS <pH segments are the fixed encrypted logon strings)

Type 1: [| R/KS <pH> '+ R. V2? Wnxdh @ MO-vD4pep ([| r/KS <pH with its space, + R. V2? Wn and @ MO-vD4p are the fixed encrypted strings)

Type 2: Smain-<Y (/KS <pH> '2 | sup !? Tu. V2? Wnxdv + ciwqdh ^ O-vD4pep (Smain-<Y (/KS <pH, 2 | sup !? Tu. V2? Wn and V + ciwqdh ^ O-vD4p are the fixed encrypted strings)

Type 3: Smain [hm/KS <pH> '2 | sup) |. V2? Wnxdv + ciwhl + O-vD4pep (Smain [hm/KS <pH, 2 | sup) |. V2? Wn and V + ciwhl + O-vD4p are the fixed encrypted strings)

Type 4: G </yhmapc/KS <pH>'s ?. T) | SW [. V2? Wnxd2dohl + C4 O-vD4pep (G </yhmapc/KS <pH, s ?. T) | SW [. V2? Wn and 2 dohl + C4 O-vD4p are the fixed encrypted strings)

Type 5: H> 'nsdpep (H, n and p are the fixed encrypted strings)

Extract the encrypted segment and decrypt it against the password table. A simple decryption program is provided in the attachment for download.
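To make the analysis above reproducible, here is an added example (my own code, not the author's BAT tools or anything shipped with Hacker's Door) that models the scheme: a substitution table over ASCII 32-126, the triple-encrypted frame, the differential comparison used to spot the fixed segments, and a decoder that inverts only the first segment and rejects frames whose three segments do not form the 1 -> > -> x -> e style chain. The table is a constructed stand-in, because the real 95-character string cannot be recovered from this page's rendering, and the three tag strings are placeholders copied from the type-1 capture.

```python
# ASCII 32..126: the range the post says is substituted; anything else passes through.
PLAIN = ''.join(chr(c) for c in range(32, 127))
# CONSTRUCTED stand-in table: a bijection on the 95 printable characters
# (37 is coprime to 95). This is NOT the table dumped from hdclient.
CIPHER = ''.join(PLAIN[(i * 37 + 11) % 95] for i in range(95))
ENC = dict(zip(PLAIN, CIPHER))
DEC = dict(zip(CIPHER, PLAIN))
# Placeholders for the three fixed segments seen in the type-1 captures above.
TAGS = ("[|r/KS<pH", "+R.V2?Wn", "h@MO-vD4p")


def substitute(text, table=ENC):
    """One substitution round; characters outside 32..126 (e.g. CJK) are untouched."""
    return ''.join(table.get(ch, ch) for ch in text)


def build_frame(password):
    """Wire layout inferred in the post: tag1 E(pw) tag2 E(E(pw)) tag3 E(E(E(pw)))."""
    rounds = [password]
    for _ in range(3):
        rounds.append(substitute(rounds[-1]))
    return ''.join(tag + seg for tag, seg in zip(TAGS, rounds[1:]))


def fixed_positions(captures):
    """The differential step: keep a character where every capture agrees, '?' elsewhere."""
    width = min(len(c) for c in captures)
    return ''.join(ch if all(c[i] == ch for c in captures) else '?'
                   for i, ch in enumerate(captures[0][:width]))


def decode_frame(frame):
    """Split on the known tags, check the chain E(v1)==v2 and E(v2)==v3, and invert
    only the first segment. Returns None when the frame is not hdclient-shaped."""
    if not frame.startswith(TAGS[0]):
        return None
    v1, found2, rest = frame[len(TAGS[0]):].partition(TAGS[1])
    v2, found3, v3 = rest.partition(TAGS[2])
    if not (found2 and found3) or substitute(v1) != v2 or substitute(v2) != v3:
        return None
    return substitute(v1, DEC)


if __name__ == "__main__":
    probes = [build_frame(p) for p in ("111", "222", "333")]   # constructed captures
    print(fixed_positions(probes))           # the tags survive, password slots become ???
    print(decode_frame(build_frame("123")))  # recovers 123 from the first segment only
```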

Analysis postscript:

Analysing the encryption took 2 days; writing the decryption program in BAT took two weeks! (far too long)

Attachment download

Attachment: Hacker's Door weak network transmission encryption.rar
