phonebooth (Author), posted March 27, 2007:

I have to use this special web browser that locks down my entire computer when I work on stuff for my online classes and it's really annoying. I have realized that the only reason it has to be used is because there is a password built into the browser that the website requests, and you can't continue without it. Any ideas on finding it? I tried to capture packets (from another computer; you can't run password sniffers or packet capturing software with the browser running, there is a list at least 30 pages long of things that can't be running, including Paint). I also tried Cain, but it only captures my password and not the second automatic password. Anyway, here is a cookie that was captured by Ethereal:

    Cookie:lol=username%3Dheck.no%26password%3DtCr2DZDAbqWZo %26expiry%3D1175033745 %26hash%3D52770e1a5f700cd6f020f815217c4dc9.... proctor=0d9ad48b34cd08911339

I'm hoping that the 3DtCr2DZDAbqWZo or the D52770e1a5f700cd6f020f815217c4dc9 is a password hash, which would make 0d9ad48b34cd08911339 the hash of the automatic password. Or am I completely wrong and those are just session IDs or something else? If they are hashes, does anyone recognize the hash?

remkow, posted March 27, 2007:

The 3DtCr2DZDAbqWZo hash should be read as tCr2DZDAbqWZo. This is because %3D is the hex value for the =. This also means that D52770e1a5f700cd6f020f815217c4dc9 should be read as 52770e1a5f700cd6f020f815217c4dc9.

52770e1a5f700cd6f020f815217c4dc9 is a normal MD5 hash; crack it to see the value. tCr2DZDAbqWZo probably is a DES hash, but I'm not 100% sure about it, just a quick guess.

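Added example, not part of the original thread or of any poster's reply: the URL-decoding step described above (%3D is `=`, %26 is `&`) applied to the whole captured header, with each field then sorted by format only. The cookie string is reconstructed from the values quoted in the first post with whitespace removed; the `; ` separator and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed from the values quoted in the first post (whitespace removed);
# the "; " between the two cookies is an assumption.
SAMPLE_COOKIE = (
    "lol=username%3Dheck.no%26password%3DtCr2DZDAbqWZo"
    "%26expiry%3D1175033745%26hash%3D52770e1a5f700cd6f020f815217c4dc9; "
    "proctor=0d9ad48b34cd08911339"
)

HEX = re.compile(r"[0-9a-fA-F]+")
CRYPT_DES = re.compile(r"[./0-9A-Za-z]{13}")  # 2-char salt + 11-char hash
DIGEST_SIZES = {32: "MD5-sized", 40: "SHA-1-sized", 64: "SHA-256-sized"}


def parse_cookie(header):
    """Split a Cookie header, URL-decode each value, and unpack any
    key=value&key=value string nested inside a decoded value."""
    fields = {}
    for part in filter(None, map(str.strip, header.split(";"))):
        name, _, raw = part.partition("=")
        decoded = unquote(raw)  # %3D -> "=", %26 -> "&"
        if "=" in decoded:
            for pair in decoded.split("&"):
                key, _, value = pair.partition("=")
                fields[f"{name}.{key}"] = value
        else:
            fields[name] = decoded
    return fields


def classify(value):
    """Describe a value by format only; length and alphabet cannot prove
    which algorithm, if any, produced it."""
    if value.isdigit():
        return "decimal number"
    if HEX.fullmatch(value):
        size = DIGEST_SIZES.get(len(value), "no common digest size")
        return f"hex, {len(value) * 4} bits, {size}"
    if CRYPT_DES.fullmatch(value):
        return "traditional crypt(3) DES format"
    return "unclassified"


def audit(header):
    """Map every decoded cookie field to its format description."""
    return {k: classify(v) for k, v in parse_cookie(header).items()}


if __name__ == "__main__":
    for name, kind in audit(SAMPLE_COOKIE).items():
        print(f"{name:14} {kind}")
```

A 20-character hex value is 80 bits, shorter than the 32 or 40 hex characters of an MD5 or SHA-1 digest, so format alone does not identify the `proctor` value.
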
cooper, posted March 27, 2007:

I doubt that password is anything but the actual password, _maybe_ ROT13d or BASE64 encoded or something. After all, if you transmit a hash (as opposed to transmitting the original and letting the server compute the hash for it and then compare it against the stored hash), the hash becomes the only thing an attacker needs. It effectively becomes the password.

Sparda, posted March 27, 2007:

Have you tried replicating the browser's user agent? It could be that simple.

daedalus, posted March 27, 2007:

What is the browser called?

daedalus

phonebooth (Author), posted March 27, 2007:

Changing the user agent doesn't work. First thing I tried, plus the user agent is the Firefox user agent. I only know it's a password because a password box comes up; I click no because I was not supplied a password, and then the default password is put in the box. I have tried cracking 52770e1a5f700cd6f020f815217c4dc9 at a couple of sites and they all came up with nothing. The browser is Respondus LockDown Browser. Anyway, if 52770e1a5f700cd6f020f815217c4dc9 is a password hash then I'm guessing it's for my password, and I know what that is.

Sparda, posted March 28, 2007:

Have you looked at the program's executable as ASCII? Things like that are sometimes stored as ASCII in the program.

Shaun, posted March 28, 2007:

Can you get a copy of the program to post here?

Shaun, posted March 28, 2007:

> I doubt that password is anything but the actual password, _maybe_ ROT13d or BASE64 encoded or something. After all, if you transmit a hash (as opposed to transmitting the original and letting the server compute the hash for it and then compare it against the stored hash), the hash becomes the only thing an attacker needs. It effectively becomes the password.

It doesn't seem to be Rot13 and it has the wrong number of characters to be Base64 (unless it's padded by the server before decoding).

Sparda, posted March 28, 2007:

Perhaps the easier solution is to just run the thing in a VM. Then you have both limited and unlimited access at the same time. Plus, sniffing the traffic from a VM is much easier than having to use an external device.

remkow, posted March 28, 2007:

> It doesn't seem to be Rot13 and it has the wrong number of characters to be Base64 (unless it's padded by the server before decoding).

Like I said, it probably is DES, and if you know the password in plaintext, try hashing it to MD5 and to DES, so you can see if the hash is of your password or of something else.

Shaun, posted March 28, 2007:

Well, it could be DES, since that's the cipher most often encoded like that (at least by crypt), although it could be Triple DES as well (which would make more sense considering how insecure DES is).

moonlit, posted March 28, 2007:

[OT] I gotta say I actually lol'd when I read Horza's sig:

> There are 01 types of people in the world, those who understand little-endian bit order and those who don't.

:D [/OT]

remkow, posted March 28, 2007:

Took me a few seconds to crack with John the Ripper.

    C:\Tools\john>john-mmx pass.txt
    Loaded 1 password hash (Traditional DES [64/64 BS MMX])
    112688          (phonebooth)
    guesses: 1  time: 0:00:00:12 (3)  c/s: 285148  trying: 11289c - 112659

tCr2DZDAbqWZo = 112688

Shaun, posted March 28, 2007:

Oh, well obviously whoever wrote that software doesn't care about security - why would anyone use standard DES anymore? Heh.

Shaun, posted March 28, 2007:

> [OT] I gotta say I actually lol'd when I read Horza's sig: There are 01 types of people in the world, those who understand little-endian bit order and those who don't. :D [/OT]

:) Thank you, I thought of it myself as well, unlike the people who use the old 10 types.

phonebooth (Author), posted March 28, 2007:

Thanks, but I know that; I know what my password is, and tCr2DZDAbqWZo is the hash for my password. I'm trying to figure out if 0d9ad48b34cd08911339 is a hash and, if it is, what the password is. As for the virtual machine, I never thought of that and I'm currently installing Windows in a VM. Hopefully that solves my problems and then I won't need the password.

Shaun, posted March 28, 2007:

Wait, I just reread your first post, you actually have a copy of this browser at home? Have you tried opening it in a disassembler to see what it's doing?

Edit: Also, have you checked to see if that string is always the same? If it changes it probably isn't a hash of the password.

phonebooth (Author), posted March 28, 2007:

-1 for me, +1 for Respondus. I just got my VM working all nice and installed the browser, and I get a nice little error message:

    Respondus LockDown Browser can't be used in virtural machine software such as, virtual PC, VMWare and parallels.

To see if the string is the same I will have to wait for my next assignment next week, unless I finish this week's stuff early and move on; it depends on how motivated I am. As for the disassembler, I have not tried that. I don't even have a disassembler; can someone give me some names?

remkow, posted March 28, 2007:

> I'm trying to figure out if 0d9ad48b34cd08911339 is a hash.

Well, obviously it's an MD5 hash... maybe use some rainbow tables on it.

Shaun, posted March 28, 2007:

It's a hash of something, but not necessarily the password. If it does always stay the same then he doesn't even need to know what it is, he just needs to mimic whatever the browser does.

Shaun, posted March 28, 2007:

> As for the disassembler, I have not tried that. I don't even have a disassembler; can someone give me some names?

I like OllyDbg (technically a debugger with a disassembler). Some software has protection against reverse engineering though, and if you don't know anything about assembly then you probably won't get much out of looking at it in a disassembler (that's why I asked if you could put a copy up for us to look at; I wasn't sure if you'd be able to do anything yourself).

remkow, posted March 28, 2007:

Yeah, providing us with the app would really help.

P.S. horza, what is it with you and double posts?? 3 double posts in one topic lol

phonebooth (Author), posted March 28, 2007:

Here it is. Have fun, Browser

Shaun, posted March 28, 2007:

> Yeah, providing us with the app would really help. P.S. horza, what is it with you and double posts?? 3 double posts in one topic lol

I like to respond to each post in an individual post.