Jump to content

help me make sense of this


phonebooth
 Share

Recommended Posts

I have to use this special web browser that locks down my entire computer when I work on stuff for my online classes and its really annoying, I have realized that the only reason I has to be use is because there is a password built into the browser that the website requests and you cant continue with out it. Any ideas on finding it?

I tried to capture packets (from another computer you cant run password sniffers or packet capturing software with the browser running, there is a list of at least 30 page's long of things that cant be running including paint). I also tried cain but it only captures my password and not the second automatic password.

Anyways here is a cookie that was captured by ethereal

Cookie:lol=username%3Dheck.no%26password%3DtCr2DZDAbqWZo

%26expiry%3D1175033745

%26hash%3D52770e1a5f700cd6f020f815217c4dc9....

proctor=0d9ad48b34cd08911339.

I'm hoping that the 3DtCr2DZDAbqWZo or the D52770e1a5f700cd6f020f815217c4dc9 is a password hash, which would make 0d9ad48b34cd08911339 the hash of the automatic password. Or am I completely wrong and those are just session Id's or something else. If they are hashes does anyone recognize the hash?

Link to comment
Share on other sites

  • Replies 97
  • Created
  • Last Reply

Top Posters In This Topic

the 3DtCr2DZDAbqWZo hash should be read as tCr2DZDAbqWZo. This is because %3D is the hex value for the =

this also means that D52770e1a5f700cd6f020f815217c4dc9 should be read as 52770e1a5f700cd6f020f815217c4dc9

52770e1a5f700cd6f020f815217c4dc9 is a normal MD5 hash, crack it to see the value.

tCr2DZDAbqWZo probably is a DES hash, but I'm not 100% sure about it, just a quick guess.

Link to comment
Share on other sites

I doubt that password is anything but the actual password, _maybe_ ROT13d or BASE64 encoded or something. After all, if you transmit a hash (as opposed to transmit the original, and let the server compute the hash for it and then compare it against the stored hash), the hash becomes the only thing an attacker needs. It effectively becomes the password.

Link to comment
Share on other sites

Changing the user agent doesn't work, First thing I tried plus and the user agent is the Firefox user agent. I only know its a password because a password box comes up I click no because I was not supplied a password and then the default password is put in the box. I have tried cracking 52770e1a5f700cd6f020f815217c4dc9 at a couple sites and they all came up with nothing. The browser is respondus lockdown browser.

Anyways if 52770e1a5f700cd6f020f815217c4dc9 is a password hash then I'm guessing its for my password and I know what that is.

Link to comment
Share on other sites

I doubt that password is anything but the actual password, _maybe_ ROT13d or BASE64 encoded or something. After all, if you transmit a hash (as opposed to transmit the original, and let the server compute the hash for it and then compare it against the stored hash), the hash becomes the only thing an attacker needs. It effectively becomes the password.

It doesn't seem to be Rot13 and it's has the wrong number of characters to be Base64 (unless it's padded by the server before decoding)

Link to comment
Share on other sites

It doesn't seem to be Rot13 and it's has the wrong number of characters to be Base64 (unless it's padded by the server before decoding)

Like I said, it probably is DES

and if you know the password in plaintext, try hashing it to MD5 and to DES, so you can see if the hash is of your password, or from something else.

Link to comment
Share on other sites

Took me a few seconds to crack with john the ripper.

C:Toolsjohn>john-mmx pass.txt

Loaded 1 password hash (Traditional DES [64/64 BS MMX])

112688           (phonebooth)

guesses: 1  time: 0:00:00:12 (3)  c/s: 285148  trying: 11289c - 112659

tCr2DZDAbqWZo = 112688

Link to comment
Share on other sites

[OT]I gotta say I actually lol'd when I read Horza's sig:
There are 01 types of people in the world, those who understand little-endian bit order and those who don't.

:D[/OT]

:) Thank you, I thought of it myself as well, unlike the people who use the old 10 types.

Link to comment
Share on other sites

Thanks but I know that but I Know what my password is and tCr2DZDAbqWZo is the hash for my password. I'm trying to figure out if 0d9ad48b34cd08911339 is a hash and if it is what is the password.

As for the virtual machine, I never thought of that and I'm currently installing windows in A VM, hopefully that solves my problems and then I wont need the password.

Link to comment
Share on other sites

Wait, I just reread your first post, you actually have a copy of this browser at home? Have you tried opening it in a disassembler to see what it's doing?

Edit: Also have you checked to see if that string is always the same? If it changes it probably isn't a hash of the password.

Link to comment
Share on other sites

-1 for me +1 for respondus.

I just I got my VM working all nice and Installed the browser and I get a nice little error message Respondus LockDown Browser can't be used in virtural machine software such as, virtual PC, VMWare and parallels.

Seeing if the string is the same I will have to wait for my next assignment next week unless I finish this weeks stuff early and move on depends on how motivated I am.

As for the disassembler I have not tried that, I don't even have a disassembler can some one give me some names.

Link to comment
Share on other sites

As for the disassembler I have not tried that, I don't even have a disassembler can some one give me some names.

I like OllyDbg (technically a debugger with a disassembler). Some software has protection against reverse engineering though, and if you don't know anything about assembly then you probably won't get much out of looking at it in a disassembler (that's why I asked if you could put a copy up for us to look at, I wasn't sure if you'd be able to do anything yourself).

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...