help me make sense of this

[phonebooth]

I have to use this special web browser that locks down my entire computer when I work on stuff for my online classes and its really annoying, I have realized that the only reason I has to be use is because there is a password built into the browser that the website requests and you cant continue with out it. Any ideas on finding it?

I tried to capture packets (from another computer you cant run password sniffers or packet capturing software with the browser running, there is a list of at least 30 page's long of things that cant be running including paint). I also tried cain but it only captures my password and not the second automatic password.

Anyways here is a cookie that was captured by ethereal

Cookie:lol=username%3Dheck.no%26password%3DtCr2DZDAbqWZo

%26expiry%3D1175033745

%26hash%3D52770e1a5f700cd6f020f815217c4dc9....

proctor=0d9ad48b34cd08911339.

I'm hoping that the 3DtCr2DZDAbqWZo or the D52770e1a5f700cd6f020f815217c4dc9 is a password hash, which would make 0d9ad48b34cd08911339 the hash of the automatic password. Or am I completely wrong and those are just session Id's or something else. If they are hashes does anyone recognize the hash?

[remkow]

the 3DtCr2DZDAbqWZo hash should be read as tCr2DZDAbqWZo. This is because %3D is the hex value for the =

this also means that D52770e1a5f700cd6f020f815217c4dc9 should be read as 52770e1a5f700cd6f020f815217c4dc9

52770e1a5f700cd6f020f815217c4dc9 is a normal MD5 hash, crack it to see the value.

tCr2DZDAbqWZo probably is a DES hash, but I'm not 100% sure about it, just a quick guess.

[cooper]

I doubt that password is anything but the actual password, _maybe_ ROT13d or BASE64 encoded or something. After all, if you transmit a hash (as opposed to transmit the original, and let the server compute the hash for it and then compare it against the stored hash), the hash becomes the only thing an attacker needs. It effectively becomes the password.

[Sparda]

Have you tried replicating the browsers user agent? It could be that simple.

[daedalus]

What is the browser called?

daedalus

[phonebooth]

Changing the user agent doesn't work, First thing I tried plus and the user agent is the Firefox user agent. I only know its a password because a password box comes up I click no because I was not supplied a password and then the default password is put in the box. I have tried cracking 52770e1a5f700cd6f020f815217c4dc9 at a couple sites and they all came up with nothing. The browser is respondus lockdown browser.

Anyways if 52770e1a5f700cd6f020f815217c4dc9 is a password hash then I'm guessing its for my password and I know what that is.

[Sparda]

Have you looked at the programs executable as ASCII? Things like that are sometimes stored as ASCII in the program.

[Shaun]

Can you get a copy of the program to post here?

[Shaun]

I doubt that password is anything but the actual password, _maybe_ ROT13d or BASE64 encoded or something. After all, if you transmit a hash (as opposed to transmit the original, and let the server compute the hash for it and then compare it against the stored hash), the hash becomes the only thing an attacker needs. It effectively becomes the password.

It doesn't seem to be Rot13 and it's has the wrong number of characters to be Base64 (unless it's padded by the server before decoding)

[Sparda]

Perhaps the easier solution is to just run the thing in a VM. Then you have both limited and unlimited access at the same time. Plus sniffing the traffic from a VM is much easier then having to use an external device.

[remkow]

It doesn't seem to be Rot13 and it's has the wrong number of characters to be Base64 (unless it's padded by the server before decoding)

Like I said, it probably is DES

and if you know the password in plaintext, try hashing it to MD5 and to DES, so you can see if the hash is of your password, or from something else.

[Shaun]

Well, it could be DES, since that's the cipher most often encoded like that (at least by crypt), although it could be Triple DES as well (which would make more sense considering how insecure DES is).

[moonlit]

[OT]I gotta say I actually lol'd when I read Horza's sig:

There are 01 types of people in the world, those who understand little-endian bit order and those who don't.

:D[/OT]

[remkow]

Took me a few seconds to crack with john the ripper.

C:Toolsjohn>john-mmx pass.txt

Loaded 1 password hash (Traditional DES [64/64 BS MMX])

112688           (phonebooth)

guesses: 1  time: 0:00:00:12 (3)  c/s: 285148  trying: 11289c - 112659

tCr2DZDAbqWZo = 112688

[Shaun]

Oh, well obviously whoever wrote that software doesn't care about security - why would anyone use standard DES anymore? Heh.

[Shaun]

[OT]I gotta say I actually lol'd when I read Horza's sig:

There are 01 types of people in the world, those who understand little-endian bit order and those who don't.

:D[/OT]

:) Thank you, I thought of it myself as well, unlike the people who use the old 10 types.

[phonebooth]

Thanks but I know that but I Know what my password is and tCr2DZDAbqWZo is the hash for my password. I'm trying to figure out if 0d9ad48b34cd08911339 is a hash and if it is what is the password.

As for the virtual machine, I never thought of that and I'm currently installing windows in A VM, hopefully that solves my problems and then I wont need the password.

[Shaun]

Wait, I just reread your first post, you actually have a copy of this browser at home? Have you tried opening it in a disassembler to see what it's doing?

Edit: Also have you checked to see if that string is always the same? If it changes it probably isn't a hash of the password.

[phonebooth]

-1 for me +1 for respondus.

I just I got my VM working all nice and Installed the browser and I get a nice little error message Respondus LockDown Browser can't be used in virtural machine software such as, virtual PC, VMWare and parallels.

Seeing if the string is the same I will have to wait for my next assignment next week unless I finish this weeks stuff early and move on depends on how motivated I am.

As for the disassembler I have not tried that, I don't even have a disassembler can some one give me some names.

[remkow]

I'm trying to figure out if 0d9ad48b34cd08911339 is a hash.

Well obviously it's a MD5 hash.. maybe use some rainbow tables on it

[Shaun]

It's a hash of something, but not necessarily the password. If it does always stay the same then he doesn't even need to know what it is, he just needs to mimic whatever the browser does.

[Shaun]

As for the disassembler I have not tried that, I don't even have a disassembler can some one give me some names.

I like OllyDbg (technically a debugger with a disassembler). Some software has protection against reverse engineering though, and if you don't know anything about assembly then you probably won't get much out of looking at it in a disassembler (that's why I asked if you could put a copy up for us to look at, I wasn't sure if you'd be able to do anything yourself).

[remkow]

yea, providing us with the app would really help..

ps. horza, what is it with you and double posts?? 3 double posts in one topic lol

[phonebooth]

Here it is Have fun, Browser

[Shaun]

yea, providing us with the app would really help..

ps. horza, what is it with you and double posts?? 3 double posts in one topic lol

I like to respond to each post in an individual post.