Sender: Flashsky (Flash), Board: Network Security Essence
Title: Thoughts on cracking the VSS password algorithm
Posted from: security focus (2002-09-20 19:41:07)
Today a colleague came to me saying that the VSS Admin password had been forgotten and the project group's source code could no longer be managed. I disassembled the VSS program and, God, the VSS authentication process is really primitive. Of course, the password can only be changed by someone with local administrator privileges, and VSS itself works over file shares, so its security is very poor; still, if you do not know the password, getting at its files is rather troublesome, and if you do know it, things are much easier. So I wrote up this post. Actually the focus of this article is not how to get the VSS password but the idea behind cracking the algorithm.

The VSS password check works like this: the password hash is read from the UM.DAT file in the Data directory, and that file is readable by anyone who can reach the VSS share; generally this directory is shared with fairly low restrictions. The VSS "encrypted" password is in fact a two-byte hash, stored in the following format (runs of all-zero rows omitted):

    55 55 FF D2 41 64 6D 69-6E 00 00 00 00 00 00 00   UU..Admin.......
    ...
    00 00 00 00 1A 69 ..    (this row is garbled in the original post; the hash bytes are 1A 69)
    00 00 00 00 00 00 00 00-00 00 00 00 38 00 00 00   ............8...

    55 55 90 80 47 75 65 73-74 00 00 00 00 00 00 00   UU..Guest.......
    00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00 00 00 00 55 69 00 00-3C 02 00 00 00 00 00 00   ....Ui..<.......
    00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................

Here 1A 69 is Admin's hash and 55 69 is Guest's. Tracing the VSS algorithm gives the following encryption routine; before encryption the password string is converted to uppercase.

    #include <stdio.h>
    #include <string.h>
    typedef unsigned short WORD;

    /* Hash a password of at most 15 characters. The caller has already
       converted it to uppercase; enpasswd is unused in the original. */
    void envsspasswd(char *passwd, char *enpasswd, int len)
    {
        const char incstr[] = "briandavidharry";   /* padding constant */
        char passwd1[200];
        int i;
        WORD a;
        WORD b;
        (void)enpasswd;
        if (len > 15)
            return;
        memcpy(passwd1, passwd, len);
        memcpy(passwd1 + len, incstr, 15 - len);  /* pad to 15 bytes */
        passwd1[15] = 0;
        len = 15;
        b = 0;
        a = 0;
        for (i = 0; i < len; i++)
        {
            a = passwd1[i];
            a = a ^ 0x96;
            a = a * (i + 1);     /* weight each byte by its position */
            b += a;
        }
        printf("%02x", b);       /* b is the two-byte hash */
    }
OK, frankly, cracking the VSS password is hardly worth the effort, but as an exercise in thinking: you can see that the hash is only 2 bytes long, so there are certainly a great many passwords with the same hash. There is no need to find the real password, only one with the same hash. Pure brute force would be rather ineffective, though, because with the algorithm above, passwords of the same length produce hashes that lie close together while passwords of different lengths differ widely, so if you do not know the length of the password, exhaustive search will not perform well. How, then, to determine the password length? From the encryption algorithm above we know the rules its hash obeys, and the implementation below uses them to first work out the number of characters in the password and then exhaust only within that length, which makes the search very fast:

The key point is this statement:

    d = a - b;
    if ((d / num) > 154 && (d / num) < 250)

Here d is the part of the hash that the password characters themselves must account for (the hash minus the padding's contribution) and num is the sum of the position weights 1 + 2 + ... + i, so d / num is the average of the (x ^ 0x96) values over the password's characters. Because any character XORed with 0x96 (whose high bit is set) is certainly greater than 128, and for the possible password characters '0' to 'Z' the smallest value generated should be greater than 154, this lets us judge whether a password of this length can exist at all.
    #include <stdio.h>
    #include <string.h>
    #ifdef _WIN32
    #include <windows.h>            /* WORD and Sleep() */
    #else
    typedef unsigned short WORD;
    #define Sleep(ms) ((void)0)     /* the original is Windows code; no-op elsewhere */
    #endif

    /* Value of one hex digit; this helper was not shown in the original post. */
    static int hextoint(char h)
    {
        if (h >= '0' && h <= '9') return h - '0';
        if (h >= 'a' && h <= 'f') return h - 'a' + 10;
        if (h >= 'A' && h <= 'F') return h - 'A' + 10;
        return 0;
    }

    /* enp holds the 4 hex digits as they appear in UM.DAT (low byte first,
       e.g. "1A69"); dnp receives a password with the same hash.
       Returns the length found, 0 for an empty password or no result. */
    int devsspasswd(char enp[4], char *dnp)
    {
        const char incstr[] = "briandavidharry";
        int i, j, k;
        long c1, c2, c4;
        int c3;
        WORD a, b, c, d, e;
        int num;

        a = hextoint(enp[2]) * 16 * 16 * 16 + hextoint(enp[3]) * 16 * 16
          + hextoint(enp[0]) * 16 + hextoint(enp[1]);
        c3 = 'z' - '0' + 1;                  /* size of the character range tried */
        for (i = 0; i < 15; i++)             /* i = candidate password length */
        {
            dnp[i] = 0;
            b = 0;
            for (j = 0; j < 15 - i; j++)     /* contribution of the padding bytes */
            {
                c = incstr[j];
                c = c ^ 0x96;
                c = c * (j + 1 + i);
                b += c;
            }
            if (i == 0 && b == a)
            {
                printf("password is NULL\n");
                return 0;
            }
            d = a - b;                       /* what the i password chars must add up to */
            num = 0;
            c2 = 1;
            for (j = 0; j < i; j++)          /* num = 1 + 2 + ... + i, c2 = c3^i */
            {
                num = num + j + 1;
                c2 = c3 * c2;
            }
            if (num > 0)
            {
                c1 = 0;
                if ((d / num) > 154 && (d / num) < 250)   /* plausible for this length? */
                {
                    memset(dnp, '0', i);
                    Sleep(100);
                    do {
                        c4 = 1;
                        for (j = 1; j < i; j++)       /* step positions 1..i-1 like an odometer */
                        {
                            c4 = c4 * c3;
                            if (c1 % c4 == 0)
                                dnp[j] = '0';
                            else
                            {
                                dnp[j]++;
                                break;
                            }
                        }
                        b = 0;
                        for (k = 1; k < i; k++)       /* contribution of positions 1..i-1 */
                        {
                            c = dnp[k];
                            c = c ^ 0x96;
                            c = c * (k + 1);
                            b += c;
                        }
                        e = d - b;                    /* position 0 has weight 1: solve for it */
                        if ((e ^ 0x96) >= '0' && (e ^ 0x96) <= 'z')
                        {
                            dnp[0] = (e ^ 0x96);
                            printf("%s\n", dnp);
                            return i;
                        }
                        c1++;
                    } while (c1 < c2);
                }
            }
        }
        return 0;
    }
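As an added example (not code from the original post), here is a clean C reimplementation of the hash from the first listing, together with a count of how many two-character passwords collide, which is the property the search above relies on. It assumes WORD is a 16-bit unsigned value and that only the password, not the padding constant, is uppercased; the names vss_hash and vss_two_char_stats are my own.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define VSS_PAD "briandavidharry"   /* padding constant from the post */
#define VSS_LEN 15                   /* the hashed buffer is always 15 bytes */

/* Hash as reconstructed from the post: uppercase the password, pad it to 15
 * bytes with the constant, sum (byte ^ 0x96) * (position + 1) in 16 bits.
 * Assumption: only the password is uppercased, the padding is not. */
uint16_t vss_hash(const char *password)
{
    unsigned char buf[VSS_LEN];
    size_t len = strlen(password);
    uint16_t sum = 0;
    if (len > VSS_LEN)
        len = VSS_LEN;                /* the original refuses longer input */
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)toupper((unsigned char)password[i]);
    memcpy(buf + len, VSS_PAD, VSS_LEN - len);
    for (size_t i = 0; i < VSS_LEN; i++)
        sum = (uint16_t)(sum + (buf[i] ^ 0x96) * (i + 1));
    return sum;
}

/* Collision statistics over every two-character password drawn from A-Z and
 * 0-9 (36*36 = 1296 inputs). The two characters only contribute v0 + 2*v1
 * with each v in [160, 223], so at most 190 distinct hashes can occur and by
 * pigeonhole at least one value is shared by 7 or more passwords. */
typedef struct { int inputs, distinct, largest_bucket; } vss_stats;

vss_stats vss_two_char_stats(void)
{
    static unsigned count[65536];
    const char *alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    vss_stats s = {0, 0, 0};
    char pw[3] = {0};
    memset(count, 0, sizeof count);   /* static, so clear it on every call */
    for (const char *a = alphabet; *a; a++)
        for (const char *b = alphabet; *b; b++) {
            pw[0] = *a; pw[1] = *b;
            unsigned h = vss_hash(pw);
            s.inputs++;
            if (count[h]++ == 0)
                s.distinct++;
            if ((int)count[h] > s.largest_bucket)
                s.largest_bucket = (int)count[h];
        }
    return s;
}
```

With 1296 inputs squeezed into fewer than 200 hash values, any password whose characters average out to the right weighted sum is accepted, which is exactly why the search above only needs to find some preimage rather than the original.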
Of course, this algorithm is not of much significance for VSS passwords themselves: anyone with write access to UM.DAT can simply copy it, overwrite it with a UM.DAT whose user password they know, or modify the hash directly; or they can copy the data files off the share and open them in the VSS program without ever entering the password. The point of writing this up was to emphasize the idea behind cracking the algorithm.