hack_wsftp.txt

1999-08-17T00:00:00
ID PACKETSTORM:12335
Type packetstorm
Reporter Netherpunk
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Hacking WS FTP.INI  
------------------  
  
  
http://4n4rchy.hypermart.net  
by, Netherpunk, Anarchist Rampage Inc.  
  
  
  
I pretty much stumbled onto this bug by myself. Others have probably found it before me, so  
I'll let you decide. I actually rewted a few web servers with this thing, so it can be pretty  
useful if you know what you are looking for.  
  
First, most everything that has password options in Windows gives you the option to save your  
password, usually by checking a check box labeled "save password". Now, being a Windows expert  
myself, I could say that Windows or the program will cache this password in some file, very  
lightly encrypted. Now this is not only stupid, but it is also a security risk if your  
computer is accessible over any network. Never ever save your passwords anywhere. Memorise  
them in your head. And also never use the same password for everything.  
  
Now that we know Ws Ftp has the "save password" option, you will want to know where the password  
is located. You guessed by the title of the text, didn't you? WS_FTP.INI is the file that  
stores the FTP sessions, both default and user-defined, in Ws Ftp. Now when you open  
WS_FTP.INI, you will find normal default settings. Here is an example of the default sessions,  
starting with the one to winsite.com.  
  
[WinSite]  
HOST=ftp.winsite.com  
UID=anonymous  
[Smithsonian Images]  
HOST=photo1.si.edu  
UID=anonymous  
DIR="/images/gif89a/"  
  
Now let us view an example of an FTP session to a sample host with a cached password.  
  
[Primehost]  
HOST=sampleftp.host.com  
UID=admin  
PWD=VE0496D09AC505584A460E9F9B1ABCD9F79A4AB9E9B  
PASVMODE=1  
TIMEOFFSET=0  
LOCDIR=\  
rdir0="/"  
rdir1="/Backups"  
rdir2="/Website"  
rdir3="/Website/Common"  
ldir0=C:\  
  
Notice the encrypted password? That's what we want to see.  
  
Now that you know what you are looking for, where do you get it and what do you do with it?  
Well, as for finding WS_FTP.INI, that is up to you. Some morons upload every file including  
WS_FTP.INI to their site. You can also try computers in cyber cafes as well. Now, some might  
do things the hard way and try to decrypt the password on some *nix platform. There are C  
scripts that do this for .INI files. But what if you are on Windows? Get Ws Ftp first of all.  
Then copy the session from the victim's .INI and paste it in your own .INI file. Then open  
Ws Ftp and connect. That's pretty simple, far too easy for most. Have fun.  
  
This is a big security risk due simply to Ipswitch's lack of effort as far as security is  
concerned. Ws Ftp, or any FTP program for that matter, can be a big security risk for those who  
aren't conscious about it. The bottom line is, never save your passwords. Cached password  
files use weak encryption, and in some cases like that of WS_FTP.INI, anyone can use the cached  
FTP session.  
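
To check for the exposure described above before a directory is published or shared, the following added example (not part of the original text and not an Ipswitch tool) walks a directory tree, parses any WS_FTP.INI in the layout shown earlier, and reports sessions that carry a saved PWD entry without echoing its value. The sample INI, its placeholder PWD value, and the function names are constructed for illustration.

```python
import os

# Constructed sample in the format shown above; the PWD value is a placeholder.
SAMPLE_INI = """\
[WinSite]
HOST=ftp.winsite.com
UID=anonymous
[Primehost]
HOST=sampleftp.host.com
UID=admin
PWD=PLACEHOLDER_SAVED_VALUE
PASVMODE=1
"""

def sessions_with_saved_password(ini_text):
    """Return (session, host, uid) for every session with a non-empty PWD."""
    sessions, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # New session header, e.g. [Primehost]
            current = sessions.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().upper()] = value.strip()
    return [(name, s.get("HOST", ""), s.get("UID", ""))
            for name, s in sessions.items() if s.get("PWD")]

def scan_tree(root):
    """Walk root and list every WS_FTP.INI session that stores a password.

    The stored password value is never returned or printed.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "ws_ftp.ini":  # match regardless of case
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                for hit in sessions_with_saved_password(fh.read()):
                    findings.append((path,) + hit)
    return findings

if __name__ == "__main__":
    import sys
    for path, session, host, uid in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: [{session}] host={host} uid={uid} has a saved password")
```

Run it against a web document root or a shared profile directory; any hit means the file should be removed from that location and the listed account's password changed.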
  
Happy Hacking!`