Saturday, April 16, 2011

Breaking the Radmin protocol

First, a few things about Radmin (found by trial and error):

- The server stores the password hash in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters
"Parameter" = hex: 02,ba,5e,18,7e,25,89,be,6f,80,da,00,46,aa,7e,3c // password 12345678
The hash algorithm is MD5: the password is first padded with null bytes up to 100 characters and then hashed.
Checked ... it works!
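To reproduce that check, here is an added example (not from the original post or from Radmin itself) that hashes a password the way the post describes and compares it with the hex value as it appears in the registry export; the 100-byte null padding is taken from the post as an assumption.

```python
import hashlib

# Padded block length as described in the post (assumption, not verified
# against Radmin's own code).
PAD_LEN = 100


def radmin2_hash(password: str) -> str:
    """MD5 of the password padded with NUL bytes to PAD_LEN bytes, as hex."""
    pw = password.encode("ascii")
    if len(pw) > PAD_LEN:
        raise ValueError("password longer than the padded block")
    return hashlib.md5(pw.ljust(PAD_LEN, b"\x00")).hexdigest()


def parse_reg_hex(value: str) -> str:
    """Turn a .reg-style 'hex:02,ba,5e,...' value into one lowercase hex string."""
    body = value.split(":", 1)[1]
    return "".join(part.strip().lower() for part in body.split(","))


# Registry value quoted in the post for the password 12345678.
REG_VALUE = "hex:02,ba,5e,18,7e,25,89,be,6f,80,da,00,46,aa,7e,3c"


def matches_registry(password: str, reg_value: str) -> bool:
    """True if the stored registry hash was produced from this password."""
    return radmin2_hash(password) == parse_reg_hex(reg_value)


if __name__ == "__main__":
    print(radmin2_hash("12345678"))
    print(matches_registry("12345678", REG_VALUE))
```

Note that the padding changes the digest: a plain MD5 of "12345678" without the null padding does not match the registry value.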

- The Radmin help says:
"Radmin works in encrypted mode ... all data transmitted between computers is encrypted ... randomly generated key. Used 128-bit Twofish algorithm ..."
I think we can believe the developers ... Or not?

Let's run a sniffer, say Taffy ...
Packet contents (data in hex) for password authentication:

1) Client: 01 00 00 00 01 00 00 00 1B 1B - 10 bytes
2) Server: 01 00 00 00 21 A8 99 B4 A7 1B 2A 5F 62 5E 69 EA 5E 82 8C 1D 41 63 1E F7 B7 10 B7 9D 7D D2 0F 92 97 E8 C1 59 82 2E ED B1 56 51 - 42 bytes
3) Client: 01 00 00 00 21 89 2D 73 09 BC 5D 00 4E F9 3A CF 71 13 EA B4 D0 B0 F0 A8 F8 F7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 42 bytes
4) Server: 01 00 00 00 01 00 00 00 0A 0A - 10 bytes

Assumptions:
1) Looks like an ordinary command with code $1B1B, a request to authenticate.
2) Probably the key used to encrypt the packets.
3) The password! Or rather its hash (MD5, by the same logic as the hash in the server's registry), because the reply is always 26 bytes (not counting the 16 zeros).
4) The result of authentication: $0A0A is success, $0B0B is failure.

Tried all the combinations of the "key" (2) and the "encrypted password" (3) ... using the TDCP_twofish component.
When decrypting (3) with key (2) I expected to find the MD5 hash of the password 12345678: 02 ba 5e 18 7e 25 89 be 6f 80 da 00 46 aa 7e 3c
It did not work ... Why?

- Maybe what is sent over the network is not the MD5 hash of the password but some other value, though still a hash
- Maybe the traffic is not actually encrypted with 128-bit Twofish
