Full Disclosure mailing list archives
Decrypt info in referenced file @ web.config
From: Richard Miles <richard.k.miles () googlemail com>
Date: Mon, 31 May 2010 15:50:35 +0000
Hello

I'm doing a test and I obtained a copy of the web.config file. The interesting thing is that there is a line like this: "<add key="PasswordFile" value="C:\Inetpub\site\Users.acl" />". It caught my attention that the file is in the Inetpub folder, and I was able to download it. It's in base64; when decoded it is messed up, so I believe it's encrypted.

I found something in the web.config that is related to encryption and hashing, but I'm unsure if it's used to encrypt this file.

<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
<add key="CryptoEngine" value="False" />
<add key="CryptoHashKey" value="SpartanLosHeros" />

SHA1 is a hash function, and based on the name of the file I believe the contents contain usernames, so I don't believe they are using a hash function. The CryptoHashKey may be the key used to encrypt. But this CryptoEngine configured to false sounds strange. I find no reference to crypt algorithms in this file.

Based on your experience, do you believe this CryptoHashKey is the key used to encrypt this file? What algorithm? Is there a default one used by .NET?

I have no experience with .NET. Can someone with experience point me to what it can be, or where to discover the key and algorithm used? Maybe an application where I enter the supposed key and the encrypted data and it shows me all the possibilities available with .NET?

Thank you

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
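A defender-side check for the exposure described in the message above, as an added example that is not part of the original post: it parses a web.config and flags appSettings values that point to files under the served site root, secret-looking keys stored as literals, and static machineKey material. The sample XML is constructed from the settings quoted in the post; the site root `C:\Inetpub\site`, the function name `audit_web_config` and the name patterns are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample built from the settings quoted in the post.
SAMPLE = r'''<configuration>
  <appSettings>
    <add key="PasswordFile" value="C:\Inetpub\site\Users.acl" />
    <add key="CryptoEngine" value="False" />
    <add key="CryptoHashKey" value="SpartanLosHeros" />
  </appSettings>
  <system.web>
    <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
  </system.web>
</configuration>'''

# Assumed heuristics: key names that suggest secret material, and drive-letter paths.
SECRET_NAME = re.compile(r"(key|secret|passw|pwd|token)", re.I)
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")

def audit_web_config(xml_text, site_root):
    """Return (setting, finding) pairs for a web.config served from site_root."""
    root = PureWindowsPath(site_root)  # Windows paths compare case-insensitively
    findings = []
    tree = ET.fromstring(xml_text)
    for add in tree.findall("./appSettings/add"):
        key, value = add.get("key", ""), add.get("value", "")
        if WINDOWS_PATH.match(value):
            path = PureWindowsPath(value)
            # A data file inside the site root may be reachable over HTTP.
            if path == root or root in path.parents:
                findings.append((key, "file-under-web-root"))
        elif SECRET_NAME.search(key) and value.lower() not in ("", "true", "false"):
            findings.append((key, "literal-secret-in-config"))
    for mk in tree.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            val = mk.get(attr, "")
            # "AutoGenerate" means no key material is stored in the file itself.
            if val and not val.startswith("AutoGenerate"):
                findings.append((attr, "static-machine-key"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit_web_config(SAMPLE, r"C:\Inetpub\site"):
        print(f"{setting}: {finding}")
```

A `file-under-web-root` finding is resolved by moving the referenced file outside the directory tree the web server serves.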