Penetration Testing mailing list archives
RE: Craking Serv-u passwords stored in .ini file.
From: "Ferruh Mavituna" <ferruh () mavituna com>
Date: Thu, 2 Sep 2004 21:19:09 +0300
Previous version of Serv-u was keep passwords in plain text format. Now it's MD5(length+2). To get access password file of Serv-u you should access files on server. You need read permissions to access that file. I think it's pretty secure for a FTP Server. Ferruh Mavituna http://ferruh.mavituna.com PGP Key: http://ferruh.mavituna.com/pgpkey.asc
-----Original Message----- From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com] Sent: Thursday, September 02, 2004 8:21 PM To: M. D.; pen-test () securityfocus com Subject: RE: Craking Serv-u passwords stored in .ini file. Nekro-- Maybe I'm just ignorant here, but if you are referring to the recent collision attacks on MD5, how does such an attack compromise serv-u security? Being able to create two strings that hash to the same value is orders of magnitude easier than finding a string that hashes to some particular hash value. From what I see, the serv-u hash security is weak not because of the weakness of MD5 or any other hashing algorithm, but rather because a simple dictionary attack (performaed 26^2 times) would be more effective than attempting a preimage attack on the final hashed value. If there's something here that I'm not getting, please let me know. Regards, Michael Scovetta -----Original Message----- From: M. D. [mailto:nekromancer () lycos com] Sent: Wednesday, September 01, 2004 11:37 AM To: pen-test () securityfocus com Subject: RE: Craking Serv-u passwords stored in .ini file. Dear colleagues, Googling around shows THIS: http://www.cat-soft.com/serv-u-list/08%2014-Apr-99%20To%2005-Aug-02/msg0 9499.html With that information and any good MD5 hash cracker (Lepton's Crack comes to mind, but feel free to chose any other, I'm a bit biased being one of the authors ;-) I think that you can try to bruteforce these passwords. Hope this info helps. Cheers, Nekromancer -- _______________________________________________ Find what you are looking for with the Lycos Yellow Pages http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default .asp?SRC=lycos10 ------------------------------------------------------------------------ ------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ------- -------------------------------------------------------------------------- ---- Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------- -----
------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- RE: Craking Serv-u passwords stored in .ini file. Bénoni MARTIN (Sep 01)
- <Possible follow-ups>
- RE: Craking Serv-u passwords stored in .ini file. Smith III, Edward Mr. CAA/ISC (Sep 01)
- RE: Craking Serv-u passwords stored in .ini file. Jose Maria Lopez (Sep 01)
- RE: Craking Serv-u passwords stored in .ini file. Ferruh Mavituna (Sep 01)
- RE: Craking Serv-u passwords stored in .ini file. M. D. (Sep 02)
- Re: Craking Serv-u passwords stored in .ini file. Jérôme (Sep 02)
- Re: Craking Serv-u passwords stored in .ini file. Hans Porter (Sep 02)
- Re: Craking Serv-u passwords stored in .ini file. Marius Huse Jacobsen (Sep 09)
- Re: Craking Serv-u passwords stored in .ini file. Hans Porter (Sep 02)
- RE: Craking Serv-u passwords stored in .ini file. Scovetta, Michael V (Sep 02)
- RE: Craking Serv-u passwords stored in .ini file. Ferruh Mavituna (Sep 02)
- RE: Craking Serv-u passwords stored in .ini file. Altheide, Cory B. (IARC) (Sep 02)
- RE: Craking Serv-u passwords stored in .ini file. Ferruh Mavituna (Sep 02)
- RE: Craking Serv-u passwords stored in .ini file. Scovetta, Michael V (Sep 02)
- RE: Craking Serv-u passwords stored in .ini file. Altheide, Cory B. (IARC) (Sep 02)
- Re: Craking Serv-u passwords stored in .ini file. Nigel Stepp (Sep 04)
- RE: Craking Serv-u passwords stored in .ini file. M. D. (Sep 03)
- RE: Craking Serv-u passwords stored in .ini file. avarni (Sep 04)
- Re: Craking Serv-u passwords stored in .ini file. Hans Porter (Sep 07)
- Re: Craking Serv-u passwords stored in .ini file. Jérôme (Sep 03)
- RE: Craking Serv-u passwords stored in .ini file. M. D. (Sep 08)