Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 13:46

View unanswered posts | View active topics


Board index » aluigi.org » Password_recovery

All times are UTC [ DST ]




Forum locked This topic is locked, you cannot edit posts or make further replies.  Page 1 of 1
  [ 5 posts ] 
  Print view Previous topic | Next topic 
Author Message
xenocide0999
 Post subject: Smart FTP
PostPosted: 27 Jan 2009 03:01 

Joined: 16 Jan 2009 22:16
Posts: 19
Smart FTP: www.smartftp.com

Path locally to password: C:\Documents and Settings\<name>\Application Data\SmartFTP\Client 2.0\Favorites\Quick Connect\<profilename>.xml

<profilename>.xml
<Host>ftp.example</Host>
<User>example</User>
<Password>82228E2FD77CB05A7FDBD54E3496</Password> <- password should be example

Any idea what encryption its using?
Top
 Profile  
 
 
SomaFM
 Post subject: Re: Smart FTP
PostPosted: 27 Jan 2009 06:41 

Joined: 16 Aug 2007 06:25
Posts: 367
I believe Luigi has code for that available in his smartftppwd tool:
Quote:
http://aluigi.org/pwdrec/smartftppwd.zip
- decrypts the password passed at command-line, passwords are located in the XML files in %APPDATA%\SmartFTP\Client 2.0\Favorites (3.0)
Top
 Profile  
 
xenocide0999
 Post subject: Re: Smart FTP
PostPosted: 27 Jan 2009 06:54 

Joined: 16 Jan 2009 22:16
Posts: 19
Thanks for the response.

Converting this to .net shouldn't be the problem;
Code:
int smartftp_pwd(u8 *pwd) {
    HCRYPTPROV  phProv;
    HCRYPTHASH  phHash;
    HCRYPTKEY   phKey;
    DWORD       pwdlen;
    int         i;

    for(i = 0; pwd[i << 1]; i++) {
        pwd[i] = hex2byte(pwd + (i << 1));
    }
    pwd[i] = 0;
    pwdlen = i;

    if(!CryptAcquireContext(&phProv, NULL, MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) return(-1);
    if(!CryptCreateHash(phProv, CALG_MD5, 0, 0, &phHash)) return(-1);
    if(!CryptHashData(phHash, (void *)L"SmartFTP", 16, 0)) return(-1);
    if(!CryptDeriveKey(phProv, CALG_RC4, phHash, 0x00800000, &phKey)) return(-1);
    if(!CryptDecrypt(phKey, 0, 1, 0, pwd, &pwdlen)) return(-1);
    CryptDestroyKey(phKey);
    CryptDestroyHash(phHash);
    CryptReleaseContext(phProv, 0);
    return(0);
}

but what does this exactly do?
Code:
u8 hex2byte(u8 *hex) {
    static const u8 hextable[256] =
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x00\x00\x00\x00\x00\x00"
        "\x00\x0a\x0b\x0c\x0d\x0e\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x0a\x0b\x0c\x0d\x0e\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    return((hextable[hex[0]] << 4) | hextable[hex[1]]);
}


Is the outputted password format encrypted by "CryptEncrypt" api then hexed?
Top
 Profile  
 
aluigi
 Post subject: Re: Smart FTP
PostPosted: 27 Jan 2009 17:29 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
hex2byte is a simple hex_string to byte converter (works byte per byte but doesn't matter), so if your input is like:

616263646566676869

the resulted binary data is the following string:

abcdefghi

"61" = 'a', "62" = 'b' and so on
Top
 Profile  
 
desxor
 Post subject: Re: Smart FTP
PostPosted: 31 Jan 2009 22:23 

Joined: 01 Sep 2008 07:40
Posts: 31
Here is some work I have done for SmartFTP, the decryption I used was Luigi's function so I left it out, but you can get it for free from the main site. The below code will automatically get all the stored logins (HOST/PORT, USERNAME, PASSWORD), recursively:

Code:
void SmartFTPDecryptDataForThisMachine(VOID)
{
   char *szAppData = getenv("APPDATA");

   strcat(szAppData, "\\SmartFTP\\Client 2.0\\Favorites");

   WIN32_FIND_DATA w32FD;
   char szDirPath[MAX_PATH];
   char szTempPath[MAX_PATH];
   HANDLE hFind = INVALID_HANDLE_VALUE;

   strcpy(szDirPath, szAppData);
   strcat(szAppData, "\\*");

   hFind = FindFirstFile(szAppData, &w32FD);
   if (hFind == INVALID_HANDLE_VALUE) {
      printf("\nhFind == INVALID_HANDLE_VALUE\n");
      exit(1);
   }

   do
   {
      if (w32FD.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
      {
         if(strcmp(w32FD.cFileName, ".") != 0 && strcmp(w32FD.cFileName, "..") != 0) {
            sprintf(szTempPath, "%s\\%s", szDirPath, w32FD.cFileName);
            DecryptStoredSmartFtpDir(szTempPath);
         }
      }
      else {
         if (strstr(w32FD.cFileName, ".xml")) {
            sprintf(szTempPath, "%s\\%s", szDirPath, w32FD.cFileName);

            DecryptStoredSmartFtpLogin(szTempPath);
         }
      }
   }
   while (FindNextFile(hFind, &w32FD) != 0);

   FindClose(hFind);
}

void DecryptStoredSmartFtpDir( char szDirPath[MAX_PATH] )
{
   WIN32_FIND_DATA w32FD;
   char szDir[MAX_PATH];
   HANDLE hFind = INVALID_HANDLE_VALUE;

   strcpy(szDir, szDirPath);
   strcat(szDir, "\\*");

   hFind = FindFirstFile(szDir, &w32FD);
   if (hFind == INVALID_HANDLE_VALUE) {
      printf("\nhFind2 == INVALID_HANDLE_VALUE\n");
      exit(1);
   }

   do
   {
      if (strstr(w32FD.cFileName, ".xml")) {
         char szTempPath[MAX_PATH];
         sprintf(szTempPath, "%s\\%s", szDirPath, w32FD.cFileName);

         DecryptStoredSmartFtpLogin(szTempPath);
      }
   }
   while (FindNextFile(hFind, &w32FD) != 0);

   FindClose(hFind);
}

void DecryptStoredSmartFtpLogin( char szFilePath[MAX_PATH] )
{
   char lpBuffer[1024];
   char *delim = "<>";
   char **tokens = NULL;
   char line[MAXLINE];
   int i = 0, lcount = 0;

   FILE *hVDF = fopen(szFilePath,"r");
   if(!hVDF) exit(-1);

   while(fgets(line, MAXLINE, hVDF) != NULL)
   {
      lcount++;

      if(strlen(line) < MINLEN)
         continue;

      tokens = split(line, delim);

      if (lcount == 3) {
         uint8_t *pwd2 = tokens[20];

         if(strstr(tokens[11], "/Host") || strstr(tokens[17], "/User")) break;

         if(!smartftp_pwd(pwd2))  {
            printf("Addr: %s:%s\nUser: %s\nPass: %s\n\n", tokens[11], tokens[14], tokens[17], (void *)pwd2);
         }
      }

        for(i = 0; tokens[i] != NULL; i++)
            free(tokens[i]);

        free(tokens);
   }
}


maybe it will help you, enjoy
Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  Page 1 of 1
  [ 5 posts ] 

Board index » aluigi.org » Password_recovery

All times are UTC [ DST ]

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: