RE: Craking Serv-u passwords stored in .ini file.

From: Ferruh Mavituna (ferruh@mavituna.com)
Date: Thu Sep 02 2004 - 14:19:09 EDT


Previous versions of Serv-u kept passwords in plain text format.

Now it's MD5(length+2). To get access to the Serv-u password file you need
to access files on the server, and you need read permissions on that file.

I think it's pretty secure for an FTP server.

Ferruh Mavituna
http://ferruh.mavituna.com
PGP Key: http://ferruh.mavituna.com/pgpkey.asc
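To make the thread's point concrete, here is an added example (not from Serv-u or from any poster) that puts a weak scheme of the kind discussed, a two-letter salt prepended to the password and hashed with MD5, next to a hardened one using a 16-byte random salt and PBKDF2-HMAC-SHA256. The storage formats, the `salt_space` helper and the iteration count are assumptions for illustration, not Serv-u's actual on-disk format.

```python
import hashlib
import hmac
import os
import secrets
import string

# Weak scheme (assumed illustration of what the thread describes, not
# Serv-u's exact format): two lowercase salt letters, MD5 over salt+password,
# stored as salt + hex digest, so the entry is 2 characters longer than MD5.
SALT_ALPHABET = string.ascii_lowercase


def weak_hash(password, salt=""):
    salt = salt or "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return salt + digest


def weak_verify(password, stored):
    salt, digest = stored[:2], stored[2:]
    return hmac.compare_digest(weak_hash(password, salt)[2:], digest)


def salt_space(alphabet_size, salt_len):
    """Distinct salts; the only multiplier a dictionary attack pays (26^2 = 676)."""
    return alphabet_size ** salt_len


# Hardened scheme: 16-byte random salt, PBKDF2-HMAC-SHA256 with a high
# iteration count (assumed value), stored as "pbkdf2$iters$salthex$dkhex".
ITERATIONS = 600_000


def strong_hash(password, salt=b"", iterations=ITERATIONS):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def strong_verify(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(salt_hex), int(iterations))
    # constant-time compare so verification timing leaks nothing about the hash
    return hmac.compare_digest(expected.hex(), dk_hex)
```

The weak entry is 34 characters (2 salt letters + 32 hex), and the salt only multiplies a dictionary attack's work by 676, whereas the per-guess cost of PBKDF2 and a 128-bit salt are what actually raise the attacker's bill.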

> -----Original Message-----
> From: Scovetta, Michael V [mailto:Michael.Scovetta@ca.com]
> Sent: Thursday, September 02, 2004 8:21 PM
> To: M. D.; pen-test@securityfocus.com
> Subject: RE: Craking Serv-u passwords stored in .ini file.
>
> Nekro--
>
> Maybe I'm just ignorant here, but if you are referring to the recent
> collision attacks on MD5, how does such an attack compromise serv-u
> security? Being able to create two strings that hash to the same value
> is orders of magnitude easier than finding a string that hashes to some
> particular hash value.
>
> From what I see, the serv-u hash security is weak not because of the
> weakness of MD5 or any other hashing algorithm, but rather because a
> simple dictionary attack (performed 26^2 times) would be more effective
> than attempting a preimage attack on the final hashed value.
>
> If there's something here that I'm not getting, please let me know.
>
> Regards,
>
> Michael Scovetta
>
> -----Original Message-----
> From: M. D. [mailto:nekromancer@lycos.com]
> Sent: Wednesday, September 01, 2004 11:37 AM
> To: pen-test@securityfocus.com
> Subject: RE: Craking Serv-u passwords stored in .ini file.
>
> Dear colleagues,
>
> Googling around shows THIS:
>
> http://www.cat-soft.com/serv-u-list/08%2014-Apr-99%20To%2005-Aug-02/msg09499.html
>
> With that information and any good MD5 hash cracker (Lepton's Crack
> comes to mind, but feel free to choose any other, I'm a bit biased being
> one of the authors ;-) I think that you can try to bruteforce these
> passwords.
> Hope this info helps.
> Cheers,
>
> Nekromancer
>
>
>
> ------------------------------------------------------------------------
> ------
> Ethical Hacking at the InfoSec Institute. All of our class sizes are
> guaranteed to be 12 students or less to facilitate one-on-one
> interaction
> with one of our expert instructors. Check out our Advanced Hacking
> course,
> learn to write exploits and attack security infrastructure. Attend a
> course
> taught by an expert instructor with years of in-the-field pen testing
> experience in our state of the art hacking lab. Master the skills of an
> Ethical Hacker to better assess the security of your organization.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ------------------------------------------------------------------------
> -------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:03 EDT