Step 1: I fired up an excellent tool, Process Monitor from Sysinternals (now Microsoft-owned), opened up the database manager tool and reset my user's password. I then reviewed all the events that had just happened, initially looking to see what files had been read from, to gain clues as to how the change-password operation might work, and then looking at what files had been written to, hoping to see where the password might be saved.
Step 2: From analysis of the sdb.upc file I could see my users in plain text. I could be on to something interesting.
Step 3: After taking a backup of the upc file I changed the password once more and compared the two files. I could clearly see the only change made; this must be an encrypted version of the password.
Step 4: Now I was interested in seeing whether the password was being salted, perhaps with a user name, hostname or some other secret. Comparing the password hashes across different servers, different versions and different database names showed no difference at all. Handy… for us.
A quick check proves I can simply copy and paste hashes between password files to reset them. I tried simply setting the password hash to all zeros, which works nicely, but only for version 7.6, as later versions generate an error.
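The analysis in steps 3 and 4 boils down to two checks: find the one field that changes between a backup and the post-reset copy of the file, and then see whether that field comes out identical for the same password on unrelated installations. The following is an added example, not code from the original post; the fixed-width record layout and the MD5 stand-in digest are assumptions, since the page does not describe the real file format or hash algorithm. Identical output across hosts is the tell that nothing host- or user-specific is mixed in, which is exactly the condition that makes a stored credential portable between files.

```python
"""Added example (not from the original post): locating the one field that
changes between two copies of a credential file after a password reset, and
checking whether that field is portable across installations (no salt).
The record layout and the MD5 stand-in digest are assumptions; the real
file format and hash algorithm are not described on the page."""
import hashlib
from typing import List, Sequence, Tuple

NAME_LEN = 16    # assumed: fixed-width, NUL-padded user name
DIGEST_LEN = 16  # assumed: MD5 used only as a placeholder digest


def build_record(user: bytes, password: bytes, salt: bytes = b"") -> bytes:
    """Constructed stand-in for one user record: padded name + digest."""
    digest = hashlib.md5(salt + password).digest()
    return user.ljust(NAME_LEN, b"\x00") + digest


def changed_regions(before: bytes, after: bytes) -> List[Tuple[int, int]]:
    """(offset, length) spans where the two files differ byte-for-byte.
    Equal lengths are required: an in-place field rewrite never changes size."""
    if len(before) != len(after):
        raise ValueError("files differ in length: a field was inserted or removed")
    spans, start = [], None
    for i, (x, y) in enumerate(zip(before, after)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            spans.append((start, i - start))
            start = None
    if start is not None:
        spans.append((start, len(before) - start))
    return spans


def changed_extent(before: bytes, after: bytes) -> Tuple[int, int]:
    """Smallest [start, end) window covering every differing byte; useful when
    a new digest happens to agree with the old one at a few positions."""
    spans = changed_regions(before, after)
    if not spans:
        return (0, 0)
    return (spans[0][0], spans[-1][0] + spans[-1][1])


def field(data: bytes, window: Tuple[int, int]) -> bytes:
    """Slice the bytes covered by a (start, end) window."""
    start, end = window
    return data[start:end]


def looks_unsalted(samples: Sequence[bytes]) -> bool:
    """True when the stored credential field for the SAME password is identical
    across independent installations. Identical bytes mean no per-user,
    per-host or per-database value is mixed in, so the field is portable
    between files; a salted scheme yields a different field on every host."""
    return len({bytes(s) for s in samples}) == 1


if __name__ == "__main__":
    before = build_record(b"DBADMIN", b"old-password")
    after = build_record(b"DBADMIN", b"new-password")
    window = changed_extent(before, after)
    print("changed window:", window, "field:", field(after, window).hex())
    # Same password stored for two different users: unsalted if identical.
    same_pw_hosts = [field(build_record(u, b"new-password"), window)
                     for u in (b"DBADMIN", b"REPORTS")]
    print("unsalted?", looks_unsalted(same_pw_hosts))
```

Run against two real copies of a file you have backed up, `changed_extent` gives the window to watch, and feeding the same window from several installations into `looks_unsalted` answers the step 4 question without needing to know the algorithm at all.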
If you’re reading this then the chances are you have at least a mild interest in IT security. I’ve been competing in the UK Cyber Security Challenge this year and I urge you to get involved. So far it’s been a fantastic experience and has really sparked my interest in this area. This year there has been a variety of different paths, from secure network design and penetration testing (or hacking) to forensics. There have been theory and hands-on challenges, for example where you’ve had the opportunity to try out your skills against the clock to hack into as many servers as possible to gain root and administrator access. If a more considered approach is more your thing then the Linux forensic investigation competition was brilliant and my personal favourite; here you had to identify 24 different compromises, work out how they were pulled off and how you could defend against them. I’ve seen some really clever, cunning exploits and learnt a ‘stack’ of new tricks.
The top man, James Lyne from Sophos, explains more.
As this is my blog it’s just about ok to blow my own trumpet with my results so far…
Those that have known me for some time know that wherever possible I like to get my catch phrase in “Bartlett Remains unimpressed”.
This is where it all began… Computing December 1999
Page 3 – Business Sites Open to Abuse
INTERNET service provider Global Internet has admitted that it left user names and passwords for 200 business web sites in an easily accessible file – but has no plans to warn its customers, writes Steve Ranger. The file could be downloaded by any of Global Internet’s customers whose sites were hosted on the same machine. The file was protected by simple encryption, which could easily be broken by tools available on the Internet, said Matt Bartlett, who found the file. ‘Anyone who’s used Linux or Unix usually knows this sort of thing, especially those involved in administration tasks,’ said Bartlett, an IT technician at Global Internet customer Wilts Wholesale Electrical. ‘Now we know about it, we’ll change our passwords. But what about the other companies?’ Peter Venmore, a director at Global Internet, blamed human error and said: ‘We have a dozen of these servers and they are set up correctly.’ Warning customers to change their passwords is ‘not necessarily required’, he said, because ordinary users will be unable to decrypt the file. He admitted, however: ‘If you want to throw a dictionary programme at it and the passwords are in plain text then you would be able to get access.’ Global Internet is continuing its investigation, but Bartlett remains unimpressed. ‘All this is basic security, there is nothing clever involved,’ he said.
What clever devious way did I get hold of this password file?
Analysis of the original image shows a hidden comment within the raw content. It looks to be base64 encoded, as the string is all printable characters and ends with ‘==’. I converted it to hex using this online tool and pasted it back into the original file.
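The two clues used above, a run of printable base64-alphabet characters and trailing ‘=’ padding, are easy to turn into a scanner that walks a file's raw bytes and keeps only the runs that decode cleanly. This is an added example, not code from the original post; the sample image bytes, the hidden string and the text-chunk layout are constructed here, not taken from the page.

```python
"""Added example (not from the original post): scanning an image's raw bytes
for printable runs that decode cleanly as base64, which is how a comment
hidden in the file body gives itself away. The sample image below is
constructed; no real image or hidden string from the page is used."""
import base64
import binascii
import re
from typing import List, Tuple

# A base64 token: alphabet characters, optionally padded with one or two '='.
# Requiring at least 16 characters filters out short incidental runs.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def base64_candidates(data: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, token, decoded) for every run that decodes cleanly.
    A true base64 string is always a multiple of 4 characters and contains
    only alphabet characters plus trailing padding; validate=True makes
    b64decode reject anything else."""
    found = []
    for m in B64_RUN.finditer(data):
        token = m.group(0)
        if len(token) % 4:
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue
        found.append((m.start(), token, decoded))
    return found


def to_hex(blob: bytes) -> str:
    """Hex form of the decoded bytes, the representation pasted back into the file."""
    return blob.hex()


# Constructed sample: PNG-like header, opaque pixel data, a text chunk carrying
# a base64 comment, a decoy run that is not a multiple of 4, and a trailer.
HIDDEN = b"constructed hidden comment"
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n"
    + b"\x00\x01\xfe\xff" * 8
    + b"tEXtComment\x00" + base64.b64encode(HIDDEN) + b"\x00"
    + b"abcdefghijklmnopq\x00"      # 17 alphabet chars: rejected by the length rule
    + b"\x00\x00\x00\x00IEND"
)


def hidden_comments(data: bytes = SAMPLE_IMAGE) -> List[str]:
    """Decoded candidates as hex strings, in file order."""
    return [to_hex(decoded) for _, _, decoded in base64_candidates(data)]


if __name__ == "__main__":
    for offset, token, decoded in base64_candidates(SAMPLE_IMAGE):
        print(f"offset {offset}: {token.decode()} -> {to_hex(decoded)} ({decoded!r})")
```

Point `base64_candidates` at the bytes of any file (`open(path, "rb").read()`) and it lists each candidate with its offset, which is the same check done by eye above but repeatable across a whole directory of images.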
Every website needs a little something, sometimes great content isn’t enough.
Have you noticed that the header image on the front of this website is clickable, zoomable and browsable? Well, at least one person has asked how it’s done and that’s good enough for me. Basically it’s like Microsoft’s Silverlight Deep Zoom technology, but using Flash.
Step 1: Downloaded a list of SAP transactions from SE16N using table TSTC and saved these off as a text file.
Step 2: Wrote a little Windows Script Host .vbs file to read the transaction text file and use the SendKeys function to inject each transaction into the SAP GUI window, for example ‘/oabaw’, then call Gadwin to screen-capture the current active window and save it as a jpg file, and finally send Alt+F4 to close the transaction. Repeat this a few hundred times, ending up with a folder looking like this.
Step 3: Using Shape Collage I created a high-res static image of all the files. I then popped in to see my favourite marketing department to borrow their copy of Photoshop and exported using the Zoomify option but… using a replacement swf based on OpenZoom from Daniel Gasienica!
Step 4: Finally I made a slight modification to the header page in WordPress to serve up the Flash instead of the regular image, and we’re done!