Encrypted passwords and text.



  1. #1
    Join Date
    Jul 2000
    Location
    Dallas TX
    Posts
    116

    Encrypted passwords and text.

    Anyone know a way to read files caught by tcpdump or sniffit that are encrypted (like ICQ files) or hotmail passwords?? Just curious. Any scripts out there that would do this?

  2. #2
    Join Date
    Feb 2000
    Location
    cincinnati, oh, usa
    Posts
    918
    Um, the point of encryption is so you can't read sniffed traffic.

    I don't know exactly what you mean by "ICQ files", but from what I've read of the ICQ protocol, passwords aren't encrypted, they're just roasted, which is about the dumbest thing in the world. Anyway...

    Jeremy
    --
    X-No-Archive: yes
    I'm working on a Python IRC bot.

  3. #3
    Join Date
    Aug 2000
    Posts
    1,948
    ?

    you can find that kinda stuff anywhere. just search for it.

    hey jeremy, what's roasting?

  4. #4
    Join Date
    Feb 2000
    Location
    cincinnati, oh, usa
    Posts
    918
    I know more in-depth AOL's TOC protocol method of roasting, so I'll explain from that.

    Basically, they run your password through an "obscurer" function. In TOC, iirc the algorithm, it takes each character of your password, XORs it cyclically with the string "Tik/Toc", and sends the hexadecimal representation of that character down the pipe.

    Of course, this is no security whatsoever. First, your password roasts to the same thing every time! So someone sniffing your connection doesn't even need to know your password, they can just send your roasted password just like they sniff it. Second, it's not roasted with anything, and the roast isn't by any stretch a one-way function. It's remarkably easy to "unroast" a password, just turn a hexadecimal number into a char, XOR it cyclically with "Tik/Toc" again, and you've got the original password.

    It amazes me sometimes that the same people who designed a rather ingenious way of keeping false clients off their network (taking md5sums of the program itself! who'da thunk it?) couldn't have written a better authentication mechanism than "roasting" a password before sending it over the wire. It's not hard!

    The way it should've been done (and the way I did it with my "botnet" I wrote for my IRC bot in python) is like this: The server sends a "challenge", which is just a random string of bytes, at least 16 bytes long. The client takes this string of bytes, appends the password, and sends back the md5 hash of that string. The server, knowing the password and the random string of bytes, knows which md5 hash to expect, and can authenticate based on that. But someone sniffing the connection can't find out the password from the hash, because md5 is one-way (it can't be undone.) And that same sniffer can't just recycle old responses, because the challenge string changes each time (it's random, remember?)

    That's a really easy authentication method, and I'm amazed that the AIM folks didn't do it.

    /me mutters something about "more than you wanted to know"...

    Jeremy
    --
    X-No-Archive: yes
    I'm working on a Python IRC bot.
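
The two schemes described in post #4, side by side, as an added example that is not code from the thread or from any AIM/TOC client. The key string is the one the post recalls, and the function names and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os
from itertools import cycle

ROAST_KEY = b"Tik/Toc"  # key string as recalled in post #4 (assumption)


def roast(password: bytes, key: bytes = ROAST_KEY) -> str:
    """XOR each byte cyclically with the key and hex-encode the result."""
    return bytes(p ^ k for p, k in zip(password, cycle(key))).hex()


def unroast(roasted: str, key: bytes = ROAST_KEY) -> bytes:
    """XOR is its own inverse, so the same operation recovers the password."""
    return bytes(c ^ k for c, k in zip(bytes.fromhex(roasted), cycle(key)))


def new_challenge(size: int = 16) -> bytes:
    """Server side: a fresh random challenge for every login attempt."""
    return os.urandom(size)


def respond(challenge: bytes, password: bytes) -> str:
    """Client side: md5(challenge + password), as the post describes."""
    return hashlib.md5(challenge + password).hexdigest()


def verify(challenge: bytes, password: bytes, response: str) -> bool:
    """Server side: recompute the expected hash and compare in constant time."""
    return hmac.compare_digest(respond(challenge, password), response)


def replay_accepted() -> dict:
    """Replay a value captured in session 1 against session 2, per scheme."""
    password = b"correct horse"  # constructed sample password
    # Roasting: the wire value is identical in every session, so a captured
    # copy matches what the server expects next time.
    roast_replay = roast(password) == roast(password)
    # Challenge-response: the captured response was computed over challenge 1
    # and is checked against a different challenge in session 2.
    first, second = new_challenge(), new_challenge()
    captured = respond(first, password)
    return {"roast": roast_replay, "challenge": verify(second, password, captured)}
```

The challenge-response scheme still requires the server to hold the password itself, and a sniffed challenge/response pair allows offline guessing of weak passwords, so it stops replay and direct disclosure but not dictionary attacks.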

  5. #5
    Join Date
    Jul 2000
    Location
    Dallas TX
    Posts
    116
    I thought sniffit wasn't able to "listen" on other people's hosts. Only your own?? Or is that just in the documentation to say "Don't be listening to others" just to cover themselves. Any good documentation on any of this is helpful. Thanks

  6. #6
    Join Date
    Jan 2000
    Location
    Houston, TX, USA
    Posts
    9,994
    bruce: with Ethernet, it uses a "bus" system, so that every host on a network is attached to one line that everyone shares. So, any traffic being sent out from a host on that bus or to a host on that bus can be heard by any other host on that bus. You just have to set your card into "promiscuous" mode so that it doesn't filter out packets that aren't specifically targeted for its MAC address. So, any host with which you share a bus is sniffable.
    We love Sensei!!
    A 1:1 ratio of Arby's sauce to Horsey sauce must be maintained.
    Like Linux? Want to like it more? Try Debian
    Best. (Python.) IRC bot. ever.
    Geekology

  7. #7
    Join Date
    May 2000
    Location
    Tulsa, Ok, USA
    Posts
    1,580
    Originally posted by Strike:
    bruce: with Ethernet, it uses a "bus" system, so that every host on a network is attached to one line that everyone shares. So, any traffic being sent out from a host on that bus or to a host on that bus can be heard by any other host on that bus. You just have to set your card into "promiscuous" mode so that it doesn't filter out packets that aren't specifically targeted for its MAC address. So, any host with which you share a bus is sniffable.
    Crud, that's something I never even thought about. On the internet, there is no such thing as privacy, I guess...
    Ephesians 2:8-9

  8. #8
    Join Date
    Feb 2000
    Location
    cincinnati, oh, usa
    Posts
    918
    Originally posted by TheLinuxDuck:
    Crud, that's something I never even thought about. On the internet, there is no such thing as privacy, I guess...
    It's worse than you think. If you run Debian (or have access to a Debian box, or feel like looking stuff up on the internet,) apt-get install "hunt", and read the attached documentation.

    No non-ssl connection on your segment is safe. I know someone on IRC who, to speed development of his software, let people who were developing with it have root on his box. This person is also a channel owner for a channel on OPN. One day, one of those developers used hunt to hijack his connection and add himself to the channel's oplist (not maliciously, just to see if he could, really)

    Needless to say, Glyph wasn't happy. And the hijacker is no longer a regular in #python, unfortunately. I don't think things worked out well after that.

    Jeremy
    --
    X-No-Archive: yes
    I'm working on a Python IRC bot.
