How the Cyber Patrol password cracker works
bennett@peacefire.org
This file explains how the CPCrack decrypts the Cyber Patrol
password under Windows,
where the password is stored in an encrypted form in
win.ini. To understand this explanation, the
only definitions that you'll need to know are the following:
- bits and bytes
- ASCII representation of characters
- decimal, hexadecimal and binary notation
- bitwise AND'ing, OR'ing and XOR'ing
- bit-shifting and bit-rotating
- plaintext, cyphertext, and encryption
If you would like to find the definitions of these terms, we
recommend the
Free
On-Line Dictionary Of Computing. All of these terms are widely
used in computing, and you can probably find at least one page
that explains them more clearly than we could. Other than that,
all you need to understand this document is a fairly mathematical/logical
mind.
Where CPCrack gets the encrypted password
CPCrack uses the GetProfileString() function to obtain to find
a line in the file c:\windows\win.ini that looks like this:
[TCPIP Other]
Server=45500058514051D4
In this case, this value stores the encrypted password "APPLES".
(Cyber Patrol passwords are case-insensitive, so you could enter
"apples" or "ApPLeS" as your password and you would still gain access.
Most high-security systems use case sensitive passwords, but this often
cause problems when people can't log in because they're typing their
password with the Caps Lock key on. Cyber Patrol probably made their
passwords case-insensitive to avoid this problem.)
This 16-character string represents an 8-byte value in hexadecimal,
with each pair of characters representing one byte. (Note that almost
all of the characters are numbers, except for the "D" at the end.)
CPCrack first converts this 16-character string into the 8-byte
value that it represents. At that point, the actual decryption
process begins.
How Cyber Patrol encrypts its passwords
Before writing CPCrack, we had to discover how Cyber Patrol itself
stored its encrypted passwords. We discovered this by changing the
plaintext password one bit at a time, and observing which bits
changed in the encrypted password.
Assume your password is represented by the sequence "abcdefgh". This
does not mean that the first letter of your password is 'a', the second
letter is 'b', etc. This means that, in our calculations, 'a' stands
for the first letter of your password, 'b' stands for the second
letter, and so on. Remember that Cyber Patrol converts all passwords
to upper case before storing them, so "apples" would be stored as
"APPLES".
Also, if your password is less than 8 characters
long, the remaining characters will be filled with NULL bytes, so in
this case the complete password to be stored is "APPLES\0\0". Each
"\0" represents a NULL byte, which consists of 8 zero bits. This is not to
be confused with the ASCII representation of the 0 character itself,
which is different from an actual NULL byte,
so if your password is "APPLES", then trying to log in with the password
"APPLES00" will not work.
To show how Cyber Patrol stores its encrypted password, we will use
the following notation:
-
a >> 3 means the byte value represented by 'a', rotated
three bits to the right. Similarly a << 2 means 'a' rotated
two bits to the left. Note that this is bit rotation and not
bit shifting, so bits that "fall off the right end" will be added back
on the left-hand side, and no information is lost. C programmers
take note: this is not what ">>" means in C. In C, "a >> 3"
means shift 'a' 3 bits to the right -- shift, not rotate, so the
extra bits will fall off the end and be lost. The ">>" is used
here because it's convenient; don't take home any of my bad habits.
-
|
|
This represents the process of XOR'ing XA and YB
to get the two-character string consisting of (X xor Y) followed
by (A xor B). Whenever two values are written on top of each
other, it is assumed that they are XOR'ed.
|
So, if your plaintext Cyber Patrol password is 'abcdefgh', then
Cyber Patrol stores the encrypted password as:
Now comes the real work: decrypting the password with only this
information to go on. We know what each byte in the 8-byte string
above is, and from there we want to find the original password
'abcdefgh'.
How CPCrack decrypts the password
The steps that CPCrack goes through are straightforward. Each step
involves taking one or more of the bytes already known to us, and
bit-shifting it or XOR'ing it with a known value. The only restriction
is that, at each step, we can only use byte values that are already
known to us, or bit-rotations of those byte values.
For example, at the first step, we already know what
the value of
is, because it's the first byte of the encrypted password:
xor'ed with 0x04 and then rotated one bit to the right. But we
don't know what 'a', 'g', 'g >> 2', etc. are individually. To work
towards getting the original value of 'abcdefgh' we use the fact
that XOR'ing twice with the same thing cancels out -- i.e.
(X xor Y xor Y) = X.
Now, in each of the following steps, we use these color codes:
- red indicates a byte value that was
already known, either because it was one of the eight bytes of
the original encrypted password, or it was obtained
from a calculation in a previous step
- green indicates the byte value being
calculated in the current step
Step 1 is explained all the way through. The rest of the steps are given
but are not explained in the same detail.
Step 1
|
|
|
|
|
|
|
|
|
| b << 1 |
| g >> 2 |
| h >> 1 |
| 0x04 |
|
| | | | | | |
|
|
| | | | | | |
Here, the value
| b << 1 |
| g >> 2 |
| h >> 1 |
| 0x04 |
|
was shown in red because we already knew this value; it
was obtained by taking the second byte of the original encrypted
password, shifting it one bit to the left,
and xor'ing it with 0x04.
We xor this with the value in the cell above it. 'g >> 2' appears
twice, so it cancels out, and 'h >> 1' appears twice, so it cancels
out as well, and the two occurrences of 0x04 also cancel
out, and we are left with
which we can then use in the next step.
Steps 2 through 15 are outlined
on a separate page. At the end of Step 15, the values of all 8
characters in the password 'abcdefgh' have been obtained.
bennett@peacefire.org