[ILUG-BOM] [OT] cyberoam client logon algorithm

Amish Mehta amish@[EMAIL-PROTECTED]
Thu Dec 20 12:10:31 IST 2001


Hi,

Probably I shouldn't post this here but this looks to be best source
for good crackers. :-). Just last Sunday I was trying to figure out
how cyberoam client encrypts password, but I failed :-). Here is
sample file attached, you can open in Excel as tab separated file and
'text' formatting of all fields instead of general formatting.

Basically first field is timestamp and then each of the password's characters is replaced by 3 digit number based on some algorithm.
There is one more key probably used and I don't know if it is related
to adaptor address. In my case it's 00:50:BA:8D:42:F4. This exists
in all authentication requests (see sample).

The 3 digit number seems to change with time as it's the only
thing changing, rest known keys remaining the same.

If somebody wants to reverse engineer the client I can send them
the exe (setup too) if it's legal to do so (is it?).

Once algorithm is known, I will try to come up with Linux client
as early as possible.

Thanks.
Amish.
-------------- next part --------------
	l	o	f	e	r		
1008393054	245	078	003	203	195		

	q	w	e	r	t	y	
1008393043	014	205	213	164	121	254	
1008393166	251	198	207	201	151	176	
1008393170	011	016	123	052	245	179	
1008393174	237	125	105	007	247	160	
1008393573	162	122	154	189	007	140	

	a	b	c	d	x	y	z
1000095839	009	242	068	010	084	145	255
1000095787	229	043	090	137	000	135	147
1008392304	104	214	145	142	233	039	066
1008392340	086	130	243	248	236	047	229
1008393178	244	123	000	160	107	030	112
1008393576	006	069	117	070	173	068	201	

	e	f	g	h	i	j	k	l
1008392325	066	201	111	194	167	115	189	011


00:50:BA:8D:42:F4	This key may have been used in algorithm.

00-40-F4-27-24-12	This is my Adapter address, don't know if it is used in algorithm or is related to above key.

172.16.161.2	This is my IP address, which may also have been used.

This is the sample request sent.

172.16.161.2.1157	>	172.16.1.1.6060:	udp 112
0x0000	4500	008c	3f05	0000	4011	4138	ac10	a102	E...?...@.A8....
0x0010	ac10	0101	0485	17ac	0078	101b	2131	3132	.........x..!112
0x0020	0061	6d69	7368	0000	0000	0000	0000	0000	.amish..........
0x0030	0000	0000	0000	0000	0000	0000	0000	0031	...............1
0x0040	3030	3030	3935	3831	3630	3937	3132	3431	0000958160971241
0x0050	3237	0000	0000	0000	0000	0000	0000	0000	27..............
0x0060	0000	0000	0000	0000	0000	0000	0000	0000	................
0x0070	0000	0000	0000	0000	0000	0030	303a	3530	...........00:50
0x0080	3a42	413a	3844	3a34	323a	4634			:BA:8D:42:F4
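
An added example, not part of the original post and not the Cyberoam client's code: a parser that splits the request payload from the capture above into its NUL-padded fields, and the login token into a timestamp plus one 3-digit group per password character. The field names, the 10-digit timestamp width and the helper names are assumptions inferred from the sample; the payload bytes and rows are retyped from the post.

```python
# Added example: field layout and meanings are inferred from the capture in
# the post, not taken from any vendor documentation.

# The 112-byte UDP payload, retyped from the hex dump (IP/UDP headers removed).
PAYLOAD = (
    b"!112\x00"
    + b"amish".ljust(30, b"\x00")
    + b"1000095816097124127".ljust(60, b"\x00")
    + b"00:50:BA:8D:42:F4"
)

# Two of the "qwerty" rows from the tab-separated attachment.
ROWS = "1008393043\t014\t205\t213\t164\t121\t254\n1008393166\t251\t198\t207\t201\t151\t176\n"


def split_token(token, ts_digits=10):
    """Split '<timestamp><3 digits per password character>' (assumed 10-digit timestamp)."""
    body = token[ts_digits:]
    if not token.isdigit() or len(token) < ts_digits or len(body) % 3:
        raise ValueError("token is not a timestamp followed by 3-digit groups")
    return int(token[:ts_digits]), [int(body[i:i + 3]) for i in range(0, len(body), 3)]


def parse_request(payload):
    """Split the payload on NUL padding and name the four fields seen in the capture."""
    fields = [f.decode("ascii") for f in payload.split(b"\x00") if f]
    if len(fields) != 4:
        raise ValueError("expected tag, user name, token and key, got %d fields" % len(fields))
    tag, user, token, key = fields
    timestamp, codes = split_token(token)
    return {"tag": tag, "user": user, "timestamp": timestamp, "codes": codes, "key": key}


def parse_rows(text):
    """Parse attachment rows: timestamp, then one 3-digit code per character."""
    rows = []
    for line in text.splitlines():
        cells = line.split("\t")
        rows.append((int(cells[0]), [int(c) for c in cells[1:] if c]))
    return rows


if __name__ == "__main__":
    req = parse_request(PAYLOAD)
    print(req)
    # What is visible on the wire without knowing the algorithm:
    print("user name in clear:", req["user"], "| password length:", len(req["codes"]))
    print("every code fits in one byte:", all(c <= 255 for _, cs in parse_rows(ROWS) for c in cs))
```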

