From ct@rstpacket.ath.cx Fri Jun 22 08:44:16 2001
Date: Sat, 9 Jun 2001 13:57:03 +0200
From: christophe ternat <ct@rstpacket.ath.cx>
To: project@honeynet.org
Subject: Scan 16
1 - Identify the encryption algorithim used to encrypt the file.
Each caracter is encrypted by the function a = ~a;
2 - How did you determine the encryption method?
First of all, I recode a cat program to display heaxadecimal value
of each caracter. This is:
$> cat hexacat.c
#include <fcntl.h>
#include <stdio.h>
int main(int c, char **v)
{
int fd;
char ch;
if (c != 2)
{
fprintf(stderr, "usage: %s file.\n", **v);
exit (1);
}
fd = open(*(v + 1), O_RDONLY, 0600);
while (read(fd, &ch, 1) > 0)
printf ("%#x ", ch);
printf ("\n");
close(fd);
return (0);
}
After it, execute the with the "somefile" we can see:
$> ./hexacat ./somfile
0xffffffa4 0xffffff99 0xffffff96 0xffffff93 0xffffff9a 0xffffffa2
0xfffffff5 0xffffff99 0xffffff96 0xffffff91 0xffffff9b 0xffffffc2
0xffffffd0 0xffffff9b 0xffffff9a 0xffffff89 0xffffffd0 0xffffff8f
0xffffff8b 0xffffff8c 0xffffffd0 0xffffffcf 0xffffffce 0xffffffd0
0xffffff9d 0xffffff96 0xffffff91 0xffffffd0 0xffffff99 0xffffff96
0xffffff91 0xffffff9b 0xfffffff5 0xffffff9b 0xffffff8a 0xffffffc2
0xffffffd0 0xffffff9b 0xffffff9a 0xffffff89 0xffffffd0 0xffffff8f
0xffffff8b 0xffffff8c 0xffffffd0 0xffffffcf 0xffffffce 0xffffffd0
0xffffff9d 0xffffff96 0xffffff91 0xffffffd0 0xffffff9b 0xffffff8a
0xfffffff5 0xffffff93 0xffffff8c 0xffffffc2 0xffffffd0 0xffffff9b
0xffffff9a 0xffffff89 0xffffffd0 0xffffff8f 0xffffff8b 0xffffff8c
0xffffffd0 0xffffffcf 0xffffffce 0xffffffd0 0xffffff9d 0xffffff96
0xffffff91 0xffffffd0 0xffffff93 0xffffff8c 0xfffffff5 0xffffff99
0xffffff96 0xffffff93 0xffffff9a 0xffffffa0 0xffffff99 0xffffff96
[... cut here ...]
As we can see brievly, many caracters are their value which is smaller
then 0xFF and bigger then 0x80. Also I try to decode all caracter with
his complement. This is:
$> cat decode.c
#include <fcntl.h>
#include <stdio.h>
int main(int c, char **v)
{
int fd;
char ch;
if (c != 2)
{
fprintf(stderr, "usage: %s file.\n", **v);
exit (1);
}
fd = open(*(v + 1), O_RDONLY, 0600);
while (read(fd, &ch, 1) > 0)
printf ("%c", ~ch);
printf ("\n");
close(fd);
return (0);
}
And execute this program with the crypted file.
Here it is. I think that's the good decryption. So I think found it.
3 - Decrypt the file, be sure to explain how you decrypted the file.
$> ./decode ./somefile
[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/lsZ
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/ pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r
4 - Once decrypted, explain the purpose/function of the file and why it
was encrypted
We can see many informations about a rootkit file configuration.
It define some aliases and filter to apply to certain program.
We also can see one password which must give a priviliged access.
This file must be crypted to bypass the administrator attention.
5 - What lesson did you learn from this challenge?
Be carefull with the unknown file.
6 - How long did this challenge take you?
Maybe less than 1 hour.
Bonus Question:
This encryption method and file are part of a security toolkit.
Can you identify this toolkit?
SunOS Rootkit v2.5 (C) 1997-2001 Tragedy/Dor
--
Christophe Ternat