Saturday, September 20, 2014

#MeetingMaker User Password Recovery

Meeting Maker 7x / 8x User Password Recovery

First get comfortable with reading binary data.

Second, open up a Meeting Maker Server Export in said binary file viewer.

Third, figure out how to turn all this gobbledygook into something semi-useful (as we have done below), but barring that, search for your USER NAME or USER LOGIN, in the example below we use “Adam Ant” with User Login “adam”

Adam’s password is encrypted in the line beginning with “OVNI 0103” (which will ALWAYS immediately follow his USER LOGIN)

The first digit “1” tells me the password is 1-byte long.  In this example I know his password is “b” but it is encrypted in the export file as “c”

You should start to suspect a pattern.

If the clear password is “aa” (61 61h) the hex string is “63 8C”

The pattern holds.  The first encrypted character = character + LENGTH of password

Now we proceed to the next digits in turn and build a table (a, aa, aaa, aaaa, b, bb, bbb...) you get the idea) which we will leave as an exercise for the reader. 

Going down the column is less clear than going across the rows.  Going from “a” to “b” everything augments by one (and this has held across a range of experimentation), meaning we can in a pinch use each “a” length cipher as a base to figure out anything of that length.

So the algorithm:
1.       Find a user
2.       Read the password length
3.       Subtract length from the first digit to get the hex of the first character
4.       Use the “a” column in your table as an offset for all the other letters in the password sequence. 
5.       Do not ask for any more information you script kiddies in India – this is more than adequate.
So the 7 digit string “7B 96 BA E9 04 38 26” deciphers as “theman5”
7 letter “50 A4 B6 EA 04 FD 24” deciphers as “Ivana33”
5 letter “70 8F D0 E1 14” is “kayak”
Go wild.

No comments: