From ct@rstpacket.ath.cx Fri Jun 22 08:44:16 2001
Date: Sat, 9 Jun 2001 13:57:03 +0200
From: christophe ternat <ct@rstpacket.ath.cx>
To: project@honeynet.org
Subject: Scan 16


1 - Identify the encryption algorithim used to encrypt the file.

	Each character is encrypted by the operation a = ~a; (bitwise complement).

2 - How did you determine the encryption method?

	First of all, I wrote a cat-like program to display the hexadecimal value
	of each character. Here it is:
	
	$> cat hexacat.c
	#include <fcntl.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>

	int	main(int c, char **v)
	{
	  int	fd;
	  char	ch;
	
	  if (c != 2)
	    {
	      fprintf(stderr, "usage: %s file.\n", *v);
	      exit (1);
	    }
	  fd = open(*(v + 1), O_RDONLY);
	  if (fd < 0)
	    {
	      perror(*(v + 1));
	      exit (1);
	    }
	  /* ch is a plain (signed) char: bytes >= 0x80 are sign-extended when
	     promoted to int for printf, which is why they show as 0xffffff.. */
	  while (read(fd, &ch, 1) > 0)
	    printf ("%#x ", ch);
	  printf ("\n");
	  close(fd);
	  return (0);
	}

	After that, running it on the file "somefile", we can see:

	$> ./hexacat ./somefile
	0xffffffa4 0xffffff99 0xffffff96 0xffffff93 0xffffff9a 0xffffffa2 
	0xfffffff5 0xffffff99 0xffffff96 0xffffff91 0xffffff9b 0xffffffc2 
	0xffffffd0 0xffffff9b 0xffffff9a 0xffffff89 0xffffffd0 0xffffff8f
	0xffffff8b 0xffffff8c 0xffffffd0 0xffffffcf 0xffffffce 0xffffffd0 
	0xffffff9d 0xffffff96 0xffffff91 0xffffffd0 0xffffff99 0xffffff96 
	0xffffff91 0xffffff9b 0xfffffff5 0xffffff9b 0xffffff8a 0xffffffc2 
	0xffffffd0 0xffffff9b 0xffffff9a 0xffffff89 0xffffffd0 0xffffff8f 
	0xffffff8b 0xffffff8c 0xffffffd0 0xffffffcf 0xffffffce 0xffffffd0 
	0xffffff9d 0xffffff96 0xffffff91 0xffffffd0 0xffffff9b 0xffffff8a 
	0xfffffff5 0xffffff93 0xffffff8c 0xffffffc2 0xffffffd0 0xffffff9b 
	0xffffff9a 0xffffff89 0xffffffd0 0xffffff8f 0xffffff8b 0xffffff8c 
	0xffffffd0 0xffffffcf 0xffffffce 0xffffffd0 0xffffff9d 0xffffff96 
	0xffffff91 0xffffffd0 0xffffff93 0xffffff8c 0xfffffff5 0xffffff99 
	0xffffff96 0xffffff93 0xffffff9a 0xffffffa0 0xffffff99 0xffffff96 
	[... cut here ...]

	As we can quickly see, many characters have values smaller than 0xFF
	and bigger than 0x80. So I tried to decode each character with its
	complement. Here it is:

	$> cat decode.c
	#include <fcntl.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>

	int	main(int c, char **v)
	{
	  int	fd;
	  char	ch;
	
	  if (c != 2)
	    {
	      fprintf(stderr, "usage: %s file.\n", *v);
	      exit (1);
	    }
	  fd = open(*(v + 1), O_RDONLY);
	  if (fd < 0)
	    {
	      perror(*(v + 1));
	      exit (1);
	    }
	  /* complement every byte: ~ch undoes the a = ~a "encryption" */
	  while (read(fd, &ch, 1) > 0)
	    printf ("%c", ~ch);
	  printf ("\n");
	  close(fd);
	  return (0);
	}

	And execute this program with the encrypted file.
	
	Here it is. I think that is the right decryption, so I think I found it.


3 - Decrypt the file, be sure to explain how you decrypted the file.

	$> ./decode ./somefile
	[file]
	find=/dev/pts/01/bin/find
	du=/dev/pts/01/bin/du
	ls=/dev/pts/01/bin/lsZ
	file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER

	[ps]
	ps=/dev/pts/01/bin/psr
	ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
	lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
	
	[netstat]
	netstat=/dev/pts/01/bin/netstat
	net_filters=47018,6668
	
	[login]
	su_loc=/dev/pts/01/bin/su
	ping=/dev/pts/01/bin/ping
	passwd=/dev/pts/01/bin/passwd
	shell=/bin/sh

	su_pass=l33th4x0r
	

4 - Once decrypted, explain the purpose/function of the file and why it
    was encrypted
	
	We can see a lot of information about a rootkit's configuration file.
	It defines some aliases and filters to apply to certain programs.
	We can also see a password which must give privileged access.
	This file must be encrypted to escape the administrator's attention.

5 - What lesson did you learn from this challenge?

	Be careful with unknown files.

6 - How long did this challenge take you?

	Maybe less than 1 hour.

Bonus Question:
This encryption method and file are part of a security toolkit.  
Can you identify this toolkit?

	SunOS Rootkit v2.5 (C) 1997-2001 Tragedy/Dor

--
Christophe Ternat
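
Added example (editor's code, not part of Christophe's submission or of the
rootkit): the complement a = ~a is the same thing as XOR with the key 0xFF, so
the "high bit is set on almost every byte" observation above generalises to
recovering any single-byte XOR key. The program below tries all 256 keys and
scores each candidate by how much of the result looks like text (letters,
digits, path separators and newlines rewarded, control bytes penalised). The
sample input is constructed here by complementing a few lines of the decrypted
config from the write-up; the scoring weights are the editor's own choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample plaintext: lines taken from the decrypted config above. */
static const char sample_plain[] =
    "[file]\n"
    "ls=/dev/pts/01/bin/ls\n"
    "file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER\n"
    "[login]\n"
    "su_pass=l33th4x0r\n";

/* Complement every byte (a = ~a), producing the "encrypted" form. */
size_t make_sample(uint8_t *out, size_t cap)
{
    size_t n = strlen(sample_plain);
    if (n > cap)
        n = cap;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)~(uint8_t)sample_plain[i];
    return n;
}

/* Heuristic text score for one decoded byte (editor's weights). */
static int byte_score(uint8_t c)
{
    if (c >= 'a' && c <= 'z') return 3;
    if (c >= 'A' && c <= 'Z') return 2;
    if (c >= '0' && c <= '9') return 2;
    if (c == ' ' || c == '\n' || c == '\t' || c == '/' || c == '=' ||
        c == ',' || c == '.' || c == '_' || c == ':' || c == '-')
        return 1;
    if (c >= 0x20 && c <= 0x7e) return 0;   /* other printable ASCII */
    return -10;                             /* control byte or >= 0x80 */
}

/* Total score of buf decoded with a given XOR key. */
long score_key(const uint8_t *buf, size_t len, uint8_t key)
{
    long total = 0;
    for (size_t i = 0; i < len; i++)
        total += byte_score(buf[i] ^ key);
    return total;
}

/* Try every single-byte key and return the one whose output looks most
   like text.  ~a corresponds to key 0xFF, so the challenge file is just
   one instance of this search. */
uint8_t guess_xor_key(const uint8_t *buf, size_t len)
{
    uint8_t best_key = 0;
    long best = score_key(buf, len, 0);
    for (int k = 1; k < 256; k++) {
        long s = score_key(buf, len, (uint8_t)k);
        if (s > best) {
            best = s;
            best_key = (uint8_t)k;
        }
    }
    return best_key;
}

/* Decode in place with the recovered key. */
void xor_buf(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

int main(void)
{
    uint8_t buf[256];
    size_t n = make_sample(buf, sizeof buf);
    uint8_t key = guess_xor_key(buf, n);

    printf("first encrypted byte: %#x, best key: %#x\n", buf[0], key);
    xor_buf(buf, n, key);
    fwrite(buf, 1, n, stdout);
    return 0;
}
```

The first complemented byte of the sample is 0xa4, the same value that opens
the hexacat dump above ('[' is 0x5b and ~0x5b is 0xa4), and the search settles
on key 0xff. If you point the same scorer at a file "encrypted" with any other
single-byte XOR key it recovers that key instead, which is the reason to
brute-force rather than assume the complement up front.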