Saturday, April 24, 2010

Packet Tracer analysis

Hi,
/My life on
I have a friend who teaches network courses at our school. During those courses his students have to do labs (configuring routers and switches, following the CCNA curriculum) using the rack we have or Packet Tracer (a tool from Cisco to simulate a Cisco network and train yourself at configuring the devices). I used Packet Tracer some years ago, and the new version has quite a few new functions. One of the new functions (I don't remember it from when I used Packet Tracer, maybe it already existed before ^^) is the activity wizard. You can create your graded lab (a *.pka file), give it to your students, get it back after a pre-defined time, and Packet Tracer will give you the student's grade according to the configurations he made on the lab's network. Nice, isn't it?
/My life off

Well, I'm gonna show you how to read those *.pka files, which contain the lab, because if you can read one you have all the answers =) and the corresponding grade ^^ =D
I'm using version 5.2.0.0068, so the described method might change in future versions.

If you try to open a *.pka file, you won't be able to read anything in the clear. Let's look at how Packet Tracer handles those files and see if we can get them in the clear without knowing the activity wizard password.

(I'm using OllyDbg for the reversing/debugging that follows.)
Launch PT (Packet Tracer) and attach Olly to it. I've spent quite a lot of time reversing PT, but we will go straight to the point ^^. After putting some breakpoints on the library's file management functions (if we look at PT's directory we can see that it uses the Qt4 DLLs; see http://doc.trolltech.com/4.1/qfile.html for file management under Qt4), our pka file is opened here (when we open it through "open - recent files"):

CPU Disasm
Address Hex dump Command
0040E3B2 FF15 F4FB8D01 CALL DWORD PTR DS:[<&QtCore4.?open@QFile@@UAE_NV?$QFlags@W4OpenModeFlag@QIODevice@@@@@Z>]

A few bytes further on, our pka file is read and closed by the readAll and close functions (inherited from QIODevice).

CPU Disasm
Address Hex dump Command
0040E3CA FF15 C4FB8D01 CALL DWORD PTR DS:[<&QtCore4.?readAll@QIODevice@@QAE?AVQByteArray@@XZ>]
0040E3D0 C645 FC 03 MOV BYTE PTR SS:[LOCAL.1],3
0040E3D4 8D4D EC LEA ECX,[LOCAL.5]
0040E3D7 FF15 0CFC8D01 CALL DWORD PTR DS:[<&QtCore4.?close@QFile@@UAEXXZ>]

The readAll function returns a QByteArray with the content of our file.
A pointer to this QByteArray is pushed at 0x0040E3E4 as an argument to the function at 0x0040E570.

CPU Disasm
Address Hex dump Command
0040E3E4 50 PUSH EAX
0040E3E5 8B4D A8 MOV ECX,DWORD PTR SS:[LOCAL.22]
0040E3E8 8B11 MOV EDX,DWORD PTR DS:[ECX]
0040E3EA 8B4D A8 MOV ECX,DWORD PTR SS:[LOCAL.22]
0040E3ED 8B82 4C010000 MOV EAX,DWORD PTR DS:[EDX+14C]
0040E3F3 FFD0 CALL EAX

This function (at 0x0040E570) decodes the file in memory so the program can read it. Let's see how it does that.

In this function there is a loop from 0x0040E635 to 0x0040E684.
First, the loop gets the size of the QByteArray in memory:

0040E641 FF15 A4FB8D01 CALL DWORD PTR DS:[<&QtCore4.?size@QByteArray@@QBEHXZ>]

(The loop iterates size times, once for each character of the QByteArray.)
Second, on each iteration the program gets the character at the beginning of the QByteArray plus the loop offset.

0040E64F 51 PUSH ECX
0040E653 FF15 ACFB8D01 CALL DWORD PTR DS:[<&QtCore4.?at@QByteArray@@QBE?BDH@Z>]

Third, the program XORs the extracted character with the QByteArray size minus the position of the current character.

0040E65F FF15 A4FB8D01 CALL DWORD PTR DS:[<&QtCore4.?size@QByteArray@@QBEHXZ>]
0040E665 2B45 E4 SUB EAX,DWORD PTR SS:[LOCAL.7]
0040E668 33F0 XOR ESI,EAX

And finally the result is written to a new QByteArray.

0040E67E FF15 B4FB8D01 CALL DWORD PTR DS:[<&QtCore4.??4QByteRef@@QAEAAV0@D@Z>]

This new QByteArray is then uncompressed by the function called at 0x0040E696, which uses qUncompress.

00427773 FF15 A0FB8D01 CALL DWORD PTR DS:[<&QtCore4.?qUncompress@@YA?AVQByteArray@@PBEH@Z>]

And the new QByteArray returned is the clear XML file of the activity ; ) and you can see all the answers ^^ You can also see the hashed password protecting the lab in the tag
<activity pass="" timertype="" enabled="" countdownms="">
; it's an MD5 without salt.

Qt comes with its own IDE for Qt development, so I coded a little program to get the XML file out of a protected .pka file (their IDE is really nice and easy to use ^^).

Hope someone will find this helpful.


#include <QtCore/QCoreApplication>
#include <QtCore/QFile>
#include <QtCore/QByteArray>
#include <QtCore/QString>
#include <iostream>

using namespace std;

int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);

    QFile fileToDecipher;
    QFile decipheredFile;
    qint64 cipheredFileSize;
    unsigned char stock;
    string fileName;
    QByteArray inputFile, outputFile;

    cout << "Please type the filename to decipher : ";
    cin >> fileName;
    cout << endl;

    fileToDecipher.setFileName(QString::fromStdString(fileName));
    // the output is written next to the program, same name prefixed with "deciphered_"
    decipheredFile.setFileName(QString::fromStdString(fileName).prepend("deciphered_"));

    if (!fileToDecipher.open(QIODevice::ReadOnly))
    {
        cout << "ERROR : Can't open the specified file." << endl << "Program aborted.";
        cin.ignore();
        cin.ignore();
        return -1;
    }
    // WriteOnly | Truncate: an older output file with the same name is overwritten completely
    if (!decipheredFile.open(QIODevice::WriteOnly | QIODevice::Truncate))
    {
        cout << "ERROR : Can't create the deciphered file." << endl << "Program aborted.";
        cin.ignore();
        cin.ignore();
        return -1;
    }

    cipheredFileSize = fileToDecipher.size();
    cout << "Size of the Packet Tracer file : " << cipheredFileSize << endl;
    cout << "Deciphering the file ..." << endl;

    inputFile = fileToDecipher.readAll();
    outputFile.resize(inputFile.size()); // allocate once instead of growing the array byte by byte

    // undo the XOR layer: byte i was XORed with (file size - i), truncated to one byte
    for (int i = 0; i < inputFile.size(); i++)
    {
        stock = (unsigned char)(cipheredFileSize - i) ^ (unsigned char)inputFile[i];
        outputFile[i] = (char)stock;
    }

    // the XORed data is a qCompress blob; qUncompress returns an empty array on failure
    outputFile = qUncompress(outputFile);
    if (outputFile.isEmpty())
    {
        cout << "ERROR : qUncompress failed, is this really a 5.2 *.pka file?" << endl;
        return -1;
    }
    decipheredFile.write(outputFile);

    decipheredFile.close();
    fileToDecipher.close();

    cout << "Done.";
    cin.ignore();
    cin.ignore();
    return 0;
}
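As an added example (not the article's program, and not Cisco's code), here is the same transformation in Python without Qt, so the scheme can be checked on a constructed sample: it assumes the Qt4 qCompress byte layout (4-byte big-endian uncompressed length followed by a zlib stream) and also includes the inverse direction, which shows that the XOR layer is keyless obfuscation rather than encryption. Function names and the sample XML are my own.

```python
import struct
import sys
import zlib

# Constructed sample of the inner XML (placeholder content, not a real Packet Tracer export).
SAMPLE_XML = (b'<?xml version="1.0"?>\n'
              b'<activity pass="" timertype="" enabled="" countdownms="">\n'
              b'  <note>constructed sample</note>\n'
              b'</activity>\n')


def xor_layer(buf: bytes) -> bytes:
    """The loop from the article: byte i is XORed with (size - i), truncated to
    one byte. The key stream depends only on the length, so applying the
    function twice restores the input; no secret is involved."""
    n = len(buf)
    return bytes(b ^ ((n - i) & 0xFF) for i, b in enumerate(buf))


def q_compress(raw: bytes) -> bytes:
    """Byte layout of Qt4 qCompress(): 4-byte big-endian length of the
    uncompressed data, followed by a zlib stream (assumption, see lead-in)."""
    return struct.pack(">I", len(raw)) + zlib.compress(raw)


def q_uncompress(blob: bytes) -> bytes:
    """Inverse of q_compress, with a length check against the header."""
    if len(blob) < 4:
        raise ValueError("too short for a qCompress header")
    expected = struct.unpack(">I", blob[:4])[0]
    raw = zlib.decompress(blob[4:])
    if len(raw) != expected:
        raise ValueError(f"length header says {expected}, stream gave {len(raw)}")
    return raw


def pka_decode(pka: bytes) -> bytes:
    """XOR layer off, then qUncompress: what the function at 0x0040E570 does."""
    return q_uncompress(xor_layer(pka))


def pka_encode(xml: bytes) -> bytes:
    """Reverse direction: qCompress, then XOR with the compressed size."""
    return xor_layer(q_compress(xml))


def looks_like_pka(buf: bytes) -> bool:
    """Format check: data is a 5.2-style .pka only if the whole pipeline
    decodes cleanly; random or foreign data fails the zlib or length check."""
    try:
        pka_decode(buf)
        return True
    except (ValueError, zlib.error):
        return False


if __name__ == "__main__":
    if len(sys.argv) == 2:  # decode a file named on the command line to stdout
        with open(sys.argv[1], "rb") as f:
            sys.stdout.buffer.write(pka_decode(f.read()))
    else:                   # no file given: round-trip the constructed sample
        assert pka_decode(pka_encode(SAMPLE_XML)) == SAMPLE_XML
        print("round trip OK")
```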


PS: if you just wanna bypass the activity wizard protection just nop the check at 0x00410B7A ;-)

57 comments:

Anonymous said…

Hi, how can I find out what a password is for the packet tracer activity wizard?

biji said…

Hi, the password is hashed and stored in the <activity pass="" timertype="" enabled="" countdownms=""> tag (it wasn't printed because of the markers, I didn't see it before, now it's corrected ;). It's an MD5 hash without salt so you have to crack it; you can do it by using a rainbow table, just google "rainbow table" and you will see that the topic is pretty well covered :p. Good luck!

Anonymous said…

Sorry, but where would I find those variables? I'm new to this. Where would I go, in OllyDbg, to find the activity pass="" line?

biji said…

It's not in OllyDbg; the *.pka file is "encrypted" as described in the article. Once you decrypt it (with the source program I gave at the end of the article), you will have an XML file; if you open that XML file you will find an activity pass="" line and the hashed password is inside it :)

Anonymous said…

Is the source code a C++ console application? I copied and pasted it and I got errors.

Anonymous said…

Oh, it's supposed to be for the Qt IDE. Whoops, I didn't see that. I'm downloading the Qt IDE right now.

Anonymous said…

Okay, I've downloaded QT Creator and I went to New Project, Qt C++ Project, Qt Console Application. I pasted your code in and I got errors.

Sorry for being a noob, I'm new to this.

Anonymous said…

Yay! I got it to work! In your post, the include headers are missing. I think this is an issue due to Blogger.

Anyways, the headers for the program are:

qbytearray.h, qfile.h, QtCore, and iostream

:)

Anonymous said…

Okay, I got the program to decipher the pka, but it did not generate an XML file. Instead, it re-made the PKA file.

biji said…

Yep, there was a Blogger issue with the < and > (again) for the includes, thx for pointing it out :)
Maybe you have a *.pka file that is a newer version than the one I had when I wrote the article ... so the "cipher" might be different, but if you have the same version it should work.
If you can't get the XML send me the *.pka file by e-mail and I will see why it doesn't work.

Anonymous said…

I figured it out, it was because I had changed a setting in Windows which made it so files would have names with extensions, like "packet tracer lab.pka"

So, all I had to do after your program decoded the packet tracer was rename it from .pka to .xml and it worked.

I found a site online which had the hash key in its directory so it didn't actually have to crack it, but I couldn't find any working rainbow table crackers.

I downloaded ophcrack and I used the XP Fast table, but it didn't work. The md5 password did not have any special characters; only alphabetical characters.

biji said…

I'm glad I could help you :)
Just out of curiosity, why do you want to decrypt a .pka file? Was it a school lab, or something like that?

Anonymous said…

Yes, it was a school lab, but also because I found it interesting. I wanted to know how to crack something. Everything that's new is a challenge so I decided to challenge myself to learn the cracking concept.

Thanks for your help :)

Are you going to keep making new hacking or cracking posts? :)

biji said…

Are you at SUPINFO (the school name)? When I have time and I find something interesting I post it, but my studies and internship take time.

Anonymous said…

No, I have not heard of a school named SUPINFO. You're a good cracker :)

agippsy said…

Hi all,

I would like to thank you, Benjamin, for your sharing.

At first it did not work for me, then I changed the code that you gave
#-------------------------------------#
// hard-coded output path; the backslash must be escaped in a C++ string literal
decipheredFile.setFileName(QString("c:\\ppkkaa.pka"));
//decipheredFile.setFileName(QString(QString::fromStdString(fileName)).prepend("deciphered_"));

#-------------------------------------#
, and the .pka was decrypted.
I wanted to mention that the password is clear (not encrypted)
and the .pka file is created in the build directory.

I have a small question: I cannot execute Packet Tracer in OllyDbg!? Any suggestion?

biji said…

Hi agippsy!
Your code works too, it just changes the filename and the folder where it's saved :)
About the clear password, it may be an option during the lab creation, maybe you can choose to encrypt the password (I'm not sure about that).
To run Packet Tracer in Olly you just need to hit F9 (or the run button); if you are not familiar with Olly you can find a lot of good tutorials on google :)

good luck with your blog ;)

agippsy said…

Hi Benjamin
I made a screen capture of OllyDbg with Packet Tracer
http://www.youtube.com/watch?v=FsM4j-lOTpk

tell me where the problem is !!?
thanks

biji said…

If you look at the bottom left corner of OllyDbg it tells you "Exception E06D7363 - Exception is not continuable"; you need to configure Olly to ignore the exception and pass it to Packet Tracer. To do so, go to the "Options" menu, "Exceptions" section, check the "Ignore also the following custom exceptions or ranges" box, click on "Add current exception" and restart the debugging of Packet Tracer. :)

agippsy said…

Nice WORK
thank you very much ;)

Fredrik Erlandsson said…

Is it possible to convert the generated xml-file back to a pka file?

That would be very nice since then I could generate tests with just minor changes (perhaps one unique test per student)..

biji said…

Hi Fredrik,
Yes, I guess you could do something like this; you just need to do the reverse operation. It would be something like:
- read your XML into a QByteArray
- apply the qCompress function to it
- retrieve its size
- XOR each character of the QByteArray with the retrieved size minus its position (the reverse operation of the ciphering part)
- and finally write it back to a file (which will be your pka file)

That would be a good way to avoid cheating and the exchange of solved pka files during the test :)

Anonymous said…

Hey Ben, I'm having some troubles cracking here.

Would it be possible for you to help me crack the password for this file please.

Thanks!

http://bit.ly/eu9hLo

biji said…

Hi, I'm sorry but it's a crack request :/ ... (you have everything you need in the article to do it by yourself, just try ;)

Anonymous said…

Yep, I did try to. In fact, all I was getting was a compilation error for the program you wrote (I did it in Qt Creator). Perhaps you could pass me a compiled version of that file? Would appreciate any help.

Thanks :)

Anonymous said…

Hi, great job!
But with PT 5.3 your source program can't help; what changes must I make to get it to work with a file from the new version?

Thanks.

biji said…

Hi, I haven't used Packet Tracer for a while, so I don't know how they changed it (if they did). If I have some time tomorrow I'll check it. Also please send me your file so I have something to work on.
thx.

Anonymous said…

the file is here http://www.mediafire.com/?12l1gp07jhf7rna

biji said…

Hi, you can perfectly decode your pka file with the provided program :) the activity password isn't even encrypted inside ... what problems do you have when decoding the pka file?

update: in version 5.3, to bypass the activity wizard password the instruction to nop is at 00411337

Anonymous said…

it shows me: "Can't create the decphered file."

Can you see the pass of my pka file?

Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…

Hey, thanks for the article !

Still, I leeched the code, pasted it in Qt Creator, no problems until the execution.

When I select my pka, the output in the console is "Can't create the decyphered file". Any idea?

Oh, and I can't manage to find out where to build an executable of the program usable outside of the Qt Creator GUI. I would appreciate a protip for that, so I could use the decyphering .exe without Qt.

Thanks again !

biji said…

Hi,
yes, the password is unencrypted inside the XML.

To use the program outside Qt Creator just go to the project folder; you should find a build directory and there you have your exe (I can't tell you where it is exactly, I don't have Qt Creator installed anymore). To make the exe work outside this folder you need to have the Qt DLLs in the same folder, or your OS must know where to find them.

For the error message, I don't know, there can be various reasons; the program must be able to create the deciphered file in the folder it is in, so if you run it from c: it might not work (same thing if you run it outside your home folder on Linux).

PT_user! for the password ...

PartyPooper said…

Hey,

Fixed "Can't create the decyphered file".

First I built the release .exe with QT creator thanks to your code.
Copied all the .dll files from \mingw\bin to the folder containing my release exe.
Copied the .pka in the .exe folder, and used the executable with admin elevation.
When asked for the name in console, just type "myfile.pka", without path or directory.
After the process, modify the *.pka of the decyphered file to *.xml.

Worked like a charm.

But, I'm facing a problem. For some pkas, password in the xml is still encrypted under md5 hash.
Those pka were done with an unknown version of PT.

I could get decyphered pass with other files, but i'm stuck with those 2.

I've uploaded them here if you'd give a try. http://www.mediafire.com/?70lzocwy4292epz

Thanks again for sharing your code.

biji said…

Hi, you can still try to crack the md5; for instance this website http://www.authsecu.com/decrypter-dechiffrer-cracker-hash-md5/script-hash-md5.php (it's in French) seems to crack the second pka md5 password (azertyuiop, I didn't verify it but I guess it's valid). Just google "crack md5" or stuff like that and you will find some good cracking databases ^^

PartyPooper said…

Yep, one of them was azertyuiop.
Easiest to crack.

My cluster is still running the bruteforce on the second one.
10 char at the moment :/

Anonymous said…

Please, I need the password of 3 PKA files, can you send me your email so I can send you the PKA files??
please, write me to rilltt@uci.cu

biji said…

Hi, I'm sorry but u have all you need to do it by yourself :-/

Anonymous said…

If you open the plaintext markup with PT, it will automatically encrypt the file for you. That being said you can replace the password string with your own password (plaintext works) and run the file and open the activity wizard using the password you entered before.

biji said…

Hi, I didn't get everything you said (I'm not a native English speaker :/ )
Ok, I think I got it :D, so you can basically replace the MD5 sum password with your own plain text password in the xml file, and PT will hash it and write it back to the xml?

Anonymous said…

It can't open the .pka file.

Anonymous said…

it states "Can't open specified file."

biji said…

You need to put the file in the same folder as the program, and enter its name.

Anonymous said…

update: in version 5.3, to bypass the activity wizard password the instruction to nop is at 00411337

what does this mean?
T.T

biji said…

Yop! You need to replace the instruction located at this offset with nops, that's a cracking technique.
http://www.hackcommunity.com/Thread-Cracking-with-OllyDBG-NOP-Patching
this is one of the first links on google about "nop patching nop cracking". Dunno if it's relevant, didn't check it :/
hope it helps ;)

Anonymous said…

or the compiled application please
gacyde@gmail.com

really confused, I'm not a programming student. I'm just a CCNA student

biji said…

I'm on Linux right now so I can't give you a Windows binary, plus you have everything you need in the article to do it yourself ^^

Anonymous said…

can you explain the way to change your old source code to work on the new version

thanx

biji said…

Unless they changed the way pka files are encrypted, the source code should work on your pka files.
The program doesn't modify the Packet Tracer binary, it just decrypts your pka file so it becomes a clear XML file.

Anonymous said…

If you want to decrypt md5 hash use this site: http://www.md5decrypter.co.uk/

Anonymous said…

You don't have to decrypt the password in order to get access to the "Activity Wizard", just delete the MD5 password in the deciphered xml file, save it, then change the extension into .pka and here you go !
Worked fine for me !

biji said…

Yep, that's true, if the password tag isn't present it won't ask for any password :) I forgot to mention this solution.

Anonymous said…

Hello,
Thanks for the useful information, I'm trying to bypass Packet Tracer 5.3.3.0019.

Can you help me out with the instruction address or tell me how can I find the right one by myself?

00411337 cannot be found in this version.

Regards

biji said…

Well, I'm not using Packet Tracer anymore, and I don't have this version on my computer either. But if you have a link to download it ...

Anonymous said…

Packet Tracer 5.3.3:
http://www.multiupload.nl/XN10UAZYTC

I found this video on youtube that shows step by step how to patch it with ollydbg.
http://www.youtube.com/watch?v=50FQTibfxvk

I compiled your Qt code for deciphering the pka files, but it doesn't seem to work; it throws an error, "not compatible with this version of Packet Tracer", when I try to open the pka.

Maybe you can check it, with the new packet tracer 5.3.3

Regards

Anonymous said…

What about Packet Tracer 6?
Your method suppresses the error message, but doesn't allow getting into the wizard...

biji said…

I'm not using Packet Tracer anymore, so I can't help you. Maybe someday I'll reuse it ...