ColdFusion Data Source Decryption

The Problem

Have you ever needed to decrypt the passwords stored in ColdFusion’s [ColdFusion Install Dir]\lib\neo-datasource.xml file? Whether you are migrating between servers or are just curious what that password is, it’s a pain as an admin to work around the extra layer of security.

Reverse Engineering the Passwords

From ColdFusion 8 (probably older) to ColdFusion 9, passwords were stored encrypted. However, it is well known that Adobe hard-coded the seed “0yJ!@1$r8p0L@r1$6yJ!@1rj”, encrypted the password with 3DES, and then stored the result with Base64 encoding. This meant that for years, if any neo-datasource.xml or neo-query.xml file was compromised, anyone could recover the passwords.

Starting with ColdFusion 10 and 11 (and likely moving forward) the passwords are now generated from a random seed found in the [ColdFusion Install Dir]\lib\seed.properties file. This makes it impossible for a leaked neo-datasource.xml file to be reverse engineered without having the seed. Furthermore, there are likely multiple algorithms as you will find the algorithm “AES/CBC/PKCS5Padding” in most of the seed.properties files as well.
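The exposure rules described above, as an added example (not part of the original post or of ColdFusion): given which files leaked, it decides whether the stored data source passwords need rotating. The sample files, the `seed`/`algorithm` property names and the WDDX `password` layout are assumptions constructed for illustration.

```python
import re

# Constructed sample inputs (not real data). The WDDX layout and the
# seed/algorithm property names are assumptions made for this example.
SAMPLE_XML = """<wddxPacket version='1.0'><data><struct>
<var name='crm'><struct><var name='password'><string>CONSTRUCTED_CIPHERTEXT_1==</string></var></struct></var>
<var name='hr'><struct><var name='password'><string>CONSTRUCTED_CIPHERTEXT_2==</string></var></struct></var>
<var name='tmp'><struct><var name='password'><string></string></var></struct></var>
</struct></data></wddxPacket>"""
SAMPLE_SEED = "#constructed sample\nseed=CONSTRUCTEDSEED0001\nalgorithm=AES/CBC/PKCS5Padding\n"

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def stored_passwords(datasource_xml):
    """Non-empty <string> values of vars named 'password'."""
    pattern = r"""<var name=['"]password['"]>\s*<string>([^<]+)</string>"""
    return re.findall(pattern, datasource_xml)

def triage(major_version, datasource_xml, seed_properties=None):
    """Decide whether passwords in a leaked neo-datasource.xml need rotating.

    seed_properties: text of seed.properties if it leaked as well, else None.
    """
    found = stored_passwords(datasource_xml)
    result = {"stored": len(found), "rotate": False, "reason": "no stored passwords"}
    if not found:
        return result
    if major_version <= 9:
        # Seed is hard-coded and public, so the XML alone reveals the passwords.
        result.update(rotate=True, reason="hard-coded seed (ColdFusion 9 or older)")
    elif seed_properties is None:
        # Random per-install seed was not part of the leak.
        result["reason"] = "seed.properties not exposed"
    elif parse_properties(seed_properties).get("seed"):
        props = parse_properties(seed_properties)
        result.update(rotate=True, reason="seed.properties leaked with the XML",
                      algorithm=props.get("algorithm"))
    else:
        result["reason"] = "leaked seed.properties has no seed entry"
    return result
```

On ColdFusion 10 or later, a backup or share that holds neo-datasource.xml and seed.properties together gives no more protection than the hard-coded seed did, so check where copies of both files end up.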

Further Reading

While the encryption is “better” in ColdFusion 10 and later versions, we must always remember that there are some things which cannot be protected. An example of that is the effort to encrypt DVDs: if the DVD player needs to decrypt the DVD to show it to you, the DVD player must hold the means to decrypt it. Similarly, if the ColdFusion data source passwords need to be decrypted to establish the connection to the database, the means to decrypt any stored password must also be present. This will not change; it will only be a matter of time/effort before it is reverse-engineered.

My Solution

Since encryption can be confusing (I won’t judge Adobe/ColdFusion’s popularity here) there seems to be no easy way for an admin to decrypt these passwords. This is where my ColdFusion Decryptor program comes in. Simply feed it a single password, or an entire neo-datasource.xml file, and it spits out the decrypted information for you. You’re Welcome =)

 

ColdFusion Decryptor

Download Link: https://api.waycool.tech/ColdFusionDecryptor.exe

To use the ColdFusion Decryptor, you first need to know which version of ColdFusion the passwords came from. If it’s 10 or higher, first fill in the ColdFusion 10+ Seed box. Once this is done, you can then either input a single encrypted string from the neo-datasource.xml file or select the whole damn neo-datasource.xml file, your choice =). After selecting a file, it will automatically be parsed. Please note that the only supported algorithm for ColdFusion 10 or newer is “AES/CBC/PKCS5Padding” (you can find your algorithm in the seed.properties file).

This should work to decrypt ColdFusion passwords from Windows or Linux servers.

It’s that simple. Have fun! As is no warranties. No Whining.

Crypto Exchange

Today, I am sharing a program I wrote with you – Crypto Exchange. The concept of this program is simple, auto-trade cryptocurrencies in order to make a profit.

How do I get it?

The C# executable can be downloaded from https://api.waycool.tech/CryptoExchange.exe. This is a stand-alone executable that can be run on any Windows computer running .NET 4.5 or higher.

How it works

The program works by communicating with poloniex’s (https://poloniex.com) API. This means that you will need to have an account with poloniex and have some currency to trade with. If you’re not sure how to do this, google.

Once you have the program downloaded and have your poloniex account set up, simply input your API key into the options within CryptoExchange.exe. From there you can middle-click (press down on the mouse wheel) in the “Your Coins” section to add a new coin, then double-click the newly added row to configure your settings. Once configured, you can click the Start / Stop button to start trading.

What are all of these options?

Since some of these options may be confusing, and you are handling currency it’s important to know what all options mean. While there is no right or wrong answer to the correct settings, you certainly want to try to optimize your potential profits. I will explain each of the options below.

Options (button):

Time (in seconds) between checks: Recommended value is between 45 and 60. This setting tells the application how often it should reach out to poloniex to check the current values. If you set a value that is too low, it’s possible that poloniex may block your API access. Personally, I configure 45 here.

API Key: This is YOUR personal API key. You will get this by navigating to poloniex, navigating to the wrench icon at the top of the page, and choosing API KEYS. From here you will need to create a new API key. I would personally advise taking advantage of the “IP Access Restriction” for increased account security.

API Secret: This is YOUR personal API Secret. Again, you will find this by navigating to poloniex, navigating to the wrench icon at the top of the page, and choosing API KEYS. From here simply click “Show” next to Secret.

Enable Donations: This option will allow you to automatically donate 5% of your total profits. These profits are calculated based ONLY on trades made by this program. By default there will NOT be any donations made unless you check this box. However, once you have reached $50.00 profit, it will become required. At 5% this is only $2.50 for each $50 you make. After donating the counter to the next $50.00 is reset and you will not donate again until that is reached.

Donations are sent via Bitcoin (BTC), Litecoin (LTC), or Ethereum (ETH) directly to my account. The program will calculate the lowest withdrawal rate among these three cryptocurrencies and try to use the lowest rate first. If you do not have enough of that currency, it will try the next. If you do not have enough of any of these cryptocurrencies, the program will continue to run until you have reached the hard limit of $100 profit, at which point it will stop.

Options

Coin Editor (double clicking a coin under “Your Coins”):

Coin: XXXX_To_YYYY, where XXXX is the Market you would like to trade on and YYYY is the currency to trade. For example USDT_To_Bitcoin – this would trade on the USDT market and buy/sell Bitcoin. In this example, you must have some USDT to fund the trades with.

Auto Buy %: Here you will want to enter a percentage that the currency must drop before buying. Using USDT_To_Bitcoin as an example, if BTC was 8000, and the Auto Buy % was set to “-3.0”, a buy order would be placed for BTC at 7,760 USDT. NOTE, you will want to use a NEGATIVE percentage here (buy low sell high). Using a percentage too large (-20%) will result in few/no buy orders, whereas a number too small (-0.5%) will result in very frequent buys. I would suggest sticking between -2 and -5%.

Auto Sell %: Here you will want to enter a percentage that the currency must increase before selling. Using USDT_To_Bitcoin as an example, if BTC was 8000, and the Auto Sell % was set to “3.0”, a sell order would be placed for BTC at 8,240 USDT. NOTE, you will want to use a POSITIVE percentage here (buy low sell high). Using a percentage too large (20%) will result in your order never/rarely selling with higher profits, whereas a number too small (0.5%) will result in very frequent sells with lower profits. Again, I would suggest sticking between 2 and 5%.

As a reminder when configuring Auto Buy/Sell%, keep in mind that the trading fee on poloniex is between .15 and .25%. That fee is BOTH for the buy AND the sell. Meaning that poloniex could take up to 0.5% for the total buy/sell transaction. Keeping the Auto Sell above this amount will ensure that you will not take a loss while auto trading.

Limit Buys (per hr): This setting limits the number of buys per hour to help prevent buying a crazy amount. I would advise configuring a reasonable number here depending on your other settings. What’s reasonable depends on your auto buy/sell percentages. Going back to our example, trading USDT_To_Bitcoin with Auto Buy at -3% and Auto Sell at 3%, if Limit Buys were set to 3, this would mean that if BTC drops over 9% within an hour you will only have bought 3 times. After the hour is up, the program will return to buying as normal. A value of -1 here sets Limit Buys to unlimited.

XXX to Trade: XXX will be replaced with the currency you are trading. This setting tells the program how much of that currency it should buy when there is an Auto Buy. For example, trading USDT_To_Bitcoin, you should see the words “BTC to Trade: ” here. If BTC was worth 8,000 USDT, and I wanted to buy $5USDT worth of BTC, I would put the value 0.000625 in the BTC to Trade box (5/8000 = 0.000625). Note that this is only accurate to 8 satoshi (decimal places). Obviously, since the value of BTC will change, I may be selling more or less than $5USDT at any given time. It is good to check back on these numbers from time to time.

Dynamic Buying: If this setting is enabled, it does two things.

  1.  If the program has not bought within two hours, and it’s closer to selling than buying, it cancels the current buy order (and will automatically place a new one next check). This is to help prevent long outstanding buy orders. Without this you may find that the program will sit waiting for a buy for an extended period of time if the market is up for that currency, and will continue to wait until that buy is manually cancelled or the market drops back down.
  2.  If there are multiple buys in a row (without a sell for that coin), your next Auto Buy % will be modified. For example, if your Auto Buy % is -3.0 and there has already been two buys (and no sells for this currency) the program will multiply -3.0 by 1.5 to get -4.5%. Then when the next buy order is submitted it will be 4.5% less than the current market price instead of just 3.0% less. Multipliers are as follows: 1 buy = 1.15, 2 buys = 1.5, 3 buys = 2,  4 buys = 3.5, 5 buys = 5.5, 6 buys = 8, 7 or more buys = 10.

Dynamic Selling: If this setting is enabled, it works similar to Dynamic Buying – If there are multiple sells in a row (without a buy for that coin), your next Auto Sell % will be modified. For example, if your Auto Sell % is 3.0 and there has already been two sells (and no buys for this currency) the program will multiply 3.0 by 1.5 to get 4.5%. Then the next sell order value is modified and will be 4.5% more than the current market price instead of just 3.0% more. Multipliers are as follows (same as above): 1 sell = 1.15, 2 sells = 1.5, 3 sells = 2,  4 sells = 3.5, 5 sells = 5.5, 6 sells = 8, 7 or more sells = 10.

Enable Logging: Tells the program to kick out logs to the same directory as the program is running from. Useful to figure out what the hell just happened.

Explain Values (Button): Clicking this button simply takes the settings you just entered above and tries to explain what the program will do with them (in English).
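The Auto Buy/Sell %, XXX to Trade and Dynamic Buying/Selling arithmetic described above, as an added example (not code from Crypto Exchange itself). It assumes the unadjusted percentage applies when there are no consecutive fills and that the market falls exactly to each fill price; the function names are hypothetical.

```python
from decimal import Decimal

# Multipliers quoted in the article, keyed by consecutive same-side fills.
# Assumption: with no consecutive fills the configured percentage is used as-is.
MULTIPLIERS = {0: "1", 1: "1.15", 2: "1.5", 3: "2", 4: "3.5", 5: "5.5", 6: "8"}
MAX_MULTIPLIER = "10"               # 7 or more fills in a row
WORST_CASE_FEES = Decimal("0.5")    # % taken for buy + sell combined

def effective_pct(base_pct, consecutive_fills):
    """Auto Buy/Sell % after the Dynamic Buying/Selling multiplier."""
    return base_pct * Decimal(MULTIPLIERS.get(consecutive_fills, MAX_MULTIPLIER))

def order_price(market_price, pct):
    """Limit price pct percent away from the market price (negative = below)."""
    return market_price * (Decimal(1) + pct / Decimal(100))

def coin_amount(spend, price):
    """Value for 'XXX to Trade', rounded to 8 decimal places."""
    return (spend / price).quantize(Decimal("0.00000001"))

def buy_ladder(start_price, base_pct, fills):
    """Successive buy prices, assuming the market falls exactly to each fill."""
    prices, market = [], start_price
    for n in range(fills):
        market = order_price(market, effective_pct(base_pct, n))
        prices.append(market.quantize(Decimal("0.01")))
    return prices

def margin_after_fees(sell_pct):
    """Percentage left once worst-case fees are subtracted; <= 0 means a loss."""
    return sell_pct - WORST_CASE_FEES

if __name__ == "__main__":
    print(buy_ladder(Decimal("8000"), Decimal("-3.0"), 3))
```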

Coin Editor

UI While Running:

The “Current Values” section is auto populated with currencies you are trading. This section lists common values such as the current value in USD/BTC, and the 24 hour highs and lows. This simply shows the same info you can see on the poloniex web site.

The “Your Coins” section shows a new line for each coin you are trading. Each column is as follows:
Coin:  The friendly name of the currency that you are trading.
Amount: This value is the amount of that currency that you currently own.
Conversion Rate: The amount from above, multiplied by its current USD price.
Change: This is a simple indicator to let the user know if the program is closer to a buy or a sell. Example: If the next buy were @ 1000, the next sell were at 1200, and the current price is 1199, you could expect to see Sell: 99%. If there is no sell order, it will always show a “Buy” here.
Last Activity: Simple friendly status indicator for the currency. Note that this may not change upon starting the program unless there was a change made.
Next Buy: The next USD price that the currency will be bought at.
Next Sell: The next USD price that the currency will be sold at.

The “Your Orders” button shows pending buy and sell orders. It also estimates your profit for the trade based on what the buy/sell price is and calculating 0.5% less (to account for the highest poloniex fees possible). If your profit amount is very small here, try increasing the amount of currency per trade (XXX to Trade), or increasing your Auto Sell %.

Refresh (button):  You can click this to forcefully fetch updated information such as current values, and your total USD amounts.

Main UI

Summing things up

If you have made it this far, you must be intrigued. Give it a shot! While I can’t make any guarantees on your success, I can say that I’ve been running Crypto Exchange for several months, with success. So far I’ve doubled my returns on investment while diversifying my cryptocurrency portfolio. I’ve occasionally been tracking my total USD value, if you are interested, check it out below.

Earnings

Plesk Password Encryption on Windows

Plesk Encryption

Plesk, love it or hate it, it’s the most popular control panel used on Windows servers. I’ve had the unfortunate experience of working with the panel since Plesk 8. Fortunately, it has been improved over the years and I’ve grown to like it. Over the course of its life, Plesk (v10 to be exact) finally made the choice to not store passwords in clear text. This was one of the best choices they could have made for the sake of security. However, this has made it difficult for IT admins to quickly replicate an end user problem. So today I discuss how to bring that symmetrically encrypted password back to clear text!

If I haven’t lost you yet, here is the one-liner to get the password in the clear on a Windows OS:

"%plesk_dir%\admin\bin\php.exe" -r "echo plesk_symmetric_decrypt('ENCRYPTED_STRING_HERE');"

What does this do?

The Windows command line above uses the Plesk environment variable along with the path to Plesk’s PHP to run (-r means without script tags) an echo command through PHP using Plesk’s own function (plesk_symmetric_decrypt) to get the password. In short, all you need to do is replace the text ‘ENCRYPTED_STRING_HERE’ with the password from Plesk’s database and the clear text will be sent to the command line output. WayCool, huh?

Additional Information

There are a few things to note regarding this:

  1. The command must be executed from the same server which the encrypted string was found on.
  2. Only passwords with the type ‘sym’ (Symmetric-key) can be decrypted using this function.
  3. Passwords with the type ‘crypt’ cannot be reverse-engineered (as far as I’m aware). These passwords use PHP’s Crypt method explained here and will likely start with ‘$5$’ in Plesk’s database.

If you are unsure where in Plesk’s database the passwords are stored, try using HeidiSQL (or Plesk’s dbclient.exe command) and browsing the sys_users and databaseservers tables, which link back to the accounts table by account_id.

 

If you have any thoughts on this, be WayCool and drop a comment below!

 

–Devin