Password Cracking Decrypted 2
09 AC [35] 59 22 2F E6 53 33 C6 0C B4 19 DB
3=
00000011
00000111
--------XOR
00000100 = 4 (yes, it is a coincidence. Don't expect 4 to come out always)
5=
00000101
00000110
--------XOR
00000011 = 3
35 = 43 = C
Password until now: ABC
~
09 AC 35 [59] 22 2F E6 53 33 C6 0C B4 19 DB
5=
00000101
00000001
--------XOR
00000100 = 4 (*sighs*)
9=
00001001
00001101
--------XOR
00000100 = 4
59 = 44 = D
Password until now: ABCD
~
09 AC 35 59 [22] 2F E6 53 33 C6 0C B4 19 DB
2=
00000010
00000110
--------XOR
00000100 = 4
2=
00000010
00000111
--------XOR
00000101 = 5
22 = 45 = E
Password until now: ABCDE
~
09 AC 35 59 22 [2F] E6 53 33 C6 0C B4 19 DB
2=
00000010
00000110
--------XOR
00000100 = 4
F=
00001111
00001001
--------XOR
00000110 = 6
2F = 46 = F
Password until now: ABCDEF
~
09 AC 35 59 22 2F [E6] 53 33 C6 0C B4 19 DB
E=
00001110
00001010
--------XOR
00000100 = 4
6=
00000110
00000001
--------XOR
00000111 = 7
E6 = 47 = G
Password until now: ABCDEFG
~
09 AC 35 59 22 2F E6 [53] 33 C6 0C B4 19 DB
5=
00000101
00000001
--------XOR
00000100 = 4
3=
00000011
00001011
--------XOR
00001000 = 8
53 = 48 = H
Password until now: ABCDEFGH
~
09 AC 35 59 22 2F E6 53 [33] C6 0C B4 19 DB
3=
00000011
00000111
--------XOR
00000100 = 4
3=
00000011
00001010
--------XOR
00001001 = 9
33 = 49 = I
Password until now: ABCDEFGHI
~
09 AC 35 59 22 2F E6 53 33 [C6] 0C B4 19 DB
C=
00001100
00001000
--------XOR
00000100 = 4
6=
00000110
00001100
--------XOR
00001010 = A
C6 = 4A = J
Password until now: ABCDEFGHIJ
~
09 AC 35 59 22 2F E6 53 33 C6 [0C] B4 19 DB
0=
00000000
00000100
--------XOR
00000100 = 4
C=
00001100
00000111
--------XOR
00001011 = B
0C = 4B = K
Password until now: ABCDEFGHIJK
~
09 AC 35 59 22 2F E6 53 33 C6 0C [B4] 19 DB
B=
00001011
00001111
--------XOR
00000100 = 4
4=
00000100
00001000
--------XOR
00001100 = C
B4 = 4C = L
Password until now: ABCDEFGHIJKL
~
09 AC 35 59 22 2F E6 53 33 C6 0C B4 [19] DB
1=
00000001
00000101
--------XOR
00000100 = 4
9=
00001001
00000100
--------XOR
00001101 = D
19 = 4D = M
Password until now: ABCDEFGHIJKLM
~
09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 [DB]
D=
00001101
00001001
--------XOR
00000100 = 4
B=
00001011
00000101
--------XOR
00001110 = E
DB = 4E = N
COMPLETE PASSWORD: ABCDEFGHIJKLMN
I did this so you could see 14 encrypted characters being decrypted.
Also you could see the decryption scheme that I used, which is always
the same. But for beginners who didn't pay attention or are too lazy
to look it up above, here is the entire decryption scheme:
Number in string | 1st char of encrypted password | 2nd char of encrypted password
+--------------------------------------------------------------------+
 1      00000100      00001000
 2      00001110      00001110
 3      00000111      00000110
 4      00000001      00001101
 5      00000110      00000111
 6      00000110      00001001
 7      00001010      00000001
 8      00000001      00001011
 9      00000111      00001010
10      00001000      00001100
11      00000100      00000111
12      00001111      00001000
13      00000101      00000100
14      00001001      00000101
+--------------------------------------------------------------------+
So... I'll give another example. Here I show how to use the scheme
printed above to decrypt an unknown password. If you already get it,
just skip this part and read the next one. Here we go:
Encrypted password:
18A1394D
As you can see it's 8 hex characters long, i.e. four bytes, so four
password characters (four "couples" of nibbles).
Well, let's go!
1= 00000001
00000100 <-- look it up in the scheme above, pos 1,1
--------XOR
00000101 --> 5
8= 00001000
00001000 <-- Scheme positions 1,2
--------XOR
00000000 --> 0
Combine those two solutions and you'll get 50h(ex); ASCII char 'P'
Ok, second couple;
A= 00001010
00001110 <-- Scheme pos. 2,1
--------XOR
00000100 --> 4
1= 00000001
00001110 <-- Scheme pos. 2,2
--------XOR
00001111 --> F
Combine those two solutions and you'll get 4Fh; ASCII char 'O'
Ok, third couple;
3= 00000011
00000111 <-- scheme..etc
--------XOR
00000100 --> 4
9= 00001001
00000110
--------XOR
00001111 --> F
Same as the previous one...4Fh = ASCII char 'O'
Next couple; Fourth one
4= 00000100
00000001
--------XOR
00000101 --> 5
D= 00001101
00001101
--------XOR
00000000 --> 0
And you'll get 50h = 'P' so the password was POOP. Got it?
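The scheme table and the two hand-worked decryptions above can be checked mechanically. The block below is an added example, not code from the original tutorial: it copies the 14-row table and the two ciphertexts from the page (function names and the hex-string input format are my own choices). It also shows the cryptographic reason the scheme is so weak: a fixed per-position nibble mask is just a 14-byte XOR key reused for every password, so a single known password/ciphertext pair gives the whole mask back (mask = plaintext XOR ciphertext), which is exactly how a table like the one above is obtained in the first place.

```python
# Added example (not from the original tutorial): the fixed nibble-XOR
# "scheme" from the text, plus known-plaintext recovery of that scheme.
# SCHEME rows are (high-nibble mask, low-nibble mask) for positions 1..14,
# copied from the table on the page.
SCHEME = [
    (0x4, 0x8), (0xE, 0xE), (0x7, 0x6), (0x1, 0xD), (0x6, 0x7),
    (0x6, 0x9), (0xA, 0x1), (0x1, 0xB), (0x7, 0xA), (0x8, 0xC),
    (0x4, 0x7), (0xF, 0x8), (0x5, 0x4), (0x9, 0x5),
]


def decrypt(cipher_hex: str, scheme=SCHEME) -> str:
    """Apply the per-position nibble masks to a hex ciphertext string.

    Each byte is split into its two hex digits ("couples" in the text),
    each digit is XORed with the mask for that position, and the two
    results are recombined into one ASCII character.
    """
    data = bytes.fromhex(cipher_hex)
    if len(data) > len(scheme):
        raise ValueError("scheme only covers %d characters" % len(scheme))
    out = []
    for pos, byte in enumerate(data):
        hi_mask, lo_mask = scheme[pos]
        hi = (byte >> 4) ^ hi_mask        # first digit of the couple
        lo = (byte & 0x0F) ^ lo_mask      # second digit of the couple
        out.append((hi << 4) | lo)
    return bytes(out).decode("ascii")


def recover_scheme(known_plain: str, cipher_hex: str):
    """Known-plaintext recovery: since C = P XOR K, K = P XOR C.

    Returns the (high, low) nibble masks for as many positions as the
    known password is long. This is why a fixed mask is not encryption:
    one known pair leaks the key for every other password.
    """
    data = bytes.fromhex(cipher_hex)
    masks = []
    for p, c in zip(known_plain.encode("ascii"), data):
        k = p ^ c
        masks.append((k >> 4, k & 0x0F))
    return masks


if __name__ == "__main__":
    # Both ciphertexts are the ones worked by hand on the page.
    print(decrypt("09AC3559222FE65333C60CB419DB"))   # ABCDEFGHIJKLMN
    print(decrypt("18A1394D"))                       # POOP
    # Deriving the table from the first (known) password reproduces SCHEME.
    print(recover_scheme("ABCDEFGHIJKLMN",
                         "09AC3559222FE65333C60CB419DB") == SCHEME)
```

Two things the hand calculation hides: splitting into nibbles changes nothing, because XORing each nibble with its mask is the same as XORing the whole byte with `(hi << 4) | lo`, so the "scheme" is simply a 14-byte key; and the first nibble coming out as 4 at every step of the ABCDEFGHIJKLMN example is not a property of the scheme but of the chosen password, since every character from 'A' (41h) to 'N' (4Eh) has 4 as its high hex digit.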
The above process is not really necessary; there is a simpler way to
crack this Screen Saver Security feature. First of all, for this hack
you need to find out which screen saver is currently being used and is
password protected. Just right click on the desktop, select
Properties and then click on Screen Saver. Now note down the name of the
currently chosen screen saver (which is also the password protected
screen saver).
I am assuming that the Flying Through Space screen saver is the
currently chosen password protected screen saver. Now go to the DOS
prompt and launch the Microsoft Editor by typing:
C:\windows>edit /70
The /70 specifies that only 70 characters should be displayed per line;
this just makes the file that you open easier to read, else you will
have to scroll a lot to your right.
Anyway, before you launch this editor you need to go to the
c:\windows\system directory by using the cd system command. Now
remember that all screen savers have the default extension of .scr, thus
normally a screen saver file will be something like filename.scr. All
registered or installed screen savers are stored in the
c:\windows\system directory. You need to view the names of all screen
savers and then note down the name of the screen saver currently in use
in order to go on with this hack. To do this, do something like the
below:
Issue the dir /p *.scr command to view all screen saver files (/p pauses after each screenful):
C:\WINDOWS\SYSTEM>dir/p *.scr
Volume in drive C has no label
Volume Serial Number is 231C-00F6
Directory of C:\WINDOWS\SYSTEM
BLANKS~1 SCR 9,728 05-11-98 8:01p Blank Screen.scr
MYSTIF~1 SCR 21,504 05-11-98 8:01p Mystify Your Mind.scr
FLYING~1 SCR 14,848 05-11-98 8:01p Flying Windows.scr
FLYING~2 SCR 16,384 05-11-98 8:01p Flying Through Space.scr
CURVES~1 SCR 16,896 05-11-98 8:01p Curves and Colors.scr
3DFLYI~1 SCR 203,104 05-11-98 8:01p 3D Flying Objects.scr
3DMAZE~1 SCR 478,128 05-11-98 8:01p 3D Maze.scr
3DPIPE~1 SCR 161,040 05-11-98 8:01p 3D Pipes.scr
3DTEXT~1 SCR 121,456 05-11-98 8:01p 3D Text.scr
3DFLOW~1 SCR 94,112 05-11-98 8:01p 3D Flower Box.scr
SCROLL~1 SCR 18,944 05-11-98 8:01p Scrolling Marquee.scr
SPORTS SCR 38,400 05-11-98 8:01p Sports.scr
TRAVEL SCR 38,400 05-11-98 8:01p Travel.scr
JUNGLE SCR 38,912 05-11-98 8:01p Jungle.scr
WINDOW~2 SCR 102,912 05-11-98 8:01p Windows 98.scr
SCIENCE SCR 101,888 05-11-98 8:01p Science.scr
INSIDE~2 SCR 38,400 05-11-98 8:01p Inside your Computer.scr
SPACE SCR 38,912 05-11-98 8:01p Space.scr
MYSTERY SCR 38,400 05-11-98 8:01p Mystery.scr
BASEBALL SCR 38,912 05-11-98 8:01p Baseball.scr
THE60'~2 SCR 101,888 05-11-98 8:01p The 60's USA.scr
LEONAR~2 SCR 38,400 05-11-98 8:01p Leonardo da Vinci.scr
THEGOL~2 SCR 38,400 05-11-98 8:01p The Golden Era.scr
DANGER~2 SCR 38,400 05-11-98 8:01p Dangerous Creatures.scr
NATURE SCR 38,400 05-11-98 8:01p Nature.scr
UNDERW~2 SCR 38,912 05-11-98 8:01p Underwater.scr
26 file(s) 1,925,680 bytes
0 dir(s) 91,197,440 bytes free
The last column contains the friendly name of the screen saver that
Windows uses, but the column that we are interested in is the first
column, which contains the actual (short 8.3) file name of the screen
saver; that is the name you need in order to edit it and have some kewl
fun. So first look for the friendly name in the right-most column and
then locate its corresponding actual name. In this case it would be
FLYING~2.scr, as I want to hack the Flying Through Space screen saver.
Anyway, back to the Editor: once it is launched, click on File > Open and
open the file c:\windows\system\screensavername.scr (FLYING~2.scr in
this example).
This will bring up a blue screen, the MS-DOS Editor screen, with the
screen saver file opened. The screen will look like it is full of weird
characters or something in machine language.
Well, almost.
Let me start by describing what you would be seeing if you followed the
above steps.
The screen is full of weird characters like a heart, a smiley face
and other unrecognizable pieces of junk.
Actually, each symbol you see has a numerical value (the value of that
byte) that you can see at the bottom right of the screen at VALUE:###.
To see what a symbol stands for, move your cursor over it and look at
the bottom right of the screen at VALUE:###.
At the bottom you also see LINE: ####, which gives you the line number.
You are not going to edit these symbols; you will edit the part of the
file which, in between these unrecognizable characters, contains text
that you can actually understand. We do not care about the
non-understandable part; we are just concerned with hacking the prompt
for the screen saver password.
Now search for the string VerifyScreenSavePwd, or if you do not find
this, look for the string VerifyScreenSave.
This is the reference that directs Windows to prompt for the screen
saver password whenever you try to do something while the password
protected screen saver is running. So if this reference or call is not
there, Windows will no longer be told to display the prompt. But before
editing anything, just remember the following:
You must have noticed by now that in explorer.exe the text has a space
in between the letters. This space is not the space of the spacebar.
Let me put it this way: in the file explorer.exe the value of a space
from the spacebar, i.e. the value of the space that appears on the
screen if I press the spacebar once, is 32, and the value of the spaces
that are there in between characters in explorer.exe is 0. If there was
no space in between the letters, it would look untidy.
The total number of characters (bytes) in the file must not change,
else the file will be corrupted and will not work properly.
Thus, to ensure this, instead of deleting the entire string
VerifyScreenSavePwd, just change it to VarifyScreenSavePwd
(notice that the 2nd letter is now an a instead of an e). After this is
done, Windows will not ask for the screen saver password at all the
next time. Once your work is done, just change the string back to
VerifyScreenSavePwd.
Internet Connection Password
Have you ever wondered where Windows stores the Internet connection
password when you have enabled the 'Save Password' option in the
'Connect To' dialog box of the dial-up connection?
Well, this password is stored in the registry in the following key:
HKEY_CURRENT_USER\RemoteAccess\Profile\<connection name>
If you view the above key in the Registry Editor, it probably will
not appear understandable. If you want to be able to understand the
contents of this key, and hence be able to edit it, then you will
have to export this particular key and view it in Notepad. The password
is stored as binary values and has to be converted into plaintext ASCII
before you are able to read it.
Windows NT Password
You have already seen how lame the Windows 9x password encrypting
algorithm is and how easy it is to override the Windows login password
prompt on Win9x systems; well, NT is a different story. First of all,
let's see how the password is stored in NT. Firstly, the password is not
encrypted: it is hashed using the RSA hash function, and then this
hashed version is passed through an algorithm to obscure it; once
obscured, it is stored in the NT registry. Along with a stronger
password storing technique, it also ships with various utilities which
make it more secure. Service Pack 2 ships with a DLL which allows the
system administrators to ensure that the passwords used by the users are
strong or good enough. The User Manager can be configured to ensure
that the user passwords satisfy a particular condition; for example, it
can check whether the users are using a password of a minimum length.
If you really want to learn all about NT security, you should read the
NTBugtraq archives and join their mailing list. The NTBugtraq archive
is the most comprehensive and exhaustive collection of NT security
info. Visit them at www.ntbugtraq.com. The site has everything that you
would want to know about NT, including the algorithm used to obscure the
hashed password. There are various ways of getting administrator
privileges in NT; I am not mentioning all of them but have mentioned my
favorite, SAM attacks. If you want to learn about all the ways of
breaking into NT, then I recommend you read the BugTraq archives. I
will also be writing a manual on hacking NT quite soon.