Jan 30, 2008

Password Crackers

I have been getting a lot of hits from Google searchers looking for ways to crack passwords for many different things, mainly people’s online e-mail, though I’m sure they were looking to crack other things as well. I mean, let’s face it, people are lazy, and I will go out on a limb here and say that 90% of people use one password for everything. If you find their password for one thing, there is a greater possibility that they use it for everything from online banking, to PayPal, to MySpace. The trick is to find that one password.

I wrote before about using a keylogger to secretly find a password, but what if you don’t have time to wait for them to get on the computer and type away so you can read the log later? What if you need to gain access now? That is where you need a different method. Here is a list of password-attacking programs that I picked up from SecurityForest.com:

Please remember that using these tools may be illegal in some states and in some countries; check your local laws before using any of these programs. I cannot be held responsible for someone’s misuse of these programs!

John the Ripper (Windows, Linux, BSD): John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches.

L0phtcrack (Windows): L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows NT/2000 workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc).

Lepton’s Crack (Windows, Linux): It can perform a dictionary-based (wordlist) attack, as well as a brute-force (incremental) password scan, including enumeration of a regular expression (useful if you know something about the password). Currently the formats supported are: standard MD4 hash, standard MD5 hash, NT MD4/Unicode, Lotus Domino HTTP password (R4), SHA-1 and LM (LAN Manager).

Cain and Abel (Windows): Cain & Abel is a free password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary and brute-force attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also a great tool for ARP spoofing and MITM attacks. Source code is not provided.

Creddump (Windows): The program follows the same methodology used by Todd Sabin in his PWDUMP2 program to decrypt credential files. It uses the "DLL injection" technique to run a thread in the same security context as the Local Security Authority Subsystem process. The thread's executable code must first be copied to the address space of the LSASS process, and this requires an account with the SeDebugPrivilege user right. By default only Administrators have this right. Once injected and executed, the thread runs with the same access privileges as the Local Security Authority Subsystem and uses the native undocumented LsaICryptUnprotectData API from LSASRV.DLL to decrypt the credentials file. The thread stores the output of this API in a temporary file named cred.txt located in the same directory as the program. Finally, the user's credentials are dumped and put on the screen. Credential Manager can store various kinds of passwords; they can be saved as MultiByte or WideChar strings, security BLOBs and certificates too. The choice of the final encryption method is left to the user. The program will try to recognize plaintext passwords stored as MultiByte strings or WideChar strings, and will also decode Passport and Standard (no entropy) credential BLOBs originally stored using the CryptProtectData API.

Brutus (Windows): This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more. No source code is available. UNIX users should take a look at THC-Hydra.

THC-Hydra (Windows, Linux, BSD): This tool allows for rapid dictionary attacks against network login systems, including FTP, POP3, IMAP, NetBIOS, Telnet, HTTP Auth, LDAP, NNTP, VNC, ICQ, Socks5, PCNFS, and more. It includes SSL support and is apparently now part of Nessus. Like Amap, this release is from the fine folks at THC.

Crack 5.0a (Linux, BSD): Crack is a password cracking program that is designed to quickly locate insecurities in Unix (or other) password files by scanning the contents of a password file, looking for users who have misguidedly chosen a weak login password. Crack v5.0 is a relatively smart program, and is pre-programmed to expect a variety of crypt() algorithms to be available for cracking in any particular environment.

VNCPwdump (Windows): VNCPwdump can be used to dump and decrypt the registry key containing the encrypted VNC password in a few different ways. It supports dumping and decrypting the password by: 1) dumping the current user's registry key; 2) retrieving it from an NTUSER.DAT file; 3) decrypting an encrypted password supplied on the command line; 4) injecting the VNC process and dumping the owner's password.

Ophcrack (Linux, Windows): Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance.

RainbowCrack (Linux, Windows): In short, the RainbowCrack tool is a hash cracker. While a traditional brute-force cracker tries all possible plaintexts one by one at cracking time, RainbowCrack works another way. It precomputes all possible plaintext-ciphertext pairs in advance and stores them in a file, the so-called "rainbow table". It may take a long time to precompute the tables, but once the one-time precomputation is finished, you will always be able to crack any ciphertext covered by the rainbow tables in seconds. (MD5, LM, SHA-1)

Cachedump (Windows): CacheDump creates a CacheDump NT service to obtain SYSTEM rights and do its work on the registry. Then it retrieves the LSA cipher key to decrypt (RC4/HMAC-MD5 "GloubiBoulga") the cached entry values. A John the Ripper module has been developed to attack the hashed values that are retrieved (timing equivalent to MD4(MD4(password|U(username)))).

Mdcrack (Windows): MDcrack is primarily a fast cracker for (raw) MD5 and MD4 hashes, but it also supports NTLM hashes (case sensitive, MD4-based) that are actually used by Windows NT/2000/XP. It's rather dumb in which candidate passwords it tries and it doesn't support loading of entire password files, so its practical use is limited. However, it demonstrates how it's possible to compute the hashes at a very fast rate.
