more password cracking


Post on 01-Jun-2018


8/9/2019 More Password Cracking Decrypted.doc

1/35

_____________________________________________________________

     

More Password Cracking Decrypted By Ankit Fadia   Mailto: ankitbol.net.in

_____________________________________________________________

Welcome to another edition of Password Cracking Decrypted. In this manual we will learn, you guessed it, how to crack passwords. In this edition we have explanations of how to break more kinds of passwords.

Although this manual is quite easy to understand, I would definitely like to make one suggestion. To truly enjoy reading this manual, you need to know C relatively well. However, even if you have no idea what C is, I assure you that this manual will definitely be of use to you.

     

Cracking the NetZero (Free ISP) Dial Up Password

Today, the number of Internet Service Providers (both free and the not so free ones) has really reached a very high figure. All of them aim at providing better services and making the process of connecting to the Internet easier for the user. One common practice amongst both Internet Service Providers and popular browsers like Internet Explorer is an option called "Save Password", which makes life easier for the user, as it allows the user to not type in the password each time he has to connect to the Internet.

     

Although, like all other software, as soon as the developer tries to add a user-friendly feature or make the software easier to use or more efficient, he has to make at least some compromise in the security or safety field. One popular example would be Outlook Express: ever since the Preview Pane was introduced within the email client, Outlook Express users have become prone to Email-Borne Viruses.

     

Anyway, getting back to the subject of this tutorial, even including the "Save Password" feature has made the User's Password unsafe. Now, what happens is that when you check or enable this option, the concerned software (Browser or Internet Service Provider Software) takes the password and passes it through an algorithm to encrypt it. Once the Password is encrypted, it is then stored in the Windows Registry or in some .ini or .dat or a similar file. Now, this system sounds quite safe; however, if you look deeper, then you find that it is trouble waiting to happen.

     

The very fact that the encrypted password has to be stored somewhere makes this feature vulnerable. Also, almost all software providing this feature does not use a strong algorithm. This makes the work of a hacker really easy. Some software even stores the password as plaintext in the registry. So, basically, the weakest link in this feature is that most software developers overlook the fact that the encrypted password can be easily decrypted once we study the software inside out. So, what I mean to say is that using this feature, although it surely makes life easy for those of you who cannot remember passwords, does leave your Internet Account vulnerable. However, if you are one of those people who needs to write down your password on a piece of paper and stick it to the front of your monitor, then this feature is definitely for you.

     

So how do I crack the NetZero Dial Up Password?

     

Anyway, NetZero is a free ISP, which asks only for an advertising bar in return for Internet Access. It too provides this "Save Password" feature; however, like most services, it uses an extremely weak algorithm to encrypt the password. The following process of decryption works on NetZero version

     

For this exploit, you need to have local access to the machine which has the NetZero software installed.

This vulnerability cannot be exploited unless and until you get the required file; for that you either have to have local access or need to devise a method of getting the file which contains the password.

     

The NetZero Username and Password are stored in an ASCII file named id.dat, which is located in the NetZero directory. If the user has enabled the "Save Password" option, then the Username and Password are also stored in the jnetz.prop file. The passwords stored in both these files are encrypted using a very simple, easy to crack algorithm. Although the algorithms used to get the encrypted information (to be stored in the two files) are not the same, they are derived from the same main algorithm. Both the algorithms differ very slightly. In this manual we will learn how this weak algorithm can be exploited.

The NetZero Password is encrypted using a substitution cipher system. The cipher system used is a typical example of a 1 to 1 mapping between characters, where each single plaintext character is replaced by a single encrypted character.

     

Are you lost? Well, to understand better, read on.

     

Say the NetZero application is running, and the user clicks on the "Save Password" option and types his password in the required field. What happens then is that the NetZero Application loads the encrypting file, which contains the plaintext to cipher-text database, into memory. Now, for example, if your password is xyz and it is stored in location "m" of the memory and the corresponding encrypted password abc is stored in location "n" of the memory, then the password xyz is actually stored as abc.

 

Well, it is quite simple, right? Well, almost. The part of the encryption algorithm used by NetZero which is difficult to understand is that two encrypted characters replace each character of the plaintext password. These two encrypted characters replacing a single plaintext character are, however, not stored together.

When substituting character x stored at position i of a password "n" characters long, the first encrypted character would be stored at "i" and the next at "n+i".

The two encrypted characters are derived from the following table:

          1  a  M     f     g  T  9  4     W  e  6  y  C
      ----------------------------------------------------
   g      `  a  b  c  d  e  f  g  h  i  j  k  l  m  n  o
   T      p  q  r  s  t  u  v  w  x  y  z  {  |  }  ~
   f      @  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O
          P  Q  R  S  T  U  V  W  X  Y  Z  [  \  ]  ^  _
          0  1  2  3  4  5  6  7  8  9  :  ;  <  =  >  ?
   M     SP  !  "  #  $  %  &  '  (  )  *  +  ,  -  .  /

NOTE: SP represents a single space and the above chart represents ASCII characters.


     

To encrypt a string of length "n", we need to find each character in the above table and place the column header into i and place the row header into n+i.

For example:  E(a) = ag   E(aa) = aagg   E(aqA1) = aaaaaagTfM   E(`abcdefghijklmno) = 1aMfgT94We6yCgggggggggggggggg

On the other hand, when decrypting a password of length 2n, the plaintext character at position i becomes the element of the above table at which the column headed by the character at i and the row headed by the character at n+i intersect.

For example:

  D(af) = A   D(aaff) = AA   D(aaMMfgfgfg) = AaBbCc

Decrypting the password manually would be quite fun, but would definitely be a very time-consuming process. Anyhow, I do suggest you try to decrypt the NetZero Password manually at least once. For those of you who do not enjoy decrypting passwords manually, I also have a C program which will do it for you.
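As an added illustration (not the manual's own code, whose C listing follows below), here is the layout just described in Python, so the keyless design can be examined directly. The six table rows are the manual's chart (printable ASCII in blocks of sixteen); the column and row header characters are taken from the chart where legible, while the \x01 to \x05 placeholders stand for header entries that are unreadable in this copy and are assumptions, as is DEL as the last entry of the second row.

```python
# Added example (not from the original manual): the NetZero "Save Password" layout as the
# text describes it. The six rows are the manual's chart; COL_HEADERS/ROW_HEADERS are the
# chart's header characters where legible. \x01..\x05 are placeholders for entries that are
# unreadable in this copy (assumptions), as is DEL as the sixteenth entry of the second row.

ROWS = [
    "".join(map(chr, range(96, 112))),   # ` a b ... o
    "".join(map(chr, range(112, 128))),  # p q ... ~ then DEL (assumption; the manual pads with 0)
    "".join(map(chr, range(64, 80))),    # @ A B ... O
    "".join(map(chr, range(80, 96))),    # P ... Z [ \ ] ^ _
    "".join(map(chr, range(48, 64))),    # 0 ... 9 : ; < = > ?
    "".join(map(chr, range(32, 48))),    # space ! " # ... /
]
# Header alphabets: COL_HEADERS[c] names column c, ROW_HEADERS[r] names row r.
COL_HEADERS = "1aM\x01f\x02gT94\x03We6yC"
ROW_HEADERS = "gTf\x04\x05M"
# Reverse lookup: character -> (row, column) in the chart.
POSITION = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def nz_encode(plain: str) -> str:
    """Column headers fill positions 0..n-1, the row headers fill positions n..2n-1."""
    cols, rows = [], []
    for ch in plain:
        r, c = POSITION[ch]            # KeyError for anything outside the chart
        cols.append(COL_HEADERS[c])
        rows.append(ROW_HEADERS[r])
    return "".join(cols) + "".join(rows)


def nz_decode(cipher: str) -> str:
    """Plaintext i is the chart cell where column cipher[i] meets row cipher[n + i]."""
    if len(cipher) % 2:
        raise ValueError("ciphertext holds two characters per plaintext character")
    n = len(cipher) // 2
    return "".join(
        ROWS[ROW_HEADERS.index(cipher[n + i])][COL_HEADERS.index(cipher[i])]
        for i in range(n)
    )


def roundtrip_ok() -> bool:
    """One fixed table decodes every saved password: there is no key to withhold."""
    every_char = "".join(ROWS)
    return nz_decode(nz_encode(every_char)) == every_char
```

Whatever the header alphabet actually is, the two functions depend only on the table, which is why the manual can recover the password from the file alone.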

     

The following C program demonstrates how the NetZero Password is decrypted. Simply compile and execute it in the directory in which jnetz.prop exists.

     ___________________________________________________________ 

     

#include <stdio.h>
#include <string.h>

#define UID_SIZE 64
#define PASS_CIPHER_SIZE 128
#define PASS_PLAIN_SIZE 64
#define BUF_SIZE 256

/* The substitution chart: printable ASCII in six rows of sixteen.
   A plaintext character is decTable[row][column], where the row is
   named by the second cipher character and the column by the first. */
const char decTable[6][16] = {
  {'`','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o'},
  {'p','q','r','s','t','u','v','w','x','y','z','{','|','}','~',0},
  {'@','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O'},
  {'P','Q','R','S','T','U','V','W','X','Y','Z','[','\\',']','^','_'},
  {'0','1','2','3','4','5','6','7','8','9',':',';','<','=','>','?'},
  {' ','!','"','#','$','%','&','\'','(',')','*','+',',','-','.','/'}
};

int nz_decrypt(char cCipherPass[PASS_CIPHER_SIZE],
               char cPlainPass[PASS_PLAIN_SIZE])
{
  int passLen, i, idx1, idx2;
  passLen = strlen(cCipherPass) / 2;   /* two cipher characters per plaintext character */

  if (passLen > PASS_PLAIN_SIZE)
  {
    printf("Error: Plain text array too small\n");
    return 1;
  }

  for (i = 0; i < passLen; i++)
  {
    /* the first cipher character (position i) selects the column */
    switch (cCipherPass[i])
    {
      case '1':
        idx2 = 0; break;
      case 'a':
        idx2 = 1; break;
      case 'M':
        idx2 = 2; break;
      /* the remaining column and row cases follow in the original listing;
         the copy transcribed here is cut off at this point */