Thursday, November 4, 2010

Revealing Passwords behind asterisks, dots and hashes


This post is basically a continuation of my previous post on breaking into computers by changing the admin/root passwords and gaining admin privileges from a guest account (find here). Here we see different tools to find out:

  • what is behind the asterisks or dots of a password field,
  • the encrypted password hashes,
  • how to crack the SAM file,
  • the passwords saved in your browsers,
  • more on sniffing passwords.

Tools and their purpose:

SNADBOY’S REVELATION:

This application reads the password hidden behind the asterisks or dots of a password field.
Install and run the application; at a login page with username and password fields, drag the circled cursor from the application onto the password field to reveal the password behind the asterisks or dots. Check the screenshot below:



Once the circled cursor is dragged over the asterisks or dots that hide the typed password, the application reads the text from that field and displays it in clear text.


IEPASS VIEW:

When this application is run, it searches Internet Explorer's protected storage for all the stored user names and passwords and displays them next to the websites they were used for. For each entry it shows the website visited and the user name and password used to log on to that particular website.

LCP tool:

This is used to crack password hashes from the SAM file. As you may or may not know, all of the passwords on a Windows computer are stored in the SAM file.
When you type your password into a Windows NT, 2000 or XP login, Windows runs it through a one-way hashing scheme that turns your password into something that looks like this:

7524248b4d2c9a9eadd3b435c51404ee

This is a password hash, and it is what is actually checked against when you type your password in: Windows hashes what you typed and compares it against what is stored in the Registry and/or SAM file.

SAM File - Holds the user names and password hashes for every account on the local machine, or for the domain if the machine is a domain controller. Simple enough, isn't it?
This file is located on your computer's hard drive in the directory
"C:\WINDOWS\System32\Config" and the file's name is SAM. You may be thinking, "Wow, this is incredibly easy, you can copy the file anywhere and read the contents", but unfortunately it's not so simple. When you attempt to copy this file, you get an error saying something like "Access is denied. File is in use." The SAM file is in use by the system, so you cannot just go to Task Manager and end the process. You need to find alternate methods of starting up the computer without using the SAM file. As far as I know, this can be done several ways. A somewhat easier way of obtaining the SAM file is using an MS-DOS boot disk.

Method of obtaining the SAM file:
Just insert a floppy, right click on it in My Computer, and click Format. When the dialog appears, tick the box "Create an MS-DOS startup disk" and then click the Start button.
After you have made your disk, restart your computer with the disk still in the drive. Make sure your BIOS settings boot from the floppy drive before the hard drive. When the computer boots, you should see a screen similar to the command prompt, and "A:\>" is most likely the prompt you will see. First you need to change drives to the C drive. This is done various ways on different computers; "cd C:" or "C:" usually work.

Next you will need to use the copy command to copy the SAM and SYSTEM files to other areas of the hard drive. The syntax for the copy command is as follows (without the quotes): "copy (file to be copied) (destination)", so the correct command will look like this: "copy C:\WINDOWS\System32\Config\SAM C:\". This will copy the SAM file to the root of the C drive. Replace "SAM" with "SYSTEM" to get the SYSTEM file. Next you might want to rename these files. This is the syntax for the rename command: "ren (file to be renamed) (new file name)". The command which will rename your file will be "ren C:\SAM xyz" if you saved it to the C drive. This will rename your SAM file to xyz. Now restart your computer without the boot disk in and start up Windows. Copy the files onto a floppy. The reason these methods work is that the SAM file is not in use when you aren't running Windows, and once you copied and renamed the file, the copy did not get used by Windows when you logged on. Now on to the easy part, cracking the SAM file.

Run the LCP tool and import the SAM file; the tool lists all the user accounts with the corresponding LM and NTLM hashes of their passwords. If the assigned password is a dictionary word, it is cracked in a matter of seconds, but if the password is a strong one, it may take some time to crack the hash.
This tool uses brute-force, dictionary and hybrid attacks to crack the hash.
Other tools used for cracking hashes are tomas and brutusA2. There are also web-based tools which can crack the password online if you input your hash. Some of the sites are:
www.exploit-db.com (previously milw0rm.com)

and so on…

We can also use packet sniffers to capture all of the packets of data that pass through a given network interface. If the captured data contains a password hash, we can use the above tools to recover the plain text that produced it. More on packet sniffers in my next post! Till then, happy cracking!!
