PC (In)Security
by: Crimson Knight

Real Audio: "What A Wonderful World" alt (596 kb)
by: Louis (Satchmo) Armstrong, first 60 secs

Everything about a PC is insecure: your CMOS password, your Windows logon, your screensaver password and even your network. So where should we start? At the beginning, with the boot process. When your computer boots up it uses the information in the CMOS. The information in the CMOS is sustained by a little watch-type battery. You can put a password in your CMOS setup so that only you can start up your computer, but your password is not safe. If you have access to the computer, you can run a program to figure out the CMOS password. Using a program named cmospwd.exe a user can crack the CMOS password; cmospwd.exe will work on many computers. Even if you cannot figure out the CMOS password you can use a program like bios310.exe to reset the BIOS password. [Just a word of note: The CMOS password that you get will not be the same password that was originally intended. Let me explain: the CMOS hash is very weak. (A hash is just another name for a mathematical function like x².) If the hash function is weak, two different words can have the same hash. So the string "aabcd" might have the same hash value as "cat," and if they have the same hash they both will work. An example of a strong hash function would be MD5.]
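As an added illustration (not part of the original page, and not the real CMOS algorithm): a constructed 16-bit additive checksum stands in for a weak hash, MD5 from hashlib stands in for the strong hash the text names, and a search over short lowercase strings shows how quickly the weak one collides while MD5 does not.

```python
"""Why a weak hash lets two different passwords both "work".

Constructed example: weak_hash is a toy checksum, NOT the CMOS algorithm;
MD5 is the strong hash named in the text.
"""
import hashlib
import itertools
import string

def weak_hash(password: str) -> int:
    # Constructed weak hash: sum of the byte values, kept to 16 bits.
    # Only 65 536 possible outputs, and anagrams always collide.
    return sum(password.encode()) & 0xFFFF

def strong_hash(password: str) -> str:
    # MD5, the example of a strong hash given in the text.
    return hashlib.md5(password.encode()).hexdigest()

def find_collision(hash_fn, target: str, max_len: int = 3):
    """Return the first lowercase string of length <= max_len, other than
    target, whose hash equals hash_fn(target); None if none is found."""
    want = hash_fn(target)
    for length in range(1, max_len + 1):
        for chars in itertools.product(string.ascii_lowercase, repeat=length):
            candidate = "".join(chars)
            if candidate != target and hash_fn(candidate) == want:
                return candidate
    return None

def distinct_outputs(hash_fn, length: int) -> int:
    """How many different hash values all lowercase strings of this length
    produce. A strong hash gives one per input; a weak one squeezes them
    into a handful, so many passwords share each value."""
    return len({hash_fn("".join(c))
                for c in itertools.product(string.ascii_lowercase, repeat=length)})

if __name__ == "__main__":
    print("weak-hash twin of 'cat':", find_collision(weak_hash, "cat"))    # aav
    print("MD5 twin of 'cat':", find_collision(strong_hash, "cat"))        # None
    print("weak outputs, 3 letters:", distinct_outputs(weak_hash, 3))      # 76
    print("MD5 outputs, 3 letters:", distinct_outputs(strong_hash, 3))     # 17576
```

With the toy hash, 17,576 three-letter strings land on only 76 values, which is exactly why the "cracked" password need not be the one the owner typed.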

When you log on to Windows 95/98, it usually saves the hash of the password in a pwl file. The pwl files are named after the user's logon name, username.pwl; for example, if a username was Tom, the pwl file would be named tom.pwl. Pwl files are kept in the Windows directory. A program named cain10.exe can crack people's passwords, either by using a dictionary or by trying to "brute force" them. A "dictionary attack" just sees if a person chose a password that is in a dictionary, although the term dictionary attack can apply to any wordlist, like a list of common first names or of Star Trek terms. A brute force attack tries all the combinations of a character set, like just numbers. Trying to brute force a user's password takes up a lot of time, since the computer has to go through many combinations until it finds the right one.
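To put numbers on the dictionary-versus-brute-force distinction above, here is an added password audit (not from the original page): the wordlist and the guess rate are constructed stand-ins, and the audit reports which of the two attack styles would catch a given password and how many guesses it would take.

```python
"""Dictionary vs. brute-force guessing cost, as a password audit.

Constructed example: WORDLIST and the guess rate are made up; a real
wordlist runs to hundreds of thousands of entries.
"""
import string

# Constructed wordlist: a few common words and names, standing in for a real one.
WORDLIST = {"password", "tom", "jennifer", "picard", "enterprise", "letmein"}

# Character sets a brute-force run might be limited to, smallest first.
CHARSETS = [
    ("digits", string.digits),
    ("lowercase", string.ascii_lowercase),
    ("lowercase+digits", string.ascii_lowercase + string.digits),
    ("mixed case+digits", string.ascii_letters + string.digits),
    ("all printable", string.printable.strip()),   # 94 characters
]

def dictionary_hit(password: str) -> bool:
    """True if a dictionary attack would catch it: the word itself in any
    capitalisation, or a listed word followed by digits ("Tom1999")."""
    lowered = password.lower()
    return lowered in WORDLIST or lowered.rstrip(string.digits) in WORDLIST

def smallest_charset(password: str):
    """Name and size of the smallest listed charset containing every character."""
    for name, chars in CHARSETS:
        if all(c in chars for c in password):
            return name, len(chars)
    return "all bytes", 256

def brute_force_guesses(password: str) -> int:
    """Worst case for an attacker who tries every string up to this length
    over the smallest charset the password fits in."""
    _, size = smallest_charset(password)
    return sum(size ** n for n in range(1, len(password) + 1))

def audit(password: str, guesses_per_second: int = 1_000_000) -> dict:
    """Classify a password by the cheapest of the two attacks in the text."""
    if dictionary_hit(password):
        # One pass over the list (plus cheap variants) is all it costs.
        return {"attack": "dictionary", "guesses": len(WORDLIST)}
    guesses = brute_force_guesses(password)
    return {"attack": "brute force", "charset": smallest_charset(password)[0],
            "guesses": guesses, "days": guesses / guesses_per_second / 86400}
```

A four-digit PIN falls to brute force in 11,110 guesses, while "Tom1999" never gets that far because the dictionary pass catches it first.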

Your network is wide open to anyone with a small program named sniffer.zip. Sniffer.exe is a DOS-based "sniffer" program, which can capture all the data going across the network and save it to your hard drive. This means that if someone checks his e-mail, you have a copy of it, or if someone prints something up, you have a copy of it. Absolutely anything that goes across the network you are privy to. The notorious thing about sniffer.exe and all sniffer programs is that they are totally passive: no one knows you are running this program, not even the administrator. You can run sniffer.exe on one computer and with it you can monitor all of the computers on the network. Sniffer.exe has three modes in which you can capture data or packets that go across the network: raw ethernet, IP and fully decoded protocol. The most interesting is the raw ethernet option. (Ethernet is just a kind of network.) In raw ethernet mode you capture a lot of garbage along with some readable documents that are being printed up or e-mail that is being read. The IP mode (internet protocol) only logs the address of the computer, and the full protocol option, which includes the IP information, decodes web pages that people are viewing.

So far we have only talked about Windows 9x, but what if your office or school has just upgraded to the ultra-secure Windows NT 4.0? Is there any hope of hacking this "secure" operating system? Yes! NT stores the user's name and its corresponding password hash in a file named sam. You cannot access the sam password file while NT is running unless you have administrative privileges, but do not despair. You easily can gain administrator access by downloading and running sechole.zip. If all goes well, your name has been added to the administrative workgroup; you might want to restart your computer because sechole might make your system unstable. Now all you have to do is re-logon and *poof* you have admin rights on your local computer. Now run Lophtcrack 2.5, go under the Tools menu and choose Dump Passwords from Registry; now you probably want to save your booty on your a: drive, delete Lophtcrack and crack those passwords on your home machine. You might also want to remove yourself from the admin workgroup after you're done playing administrator in order to thoroughly cover your trail.

If your admin has already patched the sechole.exe security flaw, you can also try getadmin.zip or ntdll.zip, and failing that there is still another trick to get a copy of the sam file. All you need is a DOS bootdisk, which contains command.com and the files contained in ntfsdos.zip. Ntfsdos.exe allows DOS to read NT's NTFS (Network File System) file system. Boot from your DOS bootdisk and then run ntfsdos.exe; the sam file is located at d:\winnt\system32\config\. Copy the sam file to your a: drive, and import the sam file in Lophtcrack. If you still cannot extract the password hashes from the sam file because your network admin has installed Syskey, you can use pwdump2.zip to dump the password hashes from the registry, but you need administrator access. And for added fun you can sniff password hashes over the network by using Lophtcrack. NT is a hackers' playground. :-)

Well, these are just a few examples of PC insecurities. The unnerving thing about these security holes is that they cannot be easily fixed. There is no way that you can replace your CMOS password hash function; it is impossible. Windows 9x stores the user password in pwl files, so they can always be hacked. And all networks are susceptible to being sniffed, even the Internet. Companies should patch these security flaws and write more secure software, but "big business" is slow and uncaring. As long as M$crosoft and other companies continue to dominate the PC scene, security will always be second to the almighty dollar.

Program Files

bios.zip alt (64 kb) - DOS, cmospwd.exe and bios310.exe, finds most BIOS passwords

cain10.exe alt (490 kb) - Win9x program that cracks Win95/98 .pwl files, screensaver passwords and does other attacks, you might also want to get the date crack for cain cain_reg.zip (5 kb)

pwlhack.zip (120 kb) - DOS based .pwl cracker, 22 times faster than cain, with source code

sniffer.zip (132 kb) - a great DOS based sniffer program that works on Win9x/NT networks

lcrak2-5.zip (324 kb) - Lophtcrack 2.5, an NT cracker for Win9x/NT, and also try smbgrind.zip (172 kb) which eliminates duplicates in your SMB sniffer files

sechole.zip (36 kb) - lets you become administrator on a local NT workstation, DOS

getadmin.zip (48 kb) - another security exploit like sechole for NT, DOS

ntdll.zip (44 kb) - like sechole and also includes a patch for this flaw, DOS

ntfsdos.zip (31 kb) - ntfsdos 2.0 lets you read an NT partition through DOS to get the sam password file

pwdump2.zip (22 kb) - dumps the password hashes from NT's registry even if Syskey is installed, but requires administrator access, DOS

xsort.zip (52 kb) - three helpful DOS programs to help you manage your wordlist; lets you extract words from a file, eliminate duplicates, convert case, etc.

explorer.zip (103 kb) - if you don't have a "run" button: download this file, open it with Write or your favorite word processor and then double click on the explorer icon

access97.zip (44 kb) - recovers the password for Access 97 databases, DOS

cleaner.zip (144 kb) - Cleaner 1.9c removes many trojan programs, Win9x

revolve.exe (1.23 MB) - a Windows program that reads a password through asterisks that might be used to hide a password

winzip70.exe (940 kb) - Winzip 7.0 for Windows, make sure you run reg.exe, very good program

pkunzip.exe (31 kb) - DOS based unzip program, just in case you do not have this file by now

Text Files

buffer.zip (36 kb) - a simple explanation of buffer overflows and how to write them using C, learn to write overflows for your favorite operating system like Windows or Linux

daemon9.zip (27 kb) - a clear explanation of syn flooding and ip spoofing, includes functional Linux source code

ntfaq.zip (26 kb) - NT hacking faq by Simple Nomad, a good intro to NT security

walsh.zip (97 kb) - the uncensored Australian Walsh report about encryption technologies, the interesting parts are highlighted in red

phrack54.zip (189 kb) - the latest issue of the great hacker zine Phrack, get back issues from Phrack or zine archive

hakcrack.zip (267 kb) - an insightful book by Bruce Sterling entitled "Hacker Crackdown"

jarg400.zip (518 kb) - the outlandish hacker jargon file, full of history, comedy and tech talk

small.zip (416 kb) - 319,000 common passwords, the best little wordlist you'll find

Favorite Links

hacker-howto.html - tells you where to start if you want to become a hacker, you should also read his open-source software development paper entitled The Cathedral and the Bazaar

www.l0pht.com - the L0pht, a great hacker hangout, home of Lophtcrack

www.hackernews.com - hacker news from around the globe, updated daily

www.promo.net/pg - a mirror site for Project Gutenberg that has a large, growing selection of texts that anyone can read and download

www.distributed.net - lets you participate in a worldwide effort, by using your extra CPU cycles, to help break different computer encryption algorithms

www.delorie.com - home of DJGPP, a free C/C++ compiler for DOS

www.pgpi.com - has the latest version of PGP, the BEST encryption program out there

please send me any comments concerning computer security, my pgp key is here

shout outs to: Jeremy Atherton in Idaho, the letter "B" and the number "9" :?)
Real Audio provided by: MusicMatch Jukebox 3.0 and TNO, mus-box.zip (36 kb)

this page came from: members.tripod.com/RedKnight611
