Showing posts with label cracking. Show all posts

Monday, 24 July 2017

Cracking zip passwords with fcrackzip

Fcrackzip is a small utility that can become a handy tool when you want to look for lost zip password.
Fcracksip i a available in the ubuntu repository and you can install it as
$ sudo apt-get install fcrackzip

To see the available options with fcrackzip , try the following.

$ fcrackzip --help

You can look for a password like this.

$ fcrackzip -c a -p aaaaaa sample.zip

The above cimmand will check the encrypted files in sample.zip for all lowercase 6 character passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).

fcrackzip supports brute force mode as well as dictionary mode. The man page has some more interesting options you can try.

{ Read More }

Cracking Cleanersoft Free Hide Folder Security

Introduction

Cleanersoft Free Hide Folder is a "security" tool used to hide your folders. The program uses a simple interface that is protected by a password that lets you hides and unhides selected folders. Our target objectives here will be to find where it is hiding the information about what folders are hidden and recover the password.

Finding where the folder information is stored

Well, We will use the easiest approach, see what files and registry keys the program (fhide.exe) writes to using Process Monitor while hiding a folder (in this case C: est). This should show us where it is writing to and it seems this approach worked out well.

Well, What have we here. We see a file operation on my C: est folder, it renamed the folder "CHKDSK.100��" and that is followed by a registry key creation at "HKCUSoftwareMicrosoftWindowsCurrentVersionNamespacegetPrefix0".

First lets confirm the folder was renamed. since it is hidden I will run the command line command "DIR /A:SH CHKDSK.*" (the /A:SH will show hidden and system files and folders). Wow... Its right there, great hiding trick.... is it accessible? Run a "cd CHKDSK.100��". Looks like we can.

Okay, Lets see whats hidden here with a "Dir" command and we see private.txt. Okay, well it should be encrypted right? guess again... "Type private.txt".

Well We are off a bad start for security. But how do we know where these are hidden if we didnt hide them? How can we find them? Well lets check out that registry key. Okay. Lets take a look at the keys here.

getPrefix0 = E
Declaration0 = X:*XSPWHP.377��
Javax0 = X:*gvhg

Hmmm.... Declaration0 and Javax0 both start with X:*, interesting. well. Lets make another hidden folder called C: est123 which becomes CHKDSK.101��. Well, now we have 3 new keys. they are the same names as above but instead we have a one at the end instead of zero.

getPrefix1 = E
Declaration1 = X:*XSPWHP.373��
Javax1 = X:*gvhg321

Okay, Starting to see a pattern. It looks like Declaration is for the new hidden file name. Javax is for what its unhidden name. getPrefix stayed the same. It appears to be a simple substitution cipher. The easy way to figure it out? Well, Let make a folder called C:abcdefghijklmnopqrstuvwxyz1234567890 and put it side by side with encrypted value and we have a key chart ;-).

C:abcdefghijklmnopqrstuvwxyz1234567890
X:*zyxwvutsrqponmlkjihgfedcba3215894067

Looks like the alphabet is just backwards. "/" becomes "*". The only thing different is the numbers but not that big of a deal, since we now see the key above anyways. So now we can decrypt the Declaration and Javax keys. they point to the folders, both hidden and unhidden names, just as we thought.

The last is the getPrefix key. I had one folder unhidden when I was working and the key value changed to "W". So it seems that "E" means it is hidden, "W" means not hidden. So Id Say we have this down now.

Finding The Password

Last thing to attack is the password for the program (in this case it is "Password"). Lets check more into the registry. There is one more key here:

BAR - Kzhhdliw

Surprise. my password and this key are both the same length. the 3rd and 4th characters repeat. Lets just try to decrypt it with our key chart above and... yep, thats our password... So with this information I was able to code a little tool that can exploit this to prove concept for academic reasons (And to only be used for that). I call the tool "Free Unhide Folder" (original huh?).

Resources

CleanerSoft Free Hide Folder:
http://www.cleanersoft.com/hidefolder/free_hide_folder.htm

Substitution cipher:
http://en.wikipedia.org/wiki/Substitution_cipher

Substitution cipher solver:
http://www.purplehell.com/riddletools/applets/cryptogram.htm

Free Unhide Folder (Source[vb.net 2008] and Binary):
http://packetstormsecurity.org/1010-exploits/FreeUnHideFolder.zip

{ Read More }

Friday, 21 July 2017

Cracking Android Passwords The Need for Speed

Impossibly Large Numbers Revisited

In October, 2012 I posted about a article about cracking Android passwords. I spoke primarily on the difficulty in cracking the passwords based on the sheer number of possibilities (a whopping 37,556,971,331,618,802,349,234,821,094,576!)

Don�t believe me? Let�s to a little rehashing: The key space (range of possible ASCII characters) for each position in the password is 94 (upper and lower case letters, digits, and extended characters), or hexadecimal range x21-x7F. The password can be a minimum length of 4 and a maximum of 16 characters long.

A little Python 3 math

>>> total = 0
>>> for i in range(4,17):
... total = total + 94**i
...
>>> print(total)
37556971331618802349234821094576
>>> #python will even put in the commas!
>>> print({:,}.format(total))
37,556,971,331,618,802,349,234,821,094,576

And voil�, we have 37.6 trillion-quadrillion possibilities! (Just rolls off the tongue, doesn�t it?) I spoke then that while the CCL Forensics python script was a great tool, python was not the best choice for password cracking because its relatively slow for that purpose. I introduced hashcat, a cross-platform password recovery application, as a better way to do business.

Hashcat-lite: Harness Feline Speed

Hashcat is coded with performance in mind and can use multi-core CPUs and GPUs (Nvidia and AMD) to perform the calculations. The CPU version, hashcat is remarkably faster than the CCL python script, and the GPU verson,oclHashcat-plus leaves the CPU version in the dust!

Using hashcat for cracking Android passwords can be a bit confusing, however, and I hope to deobfuscate the process here.

Spicy Passwords

Android uses a salted password and stores the password as a hash in the /data/system/password.key file. Well, two hashes, actually. A SHA-1 hash is calculated followed by an MD5 hash, and the values are concatenated into a single 72 byte string.

The salt, in this case a randomly generated signed, 64-bit integer, randomizes the hash and makes dictionary and brute force attacks ineffective. The integer is stored in the settings.db located in the /data/data/com.android.providers.settings/databases directory. The integer is converted a hexadecimal string (8 bytes in length) and is appended to the password. The password + salt string is then hashed and stored.

The CrackStation website has an excellent treatise on salted password hashing if you are looking for a more in-depth explanation. The Android salted password formate is not the only salted password hashing method in practice.

Creating Test Data

We can use python to create some salted hashes after the manner of Android. This is useful for testing hashcat or other tools you might use. After all, if you don�t first test, a failed crack attempt leaves you wondering if the tool failed or if you failed to use the tool properly. To create an Android style password hash, we need a 4-16 character length ASCII character

First, let�s pick a password. We�ll keep it fairly short to allow it to be cracked in a reasonable amount of time: "secret". Keeping it lower case allows us to attack it with a 26 character key space�after all, we�re about cracking the password here, not generating secure passwords!

BASH

$ password="secret"
$

Next, we need to generate a random salt integer (we could just make something up here, but we�ll use python to randomly generate a salt to keep the exercise more realistic). The maximum size of a 64-bit integer is 9,223,372,036,854,775,807. It is signed, meaning it can be positive or negative. Yes, mathematicians, that�s the definition of an integer: a positive or negative whole number including zero. But knowing its signed is important for the hexadecimal conversion in Python or other programming languages. To keep the exercise simple, however, we�ll stay in bash and generate a random number (we�re fudging a bit in generating the random number, but it works for our purposes)/

BASH

$ password="secret"
$ salt=$(($RANDOM**4))
$ echo $salt
15606337825758241
$

Note

Extracting the salt from settings.db

Recall that in an Android device, the salt would be stored in the /data/data/com.android.providers.settings/databases/settings.db in the "secure" table. The table salt can be obtained as follows:

BASH

$ sqlite3 settings.db SELECT value FROM secure WHERE 
name = "lockscreen.password_salt";
15606337825758241
$

On the BASH command line, we can convert the salt to a 8-byte hex string with the built-in function printf. The function formats and prints the a string, in this case we�ll be using the salt, according to a format string. Below, we tell print f to convert the string held in the variable $salt to hexadecimal, padding it with leading zeros if necessary until the output string is 16 characters long.

BASH

$ password="secret"
$ salt=$(($RANDOM**4))
$ echo $salt
15606337825758241
$

Now, we generate a hash by concatenating the password and hexadecimal salt into a string and hashing it. We�ll use the MD5 algorithm because it is faster to crack than SHA-1 (recall the password.key file contains both hashes). We pass the -n option to echo to prevent it from appending the output with a line feed as this would change our MD5 hash.

BASH

$ password="secret"
$ salt=$(($RANDOM**4))
$ echo $salt
15606337825758241
$ echo -n $password$salt | md5sum
b6b97079899c5f22d94f27027549cd7d -

Now we have the salted MD5 hash of the password secret using the salt 15606337825758241!

Note	Extracting the MD5 from password.key We have been generating a salted hash for testing. You�ll need to extract the MD5 from the password.key when working with real data. The following command makes short work of it. BASH $ tail -c32 password.key b6b97079899c5f22d94f27027549cd7d $

Using Hashcat

I�ll be demonstrating the Nvidia version of hashcat. You�ll want to check the help for your version of hashcat, but you�ll find the following demonstration informative.

The basic command for hashcat follows this form: --- hashcat [options] hash [mask] ---

The chief options we are interested in are the hash type (-m) and minimum/maximum password lengths (--pw-min/--pw-max). Reading the help (-h/--help) tells us that for salted MD5 passwords, we us the -m10 option. And since we are using the -m10 option, we need to append the salt to the hash using a colon (:) separator.

Our command and ouput look as follows:

BASH

$ ./cudaHashcat-lite64.bin -m10 --pw-min=4 --pw-max=16 
b6b97079899c5f22d94f27027549cd7d:15606337825758241
cudaHashcat-lite v0.13 by atom starting...

Password lengths: 4 - 16
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce 9500 GT, 1023MB, 1375Mhz, 4MCU


b6b97079899c5f22d94f27027549cd7d:15606337825758241:secret

Session.Name...: cudaHashcat-lite
Status.........: Cracked
Hash.Target....: b6b97079899c5f22d94f27027549cd7d:15606337825758241
Hash.Type......: md5($pass.$salt)
Time.Started...: Sat Jan 19 16:49:59 2013 (10 secs)
Time.Estimated.: Sat Jan 19 16:50:39 2013 (26 secs)
Plain.Mask.....: ?1?2?2?2?2?2
Plain.Text.....: ***yd3
Plain.Length...: 6
Progress.......: 1051066368/3748902912 (28.04%)
Speed.GPU.#1...: 102.8M/s
HWMon.GPU.#1...: -1% Util, 45c Temp, 100% Fan

Started: Sat Jan 19 16:49:59 2013
Stopped: Sat Jan 19 16:50:13 2013
$

Wait. Was that 14 seconds? Yes, it was!

Put on a Mask and Speed Your Results

Now, if the password gets very much longer, the exponential increase in the number of password possibilities gets quite large. Hashcat has one more trick up its sleeve (actually, there�s at least one more, but we�ll cover than another time). Hashcat makes use of masks that allow you to narrow the key space. Simply put, you can choose limited character sets to be used in the search, either from a predefined list, or lists your own creation.

The predefined character sets are:

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&()*+,-./:;<??@[]^_`{|}~
?a = ?l?u?d?s
?h = 8 bit characters from 0xc0 - 0xff
?D = 8 bit characters from German alphabet
?F = 8 bit characters from French alphabet
?R = 8 bit characters from Russian alphabet

To limit the password search to passwords containing only lowercase letters, for example, you would pass the command:

$ ./cudaHashcat-lite64.bin -m10 --pw-min=4 --pw-max=16 
b6b97079899c5f22d94f27027549cd7d:15606337825758241 
?l?l?l?l?l?l?l?l?l?l?l?l?l?l?l?l

I hope this gets you started using hashcat. It is a very effective tool, and it keeps on improving!

{ Read More }

Friday, 7 July 2017

Cracking Password Dengan John The Ripper

: Table OF contENTS :
   ---------------------
   :: [1]. PREFACE
   :: [2]. Mencari Target
   :: [3]. Password Cracking
   :: [4]. Penutup
   ::   [+] Shoutz

   ::---||-[1]. PREFACE
   ---------------------

     John The Ripper?? Siapa sich yang nggak kenal dengan tools Cracking yang kaya fitur ini.. ;) Walaupun usianya sudah uzur, tapi kemampuannya tetap bisa diandalkan. Mungkin tutorialnya dah lama yach.. sorry nich, kebetulan lagi banyak yang request, so bagi yang udah bosan dengan tutorial yang berbau John The Ripper.. ngapain juga masih baca sampai baris ini!! ;P

   ::---||-[2]. Mencari Target
   ----------------------------

     Sekarang kita akan mencari target. Biasa.. kita mampir ke rumahnya paman
   Google (google.com). Ketik keyword berikut lalu klik tombol search:

                 Inurl:/etc/passwd/

     Eits.. tunggu dulu.. maksudnya apaan nich?? Okay, gue jelasin yach....   Untuk melakukan password cracking, kita khan harus tau dimana file password yang mau di-crack. Naah, target kita kali ini adalah sistem operasi Linux.

     Pada OS Linux, file passwordnya berada di lokasi /etc/passwd. Sedangkan   shadow passwordnya berada di /etc/shadow (baca arsip lama mengenai Shadow   Password). Dengan bantuan paman google, kita berusaha mencari file password   dengan cara mengetikkan keyword diatas.

     Well.. gimana nich hasil pencariannya? pasti muncul banyak khan.. ;) Klik   salah satu link, dan isi file /etc/passwd akan ditampilkan. oleh browser. Copy- pastekan isi file tersebut pada notepad dan simpan dengan nama password.txt.

     Sekarang, kita akan melihat isi file shadow passwordnya.Misalkan url situs   korban yang anda buka tadi adalah:

          http://www.spyrozone.net/spyrokid/config/etc/passwd-

     Ubahlah alamat itu pada address bar menjadi:

       http://www.spyrozone.net/spyrokid/config/etc/shadow-

     Naah, kini isi dari file etc/shadow akan ditampilkan oleh browser. Copy-   paste isi file tersebut pada notepad, lalu simpan dengan nama shadow.txt.



   ::--||-[3]. Password Cracking
   -----------------------------

     Eh, udah punya John The Ripper belum?? Kalau belum, kamu bisa download John The Ripper di member area www.spyrozone.net. Kalau sudah, saatnya kita melakukan password craCKING!

     Extract file hasil downloadnya ke suatu folder lalu buka lewat MSDOS. Biar   gampang,copy juga file password.txt dan shadow.txt tadi ke directory yang sama   dengan John The Ripper. Setelah itu, gabungkan file password.txt dan file   shadow.txt dengan menggunakan program unshadow.exe milik John The Ripper.   Perintahnya ialah:

            unshadow password.txt shadow.txt >> crack.txt

     Setelah itu, kita gunakan john-mmx.exe untuk mengCRACK file crack.txt   dengan menggunakan perintah:

                   john-mmx crack.txt

     Tunggu dech.. lamanya hasil crack yang keluar tergantung dari seberapa panjang password korban dan seberapa rumit karakter (special characters) yang digunakan dalam password. Jika proses cracking berhasil, akan muncul:

username      (password)


::--||-[4]. Penutup
------------
     Sekian dulu dech, sebagai antisipasi agar anda tidak menjadi korban, baca ajah tulisan-tulisan saya yang terdahulu seputar keamanan account.


COPY FROM SPYROZONE.NET

{ Read More }

Wednesday, 14 June 2017

Cracking your knuckles does not actually hurt your bones or cause arthritis The sound you hear is just gas bubbles bursting

Cracking your knuckles (or any of your joints) can have therapeutic benefits. When you crack one of your joints you are pulling the bones that are connected at the joint apart from each other. This process stimulates your tendons, relaxes your muscles, and loosens your joints. Chiropractors do this for spinal joints when your back is sore and stiff, but you can do this on your own for your knuckles, toes, knees, neck, etc.

Unfortunately, there can be too much of a good thing. Cracking your knuckles will never lead to arthritis (despite what your mom keeps telling you), but scientists have discovered that it can cause tissue damage in the affected joints. Knuckle-cracking pulls your finger bones apart which stretches your ligaments. Too much stretching of your ligaments will cause damage to your fingers akin to the arm injuries sustained by a baseball pitcher who throws too many pitches. In addition to making your hand really sore, this ligament damage can also result in reduced grip strength.

How does this work? Your joints, the places in your body where you can bend, are where your bones intersect and are held together by ligaments. These joints are surrounded by a liquid called synovial fluid. When you stretch your ligaments by pulling the bones apart to crack your knuckles a gas in the synovial fluid escapes and turns into a bubble. This process is called cavitation. Cavitation ends when the bubble eventually bursts, producing that popping sound we know and love. After that, your joints wont be able to crack for another 25-30 minutes while the gas gets reabsorbed into the synovial fluid.

{ Read More }

Tuesday, 6 June 2017

Cracking Up

(The Girls Nervy by Jennifer Reeves)

(Light Work Mood Disorder [left side] by Jennifer Reeves)

---

"For instance, Mary Beth and I as we worked together on the Persians, are often speaking of Jenn Reevess hand-painted films. And wondering, just to be specific, how does she get the paint to crack like that- weve tried burning a match over it, match under it, setting it in the sun, using India ink and so on, but she produces a distinctive cracking in her painting thats absolutely hers and of course were not really supposed to have it, were playing in a way, but in the mean time were discovering other ways of creating that organic cracking of the paint or the substance of the paint."

-Stan Brakhage

---

(He Walked Away by Jennifer Reeves)

(When It Was Blue by Jennifer Reeves)

{ Read More }