Stages of checking password crackability

1. Check if password is empty.
2. Check if password is equal to the username.
3. For system (or application) provided accounts, use the Google to find default passwords provided by manufacturers’, and test them against these accounts on your system(s).
4. Check if password is in the custom assembled corporate dictionary.
5. Check if password is in the selected language’s dictionary. (see: https://eikonal.wordpress.com/2010/03/29/default-passwords/)
6. Check if password is a dictionary word + one digit.
7. Check if password is an 311tized word.
8. Is password the concatenation of multiple words.
9. Check in the database of precomputed password hashes.
10. Desperate measure: brute force cracking.

Cracking Kerberos passwords

The only tool I know residing on this niche is ntsecurity’s KerbCrack/KerbSniff (http://ntsecurity.nu/toolbox/kerbcrack/).

Usage:

kerbcrack.exe kerbcap.snf -b1 9

John the Ripper

Places

• Home – http://www.openwall.com/john/
• Custom binary builds, by various users – http://openwall.info/wiki/john/custom-builds

Simple dictionary-based cracking

For Linux systems, the hashed passwords are contained in the /etc/shadow file. To use John the ripper, one needs both that file and /etc/passwd.

• Unshadowing:
  ./unshadow.exe passwd.txt shadow.txt > passwd-unshadowed.txt
• To run John against the unshadowed password file passwdFile-unshadowed.txt using the predefined word-list mywords.lst, run
  following:
  ./john.exe –wordlist=mywords.lst passwd-unshadowed.txt
• To see the cracked passwords run:
  ./john.exe –show passwdFile-unshadowed.txt
• and to save that file:
  ./john.exe –show passwdFile-unshadowed.txt > passwdFile-cracked.txt

Articles

• “Linux Password Cracking: Explain unshadow and john commands ( john the ripper tool )” by Vivek Gite (UnixCraft) – http://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
• “Cracking OpenVMS passwords with John the Ripper” by Jean-loup Gailly – http://gailly.net/security/john-VMS-readme.html
  • John the Ripper v1.3.6 source package patched to include OpenVMS SYSUAF.DAT files parsing – http://gailly.net/security/john-VMS-readme.html. It compiles well on Cygwin.
• So far, John does not work for SHA hashes. A patch allowing one to do this is presented at:
  • “Re: “No password hashes loaded” on Ubuntu 9.04″ by Solar Designer (2009.09.02) – http://www.openwall.com/lists/john-users/2009/09/02/3
  • “Crack Password with John the Ripper on Ubuntu 9.10” by Junjun Mao (2010.02.01) – http://pka.engr.ccny.cuny.edu/~jmao/node/26

  This patch allows use of John against SSH type hashes, but requires running John on the same type of system (i.e. unix system that supports the same hashes in logon authentication module).

---

Related here: Default passwords, wordlist and Rainbow tables – https://eikonal.wordpress.com/2010/03/29/default-passwords/ | Passwords cracking – https://eikonal.wordpress.com/2010/01/06/password-crackers/

Cisco “password 7″

• “How do I Decrypt Cisco Passwords?” – http://www.topbits.com/decrypt-cisco-passwords.html
• Cisco password decryption – http://insecure.org/sploits/cisco.passwords.html

---

Local info:

• Cisco “password 7″ decryption – Perl code (2010.01.28) – https://eikonal.wordpress.com/2010/01/28/ciso-password-7-decryption-perl-code/
• Cisco “Password 7″ Cracker – javascript code (2010.01.07) – https://eikonal.wordpress.com/wp-admin/post-new.php
• Cisco “Password 7″ Cracker – C code (2010.05.21) – https://eikonal.wordpress.com/2010/05/21/cisco-%e2%80%9cpassword-7%e2%80%b3-decryption-%e2%80%93-c-code/

Infosec blogs

• A Day In The Life of an Information Security Officer – http://blogs.ittoolbox.com/security/
• An Information Security Place podcast – http://infosecplace.com/blog/
• Anti-Virus rants: http://anti-virus-rants.blogspot.com/
• Anton Chuvakin Personal Blog: http://chuvakin.blogspot.com/
• Art of Hacking – http://artofhacking.com/
• Auditcast by David Hoelzer (podcasts) – http://auditcasts.com/ | RSS – http://feeds.feedburner.com/AuditcastsWithDavidHoelzer
  • # 1 : Auditing Routers and Switches with Nipper – http://auditcasts.com/screencasts/1 | MOV – http://auditcasts.com/videos/mov/videos/1/Episode%201%20-%20Routers%20and%20Switches.mov?1307548856 | Auditing Routers & Switches with Nipper Show Notes – http://it-audit.sans.org/blog/2011/06/07/auditing-routers-switches-with-nipper-show-notes
• Audit Monkey’s blog – http://auditmonkey.wordpress.com/
• Authentium Virus Blog: http://blogs.authentium.com/virusblog/
• Browser Fun: http://browserfun.blogspot.com/
• Carna0wnage blog – http://carnal0wnage.attackresearch.com/ has a lot of metasploit tricks.
• CSO Security Insights podcast – http://www.csoonline.com/podcasts
• Cisco Security (corporate) – http://blogs.cisco.com/security
• Computer Security @ Big Blog – http://bigblog.com/computer_security.html
• Connectivity – http://itknowledgeexchange.techtarget.com/connectivity/
• CYBER ARMS – Computer Security – http://cyberarms.wordpress.com/
• CyberSecurity news – http://cybersecuritynews.org/
• D90 Tools & Techniques: http://www.d90.us/toolbox/
• Darknet.org – http://www.darknet.org.uk/
• Declan McCullagh: Politech – http://www.politechbot.com/– DEFUNCT | The Iconoclast – http://www.news.com/the-iconoclast/
• Dominic White > .tHE pRODUCT: http://singe.rucus.net/blog/
• “Defensive Computing” by MIchael Horowitz (at CNet) – http://news.cnet.com/defensive-computing/ | RSS: http://news.cnet.com/2547-1_3-0-20.xml
• Emergent Chaos by Adam Shostack and ensemble – http://www.emergentchaos.com/
• Essential Computer Security – http://www.tonybradley.com/
• ::eSploit:: – http://esploit.blogspot.com/ – looks like a blog linking to the various security/hacking resources.
• Evil Bytes by John Sawyer – http://www.darkreading.com/blog/archives/evil_bytes/index.html
• Exotic Liability (podcast): http://exoticliability.libsyn.com/| http://www.exoticliability.com/| http://www.podcastalley.com/podcast_details.php?pod_id=75883
• Focus and Planning for Success in Business: http://salmankkhan.blogspot.com/
• Fortiguard blog (corporate) – http://blog.fortinet.com/
• Frequency X (ISS) blog (corporate) – http://blogs.iss.net/
• Graham Cluley’s (Sophos) blog – http://www.sophos.com/blogs/gc/
• How To Combat Spam Blog. By Anti-Spam Activist Ryan Pitylak: http://combatspam.blogspot.com/
• I Think….Therefore This Blog – http://vasim.blogspot.com/
• InvisibleThings: http://theinvisiblethings.blogspot.com/
• Information Security Resources: http://information-security-resources.com/
  • Physical security: http://information-security-resources.com/category/physical-security/
• Insights Into Information Security – http://www.randybias.com/
• Jeremiah Grossman’s (White Hat Security) blog: http://jeremiahgrossman.blogspot.com/
• Jesper’s Blog: http://msinfluentials.com/blogs/jesper/
• Jibbering musings: http://jibbering.com/blog/
• Kaos.Theory: Fractal blog: http://theory.kaos.to/blog/
• Krebs on Security – http://www.krebsonsecurity.com/
• “The Laws of Vulnerabilities” by Wolfgang Kandek (Qualys) – http://laws.qualys.com/
• Lenny Zeltser security blog – http://zeltser.com/
  • Critical Log Review Checklist for Security Incidents – http://zeltser.com/log-management/security-incident-log-review-checklist.html
  • Analyzing Malicious Documents Cheat Sheet – http://zeltser.com/reverse-malware/analyzing-malicious-documents.html
  • Security Architecture Cheat Sheet for Internet Applications – http://zeltser.com/security-management/security-architecture-cheat-sheet.html
  • Troubleshooting Human Communications – http://zeltser.com/cheat-sheets/human-communications-cheat-sheet.html
  • Security Incident Survey Cheat Sheet for Server Administrators – http://zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html
  • Initial Security Incident Questionnaire for Responders – http://zeltser.com/network-os-security/security-incident-questionnaire-cheat-sheet.html
  • Reverse-Engineering Malware Cheat Sheet – http://zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html
  • Network DDoS Incident Response Cheat Sheet – http://zeltser.com/network-os-security/ddos-incident-cheat-sheet.html
  • Information Security Assessment RFP Cheat Sheet – http://zeltser.com/security-assessments/security-assessment-rfp-cheat-sheet.html
• Light Blue Touchpaper: http://www.lightbluetouchpaper.org/; Security Research, Computer Laboratory, University of Cambridge
• Marcus Ranum – http://www.ranum.com/
• Mark Rusinovich:
  • Mark’s blog: http://blogs.technet.com/markrussinovich/
  • Sysinternals blog: http://blogs.technet.com/sysinternals/
  • Sysinternals forum: http://forum.sysinternals.com/
• McAfee Avert Labs Blog: http://www.avertlabs.com/research/blog/
• Metasploit: http://metasploit.blogspot.com/
• Microsoft security response center (corporate) – http://blogs.technet.com/msrc/
• Mister Reiner – http://misterreiner.wordpress.com/
• Network Security Blog – http://www.mckeay.net/
• Network Security Consulting Blog – http://blog.emagined.com/
• Ninda Diary: http://nindadiary.wordpress.com/: cryptography| database hacking| hack tools, utilities and exploits| hardware hacking| virology| web hacking
• Patch Day Review – http://www.patchdayreview.com/
• PaulDotCom (Paul Asadoorian): site/blog – http://pauldotcom.com/| podcast (“Security Weekly”) – http://pauldotcom.com/security-weekly/, http://itunes.apple.com/us/podcast/pauldotcom-hack-naked-tv/id121896233
• Praetorian Prefect – http://praetorianprefect.com/
• Qaddisin Security Blog – http://blog.qaddisin.com/
• Rational Survivability by Chris Hoff – http://www.rationalsurvivability.com/blog/
• Ryan Pitylak’s Personal Blog – Current Events: http://ryanpitylak.blogspot.com/
• SANS Audit Blog – http://it-audit.sans.org/blog
• SANS ISC Stormcast (podcast) – http://isc.sans.org/podcast.html
• SANS Internet Storm Center – http://isc.sans.org/
• SecuriTeam Blogs: http://blogs.securiteam.com/
• Security Week – http://www.securityweek.com/
• SecBarbie by Erin Jacobs – http://www.secsocial.com/blog/
• Security Catalyst podcast – http://www.securitycatalyst.com/blog/security-catalyst-podcast/
• Security Incite by Mike Rothman – http://securityincite.com/blog/mike-rothman
• Security Uncorked – http://securityuncorked.com/
• Shell is only the Beginning: http://www.darkoperator.com/
• Schneier On Security – Bruce Scheier’s blog: http://www.schneier.com/| Cryptogram newsletter archive: http://www.schneier.com/crypto-gram-back.html| Cryptogram security podcast: http://crypto-gram.libsyn.com/
• Slight Paranoia – http://paranoia.dubfire.net/ – Analysis and opinion by Christopher Soghoian, security and privacy researcher.
• SpyChips blog by Katherine Albrecht – http://www.spychips.com/blog/index.html
• strawberryJAMM’s Security and User Experience WebLog – http://blogs.technet.com/strawberryjamm/default.aspx
• SunbeltBLOG: http://sunbeltblog.blogspot.com/, http://www.sunbeltblog.blogspot.com/
• TaoSecurity (by Richard Bejtlich) – http://taosecurity.blogspot.com/
• The Security Blog (SIC!) – http://www.thesecurityblog.com/
• ThreatPost – http://www.threatpost.com/
• Troy Jessup’s Security Blog – http://www.ndnn.org/blog/
• Troy Hunt’s blog – http://www.troyhunt.com/
  • A brief Sony password analysis – http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
  • The only secure password is the one you can’t remember – http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html
  • The 3 reasons you’re forced into creating weak passwords – http://www.troyhunt.com/2011/03/3-reasons-youre-forced-into-creating.html
  • Bad passwords are not fun and good entropy is always important: demystifying security fallacies – http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.html
• Uncommon Sense Security by Jack Daniel – http://blog.uncommonsensesecurity.com/
• Unspecific – http://www.unspecific.com/
  • Nmap tools – http://www.unspecific.com/nmap/
• Usable Security – http://usablesecurity.com/
• Wirewatcher – http://wirewatcher.wordpress.com/
• Zero Day (by Ryan Naraine and Dancho Danchev) – http://www.zdnet.com/blog/security

—–
Similar collections (and partial sources) of links:

• Security Blog Log – http://wikihead.wordpress.com/2010/02/20/security-blog-log/

Cisco “password 7” decryption – Perl code

Source: somewhere from the web.

#!/usr/bin/perl -w # $Id: ios7decrypt.pl,v 1.1 1998/01/11 21:31:12 mesrik Exp $ # # Credits for orginal code and description hobbit@avian.org, # SPHiXe, .mudge et al. and for John Bashinski # for Cisco IOS password encryption facts. # # Use for any malice or illegal purposes strictly prohibited! # @xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53 , 0x55, 0x42 ); while () { if (/(password|md5)\s+7\s+([\da-f]+)/io) { if (!(length($2) & 1)) { $ep = $2; $dp = ""; ($s, $e) = ($2 =~ /^(..)(.+)/o); for ($i = 0; $i < length($e); $i+=2) { $dp .= sprintf "%c",hex(substr($e,$i,2))^$xlat[$s++]; } s/7\s+$ep/$dp/; } } print; }

---

Related: https://eikonal.wordpress.com/2010/05/21/cisco-%e2%80%9cpassword-7%e2%80%b3/

Cisco “Password 7” Cracker – javascript code

Source: http://www.ifm.net.nz/cookbooks/passwordcracker.html

<script language="JavaScript1.2" type="text/javascript"> <!-- // Is the character a digit? function isDigit(theDigit) { var digitArray = new Array('0','1','2','3','4','5','6','7','8','9') for (j = 0; j < digitArray.length; j++) { if (theDigit == digitArray[j]) return true } return false } // Generate a config file ready for loading function crackPassword(form) { var crypttext=form.crypttext.value.toUpperCase() var plaintext='' var xlat="dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87" var seed, i, val=0 if(crypttext.length & 1) return seed = (crypttext.charCodeAt(0) - 0x30) * 10 + crypttext.charCodeAt(1) - 0x30 if (seed > 15 || !isDigit(crypttext.charAt(0)) || !isDigit(crypttext.charAt(1))) return for (i = 2 ; i <= crypttext.length; i++) { if(i !=2 && !(i & 1)) { plaintext+=String.fromCharCode(val ^ xlat.charCodeAt(seed++)) seed%=xlat.length val = 0; } val *= 16 if(isDigit(crypttext.charAt(i))) { val += crypttext.charCodeAt(i) - 0x30 continue } if(crypttext.charCodeAt(i) >= 0x41 && crypttext.charCodeAt(i) <= 0x46) { val += crypttext.charCodeAt(i) - 0x41 + 0x0a continue } if(crypttext.length != i) return } form.plaintext.value=plaintext } --> </script> <form name="never-you-mind" id="never-you-mind" action="#"> <table border="1"> <tbody><tr><td> <p> Type 7 Password: <input name="crypttext" size="60" type="text"> </p> <p> <input value="Crack Password" onclick="crackPassword(this.form)" type="button"> </p> <p>Plain text: <input name="plaintext" size="40" type="text"> </p> </td></tr></tbody></table> </form>

---

Related: https://eikonal.wordpress.com/2010/05/21/cisco-%e2%80%9cpassword-7%e2%80%b3/

Passwords cracking

Offline crackers

• Cain and Abel – http://www.oxid.it/cain.html
• John the Ripper – http://www.openwall.com/john/
  • More details here: https://eikonal.wordpress.com/2010/05/25/john-the-ripper/
• Pwdump – Windows LM and NTLM password hashes dumper – http://en.wikipedia.org/wiki/Pwdump. Has numerous implementations:
  • http://samba.org/samba/ftp/pwdump/
  • http://www.securiteam.com/tools/5ZQ0G000FU.html
  • pwdump6 – http://www.foofus.net/~fizzgig/pwdump/
  • fgdump – http://www.foofus.net/~fizzgig/fgdump/
  • pwdump7 – http://www.tarasco.org/security/pwdump_7/index.html
  • pwdump3 – http://openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista-7#pwdump
    • pwdump3 > hashes.txt
    • then use johnTheRipper
• OphCrack – http://ophcrack.sourceforge.net/
  • Description: http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
• RainbowCrack – http://project-rainbowcrack.com/
  • Pre-computed tables can be bought here – http://project-rainbowcrack.com/buy.php
• L0phtcrack – http://www.l0phtcrack.com/
• THC Hydra – http://freeworld.thc.org/thc-hydra/
• FSCrack – http://www.foundstone.com/us/resources/termsofuse.asp?file=fscrack.zip
• Brutus – http://www.hoobie.net/brutus/
• Aircrack –
• Airsnort –
• SolarWinds –
• chknull – http://phreak.org/archives/expoits/novell – checks novell accounts with no passwords — GONE
• Pandora – http://nmrc.org/project/pandora/ – a set of tools for hacking, intruding, and testing the security and insecurity of Novell Netware
• Ravan – JavaScript distributed computing system – http://www.andlabs.org/tools/ravan.html
• White Chapel – password cracking front end – https://github.com/mubix/WhiteChapel

Online tools

• Cisco Password Cracker (2007.06) – http://www.ifm.net.nz/cookbooks/passwordcracker.html
• Microsoft’s online password strength checker – https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link
• Javascript Password Strength Meter – http://www.geekwisdom.com/dyn/passwdmeter. Local copy of code: https://eikonal.wordpress.com/2010/07/14/javascript-password-strength-meter/.
• WPACracker – http://www.wpacracker.com/ [ONLINE CRACKER]

Articles

• “Everyday Password Cracking” by Thorsten Fisher – http://www.irmplc.com/downloads/whitepapers/Everyday_Password_Cracking.pdf
• Password Recovery Speeds – http://www.lockdown.co.uk/?pg=combi&s=articles
• Rainbow Hash Cracking – http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html
• What is Rainbow Crack and How to do it: The Time-Memory Tradeoff Hash Cracker : How to Crack Windows passwords – http://learnethicalhacking.wordpress.com/2010/02/04/learn-how-to-hack-facebook-passwords-and-accounts-using-phishing-attack-facebook-fake-page/
• Cracking Windows Password Hashes – http://thehackingoftech.wordpress.com/2010/01/24/cracking-windows-password-hashes/
• How to recover Windows XP passwords with PwDump and MdCrack – http://winguard.blogspot.com/2009/05/how-to-recover-windows-xp-passwords.html

Generating password hashes

• Generating unix-style MD5 password hashes:
  • openssl passwd -1 -salt QIGCa pippo
  • produces: $1$QIGCa$/ruJs8AvmrknzKTzM2TYE.
• Generating password hash for native system crypt() function:
  • perl -e ‘print crypt(“pippo”, “\$1\$QIGCa”),”\n”‘
  • produces: $1Su6NR9CFU/6

VARIOUS

• Cracking Kerberos passwords
  • The only tool I know residing on this niche is ntsecurity’s KerbCrack/KerbSniff (http://ntsecurity.nu/toolbox/kerbcrack/).
  • Usage: kerbcrack.exe kerbcap.snf -b1 9

---

Related here: Default passwords, wordlist and Rainbow tables – https://eikonal.wordpress.com/2010/03/29/default-passwords/ | John The Ripper – https://eikonal.wordpress.com/2010/05/25/john-the-ripper/