Category:Password Attacks

From SecurityForest


  • John the Ripper (Windows, Linux, BSD): An extraordinarily powerful, flexible, and fast multi-platform password hash cracker
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches.
http://www.openwall.com/john

  • L0phtcrack (Windows): Windows password auditing and recovery application
L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows NT/2000 workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc).
http://www.atstake.com

  • Lepton's Crack (Linux, Windows): A free GPL password cracking engine and development laboratory. It has interesting features missing from other crackers, even commercial ones.
It can perform a dictionary-based (wordlist) attack, as well as a brute-force (incremental) password scan, including enumeration of a regular expression (useful if you know something about the password). Currently the formats supported are: standard MD4 hash, standard MD5 hash, NT MD4/Unicode, Lotus Domino HTTP password (R4), SHA-1 and LM (LAN Manager).
http://www.nestonline.com/lcrack/

Cain & Abel is a free password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary and brute-force attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also a great tool for ARP spoofing and MITM attacks. Source code is not provided.
http://www.oxid.it

  • creddump (Windows): Decrypt Credential Manager File
The program follows the same methodology used by Todd Sabin in his PWDUMP2 program to decrypt credential files. It uses the "DLL injection" technique to run a thread in the same security context as the Local Security Authority Subsystem process. The thread's executable code must first be copied to the address space of the LSASS process, and this requires an account with the SeDebugPrivilege user right. By default only Administrators have this right. Once injected and executed, the thread runs with the same access privileges as the Local Security Authority Subsystem and uses the native undocumented LsaICryptUnprotectData API from LSASRV.DLL to decrypt the credentials file. The thread stores the output of this API in a temporary file named cred.txt located in the same directory as the program. Finally, the user's credentials are dumped and printed on the screen. Credential Manager can store various kinds of passwords; they can be saved as MultiByte or WideChar strings, security BLOBs and certificates too. The choice of the final encryption method is left to the user. The program will try to recognize plaintext passwords stored as MultiByte strings or WideChar strings, and will also decode Passport and Standard (no entropy) credential BLOBs originally stored using the CryptProtectData API.
http://www.oxid.it/creddump.html

  • Brutus (Windows): A network brute-force authentication cracker
This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more. No source code is available. UNIX users should take a look at THC-Hydra.
http://www.hoobie.net/brutus/

  • THC-Hydra (Windows, Linux, BSD): Parallelized network authentication cracker
This tool allows for rapid dictionary attacks against network login systems, including FTP, POP3, IMAP, Netbios, Telnet, HTTP Auth, LDAP, NNTP, VNC, ICQ, Socks5, PCNFS, and more. It includes SSL support and is apparently now part of Nessus. Like Amap, this release is from the fine folks at THC.
http://thc.org/thc-hydra/

Crack is a password cracking program that is designed to quickly locate insecurities in Unix (or other) password files by scanning the contents of a password file, looking for users who have misguidedly chosen a weak login password. Crack v5.0 is a relatively smart program, and is pre-programmed to expect a variety of crypt() algorithms to be available for cracking in any particular environment.
http://www.crypticide.com/users/alecm/security/c50-faq.html

  • VNCPwdump (Windows): Dump and decrypt the encrypted VNC password
VNCPwdump can be used to dump and decrypt the registry key containing the encrypted VNC password in a few different ways. It supports dumping and decrypting the password by: 1) Dumping the current user's registry key. 2) Retrieving it from an NTUSER.DAT file. 3) Decrypting an encrypted password supplied on the command line. 4) Injecting the VNC process and dumping the owner's password.
http://www.cqure.net/tools.jsp?id=12

  • Ophcrack (Linux, Windows): The time-memory trade-off cracker
Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance.
http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/index.php

  • RainbowCrack (Linux, Windows): General-purpose implementation of a faster time-memory trade-off technique.
In short, the RainbowCrack tool is a hash cracker. While a traditional brute-force cracker tries all possible plaintexts one by one at cracking time, RainbowCrack works in another way. It precomputes all possible plaintext-ciphertext pairs in advance and stores them in a file called a "rainbow table". It may take a long time to precompute the tables, but once the one-time precomputation is finished, you will always be able to crack the ciphertext covered by the rainbow tables in seconds. (MD5, LM, SHA-1)
http://www.antsight.com/zsl/rainbowcrack/

  • Cachedump (Windows): Recover Windows cache entry information: Username and MSCASH.
CacheDump will create a CacheDump NT Service to obtain SYSTEM rights and do its work on the registry. Then, it will retrieve the LSA Cipher Key to decrypt (rc4/hmac_md5 GloubiBoulga) the cache entry values. A John the Ripper module has been developed to attack the hashed values that are retrieved (timing equivalent to MD4(MD4(password|U(username)))).
http://www.cr0.net:8040/misc/cachedump-1.1.zip

  • MDcrack (Windows): High speed cracker for MD4, MD5 and NTLM v1 hashes.
MDcrack is primarily a fast cracker for (raw) MD5 and MD4 hashes, but it also supports NTLM hashes (case sensitive, MD4-based) that are actually used by Windows NT/2000/XP. It's rather dumb in which candidate passwords it tries and it doesn't support loading of entire password files, so its practical use is limited. However, it demonstrates how it's possible to compute the hashes at a very fast rate.
http://c3rb3r.openwall.net/mdcrack/

