A good password has the problem of being difficult to remember. And sometimes you might need to get in to a system where the root password is long forgotten (or left with the system administrator before you).
Luckily there are ways of getting access to systems without having the password. This is of course in a sense also a security risk. That’s why you should always be aware that having unattended physical access to a computer system means the same as having root access to the operating system. Unless the information on a system is encrypted, it’s only as save as the room it’s in.

The method to use to reset the password if you lost the root (or only) password depends on the configuration of your system. But it mostly comes down to two separate tasks:

- get write access to the root partition

- change the password/circumvent control

Here are some things you can try from easy to more complicated.

1.booting into single user mode from the start menu

Some systems are configured to drop you into root shell without a password if you reboot them in single user mode. If your system has an option called single or recovery mode changes are it will drop you directly to the root prompt or as I know ubuntu does it serves up a menu with ‘drop to root shell prompt’ as an option. Sometimes you have to hit escape at startup to enter the boot menu.
Once in the root shell it’s as easy as typing passwd followed by your username and the passwd program will ask you for the new password. passwd without a name will change the root password.
If you don’t know the username anymore you can do

#cat /etc/ passwd this prints the password text file where every entry before the : is a valid username

or

#ls /home which will give you the username of the users on the system with a home directory (if the default home path is used)

If you have a system which has this boot option and you think this is just a to obvious security risk (don’t want your little sister to change your root password) you can easily remove this option by editing the file /boot/grub/menu.lst (if you use the grub boot loader) or /etc/lilo.conf (if you use lilo)
If you use Ubuntu you can set passwords for the menu options in the startup-manager from the administration menu security tab or remove the option in the advanced tab.
Grub and Lilo both have password options
to password protect grub create a md5 hash of your password ( #/sbin/grub-md5-crypt ) and edit the file /boot/grub/grub.conf add below the line timeout the following line:

password –md5 password-hash-here

grub configuration should be user root group root and 600 permissions.

to password protect boot menu entries just enter lock below the title line in the /boot/grub/menu.lst file

for protecting lilo edit the /etc/lilo.conf file before the first image stanza place the option

password=clear-text-password

2. booting into single user mode when there’s no menu entry at startup

If there’s no single or recovery option in the boot menu you can still boot into single mode by editing the startup entry. To do this in grub, while in the menu press ‘e’ this will let you edit the menu entries. Just append single to the line starting with kernel. press ‘b’ and the system will boot into single mode.
If your boot manager is Lilo you can pass Linux 1 or Linux emergency as boot parameters.
This approach won’t help you on all systems because many systems will ask you for the root password when booting into single user mode.(Debian does)

3. boot to root shell by using shell as init

If the single user mode has been disabled or is password protected just press ‘e’ in the grub boot menu and add init=/bin/bash (or any other shell executable) to the kernel line. Press ‘b’ to boot and you’ll get a root shell because the init process is replaced with bash while booting. This gives you a rather limited shell but it’s good enough, depending on your system configuration you might have to mount the root partition read/write before you can change the password. Do this by entering

#mount -no remount,rw /

After that you can use passwd again as in previous examples.

If your startup manager is Lilo you can give the boot parameters Linux init=/bin/bash

4. boot from alternative file system

This method is much less likely to be available as it requires some kind of “alternative file system” to be available. If you have non-root access and there is a writable partition (/tmp for instance) and you can place a linux file system relative to that partition for instance by downloading a minimal linux distro and unpacking it you can then give the root= option to grub and set the partition where you placed your own file system as root file system.
Executing the mount command will show the available partitions and how they are mounted. This will only work in very specific circumstances though.

5. boot from a bootable usb stick

If you have no way to access single user mode from the boot menu, or if your single user mode is password protected, you can still use an alternative boot medium. Many systems these days provide a boot option for booting from a usb stick. This is actually a very easy method. The access of boot sequence menu differs by system, most systems display a text like press esc to enter boot menu or something like that. Sometimes the system is already configured to try booting from removable medium first. Many systems also allow changing the boot sequence from the bios. Just change the boot sequence of the system to boot from usb or choose that option from the boot menu. This does require you to have a boot-able usb stick of course. There are many ways to make a usb stick boot-able one of them is described in my article about backtrack, which makes a great distro to use for this purpose by the way. Just boot from the usb device, and open a root shell. The next thing you have to do is find out which is the root partition. Use fdisk to list the available partitions:

#fdisk -l

This will show the disks available.
You can mount them with the mount command. First create a directory mkdir /newdir or mount the partition on an existing directory. Then mount the partition you think is the root.

#mount -o,rw /dev/hda1 /newdir

if mount complaints you have to specify partition type, you find the type as a letter/number combination where it says Id. To show a list of partition type name/Id combinations use /sbin/sfdisk -T

in this case use mount with -t option:

#mount -o,rw -t ext3 /dev/hda1 /newdir

check if it’s the right one with ls:

#ls /newdir (should list a root filesytem)

if it is the wrong partition, just do umount /newdir to unmount it and redo the previous steps with another partition from the list.

If it is the right partition use chroot:

#chroot /newdir

this will make the newdir your root dir

and then enter passwd to change the root password and reboot your system.

6. boot from CD

This is basically the same as option 5 but requires you to have a Linux live-cd or rescue-cd. Most linux installation cd’s double as recovery cd’s by giving you a rescue option at boot or some drop to root shell menu option anywhere in the process. You do need to have a cd/dvd player installed to use this option. The method is exactly the same as in option 5. There are a lot more systems that allow booting from cd/dvd (most older pc’s do) than from usb this makes it a more viable approach.

7. boot from network

Difficult to do in many cases, but if you have access to the bios or the system is already configured to try booting from the network, and you have a system which you can configure as a boot server, it’s more or less the same story as 5 and 6. Boot the system into a OS where you have root access and mount the disk, chroot and you are in.

If you can’t access the BIOS to change the boot sequence because it’s password protected, try searching Google for the master password for your BIOS. Or you can try removing the BIOS battery the BIOS battery is located on the motherboard and is there to keep the BIOS memory as the power is taken of the system. Unplug the system, remove the battery and wait for about 120 seconds. Be warned this will flush all BIOS information (configuration) most systems will boot fine when you reload default BIOS settings (not all). Some motherboards have jumpers for resetting BIOS, if you have the motherboard manual you can look it up. Laptops are sometimes equipped with security features which make flushing BIOS impossible or even render the system completely useless when trying to reset BIOS.

8. place an extra disk in the machine

In most cases the BIOS will auto-detect a new disk, so if you place a new disk containing a boot-able OS and make it the master and the old disk slave, you can make the system boot from the new disk.

9. remove the disk and place it in another machine

If you can’t do any of the above you can always take out the disk and place it in another Linux system. Than you can mount it, chroot to the disk and again use passwd to change the root password. Place back the disk and start the machine.

10. Try to gain root trough known vulnerabilities

If the system has been running for a long time (or not running) without anyone maintaining it, there’s a change it’s running a vulnerable service. This would probably take a lot of time to do. Try fingerprinting the system for running network services that have not been security patched. If there is a easy root exploit to run against the machine it might be possible to get in this way.

Securing your system

Securing yourself against all these options is very difficult. You can remove all removable medium drives, CD/DVD, diskette, fill your usb ports with glue, passwords on everything. The only real protection is encrypted disks on every device you can’t keep in a secure environment. If someone gains unattended physical access to your systems they have access to your data.

What you can do is make it very difficult, secure access to your computers as much as you think is appropriate considering the sensitivity of your data. When it comes to mobile devices, laptops netbooks and the like you should carefully consider what would happen if it gets lost or stolen and someone has access to all your data. Very good Encryption programs are freely available for Linux and you can even choose to encrypt your whole system, in some distributions this is an install option.

Think there is more to try? Easier ways? Think there are better ways to protect against it? Mistakes? Leave a comment. It can take a while before comments are published(different time zone)

• Internet Explorer 4.00 – 6.00: The passwords are stored in a secret location in the Registry known as the “Protected Storage”.
  The base key of the Protected Storage is located under the following key:
  “HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”.
  You can browse the above key in the Registry Editor (RegEdit), but you won’t be able to watch the passwords, because they are encrypted.
  Also, this key cannot easily moved from one computer to another, like you do with regular Registry keys.

• Internet Explorer 7.00 – 8.00: The new versions of Internet Explorer stores the passwords in 2 different locations.
  AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
  HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials , together with login passwords of LAN computers and other passwords.

  IE PassView can be used to recover these passwords.

• Firefox: The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and signons3.txt (depends on Firefox version)
  These password files are located inside the profile folder of Firefox, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]
  Also, key3.db, located in the same folder, is used for encryption/decription of the passwords.
• Google Chrome Web browser: The passwords are stored in [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data
  (This filename is SQLite database which contains encrypted passwords and other stuff)
• Opera: The passwords are stored in wand.dat filename, located under [Windows Profile]\Application Data\Opera\Opera\profile
• Outlook Express (All Versions): The POP3/SMTP/IMAP passwords Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.
• Outlook 98/2000: Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.

  Both Mail PassView and Protected Storage PassView utilities can recover these passwords.

• Outlook 2002-2008: All new versions of Outlook store the passwords in the same Registry key of the account settings.
  The accounts are stored in the Registry under HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]
  If you use Outlook to connect an account on Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers.

• Windows Live Mail: All account settings, including the encrypted passwords, are stored in [Windows Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name]
  The account filename is an xml file with .oeaccount extension.
• ThunderBird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]
  You should search a filename with .s extension.
• Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]
• Google Desktop: Email passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\[Account Name]
• MSN/Windows Messenger version 6.x and below: The passwords are stored in one of the following locations:
  1. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
  2. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MessengerService
  3. In the Credentials file, with entry named as “Passport.Net\\*”. (Only when the OS is XP or more)
• MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]
• Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with entry name begins with “WindowsLive:name=”.
• Yahoo Messenger 6.x: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager
  (”EOptions string” value)
• Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager – “ETS” value.
  The value stored in “ETS” value cannot be recovered back to the original password.
• AIM Pro: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\AIM\AIMPRO\[Account Name]
• AIM 6.x: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
• ICQ Lite 4.x/5.x/2003: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners\[ICQ Number]
  (MainLocation value)
• ICQ 6.x: The password hash is stored in [Windows Profile]\Application Data\ICQ\[User Name]\Owner.mdb (Access Database)
  (The password hash cannot be recovered back to the original password)
• Digsby: The main password of Digsby is stored in [Windows Profile]\Application Data\Digsby\digsby.dat
  All other passwords are stored in Digsby servers.
• PaltalkScene: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name].

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference’s organizer.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack

Security experts had known that TKIP could be cracked using what’s known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a “mathematical breakthrough,” that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

Tews is planning to publish the cryptographic work in an academic journal in the coming months, Ruiu said. Some of the code used in the attack was quietly added to Beck’s Aircrack-ng Wi-Fi encryption hacking tool two weeks ago, he added.

WPA is widely used on today’s Wi-Fi networks and is considered a better alternative to the original WEP (Wired Equivalent Privacy) standard, which was developed in the late 1990s. Soon after the development of WEP, however, hackers found a way to break its encryption and it is now considered insecure by most security professionals. Store chain T.J. Maxx was in the process of upgrading from WEP to WPA encryption when it experienced one of the most widely publicized data breaches in U.S. history, in which hundreds of millions of credit card numbers were stolen over a two-year period.

A new wireless standard known as WPA2 is considered safe from the attack developed by Tews and Beck, but many WPA2 routers also support WPA.

“Everybody has been saying, ‘Go to WPA because WEP is broken,’” Ruiu said. “This is a break in WPA.”

If WPA is significantly compromised, it would be a big blow for enterprise customers who have been increasingly adopting it, said Sri Sundaralingam, vice president of product management with wireless network security vendor AirTight Networks. Although customers can adopt Wi-Fi technology such as WPA2 or virtual private network software that will protect them from this attack, there are still may devices that connect to the network using WPA, or even the thoroughly cracked WEP standard, he said.

Ruiu expects a lot more WPA research to follow this work. “Its just the starting point,” he said. “Erik and Martin have just opened the box on a whole new hacker playground.”

Breaking Wi-Fi Protection with Elcomsoft Distributed Password Recovery

With growing numbers of Wi-Fi networks used by businesses and individuals all over the world, security becomes utterly important. There are currently two methods of protecting Wi-Fi networks, WEP and WPA/WPA2. Unlike enterprise, RADIUS protected networks, consumer-grade WPA and WPA2 protection methods rely on passwords and encryption to protect traffic transferred between users and network access points. However, WEP, the older protection method, is no longer considered secure even for home users, as sometimes it can be broken in less than two minutes due to security flaws discovered in the algorithm.

The newer WPA/WPA2 encryption is inherently more secure than WEP. The only way to break WPA and WPA2 encryption is to use a brute force attack, which involves trying all possible passwords in the hope to discover the only correct one. With billions of possible combinations, it can take years to break into a WPA/WPA2 protected network. However, WPA/WPA2 protected networks are not immune against distributed attacks performed with GPU-accelerated algorithms.

With the latest version of Elcomsoft Distributed Password Recovery, it is now possible to crack WPA and WPA2 protection on Wi-Fi networks up to 100 times quicker with the use of massively parallel computational power of the newest NVIDIA chips. Elcomsoft Distributed Password Recovery only needs a few packets intercepted in order to perform the attack. The new product of ElcomSoft Co. Ltd. makes it possible to quickly perform security audit of corporate Wi-Fi networks, allowing to test network security against threats such as inappropriate WLAN security policy.

Using NVIDIA Cards to Break Wi-Fi Protection Faster

Today’s video cards such as NVIDIA GeForce GTX280 can process hundreds of billions fixed-point calculations per second. Add as much as 1 GB of onboard video memory and up to 240 processing units, multiply it by two by using a couple of NVIDIA cards, and enter the whole new world of super-parallel computational power for just a few hundred dollars.

Until recently, all the power of highly parallel, super-scalar processors in 3D graphic accelerators could only be used for gaming. ElcomSoft Co. Ltd. has invented a way to utilize the massively parallel computational power of NVIDIA gaming cards for increasing the speed of password recovery . Elcomsoft Distributed Password Recovery, its flagship password recovery tool, is able to fully utilize recent NVIDIA chips used in laptop, desktop and server computers, increasing the speed of Wi-Fi password recovery up to 100 times compared to conventional CPUs.

Immune Systems:
* SafeBoot Device Encryption version 4 Build 4760 and above
* SafeBoot Device Encryption version 5.x

SafeBoot’s pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0×40:0×1e.
http://www.ivizsecurity.com/security-advisory-iviz-sr-08010.html

Let’s start at the top and work our way down. Any time a password is saved, you’re first prompted with the save password bar.

In Chrome, this object is called PasswordManager. This object is responsible for a lot of stuff, but what we really care about is what happens when you click “Save Password”.

When you click the save button, it calls the following function:

Again, pretty straight forward. The first two items will log information for debugging purposes and aren’t compiled in release mode. It then checks if it is adding a new password or updating an existing one. For the purposes of this tutorial, let’s look at adding a new password.

Most of this function is debug code. What we care about is the call to AddLogin. The WebDataService object is responsible for meta data associated with a web page.

Now we’re getting a little more complicated. Adding a password is done asynchronously and this function handles scheduling that task. It seemed to be very important that nothing interrupt Chrome’s user interface – this keeps it feeling fast and responsive. Now let’s take a look at what happens when this task is run.

We’re almost at the heart of it all. The important call here is AddLogin, so let’s dive into that.

We’ve finally reached the end of the line. This function actually builds the SQL statement for adding a new password to Chrome’s SQLite database. Of course, the password isn’t stored in plain text so Chrome has an Encryptor object responsible for encrypting the password first. Let’s take a look at that.

The important piece here is CryptProtectData, which is a Windows API function for encrypting data. Data encrypted with this function is pretty solid. It can only be decrypted on the same machine and by the same user that encrypted it in the first place.

So what’d we learn by investigating Chrome’s password management system? Well, we learned that Google uses SQLite as the storage mechanism for passwords and other web page related data. We also see that Google has done a great job extracting Windows specific code from the cross-platform stuff. The only Windows specific code here is the encryption function, which can easily be ported by creating a different Encryptor object for each OS.

Credits to: http://blog.paranoidferret.com

• Introduction
• Types of passwords stored in Internet Explorer
  • Internet Credentials
  • AutoComplete data
  • AutoComplete passwords
  • FTP passwords
  • Synchronization passwords
  • Identities passwords
  • AutoForms data
  • Content Advisor password
• Brief overview of Internet Explorer password recovery programs
• PIEPR – the first acquaintance
• Three real-life examples
  • Recovering current user’s FTP passwords
  • Recovering website passwords from unloadable operating system
  • Recovering uncommonly stored passwords
• Conclusion

Introduction

Nobody will likely dispute the fact that Internet Explorer is today’s most popular Web browser. According to the statistics, approximately 70 percent of online users prefer to use just this program. Arguments about its pros and cons may last forever; still, this browser is the leader of its industry, and this is a fact that requires no proof. Internet Explorer carries several built-in technologies, designed to make average user’s life easier. One of them – IntelliSense – is made for taking care of the routine tasks, like the automatic completion of visited webpage addresses, automatic filling of form fields, users’ passwords, etc.

Many of today’s websites require registration, which means, user would have to enter user name and password. If you use more than a dozen of such websites, you will likely need a password manager. All modern browsers have a built-in password manager in their arsenal, and Internet Explorer is not an odd. Indeed, why would one have to remember yet another password if it is going to be forgotten some time soon¹ anyway? Much easier would be to have browser do the routine work of remembering and storing passwords for you. It’s convenient and comfortable.

This would be a totally perfect solution; however, if your Windows operating system crashed or reinstalled not the way it’s supposed to be reinstalled, you can easily lose the entire list of your precious passwords. That’s the toll for the comfort and convenience. It’s good just about every website has a saving “I forgot password” button. However, this button will not always take your headache from you.

Each software developer solves the forgotten password recovery problem their own way. Some of them officially recommend copying a couple of important files to another folder, while other send all registered users a special utility that allows managing the migration of private data, and the third ones pretend they are not seeing the problem. Nevertheless, the demand creates the offer, and password recovery programs are currently on a great demand.

In this article, let’s try to classify types of private data stored in Internet Explorer, look at programs for the recovery of the data, and study real-life examples of recovering lost Internet passwords.

Types of Passwords Stored in Internet Explorer

Internet Explorer may store the following types of passwords:

• Internet Credentials
• AutoComplete Data
• AutoComplete Passwords
• FTP Passwords
• Synchronization Passwords for cached websites
• Identities Passwords
• AutoForms Data
• Content Advisor Password

Let’s take a closer look at each listed item.

Internet Credentials for websites

Internet credentials mean user’s logins and passwords required for accessing certain websites, which are processed by the wininet.dll library. For example, when you try to enter the protected area of a website, you may see the following user name and password prompt (Figure 1).

Figure 1. Internet Credentials dialog.

If the option “Remember my password” is selected in that prompt, the user credentials will be saved to your local computer. The older versions of Windows 9х stored that data in user’s PWL file²; Windows 2000 and newer store it in the Protected Storage².

AutoComplete Data

AutoComplete data (passwords will be covered further) are also stored in the Protected Storage and appear as lists of HTML form field names and the corresponding user data. For example, if an HTML page contains an e-mail address entry dialog: once user has entered his e-mail address, the Protected Storage will have the HTML field name, the address value, and the time the record was last accessed.

The HTML page title and website address are not stored. Is that good or bad? It’s difficult to determine; more likely to be good than bad. Here are the obvious pros: it saves free space and speeds up browser’s performance. If you think the last note is insignificant, try to imagine how you would have to perform several extra checkups in a multi-thousand (this is not as rare as it may seem to be) auto-fill list.

Another obvious plus is that data for identical by name (and often by subject) HTML form fields will be stored in the same place, and the common data will be used for the automatic filling of such pages. We will see this by this example. If one HTML page contains an auto-fill field with the name ‘email’, and user entered his e-mail address in that field, IE will put in the storage, roughly, ‘email=my@email.com’. From now on, if the user opens another website, which has a page with the same field name ‘email’, the user will be suggested to auto-fill it with the value that he entered on the first page (my@email.com). Thus, the browser somewhat discovers AI capabilities within itself.

The major drawback of this data storage method comes out of its advantage that we just described. Imagine, user has entered auto-fill data on a webpage. If someone knows the HTML form field name, that person can create his own simplest HTML page with the same field name and open it from a local disk. To uncover the data entered in this field, such person will not even have to connect to the Internet and open the original WWW address.

AutoComplete Passwords

In the case with passwords data, however, as you might have guessed, the data will not be filled in automatically. Since auto-complete passwords are stored along with the Web page name, and each password is bound to only one specific HTML page.

In the new version, Internet Explorer 7, both AutoComplete passwords and data are encrypted completely different; the new encryption method is free from the shortcoming just described (if that can be classified as a shortcoming.)

It is worth noticing that Internet Explorer allows users to manage auto-fill parameters manually, (Figure 2) through the options menu.

Figure 2. Internet Explorer AutoComplete settings.

FTP passwords

FTP site passwords are stored pretty much the same way. It would be relevant to notice that beginning with Windows XP FTP passwords are additionally encrypted with DPAPI⁴. This encryption method uses logon password. Naturally, this makes it much more difficult to recover such lost passwords manually, since now one would need to have the user’s Master Key⁵, SID⁶ and the account password.

Synchronization Passwords for cached websites

Synchronization passwords free user from having to enter passwords for cached websites (sites set to be available offline.) Passwords of this type are also stored in IE’s Protected Storage.

Identities passwords

So are identities passwords. The identity-based access management mechanism is not widespread in Microsoft’s products, except, perhaps, Outlook Express.

AutoForms Data

A special paragraph must cover the form auto-fill method, which constitutes a hybrid way of storing data. This method stores the actual data in the Protected Storage, and the URL, which the data belong to, is stored in user’s registry. The URL written in the registry is stored not as plaintext – it is stored as hash. Here is the algorithm for reading form auto-fill data in IE 4 – 6:

The next, seventh generation of the browser, is most likely going to make this user’s data storage mechanism its primary data storage method, declining the good old Protected Storage. Better to say, auto-fill data and passwords, from now on, are going to be stored here.

What is so special and interesting in this mechanism that made MS decide to use it as primary? Well, first of all, it was the encryption idea, which isn’t new at all but still simple and genius, to disgrace. The idea is to quit storing encryption keys and generate them whenever that would be necessary. The raw material for such keys would be HTML page’s Web address.

Let’s see how this idea works in action. Here is IE7’s simplified algorithm for saving auto-fill data and password fields:

1. Save Web page’s address. We will use this address as the encryption key (EncryptionKey).
2. Obtain Record Key. RecordKey = SHA(EncryptionKey).
3. Calculate checksum for RecordKey to ensure the integrity of the record key (the integrity of the actual data will be guaranteed by DPAPI.) RecordKeyCrc = CRC(RecordKey).
4. Encrypt data (passwords) with the encryption key EncryptedData = DPAPI_Encrypt(Data, EncryptionKey).
5. Save RecordKeyCrc + RecordKey + EncryptedData in the registry.
6. Discard EncryptionKey.

It is very, very difficult to recover password without having the original Web page address. The decryption looks pretty much trivial:

1. When the original Web page is open, we take its address (EncryptionKey) and obtain the record key RecordKey = SHA(EncryptionKey).
2. Browse through the list of all record keys trying to locate the RecordKey.
3. If the RecordKey is found, decrypt data stored along with this key using the EncryptionKey. Data = DPAPI_Decrypt(EncryptedData, EncryptionKey).

In spite of the seeming simplicity, this Web password encryption algorithm is one of today’s strongest. However, it has a major drawback (or advantage, depending which way you look at it.) If you change or forget the original Web page address, it will be impossible to recover password for it.

Content Advisor password

And the last item on our list is Content Advisor password. CA was originally developed as a tool for restricting access to certain websites. However, for some reason it was unloved by many users (surely, you may disagree with this.) If you once turned CA on, entered a password and then forgot it, you will not be able to access the majority of websites on the Internet. Fortunately (or unfortunately), this can be easily fixed.

The actual CA password is not stored as plaintext. Instead, the system calculates its MD5 hash and stores it in Windows registry. On an attempt to access the restricted area, the password entered by user is also hashed, and the obtained hash is compared with the one stored in the registry. Take a look at PIEPR source code checking Content Advisor password:

The first thing you may think about is to try to pick the password by using the brute force or dictionary attack. However, there is a more elegant way to that. You can simply remove the hash from the registry. That’s it; so simple… Well, it’s better to rename it instead, so that if you ever need it, you can restore it back. Some programs also let users check CA password, “drag out” password hint, toggle password on/off, etc.

Brief Overview of Internet Explorer Password Recovery Programs

It’s worth noticing that not all password recovery programs suspect there are so many ways to recover passwords. Most likely, this is related to the fact that some passwords (e.g., synchronization passwords) are not often used in the real life, and FTP passwords are not so simple to be “dragged out”. Here is a brief overview of the most popular commercial products for recovering passwords for the most popular browser on earth

Advanced Internet Explorer Password Recovery from the not unknown company, ElcomSoft – does not recognize AutoForm passwords and encrypted FTP passwords. Not to be excluded, the last version of the program may have learnt to do that. Simple, convenient user interface. The program can be upgraded online automatically.

Internet Explorer Key from PassWare – similarly, does not recognize certain types of passwords. Sometimes the program halts with a critical error when reading some uncommon types of IE’s URLs. Displays first two characters of passwords being recovered. The advantages worth noticing are the Spartan user interface and operating convenience.

Internet Explorer Password from Thegrideon Software – not bad, but can recover just three types of Internet Explorer passwords (this is enough for the majority of cases.) Deals with FTP passwords properly. Version 1.1 has problems recovering AutoForm passwords. Has convenient user interface, which in some way reminds one from AIEPR. One can be totally overwhelmed with the beauty and helpfulness of the company’s website.

Internet Password Recovery Toolbox from Rixler Software – offers some greater functionality than the previously covered competitors. It can recover encrypted FTP passwords and delete selected resources. However, it has some programming errors. For example, some types of IE records cannot be deleted. The program comes with a great, detailed help file.

ABF Password Recovery from ABF software – quite a good program with friendly user interface. The list of IE record types supported by the program is not long. Nevertheless, it deals with all of them properly. The program can be classified as a multi-functional one, since it can restore passwords for other programs also.

The major drawback of all programs named here is the capability to recover passwords only for user currently logged on.

As it was said above, the general body of stored Internet Explorer resources is kept in a special storage called Protected Storage. Protected Storage was developed specially for storing personal data. Therefore the functions for working with it (called PS API) are not documented. Protected Storage was first introduced with the release of the version 4 of Internet Explorer, which, by the way, unlike the third version, was written from scratch.

So, until very recent time, all programs for recovering Internet Explorer passwords used those undocumented API. That’s the reason why one significant restriction was applied to the recovery work: PS API can only work with passwords for user that is currently logged on. When the system encrypts data stored in Protected Storage, besides everything else it uses user’s SID, without which it is literally impossible (taking into account the current level of computers’ calculating performance) to recover stored passwords.

Protected Storage uses a very well thought through data encryption method, which uses master keys and strong algorithms, such as des, sha, and shahmac. Similar data encryption methods are now used in the majority of modern browsers; e.g. in Opera or FireFox. Microsoft, meanwhile, quietly but surely develops and tests new ones. When this article is written, in the pre-Beta version of Internet Explorer 7 Protected Storage was only used for storing FTP passwords.

The analysis of this preliminary version suggests that Microsoft is preparing another “surprise” in the form of new, interesting encryption algorithms. It is not known for sure, but most likely the new company’s data protection technology InfoCard will be involved in the encryption of private data.

Thus, with a great deal of confidence one can assert that with the release of Windows Vista and the 7th version of Internet Explorer passwords will be stored and encrypted with fundamentally new algorithms, and the Protected Storage interface, to all appearances, will become open for third-party developers.

It is somewhat sad, for we think the true potential of Protected Storage was still not uncovered. And this is why we think so:

• First, Protected Storage is based on module structure, which allows plugging other storage providers to it. However, for the last 10 years while Protected Storage exists, not a single new storage provider was created. System Protected Storage is the only storage provider in the operating system, which is used by default.
• Second, Protected Storage has its own, built-in access management system, which, for some reason, is not used in Internet Explorer or in other MS products.
• Third, it is not very clear why MS have decided to decline Protected Storage in storing AutoComplete data and passwords. Decline it as a tried and true data storage, and not data encryption mechanism. It would be more logically proven to keep Protected Storage at least for storing data when implementing a new encryption algorithm. Without fail, there were weighty reasons for that. Therefore, it would be interesting to hear the opinion of MS specialists concerning this subject matter.

PIEPR – the First Acquaintance

Passcape Internet Explorer Password Recovery was developed specifically to bypass the PS API’s restriction and make it possible to recover passwords directly, from the registry’s binary files. Besides, it has a number of additional features for advanced users. The program’s wizard allows you to choose one of several operating modes:

Automatic. Current user’s passwords will be recovered by accessing the closed PS API interface. All current user’s passwords currently stored in Internet Explorer will be recovered with a single click of the mouse.

Manual. Passwords will be recovered without PS API. This method’s main advantage is the capability to recover passwords from your old Windows account. For that purpose, you will need to enter path to the user’s registry file. Registry files are normally not available for reading; however, the technology used in PIEPR allows doing that (provided you have the local administrative rights.)

User’s registry file name is ntuser.dat; its resides in the user’s profile, which is normally %SYSTEMDRIVE%:\Documents and Settings\%USERNAME%, where %SYSTEMDRIVE% stands for the system disk with the operating system, and %USERNAME% is normally account name. For instance, path to registry file may look like this: C:\Documents and Settings\John\ntuser.dat

If you have ever been a happy owner of Windows 9x/ME, after you upgrade your operating system to Windows NT, Protected Storage will providently save a copy of your old private data. As a result of that, Protected Storage may contain several user identifiers, so PIEPR will ask you to select the right one before it gets to the decryption of the data (Figure 3).

Figure 3. Selecting Protected Storage owner.

One of the listed SIDs will contain data left by the old Windows 9x/ME. That data is additionally encrypted with user’s logon password, and PIEPR currently does not support the decryption of such data.

If ntuser.dat contains encrypted passwords (e.g., FTP sites passwords), the program will need additional information in order to decrypt them (Figure 4):

1. Logon password of user whose data are to be decrypted
2. Full path to the user’s MasterKey
3. User’s SID

Figure 4. DPAPI decryption dialog for FTP passwords.

Normally, the program finds the last two items in user’s profile and fills that data automatically. However, if ntuser.dat was copied from another operating system, you will have to take care of that on your own. The easiest way to get the job done is to copy the entire folder with user’s Master Key (there may be several of them) to the folder with ntuser.dat. Master Key resides in the following folder on your local computer: %SYSTEMDRIVE%:\Documents and Settings\%USERNAME%\Application Data\Microsoft\Protect\%UserSid%, where %SYSTEMDRIVE% stands for the system disk with the operating system, %USERNAME% – account name, %UserSid% – user’s SID. For example, path to the folder with a master key may look as follows: C:\Documents and Settings\John\Application Data\Microsoft\Protect\S-1-5-21-1587165142-6173081522-185545743-1003. Let’s make it clear that it is recommended to copy the entire folder S-1-5-21-1587165142-6173081522-185545743-1003, for it may contain several Master Keys. Then PIEPR will select the right key automatically.

Windows marks some folders as hidden or system, so they are invisible in Windows Explorer. To make them visible, enable showing hidden and system objects in the view settings or use an alternative file manager.

Once the folder with user’s Master Key was copied to the folder with ntuser.dat, PIEPR will automatically find the required data, so you will only have to enter user’s password for recovering FTP passwords.

Content Advisor. CA passwords, as it was said already, is not kept as plain text; instead, it is stored as hash. In the CA password management dialog, it is enough to just delete (you can restore the deleted password at any time later) or change this hash to unlock sites locked with CA. PIEPR will also display your password hint if there is one.

Asterisks passwords. PIEPR’s fourth operating mode, which allows recovering Internet Explorer passwords hidden behind asterisks. To recover such password, simply drag the magnifier to the window with a **** password. This tool allows recovering passwords for other programs that use IE Frames as well; e.g., Windows Explorer, some IE-based browsers, etc.

We have reviewed the basic Internet Explorer password recovery modes. There is also a number of additional features for viewing and editing cookies⁷, cache, visited pages history, etc. We are not going to cover them in detail; instead, we are going to look at a few password recovery examples done with PIEPR.

Three Real-Life Examples

Example 1: Recovering current user’s FTP password.

When opening an FTP site, Internet Explorer pops up the log on dialog (Figure 5).

Figure 5. FTP logon dialog.

If you have opened this site and set the “Save password” option in the authentication dialog, the password must be saved in Protected Storage, so recovering it is a pretty trivial job. Select the automatic operating mode in PIEPR and then click “Next”. Locate our resource in the dialog with decrypted passwords that appears (the site name must appear in the Resource Name column.)

As we see, the decryption of current user’s password should not cause any special difficulties. Oh, if the password is not found for some reason – don’t forget to check IE’s Auto-Complete Settings (Figure 2). Possibly, you have simply not set the program to save passwords.

Example 2: We will need to recover Web site passwords. The operating system is unbootable.

This is a typical, but not fatal situation. The necessity to recover Internet Explorer passwords after unsuccessful Windows reinstallation occurs just as often.

In either case, we will have user’s old profile with all files within it. This set is normally enough to get the job done. In the case with the reinstallation, Windows providently saves the old profile under a different name. For example, if your account name was John, after renaming it may look like John.WORK-72C39A18.

The first and the foremost what you must do is to gain access to files in the old profile. There are two ways to doing this:

1. Install a new operating system on a different hard drive; e.g., Windows XP, and hook the old hard drive to it.
2. Create a Windows NT boot disk. There are many different utilities for creating boot disks and USB flash disks available online. For instance, you can use WinPE or BartPE. Or a different one. If your old profile was stored on an NTFS part of your hard drive, the boot disk will have to support NTFS.

Let’s take the first route. Once we gain access to the old profile, we will need to let the system show hidden and system files. Otherwise, the files we need will be invisible. Open Control Panel, then click on Folder Options, and then select the View tab. On this tab, find the option ‘Show hidden files and folders‘ and select it. Clear the option ‘Hide protected operating system files‘. When the necessary passwords are recovered, it’s better to reset these options to the way they were set before.

Open the program’s wizard in the manual mode and enter path to the old profile’s registry file. In our case, that is C:\Documents And Settings\ John.WORK-72C39A18\ntuser.dat. Where John.WORK-72C39A18 is the old account name. Click ‘Next‘.

This data should normally be sufficient for recovering Internet Explorer passwords. However, if there is at least a single encrypted FTP password, the program will request additional data, without which it will not be able to recover such types of passwords (Figure 4):

• User’s password
• User’s Master Key
• User’s SID.

Normally, the program finds the last two items in user’s profile and fills that data automatically. However, if that didn’t happen, you can do that by hand: copy ntuser.dat and the folder with the Master Key to a separate folder. It is important to copy the entire folder, for it may contain several keys, and the program will select the right one automatically. Then enter path to file ntuser.dat that you have copied to another folder.

That’s it. Now we need to enter the old account password, and the recovery will be completed. If you don’t care for FTP password, you can skip the user’s password, Master Key, and SID entry dialog.

Example 3: Recovering uncommonly stored passwords.

When we sometimes open a website in the browser, the authentication dialog appears. However, PIEPR fails to recover it in either automatic or manual mode. The ‘Save password‘ option in Internet Explorer is enabled. We will need to recover this password.

Indeed, some websites don’t let browser to save passwords in the auto-complete passwords list. Often, such websites are written in JAVA or they use alternative password storage methods; e.g., they store passwords in cookies.

If the password field is filled with asterisks, the solution is clear: select the ASTERISKS PASSWORDS operating mode and then open the magic magnifier dialog. Then simply drag the magnifier to the Internet Explorer window (Figure 6).

Figure 6. The password is behind asterisks.

The password (passwords, if the Internet Explorer window has several fields with asterisks) is to appear in the PIEPR window (Figure 7).

Figure 7. Magnifying glass in use.

But it’s not always that simple. The password field may be empty or that field may indeed contain *****. In this case, as you have guessed by now, the ASTERISKS PASSWORDS tool will be useless.

We can suppose, the password is stored in cookies. Let’s try to locate it. Choose the IE Cookie Explorer tool (Figure 8).

Figure 8. IE Cookie Explorer.

The dialog that appears will list the websites that store cookies on your computer. Click on the URL column header to order the websites list alphabetically. This will help us find the right website easier. Go through the list of websites and select the one we need. The list below will display the decrypted cookies for this website (Figгку 9).

Figure 9. Decrypted cookies.

As the figure shows, in our case the login and password are not encrypted and are stored as plain text.

Cookies are often encrypted. In this case, you are not likely to succeed recovering the password. The only thing you can try doing in order to recover the old account is to create a new account. Then you will be able to copy the old cookies in a text editor and replace them with the new ones. However, this is only good when the worst comes to the worst; it is not recommended to use it normally.

Don’t forget also that just about all pages and forms with passwords have the ‘Forgot password‘ button.

Conclusion

As this article shows, recovering Internet Explorer passwords is a pretty simple job, which does not require any special knowledge or skills. However, despite of the seeming simplicity, password encryption schemes and algorithms are very well thought through and just as well implemented. Although the Protected Storage concept is over 10 years of age, don’t forget that it has proven the very best recommendations of the experts and has been implemented through three generations of this popular browser.

With the release of the next, 7th version of IE, Microsoft is preparing fundamentally new schemes for protecting our private data, where it uses improved encryption algorithms and eliminates shortages peculiar to Protected Storage.

In particular, the analysis of the preliminary beta versions of Internet Explorer 7 has revealed that autoform password encryption keys are no longer stored along with data. They are not stored, period! This is a little know-how, which is to be estimated at its true worth by both professionals and end users, who, finally, will benefits of it anyway.

But the main thing is, the release of the new concept will eliminate the major drawback peculiar to Protected Storage, which is the possibility to recover passwords without knowing the additional information. Better to say, was enough for a potential hacker to gain physical access to the contents of a hard drive, in order to steal or damage passwords and user’s other private data. With the release of Internet Explorer 7, the situation will somewhat change.

Meanwhile, we will only have to wait impatiently for the advent of Windows Vista and IE 7 to take a closer look at new encryption mechanisms used in the next generation of this popular browser.

This document may be freely distributed or reproduced provided that the
reference to the original article is placed on each copy of this document.
(c) 2006 Passcape Software. All rights reserved.
http://www.passcape.com

*2 USERNAME.PWL (where USERNAME is your logon name) is a PassWord List file. It records passwords to resources on the network and uses them to reconnect to those resources so you don’t have to type the password again.

*3 Protected Storage provides applications with an interface to store user data that must be kept secure or free from modification. Units of data stored are called Items. The structure and content of the stored data is opaque to the Protected Storage system. Access to Items is subject to confirmation according to a user-defined Security Style, which specifies what confirmation is required to access the data, such as whether a password is required. In addition, access to Items is subject to an Access rule set. There is an Access rule for each Access Mode: for example, read/write. Access rule sets are composed of Access Clauses. Two kinds of Access Clauses are currently supported: Authenticode and Binary Check of caller. Typically at application setup time, a mechanism is provided to allow a new application to request from the user access to Items that may have been created previously by another application.
Items are uniquely identified by the combination of a Key, Type, Subtype, and Name. The Key is a constant that specifies whether the Item is global to this computer or associated only with this user. The Name is a string, generally chosen by the user. Type and Subtype are GUIDs, generally specified by the application. Additional information about Types and Subtypes is kept in the system registry and include attributes such as Display Name and UI hints. For Subtypes, the parent Type is fixed and included in the system registry as an attribute. The Type group Items is used for a common purpose: for example, Payment or Identification. The Subtype group Items share a common data format.
We’ll try to cover the Protected Storage structure in one of the upcoming articles.

*4 Starting with Microsoft® Windows® 2000, the operating system began to provide a Data Protection Application-Programming Interface (DPAPI) (API). This is simply a pair of function calls that provide OS-level data protection services to user and system processes. By OS-level, we mean a service that is provided by the operating system itself and does not require any additional libraries. By data protection, we mean a service that provides confidentiality of data through encryption. Since the data protection is part of the OS, every application can now secure data without needing any specific cryptographic code other than the necessary function calls to DPAPI. These calls are two simple functions with various options to modify DPAPI behavior. Overall, DPAPI is a very easy-to-use service that will benefit developers that must provide protection for sensitive application data, such as passwords and private keys.
DPAPI is a password-based data protection service: it requires a password to provide protection. The drawback, of course, is that all protection provided by DPAPI rests on the password provided. This is offset by DPAPI using proven cryptographic routines, specifically the strong Triple-DES and AES algorithms, and strong keys, which we’ll cover in more detail later. Since DPAPI is focused on providing protection for users and requires a password to provide this protection, it logically uses the user’s logon password for protection.
DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs.
Please refer to microsoft.com for more information.

*5 A Master Key is key data material from which other encryption/decryption keys are derived.

*6 SID – Security IDentifier.

*7 A cookie is a small bit of text that accompanies requests and pages as they go between the Web server and browser. The cookie contains information the Web application can read whenever the user visits the site. Cookies provide a useful means in Web applications to store user-specific information. For example, when a user visits your site, you can use cookies to store user preferences or other information. When the user visits your Web site another time, the application can retrieve the information it stored earlier.
Cookies are used for all sorts of purposes, all relating to helping the Web site remember you. In essence, cookies help Web sites store information about visitors. A cookie also acts as a kind of calling card, presenting pertinent identification that helps an application know how to proceed.
But often cookies criticized for weak security and inaccurate user identification.
Please refer to this page to read more.

Written By: Bryan Rite

Shout out to: Jeff :: (www.lucidinteractive.ca) for using OSX’s Airport to try and generate traffic on our first crack

Also would like to thank Alkaloid Networks for support

To all the noobies: Don’t call us and asking about how to crack networks.

Like this guy actually did

Date: 11/23/2005

Overview

This is a good one, let me tell you! There can be so many issues setting up your box to actually get the tools working and i’m not even touching on that, but if you can get everything to work, you’ll be cracking wireless networks like a pro in no time.

Disclaimer: I’m not a pro.

Pre-Installation

Checklist

• Tools
  • I’ve been really, really successful with basically one tool set called AirCrack. Download that.
  • Kismet is an excellent tool for sniffing out wireless networks as well and could prove useful.
• An encrypted wireless network.
  • We’ll be working on WEP encrypted networks as well as static passkey WPA or WPA-PSK

Note: Make sure you can get your card into monitor mode (sometimes called raw monitor or rfmon). This is VERY important

WEP Crackin

Theory

A little theory first. WEP is a really crappy and old encryption techinque to secure a wireless connection. A 3-byte vector, called an Initalization Vector or IV, is prepended onto packets and its based on a pre-shared key that all the authenticated clients know… think of it as the network key you need to authenticate.

Well if its on (almost) every packet generated by the client or AP, then if we collect enough of them, like a few hundred thousand, we should be able to dramatically reduce the keyspace to check and brute force becomes a realistic proposition.

A couple of things will cause us some problems.

• If the key is not static, then you’ll mix up all your IVs and it’ll take forever to decrypt the key.
• Theres no traffic, therefore no packets – we can fix this.
• MAC Address Filtering – we can fix this too.

Setting up your tools

We’re gonna need 3 or 4 shells open, we have 5 tools:

• airodump – Grabbing IVs
• aircrack – Cracking the IVs
• airdecap – Decoding captured packets
• airreplay – (My Favourite) Packet injector to attack APs.
• kismet – Network Sniffer, can grab IVs as well.

For a standard WEP hack we’ll usally only need airodump, aircrack, and kismet (server and client). If we run into some problems we might have to use airreplay to fiddle about.

I’ll leave you to config all these tools up, for the most part they should just be defaults with the exception of kismet.

Finding the Network

First step is we need to find a netork to crack. Start up kismet and start sniffing for APs. Leave it on for a bit so that it can discover all the important information about the networks around. What we want from kismet is:

• Encryption type: Is it WEP 64-bit? 128-bit?
• What channel is it on? Can greatly speed up IV collection.
• AP’s IP Address
• BSSID
• ESSID

All this info isn’t required but the more you have, the more options you have later to crack and sniff. We can get a lot of this from airodump as well but I find the channel is important.

Capturing IVs

Alright, we know what we wanna crack, so lets start capturing packets. You can use kismet to capture files but I prefer airodump because it keeps a running count of all the IVs I’ve captured and I can crack and airodump will automatically update aircrack with new IVs as it finds them.

Note: kimset can interfere with airodump so make sure you close it down before starting airodump.

Airodump is pretty straight forward with its command line looking something like this:

 ./airodump <interface> <output prefix> [channel] [IVs flag]

• interface is your wireless interface to use – required.
• output prefix is just the filname it’ll prepend, – required.
• channel is the specific channel we’ll scan, leave blank or use 0 to channel hop.
• IVs flag is either 0 or 1, depending on whether you want all packets logged, or just IVs.

My wireless card is ath0, output prefix i’ll use “lucid”, the channel we sniffed from kismet is 6, and IVs flag is 1 because we just want IVs. So we run:

 ./airodump ath0 lucid 6 1

Airodump will come up with a graph showing us all the APs and their relevant info, as well as client stations connected to any of the APs.

 BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID

 00:23:1F:55:04:BC   76    21995   213416   6  54. WEP   hackme 

 BSSID              STATION            PWR  Packets  Probes

 00:23:1F:55:04:BC  00:12:5B:4C:23:27  112     8202  hackme
 00:23:1F:55:04:BC  00:12:5B:DA:2F:6A   21     1721  hackme

The second line shows us some info about the AP as well as the number of beacons and data packets we’ve collected from the AP. The two last lines show us two authenticated clients. Where they are connected to and the packets they are sending. We won’t use this client info in a straight theory hack but in practice we’ll need this info to actively attack the AP.

This step may take a long time or could be very short. It depends how busy the AP is and how many IVs we are collecting. What we are doing is populating a file “lucid.ivs” with all the IV important packet info. Next, we’ll feed this to aircrack. To move onto the next step, we’ll want at least 100,000 packets (under # Data in airodump) but probably more.

Using IVs to Decrypt the Key

Ok, pretend you have enough IVs now to attempt a crack. Goto a new terminal (without stopping airodump – remember it’ll autoupdate as new IVs are found) and we’ll start aircrack. It looks something like this:

 ./aircrack [options] <input file>

There are a lot of options so you can look them up yourself, i’ll be using common ones here that should get you a crack. Our input file is “lucid.ivs”, the options we will use are:

• -a 1 : forces a WEP attack mode (2 forces WPA)
• either -b for the bssid or -e for the essid : whichever is easier to type but I like using a BSSID because its more unique.
• -n 64 or -n 128 : WEP key length, omit if not known by now.

So our command will look like:

 ./aircrack -a 1 -b 00:23:1F:55:04:BC -n 128 lucid.ivs

and off it goes, resembling the picture from the top. Keep an eye on the Unique IV count as it should increase if airodump is still running. For all intents and purposes you are done. That’ll pop open most old wireless routers with some traffic on them.

Anticipated Problems

There are lots of problems that can come up that will make the above fail, or work very slowly.

• No traffic
  • No traffic is being passed, therefore you can’t capture any IVs.
  • What we need to do is inject some special packets to trick the AP into broadcasting.
  • Covered below in WEP Attacks
• MAC Address filtering
  • AP is only responding to connected clients. Probably because MAC address filtering is on.
  • Using airodumps screen you can find the MAC address of authenticated users so just change your MAC to theirs and continue on.
  • Using the -m option you can specify aircrack to filter packets by MAC Address, ex. -m 00:12:5B:4C:23:27
• Can’t Crack even with tons of IVs
  • Some of the statistical attacks can create false positives and lead you in the wrong direction.
  • Try using -k N (where N=1..17) or -y to vary your attack method.
  • Increase the fudge factor. By default it is at 2, by specifying -f N (where N>=2) will increase your chances of a crack, but take much longer. I find that doubling the previous fudge factor is a nice progression if you are having trouble.
• Still Nothing
  • Find the AP by following the signal strength and ask the admin what the WEP key is.

WPA Crackin

Differences

WPA is an encryption algorithm that takes care of a lot of the vunerablities inherent in WEP. WEP is, by design, flawed. No matter how good or crappy, long or short, your WEP key is, it can be cracked. WPA is different. A WPA key can be made good enough to make cracking it unfeasible. WPA is also a little more cracker friendly. By capturing the right type of packets, you can do your cracking offline. This means you only have to be near the AP for a matter of seconds to get what you need. Advantages and disadvantages.

WPA Flavours

WPA basically comes in two flavours RADIUS or PSK. PSK is crackable, RADIUS is not so much.

PSK uses a user defined password to initialize the TKIP, temporal key integrity protocol. There is a password and the user is involved, for the most part that means it is flawed. The TKIP is not really crackable as it is a per-packet key but upon the initialization of the TKIP, like during an authentication, we get the password (well the PMK anyways). A robust dictionary attack will take care of a lot of consumer passwords.

Radius involves physical transferring of the key and encrypted channels blah blah blah, look it up to learn more about it but 90% of commerical APs do not support it, it is more of an enterprise solution then a consumer one.

The Handshake

The WPA handshake was designed to occur over insecure channels and in plaintext so the password is not actually sent across. There are some fancy dancy algorithms in the background that turn it into a primary master key, PMK, and the like but none of that really matters cause the PMK is enough to connect to the network.

The only step we need to do is capture a full authenication handshake from a real client and the AP. This can prove tricky without some packet injection, but if you are lucky to capture a full handshake, then you can leave and do the rest of the cracking at home.

We can force an authenication handshake by launching a Deauthentication Attack, but only if there is a real client already connected (you can tell in airodump). If there are no connected clients, you’re outta luck.

Like for WEP, we want to know the channel the WPA is sitting on, but the airodump command is slightly different. We don’t want just IVs so we don’t specify an IV flag. This will produce “lucid.cap” instead of “lucid.ivs”. Assume WPA is on channel 6 and wireless interface is ath0.

 ./airodump ath0 lucid 6

Dictionary Brute Force

The most important part of brute forcing a WPA password is a good dictionary. Check out http://www.openwall.com/wordlists/ for a ‘really’ good one. It costs money, but its the biggest and best I’ve ever seen (40 Million words, no duplicates, one .txt file). There is also a free reduced version from the same site but i’m sure resourceful people can figure out where to get a good dictionary from.

When you have a good dictionary the crack is a simple brute force attack:

 ./aircrack -a 2 -b 00:23:1F:55:04:BC -w /path/to/wordlist

Either you’ll get it or you won’t… depends on the strength of the password and if a dictionary attack can crack it.

Using Aireplay

Aireplay is the fun part. You get to manipulate packets to trick the network into giving you what you want.

WEP Attacks

Attacks used to create more traffic on WEP networks to get more IVs.

ARP Injection

ARP Replay is a classic way of getting more IV traffic from the AP. It is the turtle. Slow but steady and almost always works. We need the BSSID of the AP and the BSSID of an associated client. If there are no clients connected, it is possible to create one with another WEP attack explained below: Fake Authentication Attack.

With airodump listening, we attack:

 ./aireplay -3 -b <AP MAC Address> -h <Client MAC Address> ath0

Note: The -3 specifys the type of attack (3=ARP Replay).

This will continue to run, and airodump, listening fron another terminal, will pick up any reply IVs.

Interactive Packet Replay

Interactive Packet Reply is quite a bit more advanced and requires capturing packets and constructing your own. It can prove more effective then simple ARP requests but I won’t get into packet construction here.

A useful attack you might try is the re-send all data attack, basically you are asking the AP to re-send you everything. This only works if the AP re-encrypts the packets before sending them again (and therefore giving you a new IV). Some APs do, some don’t.

 aireplay -2 -b <AP MAC> -h <Client MAC> -n 100 -p 0841 -c FF:FF:FF:FF:FF:FF ath0

Fake Authentication Attack

This attack won’t generate any more traffic but it does create an associative client MAC Address useful for the above two attacks. Its definately not as good as having a real, connected client, but you gots to do what you gots to do.

This is done easiest with another machine because we need a new MAC address but if you can manually change your MAC then that’ll work too. We’ll call your new MAC address “Fake MAC”.

Now most APs need clients to reassociate every 30 seconds or so or they think they’re disconnected. This is pretty arbitrary but I use it and it has worked but if your Fake MAC gets disconnected, reassociate quicker. We need both the essid and bssid and our Fake MAC.

 ./aireplay -1 30 -e '<ESSID>' -a <BSSID> -h <Fake MAC> ath0

If successful, you should see something like this:

 23:47:29  Sending Authentication Request
 23:47:29  Authentication successful
 23:47:30  Sending Association Request
 23:47:30  Association successful :-)

Awesome! Now you can use the above two attacks even though there were no clients connected in the first place! If it fails, there may be MAC Address Filtering on so if you really want to use this, you’ll have to sniff around until a client provides you with a registered MAC to fake.

WPA Attacks

So far, the only way to really crack WPA is to force a re-authentication of a valid client. We need a real, actively connected client to break WPA. You might have to wait a while.

Deauthentication Attack

This is a simple and very effective attack. We just force the connected client to disconnect then we capture the re-connect and authentication, saves time so we don’t have to wait for the client to do it themselves (a tad less “waiting outside in the car” creepiness as well). With airodump running in another console, your attack will look something like this:

 aireplay -0 5 -a <AP MAC> -c <Client MAC> ath0

After a few seconds the re-authentication should be complete and we can attempt to Dictionary Brute Force the PMK.

Conclusion

Well thats that. APs crack fairly often but sometimes there is just nothing you can do. Obviously you are not allowed to illegally crack other people’s wireless connections, this is purely for penetration testing purposes and some fun.

Via: http://docs.lucidinteractive.ca

Within the users folder, the ini files will either be in a folder called “default” or a folder named after your username.

c:\program files\trillian\users\default\msn.ini

msn.ini contains:

[msn]
auto reconnect=1
save passwords=1
idle time=15
show buddy status=1
port=1863
server=messenger.hotmail.com
last msn=haxor@hotmail.com
connect num=10
connect sec=60
save status=1
ft port=6891
[profile 0]
name=haxor@hotmail.com
password=A347F2B74EE9A9F6

“password=A347F2B74EE9A9F6” is our encrypted password. The encryption used here is a simple xor encryption of the original password, which is then hexxed.

A3 47 F2 B7 4E E9 A9 F6

Ok, when beating an xor encryption…you need to know what each letter of the original password was xor’d with. Thankfully, there is an easy way to find this out – so long as you know the original pass. And, as you may guess – knowing the xor key that trillian uses to encrypt passwords, is also the key to being able to decrypt passwords that we don’t know!

First, we need to know what the hex value “A3″ (the first value of the encrypted password) represents in standard numbers. The value of “A3″ is 163. The first letter of my password is “P”, therefore – to find out what trillian xor’d with my original “P” in order to get 163 – we do the following calculation:

Numeric value of A3 = 163
Numeric (ascii) value of P = 80

Calculation: 80 XOR 163 = 243

243 is the number that the first value of your password is xor’d with. We can test this by doing the process in reverse:

First letter of password = P
Ascii value of P = 80
XOR key for 1st char = 243
Calculation = 80 xor 243 = 163
163 in Hex = A3
Encrypted password so far: A3
Go on to 2nd character…and so on…

The xor key numbers for each char are (in order):

243, 038, 129, 196, 057, 134, 219, 146, 113, 163, 185, 230, 083, 122, 149, 124, 000, 000, 000, 000, 000, 000, 255, 000, 000, 128, 000, 000, 000, 128, 128, 000, 255, 000, 000, 000, 128, 000, 128, 000, 128, 128, 000, 000, 000, 128, 255, 000, 128, 000, 255, 000, 128, 128, 128, 000, 085, 110, 097, 098, 108, 101, 032, 116, 111, 032, 114, 101, 115, 111, 108, 118, 101, 032, 072, 084, 084, 080, 032, 112, 114, 111, 120, 000

below is some VB code that demonstrates how to make a call to this dll from what i gather is that versions above either 7.0 or 7.5 use a new method to store the password im not sure of the encryption used but the pass is still in the registry under a new key called ‘ETS’ this reg entry along with the user ID under the “Yahoo! User ID” key can be exported from the registry copied from one computer to another and allow you to login as that user

declare “ycrwin32.dll” as YCRYPTO
text1.text is the username/yahoo id
text2.text will be the eoptions/encrypted password

[code]

Public Sub Grab(RegistryKey As String, RegistryInformation As String, Grab As Integer)
Dim WSHShell, RegTemp
Set WSHShell = CreateObject("WScript.Shell")
If Grab = 1 Then
RegTemp = WSHShell.RegRead(RegistryKey)
Text1.Text = RegTemp
End If
End Sub

Public Sub Grab1(RegistryKey As String, RegistryInformation As String, Grab1 As Integer)
Dim WSHShell, RegTemp
Set WSHShell = CreateObject("WScript.Shell")
If Grab1 = 1 Then
RegTemp = WSHShell.RegRead(RegistryKey)
Text2.Text = RegTemp
End If
End Sub

Private Sub Command2_Click()
Dim ycc As New YCrypto
Call ycc.Init(1, 1, Text1.Text)
Text3.Text = ycc.Decrypt(Text2.Text)
End Sub
Private Sub Command1_Click()
On Error GoTo error
Call Grab("HKEY_CURRENT_USER\Software\Yahoo\pager\Yahoo! User ID")
[/code]