Lots of password finding and crack topics were covered. Hashcat, OCLHashcat, Cain, SAMDump2, Nir’s Password Recovery Tools, Password Renew, Backtrack 4 R1, UBCD4Win and much more.

Part 1: Topics include: Why exploit local passwords?, Scenario:Imaged Systems, Grabbing local passwords, Hash Examples, Great Resources, Platforms Used: Ubuntu, Backtrack, UBCD4Win, Windows Profile, Windows System Trifecta, Anti-Virus Pains, Getting an account/changing an account password, hash insertion, Sala’s Password Renew, Keyloggers, Boot CD demos, SAMDump2, Browser Passwords, IE, Firefox Etc., PSPV, PasswordFox, IE Passview, ChromePass, RDP and VNC password grabbing, Instant Messaging, Stupid Web Apps rant, AOA: Any Old Asterisks (stuff hidden by Asterisks), Network Shares stored passwords, Outlook PST password cracking and hash collision example, Wireless profile passwords, WirelessKeyView, Sniffing them off the wire with Wireshard and Cain.
Download Class 1

Part 2: The best single video out there for showing Hashcat and OCLHashcat. Lots of info about using Hashcat/OCLHashcat, its advantages, and the power of a video card to boost cracking speed.
Download Class 2

Part 3: Windows LM and NTLM hash cracking, Time Memory Tradeoffs, SAM Cracking Prevention, Linux/Unix passwd and shadow files, Parts of a *nix hash, Windows Cached Domain Credentials, Problems with Windows 7, Cracking Creds Countered, Finding where Unknown Apps store passwords, System Process Monitoring, RegFromApp, ProcessActivityView, Procmon (Process Monitor), finding the hash type, Other Weird Vectors, Inverse Bruteforce, Look in the logs for passwords, upcoming events.
Download Class 3

1 LM vs. NTLM
2 Syskey
3 Cracking Windows Passwords
   3.1 Extracting the hashes from the Windows SAM
      3.1.1 Using BackTrack Tools
         3.1.1.1 Using bkhive and samdump v1.1.1 (BT2 and BT3)
         3.1.1.2 Using samdump2 v2.0.1 (BT4)
         3.1.1.3 Cached Credentials
      3.1.2 Using Windows Tools
         3.1.2.1 Using fgdump
         3.1.2.2 Using gsecdump
         3.1.2.3 Using pwdump7
         3.1.2.4 Cached Credentials
   3.2 Extracting the hashes from the Windows SAM remotely
      3.2.1 Using BackTrack Tools
         3.2.1.1 ettercap
      3.2.2 Using Windows Tools
         3.2.2.1 Using fgdump
   3.3 Cracking Windows Passwords
      3.3.1 Using BackTrack Tools
         3.3.1.1 John the Ripper BT3 and BT4
            3.3.1.1.1 Cracking the LM hash
            3.3.1.1.2 Cracking the NTLM hash
            3.3.1.1.3 Cracking the NTLM using the cracked LM hash
            3.3.1.1.4 Cracking cached credentials
         3.3.1.2 John the Ripper - current
            3.3.1.2.1 Get and Compile
            3.3.1.2.2 Cracking the LM hash
            3.3.1.2.3 Cracking the LM hash using known letter(s) in known location(s) (knownforce)
            3.3.1.2.4 Cracking the NTLM hash
            3.3.1.2.5 Cracking the NTLM hash using the cracked LM hash (dumbforce)
            3.3.1.2.6 Cracking cached credentials
         3.3.1.3 Using MDCrack
            3.3.1.3.1 Cracking the LM hash
            3.3.1.3.2 Cracking the NTLM hash
            3.3.1.3.3 Cracking the NTLM hash using the cracked LM hash
         3.3.1.4 Using Ophcrack
            3.3.1.4.1 Cracking the LM hash
            3.3.1.4.2 Cracking the NTLM hash
            3.3.1.4.3 Cracking the NTLM hash using the cracked LM hash
      3.3.2 Using Windows Tools
         3.3.2.1 John the Ripper
            3.3.2.1.1 Cracking the LM hash
            3.3.2.1.2 Cracking the NTLM hash
            3.3.2.1.3 Cracking the NTLM hash using the cracked LM hash
            3.3.2.1.4 Cracking cached credentials
         3.3.2.2 Using MDCrack
            3.3.2.2.1 Cracking the LM hash
            3.3.2.2.2 Cracking the NTLM hash
            3.3.2.2.3 Cracking the NTLM hash using the cracked LM hash
         3.3.2.3 Using Ophcrack
            3.3.2.3.1 Cracking the LM hash
            3.3.2.3.2 Cracking the NTLM hash
            3.3.2.3.3 Cracking the NTLM hash using the cracked LM hash
         3.3.2.4 Using Cain and Abel
      3.3.3 Using a Live CD
         3.3.3.1 Ophcrack
4. Changing Windows Passwords
   4.1 Changing Local User Passwords
      4.1.1 Using BackTrack Tools
         4.1.1.1 chntpw
      4.1.2 Using a Live CD
         4.1.2.1 chntpw
         4.1.2.2 System Rescue CD
   4.2 Changing Active Directory Passwords
5 plain-text.info
6 Cracking Novell NetWare Passwords
7 Cracking Linux/Unix Passwords
8 Cracking networking equipment passwords
   8.1 Using BackTrack tools
      8.1.1 Using Hydra
      8.1.2 Using Xhydra
      8.1.3 Using Medusa
      8.1.4 Using John the Ripper to crack a Cisco hash
   8.2 Using Windows tools
      8.2.1 Using Brutus
9 Cracking Applications
   9.1 Cracking Oracle 11g (sha1)
   9.2 Cracking Oracle passwords over the wire
   9.3 Cracking Office passwords
   9.4 Cracking tar passwords
   9.5 Cracking zip passwords
   9.6 Cracking pdf passwords
10 Wordlists aka Dictionary attack
   10.1 Using John the Ripper to generate a wordlist
   10.2 Configuring John the Ripper to use a wordlist
   10.3 Using crunch to generate a wordlist
   10.4 Generate a wordlist from a textfile or website
   10.5 Using premade wordlists
   10.6 Other wordlist generators
   10.7 Manipulating your wordlist
11 Rainbow Tables
   11.1 What are they?
   11.2 Generating your own
      11.2.1 rcrack - obsolete but works
      11.2.2 rcracki
      11.2.3 rcracki - boinc client
      11.2.4 Generating a rainbow table
   11.3 WEP cracking
   11.4 WPA-PSK
      11.4.1 airolib
      11.4.2 pyrit
12 Distributed Password cracking
   12.1 john
   12.2 medussa (not a typo this is not medusa)
13 using a GPU
   13.1 cuda - nvidia
   13.2 stream - ati

Cracking_Passwords_Guide.pdf

The main features of hashcat are:

* It is free.
* Native binaries for Linux and Windows.
* Multi-threaded.

* Supports the following hashes:

* MD5
* md5($pass.$salt)
* md5($salt.$pass)
* md5(md5($pass))
* md5(md5(md5($pass)))
* md5(md5($pass).$salt)
* md5(md5($salt).$pass)
* md5($salt.md5($pass))
* md5($salt.$pass.$salt)
* md5(md5($salt).md5($pass))
* md5(md5($pass).md5($salt))
* md5($salt.md5($salt.$pass))
* md5($salt.md5($pass.$salt))
* md5($username.0.$pass)
* md5(strtoupper(md5($pass)))
* SHA1
* sha1($pass.$salt)
* sha1($salt.$pass)
* sha1(sha1($pass))
* sha1(sha1(sha1($pass)))
* MySQL
* MySQL4.1/MySQL5
* MD5(WordPress)
* MD5(phpBB3)
* MD5(Unix)
* SHA-1(Base64)
* SSHA-1(Base64)

* Supports the following attacks:

* Straight-Words Attack
* Combination-Words Attack
* Toggle-Case Attack
* Brute-Force Attack

* All Attack-Modes except Brute-Force can be extended by Hybrid-Attack rules.
* Hybrid-Attack engine is mostly compatible with JTR / PasswordsPro.
* Possible to resume or limit session.

It also has some special features:

* Automatically recognizes already recovered hashes from outfile at startup.
* Automatically generate random rules for Hybrid-Attack.
* Load hashlist that include more than 3 million hashes of any supported type at once.
* Load saltlist from external file and then use them in a Brute-Force Attack variant.
* Able to work in an distributed environment.

There are some more things you should know:

* You can specify multiple wordlists and also multiple directories of wordlists.
* Number of threads can be configured.
* Threads run on lowest priority.

Get It Here: hashcat

src: arstechnica.com

These start-up modes include booting from an install DVD and resetting the password, using Target Disk Mode to use your Mac as an external hard disk, or booting into Unix-style Single User Mode.

There is a way to protect your computer by setting a firmware password. The password is written into the computer’s firmware chips on the motherboard and if anyone tries to use a special start-up mode, they will be prompted for that password.

Apple provides a utility for setting a firmware password called Firmware Password Utility.

For Mac OS X 10.5.x, start from the Leopard Install DVD and choose Firmware Password Utility from the Utilities menu.

1. Click to select the checkbox for “Require password to change Open Firmware settings”, as shown below.

2. Type your password in the Password and Verify fields.

3. Click OK

4. Click lock icon to prevent further changes

5. Choose Quit from the application menu

Now, if anyone attempts to use any of the special start-up modes, they will be prompted for the firmware password you set.

via: mac101.net

ElcomSoft has released a new version its Distributed Password Recovery program for recovering system and document passwords at speeds of up to 1 billion passwords per second. Among the passwords the software can recover are system passwords such as NTLM (Windows logon passwords) and startup passwords, MD5 hashes, password-protected documents created by Microsoft Office 97-2007, PDF files created by Adobe Acrobat, as well as PGP, UNIX, and Oracle.

What’s interesting about the ElcomSoft approach is that the company is using multiple GPU-based video cards such as NVIDIA’s GeForce GTX280 in parallel to process hundreds of billions fixed-point calculations per second. This means, says ElcomSoft, that this release of the Distributed Password Recovery program can try around 5,000 passwords per second for Office 2007 documents with a single GeForce GTX260, while regular Core2Duo processors can only try up to 200 passwords per second.

ElcomSoft claims that all users have to do is insert into a PC video cards (like the GeForce GTX280) to take advantage of the capabilities. Unlike NVIDIA SLI mode (Scan Line Interleaving) that enables transparent use of multiple GPUs, ElcomSoft uses the computational power of several NVIDIA cards no matter if they are of the same kind. Currently supporting all GeForce 8 and GeForce 9 boards, the acceleration technology offloads parts of computational-heavy processing onto the fast and highly scalable processors featured in the NVIDIA’s graphic accelerators.

The acceleration technology developed by ElcomSoft allows the execution of mathematically intensive password recovery code on the massively parallel computational elements found in NVIDIA graphic accelerators. The GPU acceleration is unique to Elcomsoft Distributed Password Recovery, making password recovery up to 50 times faster compared to password recovery methods that only use the computer’s main CPU.

The password checking routine of DriveCrypt fails to sanitize the BIOS keyboard buffer before AND after reading passwords.

Affected Software

Secu Star’s DriveCrypt Plus Pack v3.9 (possibly other versions also)

Technical Description

DriveCrypt’s pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0×40:0x1e. It is also possible for a root user to reboot the computer by instrumenting the BIOS keyboard buffer in spite of the full disk encryption.

Impact

1) Plain text password disclosure. Required privileges to perform this operation are OS dependant, from unprivileged users under Windows (any), to root under most Unix. 2) A privileged attacker able to write to the MBR and knowing the password (for instance thanks to 1), is able to reboot the computer in spite of the password prompted at boot time (and in spite of disk encryption) by initializing the BIOS keybaord buffer with the correct password (using an intermediary bootloader that will in turn run DriveCrypt).

Full Technical Whitepaper

http://www.ivizsecurity.com/security-advisory-iviz-sr-0807.html

Features:
» Runs on Windows, Linux/Unix, Mac OS X, …
» Cracks LM and NTLM hashes.
» Free tables available for Windows XP and Vista.
» Brute-force module for simple passwords.
» LiveCD available to simplify the cracking.
» Loads hashes from encrypted SAM recovered from a Windows partition, Vista included.

Starting with version 2.3, Ophcrack also cracks NT hashes. This is necessary if generation of the LM hash is disabled (this is default for Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored).

Download