Hacking Tools

Actually, these aren't really hacking tools. They are the "script" in "script kiddie" (newbie hacker people like me). To better aid your quest in becoming one, here's some good stuff you can pick up. These tools are specifically designed for Windows, and this page is for NT/2K/XP. Some of these tools may be able to do things with 9x also.

Note: This page would more correctly be titled "Password Cracking Tools," but for the sake of legacy, I am leaving it the way it is.

Abbreviations & Notes

LM = LanMan = old Win 9x hashing algorithm that is still supported by NT/2K/XP. Not case sensitive.
NTLM = NT LanMan = newer NT/2K/XP hashing algorithm (NTLM hashes are also referred to as NT hashes)

Alpha means the letters a-z, and on this page, they are all lowercase (when case matters).
Alphanumeric means the letters a-z and the numerals 0-9. On this page, only lowercase letters are considered when case matters.
Keyspace refers to the set of possible values for a character. For example, the word "one" is contained entirely within the alpha keyspace, or more specifically, the keyspace containing the letters e, n, and o.

The 6 character password used for the archives was "suckit"
The 2 character password used for the archives was "a1"
All tests involving 10 random alpha and alphanumeric passwords used the same sets of passwords.

The archives (Zip, RAR, ...) were cracked using a keyspace consisting of the alpha characters. Everything else was cracked using the easiest methods (to save time). For example, the Word document's password ("suckit") was cracked using several programs set to brute-force using lowercase letters. Alphanumeric passwords were cracked using the alphanumeric keyspace. No capital letters (in case-sensitive algorithms) were used in these tests.

WinZip here deals entirely with pre-WinZip9 encryption. The encryption scheme in version 9 is much stronger and I haven't played with it yet.

Performance figures are given on an Athlon XP (Barton) 2800+ (2.2GHz) with PC3000 (188MHz x2 DDR) RAM.

pwdump2

http://www.bindview.com/Services/razor/Utilities/Windows/pwdump2_readme.cfm

How useful can a little program be? This thing is only 68KB in size. What it does is dump all the user names, RIDs, LM hashes, NTLM hashes (if any), and maybe some other stuff into a colon (:) delimited text file. In fact, this program is so ubiquitous that this format of text file is referred to as a pwdump file. Cain, LC4, and tons of other programs can eat this input and barf up passwords. Very ownage. What you do with this program is copy it onto someone's computer, run it, upload the results somewhere safe, and then go home and start cracking.

I believe you need administrator privileges to be able to use this program. I think there are workarounds if you do not have this level of access, but I'm not sure.

Here's a sample:
C:\Hacking>pwdump2 > hashes.txt

Now, the file hashes.txt will contain something like this (username:RID:LM hash:NTLM hash):

USER0:501:165a1fabd5c06a68aad3b435b51404ee:acajtxaxdhgbw47gcyq245sz1rxas4ee:::
USER1:1001:cf1a193bf3053bc4aad3b435b51404ee:2d53xtwev5wv47vze4cze547bz2sc6zse::
USER2:1002:cf8465783349c275aad3b435b51404ee:95y689y596y95c98yto8zy8ty84v04ee:::
USER3:1003:fa2991e294ec4b1caad3b435b51404ee:hdcmkajhtkehcm3985csdrhc34h404ee:::

You can then open it with another program and have fun.

Performance
There isn't a performance issue here. It produces its output instantly.

Cain & Abel v2.5 beta 41

http://www.oxid.it/

This has gotta be the best all-around free thing I know how to use. A few of its functions follow. It can send Abel, which is basically a backdoor, onto a remote computer, allowing you system-level access (even higher than Administrator) to it via a console. It has a sniffer and an ARP poison router, which allows all the traffic on your network segment to be routed through you so that you can inspect all the packets. This allows Cain to extract all sorts of yummy passwords from it and to crack the encrypted ones. Among the passwords it can read/crack: FTP, HTTP, IMAP, POP3, SMB, Telnet, ICQ, MSN, RADIUS, LM, NTLM, NTLMv2, and MD2/4/5 and SHA-1 hashes.

One of the major flaws in this program is the cracking method. It can only do passwords individually, meaning that cracking two passwords will take twice as long as cracking one password. Although it may sound logical at first, it is a major drawback, as will be shown in the next section. Another flaw is that LM cracking is slower than NTLM cracking by almost 50% (LM is inherently much less secure and easier to crack than NTLM). This implies poor code efficiency in the LM hashing algorithm implemented by Cain. However, mad props for its speed on NTLM hashes, especially when compared to LC4 (below).

Performance
10 random NT hashes, 7 random letters each
    -Brute Force: 84 minutes for the first password. All ten passwords would take about 500 minutes.
    -Using 1 Rainbow Table: 79 seconds (1:19) to recover 8 (the other 2 failed)
    -Using 2 Rainbow Tables: 99 seconds (1:39) to recover 10
10 random NT hashes, 7 random alphanumerics each
    -Using 1 Rainbow Table: 51 seconds (0:51) to recover 8 (the other 2 failed)
    -Using 2 Rainbow Tables: 78 seconds (1:18) to recover 10
LM passwords per second: 1,600,000
NTLM passwords per second: 2,900,000
LM challenge/response passwords per second: 1,070,000

@stake L0phtcrack 4.00

http://www.atstake.com/

Deadly. This program can take NT/2K/XP password hashes in a variety of formats, such as SAM files (although syskey makes this not work on 2K/XP), pwdump output, the registry, its built-in sniffer... etc. It can crack using LM, NTLM, LM challenge/response, or NTLM challenge/response. This is about the only function of this program. It can't really do anything else.

It can crack a big list of passwords in a group, instead of doing them one by one. It takes a dictionary word or a brute-force string, hashes it, and compares it to all of the hashes of the unknown passwords, instead of just one. (Challenge/response pairs must be cracked individually.) This way, it can crack 1000 passwords only marginally slower than it can crack a single one, making large operations much easier.

For some reason, the challenge/response cracking is extremely slow! Compare the figure below with Cain's! The LM performance is incredible, however.

Performance
10 random NT hashes, 7 random letters each
    -2 passwords were cracked within 3 minutes
    -5 passwords were cracked within 14 minutes
    -10 passwords were cracked within 31 minutes
LM passwords per second: 5,800,000
NTLM passwords per second: 1,000,000
LM challenge/response passwords per second: 23,000

rcrack

http://www.antsight.com/zsl/rainbowcrack/

I'm not really sure how to use this thing. There is a lot of theory behind it, and it's a lot of math. I'm going to read it some other day, but right now I'm too busy. It is probably something that will take me more than a week to understand, if I can at all.

It sounds very simple, though. What it does is generate a table of hashes. It's like a brute forcer. It generates all possible combinations of your keyspace (like alpha, alphanumeric, alphanumeric + symbols, etc.) and then the corresponding hash entries for them (in this case, the hash is LM). Then you sort by hash value, and cracking a hash value becomes too easy. However, it does require a little bit of disk space. For alphanumeric passwords (I think it only does up to 7 characters), the 5 (I don't know why there are 5 - I think that less will work at a lower success rate) tables are 3GB in size (610MB each). Although there is huge disk and time consumption for the table generation, cracking stuff later is very easy and fast. In fact, Cain can even use rainbow tables, but with somewhat slower speed.
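LC4's "hash once, compare against every unknown" trick (described under L0phtcrack above) and the precomputed table rcrack is built on both rest on one property the page only hints at: LM and NTLM hashes carry no salt. The script below is an added example, not code from the page or from any of the tools it reviews; it counts hash operations for the per-hash method, the batch method, and a precomputed table over the page's alpha keyspace, and goes one step past the page by showing that a per-account salt drops every method back to per-hash cost. It assumes SHA-256 as a stand-in for LM/NTLM (so it runs without MD4), a 2 character keyspace to keep it fast, and the function names are my own.

```python
import hashlib
import itertools
import string

# Added example, not from the page or from any tool it reviews. SHA-256 stands in
# for LM/NTLM (an assumption, so the script needs no MD4); the scaling argument
# the page makes does not depend on which hash function is used.
ALPHA = string.ascii_lowercase  # the page's "alpha" keyspace


def h(password, salt=""):
    """Hash a candidate; LM/NTLM use no salt, so salt defaults to empty."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def keyspace(length, alphabet=ALPHA):
    """Every string of the given length over the alphabet, in brute-force order."""
    return ("".join(t) for t in itertools.product(alphabet, repeat=length))


def search_each(targets, length):
    """Per-hash search (Cain's method per the page): targets is a list of
    (salt, hash) pairs; cost grows with the number of hashes."""
    found, hash_ops = {}, 0
    for salt, target in targets:
        for cand in keyspace(length):
            hash_ops += 1
            if h(cand, salt) == target:
                found[target] = cand
                break
    return found, hash_ops


def search_batch(hashes, length):
    """Batch search (LC4's method per the page): each candidate is hashed once
    and checked against every outstanding hash. Only works when hashes are unsalted."""
    wanted, found, hash_ops = set(hashes), {}, 0
    for cand in keyspace(length):
        if not wanted:
            break
        hash_ops += 1
        digest = h(cand)
        if digest in wanted:
            found[digest] = cand
            wanted.discard(digest)
    return found, hash_ops


def precompute_table(length):
    """rcrack-style idea as the page describes it: hash the whole keyspace once,
    keyed by hash, so later lookups cost one dictionary access each."""
    return {h(cand): cand for cand in keyspace(length)}
```

With five 2 character targets the per-hash search performs 3370 hash operations against 676 for the batch search, and the table answers each lookup with a single dictionary access. Against salted hashes the batch search and the table find nothing, which is the property a defender wants from a password store.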

Performance
Each alphanumeric table takes 1350 minutes (22:30) to compute, for a total of 6750 minutes (112:30).
The sorting takes about 5 minutes for each 610MB file.
10 random NT hashes, 7 random letters each
    -Using 1 Rainbow Table: 47 seconds (0:47) to recover 8 (the other 2 failed)
    -Using 2 Rainbow Tables: 75 seconds (1:15) to recover 10
10 random NT hashes, 7 random alphanumerics each
    -Using 1 Rainbow Table: 47 seconds (0:47) to recover 8 (the other 2 failed)
    -Using 2 Rainbow Tables: 75 seconds (1:15) to recover 10

AccessData Password Recovery Toolkit 5.0

http://www.accessdata.com/

The demo can crack zip (8.1 or less), old PGP key rings (not recommended... it may take longer than the span of the universe), and Windows 95 screensaver passwords. I tried to crack two zip files with it. It returned a false password for one of them, and it gave up on the other. However, it works on all test zip files that I generate. Inexplicable.

Performance
Zip passwords per second: 1,500,000
2 character zip password: <1 second
6 character zip password: 70 seconds

Advanced Office 2000 Password Recovery 1.10

This is an outdated version of http://www.elcomsoft.com/aoxppr.html.

This has been pretty useful. It works on most Office XP documents as well. Microsoft Word, Excel, Access, Outlook, Money, Schedule+, Backup, Mail, Visio, PowerPoint, Project, and Pocket Excel are all supported. A coworker once lost his Outlook password and ordered me to recover it. This handy-dandy thing did it practically instantly (Outlook PST files used to be very insecure).

As a test, I "protected" (made read-only) a Word file and opened it with this program. It said it can't recover the password instantly, but can destroy the old password and replace it with a new (or blank) one, which it did. Very nice. Very user-friendly, as well.

Performance
Word passwords per second: 530,000
Excel passwords per second: 470,000
6 letter Word password: 7 minutes
Outlook PST files protected with "compressible encryption" and "best encryption" take 0 seconds to recover.

Advanced Office XP Password Recovery 2.40

This is the almost up-to-date version of the above (http://www.elcomsoft.com/aoxppr.html).

It's pretty much the same thing. It supports the same types of files, and it's a little slower. The two versions can coexist, though, so you can utilize a combination of both to the fullest benefit. This version is a little prettier.

Performance figures are based on Office 97/2000 compatible encryption. The newer XP schemes are more secure and will take longer to crack.

Performance
Word passwords per second: 500,000
Excel passwords per second: 435,000
Any Office XP file encrypted with CSP (passwords/second): 420,000
6 letter Word password: 8 minutes

Advanced Archive Password Recovery 2.20

http://www.elcomsoft.com/archpr.html

Wow, this program is a definite winner. It cracks Zip, RAR, ARJ, ACE files, and their self-extracting EXE counterparts. Deadly.

It failed opening my ACE file though. I put a few files into a WinACE 2.11 archive and put a password on it, but this program would not recognize it as a valid ACE file. I think it's because WinACE 2.5 is already out. I was also unable to produce ARJ test files.

Don't make fun of it for its crap RAR cracking speed. RAR passwords are pretty deadly, and other programs don't do much better.

Performance
Zip passwords per second: 11,800,000
6 character zip password: 100 seconds
2 character zip password: 0.02 seconds
RAR passwords per second: 19 (yes, that's a million times slower than zip)
6 character RAR password: several years
2 character RAR password: 3.2 seconds

RAR Password Cracker 4.12

http://www.rarpasswordcracker.com/

Umm, this program only does one thing, and although it does it well compared to other programs, overall its performance blows. Look at those numbers! It's not the programmer's fault, though. RAR passwords are just too secure.

This program performs somewhat better than the AAPR 2.20 (above). In fact, it does 74% better. But either way, this kind of speed is ludicrous. It is way slow. There's no way any kind of existent password will be cracked in under a century on current machines.

Performance
RAR passwords per second: 33
6 character RAR alpha password: 3.2 years
2 character RAR alpha password: 10 seconds


Last updated December 30, 2004.