If Request.Querystring("logout") <> "" Then Session("level") = ""
'// Ask for Hash If Session("level") <> "ok" Then Response.Write "<form method=""post"" action=""" & ThisPage & """><input type=""password"" name=""pass"" /><input type=""submit"" value=""LMHash""/></form>" Response.End Else '// Logged + Show logout button Response.Write "<a href=""" & ThisPage & "?logout=ok"">Return</a>" End If %>
It asks for the LM hash, then runs the command to decrypt it through rcrack.exe as defined in the sCommand variable. My problem is that the command does not quite work; rcrack.exe will run, but not with the entire string. The program will just run, and not process anything. I'm just trying to get this down for now, and then I will worry about getting the data out of the file, which probably isn't hard. If anyone could help me with this, it would be greatly appreciated.
linux_dude
Mar 21 2004, 07:12 PM
After you define sCommand, why not try echoing it to the page? Maybe you need to define it differently.
extreme
Mar 21 2004, 07:36 PM
If you can do it in PHP, I think you would get much more help
nulladd
Mar 22 2004, 10:42 AM
nice work, i currently take submissions for md5 hashes on my site but it doesnt link to rcrack, just adds to a list that i do later, simple but it works i have the code in php if anyone wants it, very basic but is a nice proof of concept
zero-maitimax
Mar 22 2004, 11:38 AM
do you think it's possible to do it in php?
Killaloop
Mar 22 2004, 11:47 AM
QUOTE (zero-maitimax @ Mar 22 2004, 11:38 AM)
do you think it's possible to do it in php?
as nulladd has said he has a proof of concept
for the main code of this topic: well I don't know what you are going to use this code for, but I wouldn't directly call the rtgen.exe after the html input. why not? imagine 1000 gso scriptkids sending hashes to your script and your script directly sends it to rtgen.exe. your machine will last 1 minute better would be to write a joplist with your script. or you echo every input into one bat file. which will be run after say every 5 minutes. this will be the easiest ways to do a stable trick I think.
what
Mar 22 2004, 07:17 PM
Instead of executing rcrack.exe directly, I've gone the route of executing a batch file first, and through it execute rcrack.exe to create the a file with the password in it, and I can append the data in the file to my ASP page. The only thing that I'm having trouble with right now is the actual code in the batch file. Right now I have:
CODE
C:\rcrack.exe *.rt -h %1 >> C:\file.txt
When I run that command from a command prompt, it runs perfectly (with %1 replaced with a hash). But when I execute it from a batch file from the ASP code with the hash appended to the end, it gives me the error "no tables found", when the previous code works fine. If anyone here is better with batch file programming, tell me what's wrong. I've also tried:
I should have lm rainbowtables next week. I was planning on making a php page for it. It can be done since php can execute cmd.exe if the right rights have been set. (witch is a slight problem in php , setting rights for system32 to exec :/ ) php dos have some problems. Like i could list a dir using cmd.exe but could not execute a program.
Anyways, i'm going to make it after my examenations next week, and share what i have.
I'm intrested in youre code nullad, would save me the job.
nulladd
Mar 22 2004, 11:01 PM
ok i will post source in a day or two (might add/fix some stuff, not sure tho)
setthesun
Mar 23 2004, 05:33 AM
Previously I wrote an online security scanner for DCOM and some other popular vulns.
'// Execute an application Function XX_Run(byVal ExecuteString) Dim WSHObj, Return Set WSHObj=CreateObject("WScript.Shell") Return = WSHObj.Run(Server.MapPath("executable.exe") & " /c " & ExecuteString) Set WSHObj=Nothing End Function
After execute this code, you need wait fo a while for execution after that you can read results by FSO from your results.txt
what
Mar 24 2004, 03:29 AM
QUOTE
no tables found hmm have you tried including the foldername?
You rock, it worked. I guess I should have read through the rcrack tutorial a little bit more, it actually tells you to do this in the directions . Anyways, I'm going to try to fine tune the code a little bit more before I put it up for the "general public". I have two more tables left to gernerate. . .
Another problem on a the same subject. At the school I work at, we use either passwords with a regular word with numbers appended to the end (such as bearssuck03) or irregular network card names (3c blah blah blah). My problem is that, from what I've heard, rainbow crack does not work correctly with passwords in lm that are over 7 digits. This is why;
QUOTE
> -> -----Original Message----- > -> From: Deus, Attonbitus [mailto:ThorHAMMEROFGOD.COM] > -> Sent: Tuesday, December 19, 2000 6:29 PM > -> To: FOCUS-MSSECURITYFOCUS.COM > -> Subject: Re: NT encryption > -> > -> > -> Let's get specific here... > -> > -> The 2 7-character chunks are not NT's hashing scheme, they are LAN > -> Manager's. For legacy authentication to LM clients, NTLM > -> will port the > -> passwords over to all uppercase characters in 2 chunks of 7 > -> alpha-numeric > -> character hashes. If you have allowed LM support, then your > -> passwords can > -> be much more easily cracked. > > Correct, but NT still utilizes them, regardless of where they were derived. > > -> NT's base NTLM authentication uses all 14 characters and is > -> case sensitive, > -> which is much harder to crack (unless you allow short passwords.) > -> Unfortunately, most people do not bother to require NTLM or > -> NTLMv2 on their > -> networks. With SP4, NT allowed the use of NTLMv2, which > -> provides full 128 > -> bit encryption if you wish to require it. And though I have > -> seen posts to > -> the contrary here, it is absolutely possible to configure > -> your Win9x clients > -> to use NTLMv2 if you want to (see Q239869). > > Yes, this is true, but that is from a client perspective. Isn't it true > that even if you force strong authentication, the IBM LanManager hash is > still stored in the SAM file? And if this is the case, then l0phtcrack can > hack the hash. > > -> As far as Win2k is concerned, you can use all of the above levels of > -> authentication, or you can go with Kerberos (but the MS flavor). > -> > -> The reason people bust on MS's authentication is that they > -> have not taken > -> the time to look into what all of the options are. Just > -> because the default > -> settings allow for weak password authentication does not > -> mean the OS in/of > -> itself has weak authentication- you just have to tell it > -> what you want. > -> Microsoft offers a plethora of information regarding the various > -> authentication schemes available on their different > -> platforms for those who > -> look for it. > > But, again, isn't this only from the client/server authentication view > point? Isn't it true that all user logins are stored in the SAM file with > both LM Hash, and NT Encrypted Hash?
213E6B40A1F26372D72AD0AACD983D38 is a password at my school that I pulled off of one of the machines. It is a lower alpha numeric, 9 digit password. I know it's LM, but I'm still having problems. I was just wondering if it was because it is more than 7 digits, and if so how I could correct it. Thanks for any help in advance.
Killaloop
Mar 24 2004, 11:27 AM
"doh finally can write again"
well just a little information why it didn't work without the foldername. actually you haven't done anything wrong it normally would work fine without foldername when rcrack.exe and the tables are in the same directory, but since you call rcrack.exe using a script which isn't in the same folder as rcrack and the tables are rcrack.exe will search for the tables within your scripts directory. just to inform you why it didn't work.
also rcrack.exe works fine with longer passes. It will crack hash after hash and stick the parts together. so lets see, this hash 9432716350DAE7E2D37A093C7DED7AA3 is in plaintext KiLLaL00P. it will split the hash to get the 7digit and the 2 digit part: rcrack would look for 9432716350DAE7E2 which would be 'KiLLal0' and it would look for D37A093C7DED7AA3 which would then be '0P'
and the final result if it finds those two hashes in your table would be KiLLal00P. This fact is the reason why you would only need 1-7 chars tables for LM to crack. it works 100% and is nice. Also if you create a new account using the windows gui manager (not via net user command) it will not create a LM hash only the NTLM one it will look like this:
however I haven't figured out whats needed to let windows calculate the LM hash, but later on the hash will be there (after reboot?, after loggin in? anyone knows maybe).
/edit Just tried it out. Windows won't create a Lanmanager hash if its longer than 14 chars. This fact I didn't know until now. So you wouldn't even need a hard to brake charset for you passwords. all you need is to use 15 chars (example: Youcannotcrackit) and all your LM hashes are worth nothing.
nulladd
Mar 29 2004, 02:19 PM
heres the current php source for my site its pretty basic cause im not into web dev that much but feel free to use any parts out of it
what
Mar 30 2004, 01:29 PM
Currently, I've made an ASP script that runs .bat, and through that runs the command in rcrack.exe . Instead of outputting the information to the screen, I've decided to output the information to a text file that would have the name of the hash on an ftp server that runs off of the same computer.
So, say you have this hash: 9432716350DAE7E2D37A093C7DED7AA3 ; and you enter it into the page. Then the output would be saved on my ftp server as 9432716350DAE7E2D37A093C7DED7AA3.txt with all of the information that rcrack.exe outputs. The main thing that I'm worried about now is the CPU usage that's going to take place. I have more than enough disk space free (250 gigs) but with even 100 people running the script at the same time, it would probably DDoS the server. I'm willing to test it out for a little while to see how it works, but I don't think that it will work out well.
Also, if you would like to help out, I will open up my ftp server soon so people can upload tables. I just want to setup a separate account so the tables will be exactly where they need to be when they are uploaded. Unfortunately, I'm at school and not in front of my server right now. I'll post the location at the end of the day today, and some more information. Thanks ahead of time for all of your help that I've already recieved.
nulladd
Mar 30 2004, 02:19 PM
i still think the joblist is a better solution
extreme
Mar 30 2004, 06:36 PM
I think it would be best to use power of Botnet for this stuff.. So I would concentrate on making some module for Bots..
FiNaLBeTa
Mar 30 2004, 07:09 PM
QUOTE (extreme @ Mar 30 2004, 06:36 PM)
I think it would be best to use power of Botnet for this stuff.. So I would concentrate on making some module for Bots..
1 , Botnets are illigal, this forum dos not enqourage them 2 , how can u use botnets? all you need is one PCU and 1 HD, this is not bruteforcing.
what
Mar 31 2004, 03:01 AM
Alright, it's all setup. Go here to check out the setup. Again, upload any tables that you can, but please run rtsort.exe and rtdump.exe on them, I've had several corrupted tables lately . Time-memory trade off kind of sucks. The script runs quickly, and "shouldn't" be a problem for right now.
daguilar01
Mar 31 2004, 03:09 AM
if youre worried about getting hammered by constant jobs, then you should consider what others are suggesting, the job list
i am also trying a rcrack type thign online what i have now is you input the a Pwdump2 line like
then they hit a button, that line gets added to a text file then i plan on making a batch script run every 30 minutes, this batch runs rcrack on the current hash txt file then outputs the rcrack resutls to atext file saves the text file as something like 03.30.04._8_00PM.txt to signafy that this text file is the cracked results for the 8:00 - 8:30 job then they can view the available text files and download which ever ones they want
most of this is still in my head, ive barely started the actual coding, so some of this might not even be possible, lol
extreme
Mar 31 2004, 07:37 AM
Botnet doesn't have to be illegal... In fact.. I have a legal one.. There are only 10 computers, but it is legal, and all computers are either mine or friends's... So, theoretically, if one computer can brute force pass in 1 hours, 10 computers will brute it in 6 minutes.. Just it would be problem how to sinchronyse database with all of them. But I made a suggestion, and maybe someone will decide to make somthing simillar..
tolf
Apr 1 2004, 05:35 AM
QUOTE (what @ Mar 31 2004, 03:01 AM)
Alright, it's all setup. Go here to check out the setup. Again, upload any tables that you can, but please run rtsort.exe and rtdump.exe on them, I've had several corrupted tables lately . Time-memory trade off kind of sucks. The script runs quickly, and "shouldn't" be a problem for right now.
can you post your asp code?
what
Apr 9 2004, 09:23 PM
CODE
<HTML> <HEAD>LM Hash Cracking Online: Your Password is >></HEAD>
<% Dim ThisPage Dim sPassword Dim sCommand Dim wsh Dim fso, f Dim urltext, MYPath
Set fso=Server.CreateObject("Scripting.FileSystemObject")
Set f=fso.OpenTextFile(Server.MapPath("file.txt"), 8, True)
Set f=Nothing
Set fso=Nothing
' READ
MYPath = Server.MapPath("file.txt")
Set Fconn = server.CreateObject("Scripting.FileSystemObject")
Set file = Fconn.OpenTextFile(MYPath,1,false)
output = file.readall
file.close
Set file = nothing
Set Fconn = nothing
Response.write output
ThisPage = Request.ServerVariables("SCRIPT_NAME")
set wsh = server.createobject("WScript.Shell")
If Request.Form("pass") <> "" Then Session("level") = "ok"
If Request.Form("pass") <> "" Then sPassword = Request.Form("pass")
sCommand = "C:\xeneo\input.bat " & sPassword
If Request.Form("pass") <> "" Then wsh.run sCommand
If Request.Querystring("logout") <> "" Then Session("level") = ""
'// Ask for Hash If Session("level") <> "ok" Then Response.Write "<form method=""post"" action=""" & ThisPage & """><input type=""password"" name=""pass"" /><input type=""submit"" value=""LMHash""/></form>" Response.End Else '// Logged + Show logout button Response.Write output & "<a href=ftp://24.98.243.112> Here</a>" End If %> </HTML>
there's the code, not all too spectacular. Here's the code for the input.bat file
all on one line. Have fun with it, I'll put the server back up for a little while.
daguilar01
Apr 10 2004, 02:40 AM
i also have some code i wrote for an rcrack online project, the only prob with mine is that i couldnt get the asp page to run the bat file, so i am going to have to go with a timer system if i wanted to run this heres a screenshot and heres my source code for the add hash to list button
CODE
Private Sub btnAddHashToList_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnAddHashToList.Click Dim datHashOutput As StreamWriter datHashOutput = New StreamWriter("C:\Inetpub\wwwroot\rCrackOnline\HashOutput.txt", True) datHashOutput.WriteLine(txtHashInput.Text) datHashOutput.Close() lblStatus.Text = "Added To Text File" btnShowHashList_Click(sender, e) End Sub
Private Sub btnShowHashList_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnShowHashList.Click Dim datHashReader As StreamReader Try datHashReader = New StreamReader("C:\Inetpub\wwwroot\rCrackOnline\HashOutput.txt") lblTextOutput.Text = datHashReader.ReadToEnd().Replace(vbCrLf, "<br>") lblStatus.Text = "Done Reading File" datHashReader.Close() Catch lblStatus.Text = "Error: Could Not Read Hash List" lblTextOutput.Text = "" End Try End Sub
Private Sub btnClearList_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnClearList.Click Dim datHashOutput As StreamWriter Try datHashOutput = New StreamWriter("C:\Inetpub\wwwroot\rCrackOnline\HashOutput.txt", False) datHashOutput.Close() lblStatus.Text = "Hash List Cleared" lblTextOutput.Text = "" Catch lblStatus.Text = "Could Not Clear Hash List" End Try End Sub
Private Sub btnShowrCrackResults_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnShowrCrackResults.Click Dim datrCrackReader As StreamReader Try datrCrackReader = New StreamReader("C:\Inetpub\wwwroot\rCrackOnline\Output.txt") lblTextOutput.Text = datrCrackReader.ReadToEnd().Replace(vbCrLf, "<br>") lblStatus.Text = "Done Reading rCrack Results" datrCrackReader.Close() Catch lblStatus.Text = "Error: Could Not Read rCrack Results" lblTextOutput.Text = "" End Try End Sub
sry there are no comments but i had no intent on showing my source, , and im a bit too lazy to go back and add comments, lol
what
Apr 13 2004, 12:18 PM
Alright, seems that I have a new problem in the code. . . . . . Below is the output from the asp page, which needs a little help;
QUOTE
lm_loweralpha-numeric#1-10_0_2400x40000000_all.rt: can't open charset configuration file
statistics ------------------------------------------------------- plaintext found: 0 of 1 (0.00%) total disk access time: 0.00 s total cryptanalysis time: 0.00 s total chain walk step: 0 total false alarm: 0 total chain walk step due to false alarm: 0
result ------------------------------------------------------- 213e6b40a1f26372 <notfound> hex:<notfound>
In the code of the batch file, I define the place that the rainbow crack tables are. Do I also need to define where the charset file is? I put the charset file in the same folder as the tables, but it really didn't help. I'll try to put it all together and see what happens.
Killaloop
Apr 13 2004, 12:46 PM
before your bat starts rainbowcrack let it switch into rainbowcrack dir. cd C:\RC rcrack.exe c:\RC\tables\*.rt -f hashes.txt
also note that your tables are ... well of no use for lanman hashes you would need alphanumeric#1-7 1-10 is completely useless and lowercase too
sebas1234
Apr 14 2004, 01:15 AM
Well im not sure if this would work, but im thinking if posible we could split up the job of making the tables. we split them into small chunks and then upload them to someone. In exchange those of us that work on this can have special axx to download the entire thing or (assuming a site is set up) to allow us to use it anytime we want. I would cut down the time of computing this by alot.
daguilar01
Apr 14 2004, 03:58 AM
QUOTE (what @ Apr 13 2004, 05:18 AM)
Alright, seems that I have a new problem in the code. . . . . . Below is the output from the asp page, which needs a little help;
In the code of the batch file, I define the place that the rainbow crack tables are. Do I also need to define where the charset file is? I put the charset file in the same folder as the tables, but it really didn't help. I'll try to put it all together and see what happens.
the charset file has to go in the same dir as rcrack.exe
Killaloop
Apr 14 2004, 08:24 AM
QUOTE (daguilar01 @ Apr 14 2004, 03:58 AM)
QUOTE (what @ Apr 13 2004, 05:18 AM)
Alright, seems that I have a new problem in the code. . . . . . Below is the output from the asp page, which needs a little help;
In the code of the batch file, I define the place that the rainbow crack tables are. Do I also need to define where the charset file is? I put the charset file in the same folder as the tables, but it really didn't help. I'll try to put it all together and see what happens.
the charset file has to go in the same dir as rcrack.exe
yep so when you work with batch files make sure you first switch into the folder where rcrack.exe is, cause it seems to have some problems if you start rainbowcrack without actually beeing in the folder. (as you have seen with the tables not found problem) if it still doesn't work look inside your charset file if your tables charset is present.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
. Anyways, I'm going to try to fine tune the code a little bit more before I put it up for the "general public". I have two more tables left to gernerate. . .
