– RAdmin v2.x
– Lineage II C4
– Domain Cached Credentials
Types of attacks and other features:
– Passwords recovery using the following methods:
• Preliminary attack
• Brute force attack (including distributed attack)
• Mask attack
• Simple dictionary attack
• Combined dictionary attack
• Hybrid dictionary attack
• Rainbow attack
– Recovery of passwords of up to 127-character length
– Recovery of passwords for incomplete hashes of any type
– User hash editor
– Searching data on the list of imported users
– Quick-add hash using a dialog box
– Quick-add hashes from Clipboard
– Quick-check current password for all imported users
– Support for character replacement tables in the hybrid dictionary attack
– Unlimited number of dictionaries available for the dictionary attack
– Unlimited number of tables available for the Rainbow attack
– Unlimited number of users with hashes that can be processed (in the licensed version)
Types of attacks explained:
Preliminary Attack
This type of attack is a quick check of the user hashes against simple passwords such as „123“, „qwerty“, „99999“, etc., and against passwords found earlier and stored in the „PasswordsPro.dic“ file.
Brute Force Attack
This type of attack is the total check of all possible password values.
The brute force attack also includes the distributed attack, which allows using multiple computers for password recovery by distributing the calculation load among them. This mode is enabled automatically when the user specifies more than one computer for the attack; at the same time, the range selection feature becomes available for the current computer. So, to start a distributed attack, you have to:
1. Run this program on several computers.
2. Choose how many computers are to facilitate the attack.
3. Set the same attack options on all computers that are to facilitate the attack.
4. Choose an individual passwords attack range for each of the computers.
5. Launch brute force attack on all computers.
Mask Attack
This type of attack is used when the user has partial information about the lost password. For example:
– The password begins with the „12345“ character combination.
– The first 4 characters of the password are digits, the others are Latin letters.
– And so on.
For that purpose, define a mask for every character of the password to be recovered in the mask attack settings. The symbolic notations of the standard or custom character sets – ?u, ?d, ?2, etc. – are used as mask characters (see the Character sets tab in the program options).
Simple Dictionary Attack
This type of attack is the attempt to find the hash match in text files – dictionaries.
Combined Dictionary Attack
This type of attack checks passwords made of several words taken from different dictionaries. It allows recovering complex passwords like „superadmin“, „admin*admin“, etc.
Hybrid Dictionary Attack
This type of attack modifies the passwords from the dictionaries (for example, shifts the password to upper case, appends ‚1‘ to the end of the password, etc.) and checks the results as user passwords. The actions performed on the source passwords are the so-called „rules“; the full list of these rules can be found in the „Rules.txt“ file in the software installation archive.
Rainbow Attack
This type of attack uses the Rainbow technology (http://www.antsight.com/zsl/rainbowcrack/) for creating pre-calculated tables.
Q1: I have hash „XXXYYYZZZ“. What is its type (i.e. hashing algorithm)?
A: Here are some types of hashes supported by PasswordsPro (or by other applications):
• if the hash begins with the „$1$“ signature, it’s usually an MD5(Unix) hash.
• if the hash begins with the „$apr1$“ signature, it’s usually an MD5(APR) hash.
• if the hash is 8 bytes long, it may be a MySQL hash or any longer hash cut down to 8 bytes, for instance an MD5 hash.
• 16-byte hashes are usually:
– MD4, MD5 and other hashes
– some salted hashes like md5(md5($pass).$salt)
– some composite hashes like md5(md5($pass)), etc.
• if the hash is 20 bytes long, it may be a SHA-1 or a MySQL5 hash.
If the hash type is unknown, you can try to figure out the algorithm used by the program that created the hash, for example by analyzing the source code of the PHP script that uses this hash.
You can always check the look of any hash using the Hash Generator service, which recognizes over 100 types of hashes.
Sometimes a hash may be Base64-encoded, and it will have to be decoded for precise analysis. The above-mentioned service or an appropriate utility can help you with that as well.
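The heuristics in this answer (prefix signature first, then digest length, with Base64 decoded back to bytes) can be turned into a small triage helper. The following is an added example written for this page, not code from PasswordsPro; the sample strings are constructed (md5 and sha1 of the word "password", plus a placeholder crypt-style string) and the result is a shortlist for manual review, not a definitive identification.

```python
import base64
import binascii
import re

# Prefix signatures named in the FAQ above, checked before any length heuristic.
SIGNATURE_PREFIXES = (
    ("$1$", "MD5(Unix)"),
    ("$apr1$", "MD5(APR)"),
)

# Plausible algorithms by digest length in bytes (two hex characters per byte).
LENGTH_CANDIDATES = {
    8: ["MySQL (old)", "longer hash truncated to 8 bytes (e.g. MD5)"],
    16: ["MD4", "MD5", "salted MD5 variant such as md5(md5($pass).$salt)",
         "composite MD5 such as md5(md5($pass))"],
    20: ["SHA-1", "MySQL5"],
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def decoded_length(value):
    """Return (byte_length, encoding) for a hex or Base64 string, or (None, None).
    Hex is tested first because a 32- or 40-character hex string is also valid Base64."""
    if HEX_RE.match(value) and len(value) % 2 == 0:
        return len(value) // 2, "hex"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None, None
    return len(raw), "base64"


def guess_hash_type(value):
    """Apply the FAQ's heuristics to one hash string. Returns the detected
    encoding, the digest length in bytes and a list of plausible algorithms."""
    value = value.strip()
    if not value:
        return {"encoding": "unknown", "bytes": None, "candidates": []}
    for prefix, name in SIGNATURE_PREFIXES:
        if value.startswith(prefix):
            return {"encoding": "crypt", "bytes": None, "candidates": [name]}
    length, encoding = decoded_length(value)
    if length is None:
        return {"encoding": "unknown", "bytes": None, "candidates": []}
    return {"encoding": encoding, "bytes": length,
            "candidates": list(LENGTH_CANDIDATES.get(length, []))}


# Constructed samples: a placeholder MD5(Unix)-style string (not a real digest),
# md5("password") as hex and as Base64, and sha1("password") as hex.
SAMPLES = [
    "$1$saltsalt$placeholderdigest",
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "X03MO1qnZdYdgyfeuILPmQ==",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", guess_hash_type(sample))
```

Because a 16-byte digest can be MD4, MD5 or one of the salted and composite MD5 variants, the length check can only narrow the field; the prefix signatures are the only part of these heuristics that identifies an algorithm outright.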
Q2: If it’s so easy to calculate the hash for my password, why can’t I recover the password from the hash?
A: Any hashing algorithm is in fact the calculation of a checksum of the source text. It involves one-way operations on the source message, such as AND. For example, even if we know Y and Z in the equation „X AND Y = Z“, we still cannot find the exact value of X (the most we can do is calculate the range of possible X values that satisfy the equation). That is one of the reasons why the inverse transformation „hash -> password“ is impossible (in theory you could compute the range of possible source passwords, but in practice that is not feasible). The second reason why the source password cannot be found precisely from a hash is the issue of collisions.
Q3: What are „collisions“?
A: Since the output values (all possible hashes) of any hashing algorithm are limited by the hash size (for example, the number of possible MD5 hashes is 2^128, or about 3.4*10^38), while the number of input values (source messages) is unlimited, it is clear that there are source messages with identical hashes. Such source messages are called collisions.
Q4: What are „salt“ and „salted hashes“?
A: Salt is most widely used to ensure that users with the same password have different hashes. The salt is usually a string of 4 to 8 random characters that is additionally fed into the password hashing and is saved together with the final hash (MD5(Unix) hashes do this, for example) or stored separately.
Q5: Why are salted hashes recovered at such a low speed?
A: Here is the picture. Attacking regular (non-salted) hashes works as follows: the hash of the current candidate password is calculated once and then compared to every hash being attacked. For salted hashes, the current candidate password has to be hashed separately for each user, because each user has a different salt. Naturally, the attack speed drops as the number of users grows.
Q6: Why are MD5(Unix) and MD5(APR) hashes recovered so slowly?
A: Because both algorithms use a 1000-iteration hash generation loop, where each iteration involves 2 to 4 regular MD5 computations. So the attack speed for such hashes is thousands of times lower than the speed of recovering regular MD5 hashes.
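Q4 to Q6 describe two defensive properties of a password store: a per-user salt forces one hash computation per user for every guess, and an iterated scheme multiplies that again by the round count. The example below is added for this page (it is not PasswordsPro code) and measures those costs directly by counting MD5 invocations. The accounts, salts and the simplified iterated scheme are constructed for illustration; the loop is not md5crypt, it only models the per-round cost the FAQ describes.

```python
import hashlib

# Constructed sample accounts; alice and carol deliberately share a password.
SAMPLE_USERS = {"alice": "password", "bob": "letmein", "carol": "password"}


class CountingHasher:
    """MD5 wrapper that counts digest computations, so the cost of checking
    one guess is measured rather than estimated."""

    def __init__(self):
        self.calls = 0

    def md5(self, data: bytes) -> str:
        self.calls += 1
        return hashlib.md5(data).hexdigest()


def plain_hash(hasher, password):
    """Unsalted hash: identical passwords give identical stored values."""
    return hasher.md5(password.encode())


def salted_hash(hasher, password, salt, rounds=1):
    """Constructed salted, iterated scheme: md5(salt + password), then re-hashed
    with the salt until `rounds` digests have been computed in total.
    This is NOT md5crypt; it only models the per-round cost of MD5(Unix)."""
    digest = hasher.md5(salt.encode() + password.encode())
    for _ in range(rounds - 1):
        digest = hasher.md5(digest.encode() + salt.encode())
    return digest


def build_store(hasher, salted, rounds=1):
    """Build the stored-credential table. Salts are fixed here so the example is
    deterministic; a real system draws a random salt for every user."""
    store = {}
    for i, (name, password) in enumerate(SAMPLE_USERS.items()):
        if salted:
            salt = "salt%02d" % i
            store[name] = (salt, salted_hash(hasher, password, salt, rounds))
        else:
            store[name] = plain_hash(hasher, password)
    return store


def cost_of_one_guess(candidate, salted, rounds=1):
    """Check one candidate against every account and return
    (number of hash computations needed, sorted names of matching accounts)."""
    store = build_store(CountingHasher(), salted, rounds)  # building the store is not counted
    hasher = CountingHasher()
    if not salted:
        digest = plain_hash(hasher, candidate)  # hashed once, compared N times
        matches = [name for name, stored in store.items() if stored == digest]
    else:
        matches = [name for name, (salt, stored) in store.items()
                   if salted_hash(hasher, candidate, salt, rounds) == stored]  # once per user
    return hasher.calls, sorted(matches)


if __name__ == "__main__":
    for salted, rounds in [(False, 1), (True, 1), (True, 1000)]:
        calls, found = cost_of_one_guess("password", salted, rounds)
        print("salted=%s rounds=%d -> %d hash computations, matches %s"
              % (salted, rounds, calls, found))
```

With three accounts, one guess costs one MD5 against the unsalted store, three against the salted store, and three thousand once the constructed scheme runs 1000 rounds; the salted store also shows alice and carol with different stored values despite the same password, which is the property Q4 describes.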
Q7: I’ve been recovering a password for several days already, but still can’t find it. Why?
A: Since the inverse transformation hash -> password is impossible, the only way to recover a password is to compare the given hash with the hashes generated from every password being checked. So combinations of different attack types and settings have to be tried. For example, you can spend a lot of time brute-forcing a password with the „a…z“ alphabet while the sought password is numeric. So if you cannot find your password, that does not mean it is very complex: it can be a short one with a space at the end, or it can be long but simple (like „administrator12345“) and recoverable in a few minutes with the hybrid attack, and so on. However, your hash may really correspond to a complex password (like „tGEa+.]W\Z$C“); unfortunately, such passwords are almost unrecoverable.
Q8: What’s the application area of hashes suffixed with [PHP] in external modules?
A: You can find that out using the „About module“ function on the „Hashing modules“ tab of the program options. Note: the [PHP] suffix means that the syntax of these algorithms matches the PHP code in which they are mostly used.
Q9: What is „dictionary“ and where can it be obtained from?
A: A dictionary is a text file that contains possible user passwords (one password per line). Such files may contain frequently used passwords („admin“, „master“, etc.) as well as passwords from a required character range („1111“ – „9999“), which can be generated by the „Dictionary Generator“ plugin. You can always find dozens of megabytes of such dictionaries here.
Q10: „Symbol replacement tables“ in the hybrid dictionary attack – what is it?
A: These tables (*.KBT files) are text files in which users can set which characters of the passwords being checked are to be replaced with something else. The feature is useful for users in non-English-speaking countries with 2 keyboard layouts, English and national: native-language passwords can be typed using the English keyboard layout or, vice versa, English words can be typed using national characters. The installation archive contains the „Russian.kbt“ file with tables for the Russian keyboard layout.
Q11: In what order do you recommend recovering user passwords from hashes?
A: It’s recommended to recover passwords for hashes in the following order:
– Preliminary attack
– Simple dictionary attack (with a large number of dictionaries)
– Hybrid dictionary attack (with a small number of dictionaries)
– Brute force attack with the „0…9“ alphabet for 8-9 character depth
– Brute force attack with the „a…z“ alphabet for 7-8 character depth
– Brute force attack with all available alphabets for 4-6 character depth
– Brute force attack with „0…9“ and „a…z“ alphabets for 7-8 character depth
– Combined dictionary attack
Certainly, if you have Rainbow-tables, the Rainbow attack should also be used. Also, if you’ve got any information about the password, use the mask attack.
Q12: How to use custom character sets?
A: Custom character sets are commonly used in mask attacks. For instance, if you know that the first 5 characters of the password are digits or capital Latin letters, you can type „?d?u“ in the „?4:“ field (or just enter the whole alphabet to use: „0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ“), and then describe the first 5 characters in the mask as ?4?4?4?4?4.
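The mask notation from the Mask Attack section and this answer (standard sets such as ?d and ?u, custom sets such as ?4 defined either from other sets or as a literal alphabet) also determines how large the search space a mask describes is, which is the number a defender wants when judging a password policy. The following added example (not PasswordsPro code) resolves custom set definitions and computes that keyspace. The ?l set for lowercase Latin letters is an assumption introduced for the „a…z“ examples in the FAQ; the program's own set names beyond ?d and ?u are not given on this page.

```python
import string

# Built-in sets as the FAQ names them: ?d digits, ?u capital Latin letters.
# ?l (lowercase Latin letters) is an assumed name for the "a...z" alphabet.
BUILTIN_CHARSETS = {
    "?d": string.digits,
    "?u": string.ascii_uppercase,
    "?l": string.ascii_lowercase,
}


def expand_charset(definition, charsets):
    """Resolve a custom-set definition that may mix ?-references and literal
    characters (e.g. "?d?u" or "0123456789ABC...Z"), returning the de-duplicated alphabet."""
    chars = []
    i = 0
    while i < len(definition):
        token = definition[i:i + 2]
        if token in charsets:
            chars.extend(charsets[token])
            i += 2
        else:
            chars.append(definition[i])
            i += 1
    return "".join(dict.fromkeys(chars))  # drop duplicates, keep first-seen order


def define_charsets(custom):
    """Return the built-in sets plus custom ones such as {"?4": "?d?u"}, resolved
    in order so that a later custom set may reference an earlier one."""
    charsets = dict(BUILTIN_CHARSETS)
    for key, definition in custom.items():
        charsets[key] = expand_charset(definition, charsets)
    return charsets


def mask_keyspace(mask, charsets):
    """Number of candidates a mask describes. Each ?-token multiplies the total by
    the size of its set; any other character is a fixed literal (factor 1)."""
    total = 1
    i = 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in charsets:
            total *= len(charsets[token])
            i += 2
        else:
            i += 1
    return total


if __name__ == "__main__":
    cs = define_charsets({"?4": "?d?u"})
    for mask in ("?4?4?4?4?4", "12345?d?d?d", "?d?d?d?d?l?l?l?l"):
        print(mask, "->", mask_keyspace(mask, cs))
```

The two ways of defining ?4 given in the answer (as „?d?u“ or as the 36-character literal alphabet) resolve to the same set, so ?4?4?4?4?4 describes 36^5 candidates either way; a mask whose first characters are known literals, like the „12345“ example in the Mask Attack section, shrinks the space to only the unknown positions.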
Q13: I would like to translate the program interface to my native language. How can I do that?
A: You can translate the program interface to your native language, but you will also have to maintain and promptly update your LNG file on your own in the forum on the software website. To do that:
– Visit the PasswordsPro forum: the program interface may already be translated to your language.
– Create the „English.lng“ file (or „Russian.lng“ file) using program options menu and translate it to your language.
– Host that file on your website, FTP-server or one of file hosting servers on the Internet.
– Create a new topic in the program forum and post the link to the translated LNG-file there.
As new versions are released (you can track new releases by signing up to the InsidePro project news mailing list), you will need to update your LNG file promptly and update the link on the forum. Your translation may be rewarded with a free license key to the program.
Q14: What Rainbow-tables are and how can they be used for password recovery?
A: Find detailed information on Rainbow tables here. You can use the rtgen or Winrtgen programs to generate such tables. To recover passwords this way, import the list of *.RT files into the program and select the table attack. Naturally, the type of hashes in the tables must match the type of hashes selected for the attack.
Q15: I am importing a list of salted hashes that contain the ‚:‘ character, and the program fails to split the source lines into fields properly. How should I import such hashes into the program?
A: For exactly such situations there is a menu option to set the character used as the field delimiter in the user hash lines (‚:‘ is the default). You can also change the character used for splitting fields when exporting user hashes.
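The failure mode in Q15 is easy to reproduce: a salt containing the delimiter makes the line split into more fields than expected, and a naive importer either drops data or mis-assigns it. The example below is added for this page (not PasswordsPro code) and shows an importer that reports such lines instead of silently mis-parsing them, and that accepts any single character as delimiter, including TAB (ASCII code 9). The two sample inputs are constructed; alice's salt deliberately contains ‚:‘.

```python
# Constructed import lines in user / hash / salt order. alice's salt is "ab:cd".
SAMPLE_COLON = (
    "alice:5f4dcc3b5aa765d61d8327deb882cf99:ab:cd\n"
    "bob:5f4dcc3b5aa765d61d8327deb882cf99:s1\n"
)
# The same records with TAB as the delimiter, plus a blank line to be skipped.
SAMPLE_TAB = (
    "alice\t5f4dcc3b5aa765d61d8327deb882cf99\tab:cd\n"
    "bob\t5f4dcc3b5aa765d61d8327deb882cf99\ts1\n"
    "\n"
)


def split_records(text, delimiter=":", expected_fields=3):
    """Split each non-empty line on `delimiter` into exactly `expected_fields` parts.
    Returns (records, bad_lines); a line that splits into a different number of
    parts is reported as (line_number, part_count) rather than mis-assigned."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(delimiter)
        if len(parts) == expected_fields:
            records.append(tuple(parts))
        else:
            bad.append((lineno, len(parts)))
    return records, bad


def pick_delimiter(text, candidates=(":", ";", "|", chr(9)), expected_fields=3):
    """Return the first candidate delimiter on which every non-empty line splits
    cleanly, or None if no candidate works. chr(9) is TAB, one of the below-32
    ASCII codes the program accepts as a delimiter."""
    for delim in candidates:
        records, bad = split_records(text, delim, expected_fields)
        if records and not bad:
            return delim
    return None


if __name__ == "__main__":
    records, bad = split_records(SAMPLE_COLON)
    print("':' delimiter: %d records, problem lines %s" % (len(records), bad))
    delim = pick_delimiter(SAMPLE_TAB)
    records, bad = split_records(SAMPLE_TAB, delim)
    print("delimiter %r: %d records, salt of alice = %r" % (delim, len(records), records[0][2]))
```

With ‚:‘ as the delimiter, alice's line splits into four parts and is reported as a problem line; switching the delimiter to TAB lets both lines import with the salt „ab:cd“ intact, which is the fix this answer recommends.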
Q16: During a dictionary attack, the program reports attack completion while the dictionary hasn’t been processed completely. Why?
A: That happens when a service character is found in the dictionary. Some such characters are interpreted by the program as end of file (EOF), so it stops reading the dictionary (for example, the 0x1F character that appears in a file after several files are concatenated with the DOS COPY command). So it is recommended to weed such characters, as well as tab characters, empty lines, etc., out of dictionaries before using them. Note: to sort dictionaries and clean out empty lines and duplicate passwords, you can use the „Dictionary Generator“ plugin.
Q17: During the Rainbow attack, the program reports „Can’t open charset configuration file!“ and halts the attack. What is this file, where can I get it and what is it needed for?
A: This is a file that contains the character sets (like „alpha“ (A…Z), „numeric“ (0…9), etc.) used for generating Rainbow tables as well as for recovering passwords with such tables. The installation archive contains the „Charset.txt“ file with the 25 most frequently used character sets; you can always add your own sets to this file.
Q18: I would like to write my own hashing module to recover passwords for my hashes using your program. How can I do that?
A: If the program does not support the type of hashes you need, you can write your own hashing module in any programming language as a DLL with several exported functions (see the ReadMe.chm file in the \Modules\API folder of the program installation archive), but you will have to update and support it on your own through the forum on the software website. You can build it on the basis of the test module whose Microsoft Visual C++ .NET 2003 sources are included as an example in the program archive. The creation of a new module for the program may be rewarded with a free license key.
Q19: I am importing an old-version *.Hashes file (or copying an old-version PasswordsPro.ini into a new-version folder). Why does the program display the hash types incorrectly, or why are the program options different from those set in the previous version?
A: The format of *.Hashes and *.ini files (as well as other work files created by the program) may differ from one version to another for many reasons, for example after the optimization of the parameters saved to the *.ini file or a change in the list of supported hashes. So it is strongly recommended to use *.Hashes and *.ini files created by the version of PasswordsPro you currently use. Hashes created with older versions of the software can be imported through text files.
Q20: Can the TAB character or any other character with an ASCII code below 32 be used as the delimiter when importing hashes?
A: Yes, you can use any character, even one with an ASCII code below 32 (tab, line feed, etc.), and there are two ways to do that:
1. Copy the TAB character (for example) to the clipboard and paste it into the application settings. It will appear as a square, but it will do the job.
2. In the PasswordsPro.INI file, find the DlgOptionsMore section and set the ASCII code of the field delimiter character in the EditBox1 parameter. For example, for the TAB character those lines would be: