Thursday, November 22, 2007

Cracking Tools

WEB LINKS TO DICTIONARY WORD LIST FILES

http://www.cotse.com/tools/wordlists.htm
http://packetstormsecurity.org/Crackers/wordlists/

ORACLE DEFAULT PASSWORD AUDITING TOOL

http://www.petefinnigan.com/default/default_password_checker.htm

A simple command line tool that can be used to check if any default users are installed in your database and, more importantly, whether those default users still have their default passwords set to known values.

ORACLE DEFAULT PASSWORD LIST

http://www.petefinnigan.com/default/default_password_list.htm

The list can also be thought of as a list of Oracle default password hashes.

UNIX RECONNAISSANCE SCRIPTS

http://www.petefinnigan.com/tools.htm

Numerous scripts that detail privilege level, default password configuration, and system access information. Additional scripts for forensic DB analysis are also listed.

CAIN & ABEL

http://www.oxid.it/

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users.
Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damage and/or loss of data using this software and that in no event shall the author be liable for such damage or loss of data. Please carefully read the license agreement included in the program before using it.

The latest version is faster and contains a lot of new features like APR (ARP Poison Routing), which enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocol authentication monitors and route extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.

CROWBAR

http://www.sensepost.com/research/crowbar/

Generic web brute force tool.

DIGDUG

http://www.edge-security.com/soft.php

This little program is for auditing a DNS: it will brute force a domain, asking for hostnames taken from a predefined list. The list has the most common names used for hosts. It supports hybrid queries to find a broader range of hosts.

CREDDUMP

Credential Manager password dumper for Windows XP/2003

http://www.oxid.it/creddump.html

Creddump is a utility that dumps passwords from Windows XP/2003 users' credential files and shows them in their cleartext form.

DNSMAP

http://unknown.pentester.googlepages.com

dnsmap is a small C based tool that performs brute-forcing of domains. The tool can use an internal wordlist, or work with an external dictionary file.

LCP

http://www.lcpsoft.com/english/index.htm#lcp

The main purpose of the LCP program is user account password auditing and recovery in Windows NT/2000/XP/2003.

General features of this product:

  • Accounts information import:
      • import from local computer;
      • import from remote computer;
      • import from SAM file;
      • import from .LC file;
      • import from .LCS file;
      • import from PwDump file;
      • import from Sniff file;
  • Passwords recovery:
      • dictionary attack;
      • hybrid of dictionary and brute force attacks;
      • brute force attack;
  • Brute force session distribution:
      • sessions distribution;
      • sessions combining;
  • Hashes computing:
      • LM and NT hashes computing by password;
      • LM and NT response computing by password and server challenge.

SID&User is a SID and user name retrieval tool for Windows NT/2000/XP/2003. General features of this product:

  • getting the SID for a given account name;
  • getting the account name for a single SID, or account names for a SID range.

IKECRACK

http://ikecrack.sourceforge.net/

IKECrack is an open source IKE/IPsec authentication crack tool. This tool is designed to brute-force or dictionary attack the key/password used with pre-shared-key [PSK] IKE authentication. The open source version of this tool is to demonstrate proof-of-concept, and will work with RFC 2409 based aggressive mode PSK authentication.

OPHCRACK

http://ophcrack.sourceforge.net/

The Ophcrack LiveCD is a bootable Linux CD-ROM containing Ophcrack 2.3 and a set of tables (SSTIC04-10k). It allows for testing the strength of passwords on a Windows machine without having to install anything on it. Just put it into the CD-ROM drive, reboot, and it will try to find a Windows partition, extract its SAM and start auditing the passwords.

SSH EXPECT BRUTE FORCE SCRIPT

http://www.securiteam.com/tools/5QP0L2K60E.html

This is an Expect script that will allow you to specify a host file, user file, and a dictionary. Extremely useful for auditing large networks where you can't manually log into every machine or don't feel like re-running something on every host.

SIMPLE SSH BRUTE FORCE SCRIPT

http://ideacomplex.com/code/ssh-rbrute.rb

SSHATTER

http://www.nth-dimension.org.uk/downloads.php?id=34

SSHatter is a password brute forcer for SSH. It is multi-threaded and can audit more than one system and account in a given session.

SNMP BRUTE FORCE SCRIPT

http://www.securiteam.com/tools/5EP0N154UC.html

The following tool tries to brute force the community name used by the remote SNMP device. This brute force program is quite fast, and is able to find the community name in a matter of minutes.

MEZCAL

http://www.0x90.org/releases/mezcal/index.php

Mezcal is an HTTP/HTTPS brute-forcing tool allowing the crafting of requests and insertion of dynamic variables on-the-fly.

MEDUSA

http://www.foofus.net/jmk/medusa/medusa.html

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items as some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

THC-ORACLE SNIFFER/CRACKER

http://www.thc.org/thc-orakel/

THC presents a crypto paper analyzing the database authentication mechanism used by Oracle. THC further releases practical tools to sniff and crack the password of an Oracle database within seconds.
One of the network authentication modes used by Oracle databases uses a weak key exchange mechanism. This mechanism is still used on the newest database versions using Oracle's Java drivers. Also, for native Oracle drivers an attack is known to downgrade the authentication mode to the vulnerable version. The Orakelsniffert article documents the mechanism used by the weak authentication mode, the complexity and impact of the attack and an example of an attack in the field. A Windows based cracker and a simple Java based client application are included to verify the results. Also, a supporting crypto utility is released.

HYDRA

http://www.thc.org/thc-hydra/

THC-Hydra is a very fast network logon cracker which supports many different services. Currently this tool supports: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MySQL, REXEC,
RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP2, LDAP3, POSTGRES, TEAMSPEAK, Cisco auth, Cisco enable, Cisco AAA (incorporated in the telnet module).

ENABLER.C

http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchtype=archives&counts=76&searchvalue=brute+force+

enabler.c attempts to find the enable password on a Cisco system via brute force. Tested on Cisco 2600s and 12008s, and has support for login-pass as well as login-only devices.

JOHN THE RIPPER

http://www.openwall.com/john/

An extraordinarily powerful, flexible, and fast multi-platform password hash cracker. John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches.

RAINBOW CRACK

http://www.antsight.com/zsl/rainbowcrack/

RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. In short, the RainbowCrack tool is a hash cracker. A traditional brute force cracker tries all possible plaintexts one by one at cracking time, which is time consuming for complex passwords. The idea of the time-memory trade-off is to do all the cracking-time computation in advance and store the results in files, the so-called "rainbow tables". It does take a long time to precompute the tables, but once the one-time precomputation is finished, a time-memory trade-off cracker can be hundreds of times faster than a brute force cracker with the help of the precomputed tables.

FREE RAINBOW TABLES

Web links to free rainbow tables:

http://www.freerainbowtables.com/index-rainbowtables-tables.html
http://rainbowtables.shmoo.com/
http://wired.s6n.com/files/jathias/
http://hak5.org/wiki/Community_Rainbow_Tables

TFTP-BRUTEFORCER

http://www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1

TFTP-bruteforcer is a fast multithreaded TFTP config filename bruteforcer.

K0LD KNOKING 0N LDAP'S DOOR

http://www.phenoelit.de/kold/

K0LD is a dictionary attack against an LDAP server. It queries all users from the server below a given DN and tries to find their passwords.

OBIWAN

http://www.phenoelit.de/obiwan/

The goal of Obiwan is a brute force authentication attack against web servers with authentication requests, and in fact to break into insecure accounts.

WINRTGEN

http://www.oxid.it/downloads/winrtgen.zip

Winrtgen is a graphical rainbow tables generator that supports LM, FastLM, NTLM, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, SHA-2 (256), SHA-2 (384) and SHA-2 (512) hashes.

FTS-WS-DICTOOL

http://ws.hackaholic.org/tools.html

FTS-WS-DICTOOL is a program to generate or manipulate several kinds of wordlists, to test how strong passwords, cookies, etc. are.

Features:

  • Incremental brute force (characters).
  • The characters can be defined as numerical, alpha, alpha-numeric, alpha-numeric + symbols.
  • Start and end number of characters that should be used to generate the wordlist.
  • Open a wordlist and convert each word utilizing the "elite conversion".
  • Open a wordlist and convert each word to: caps on, caps off, only first caps on, inverted word.
  • Generate a wordlist based on date of birth.
  • Generate a wordlist from 2 to 4 incremental characters followed by the date of birth.
  • Generate a wordlist of default passwords used by the Terra provider (Brazil).
  • Open a wordlist and add characters (before or after) to each word.
  • Generate a wordlist based on personal data.
  • Open a file (e.g. e-mail, article, information from MSN, ICQ, etc.) and generate a wordlist.

MDCRACK

http://c3rb3r.openwall.net/mdcrack/

MDCrack is a free, feature-filled password cracker designed to brute-force several commonly used hash algorithms at a very aggressive speed rate. It can retrieve any password made of up to 8 characters (16 for PIX algorithms) and 55 characters when salted. In order to achieve the highest possible speed rate, this program uses several cores for each algorithm it supports. Each one of these cores provides a different level of optimization designed to best fit a specific set of command line options. Whatever command line configuration is used, MDCrack will always arrange to use the best available core. To date, this program supports brute-force attacks on MD2, MD4, MD5, NTLMv1 and PIX (enable and users) hashes, and the list of algorithms is growing. Multithreading allows for parallel cracking and load sharing between several CPUs and multiplies overall speed by the number of available processor(s).

MD5 AND MD4 COLLISION GENERATORS

http://www.stachliu.com/research_collisions.html

UNHASH

http://www.geocities.com/dxp2532/

UnHash is a program that performs a brute force attack against a given hash. The hash can be MD5 or SHA1, and the program will auto-detect which one is given.

TXDNS

http://www.txdns.net/

TXDNS is a Win32 aggressive multithreaded DNS digger that is capable of placing on the wire thousands of DNS queries per minute. The main goal of TXDNS is to expose a domain namespace through a number of techniques:

  • typos
  • TLD rotation
  • dictionary attack
  • brute force

TXDNS may be used to:

  • fill the reconnaissance gap left by DNS server hardening, as DNS zone transfers are likely to fail;
  • dig a given domain name for possible phishing variations based on common well-known typo algorithms, and return DNS queries on both used and unused names;
  • stress-test DNS servers thanks to its configurable aggressive behavior.

TXDNS provides some cool options, such as:

  • perform queries only for a given resource record type: A, CNAME, HINFO, NS, TXT & SOA
  • perform non-recursive queries
  • perform queries against a given DNS server

YAHOO PASSWORD SHOW

http://www.ourgodfather.com/yahpass/index.htm

This program reveals Yahoo passwords and stores them in a directory that you choose, naming the file YAHOO PAS.TXT. It has a lot of cool features.

WINDOWS MSN LIVE PASSWORD SHOW V7

http://www.ourgodfather.com/ccount/click.php?id=50

This program reveals MSN passwords, and stores the password.

FIREMASTER

http://securityxploded.com/firemaster.php

Firefox uses a master password to protect the stored sign-on information for various websites. If the master password is forgotten, then there is no way to recover it and the user loses all the sign-on information stored in it. To prevent this problem, I have developed FireMaster, which uses a combination of techniques such as dictionary, hybrid and brute force to recover the master password from the Firefox key database file.

FIREPASSWORD

http://securityxploded.com/firepassword.php

FirePassword is a tool designed to decrypt the username and password list from the Firefox sign-on database. Firefox stores the username and password information for various websites in its database files. FirePassword works along similar lines to Firefox's built-in password manager, but it can be used as an offline tool to get the username/password information without running Firefox.

VENOM

http://www.cqure.net/wp/?page_id=21

Venom is a tool to run dictionary password attacks against Windows accounts by using the Windows Management Instrumentation (WMI) service. This can be useful in those cases where the Server service has been disabled. The tool is written in VB6 and might require some additional runtime libraries to run. Guessing speeds vary, but tend to be around 45-50 guesses/sec. The password file supports the formats %USERNAME% and LC %USERNAME%, with the result of the username being used as the password. The prefix LC converts the username to lowercase.

SSL KEY/CERT FINDER

http://www.trapkit.de/research/sslkeyfinder/index.html

(PoC) Extracting RSA private keys and certificates out of process memory.

VNCPWDUMP

http://www.cqure.net/wp/?page_id=7

VNCPwdump can be used to dump and decrypt the registry key containing the encrypted VNC password in a few different ways.

It supports dumping and decrypting the password by:
- dumping the current user's registry key
- retrieving it from an NTUSER.DAT file
- decrypting a command line supplied encrypted password
- injecting the VNC process and dumping the owner's password

IPR (ID PASSWORD RECOVERY)

http://www.cqure.net/wp/?page_id=12

IPR is a tool for recovering passwords on Lotus Notes ID files. It does this by guessing passwords you supply in a dictionary file. It guesses approximately 400-500 passwords a second on a PIII 1GHz. The tool should be used by administrators for finding weak passwords in user ID files.

Requirements:

Lotus Notes R5 client (needs to be in the PATH)

Usage:

ipr -h

PASSLOC PASSWORD LOCATOR

http://www.imperva.com/downloads/PassLoc.zip

Based on Adi Shamir's "Playing Hide and Seek with Encryption Keys" article, which suggests a way of locating keys within a buffer (memory, large file, etc.). The PassLoc tool accepts a file as input and returns a graphical plot of its content where the most random part of the file is colored. The article suggests that, due to the random nature of long keys placed in non-random files, the human eye can easily distinguish the key given a sufficiently long file.

THE A5 CRACKING PROJECT

http://wiki.thc.org/cracking_a5

WINDOWS XP AND VISTA PRODUCT KEY RECOVERY

http://www.dagondesign.com/articles/windows-xp-product-key-recovery/

1 comment:

Maverick said...

Nice Collection of tools and tricks!
Try this site also.
http://howtohack.in