Friday, 20 November 2009

Hack Windows XP (SP2) Passwords

Have you ever used a computer in a lab, borrowed a friend's computer, or even used a computer in a public place? Well, usually in a lab (from personal experience) the computer is password-protected, and if you want to log in you have to ask the owner first. Now we can see the password of the computer we are using without restarting it and without installing any program such as Cain, L0phtCrack, etc. All it takes is a little 'trust' to borrow the computer (the fancy term is social engineering) and two programs: pwdump6 and John the Ripper. But if there happens to be a shared login of the administrator type, that's a lucky break! No need to go through the trouble of borrowing a friend's login.
You may already have come across a tutorial on how to hack the user passwords on Windows XP or NT using pwdump. Yup, this tutorial will probably look similar to the usual way of hacking Windows XP, especially Windows XP SP2. So what is different from the other tutorials? Currently Windows XP SP2 (and maybe SP1 too, CMIIW) uses Syskey to protect the HASH (where the encrypted passwords are stored) so that it cannot be read and dumped using pwdump or samdump. To make this clearer, here is an explanation of Syskey [1]:
Syskey is a Windows feature that adds an additional encryption layer to the password hashes stored in the SAM database. The main purpose of this feature is to deter ‘offline’ attack. In fact one of the most common ways to gather passwords is to copy the system SAM database and then use one of the many good password crackers to “recover” the passwords; of course physical access is almost always required. So with syskey the attacker needs to remove the additional encryption layer to get the password hashes.
Back on Windows NT or XP (before SP2) we could still use pwdump or even go straight in with KaHT, but on Windows XP SP2 that method no longer works (or, more precisely, that version of pwdump no longer works). This is where this tutorial differs from the earlier ones. Where earlier we used the old version of pwdump, now we use pwdump6, developed by fizzgig and the foofus.net Team. According to the README of pwdump6, pwdump6 is:
pwdump6 is a password hash dumper for Windows 2000 and later systems. It is capable of dumping LanMan and NTLM hashes as well as password hash histories. It is based on pwdump3e, and should be stable on XP SP2 and 2K3. If you have had LSASS crash on you using older tools, this should fix that.
A significantly modified version of pwdump3e, this program is able to extract NTLM and LanMan hashes from a Windows target, regardless of whether Syskey is turned on. It is also capable of displaying password histories if they are available. It outputs the data in L0phtcrack-compatible form, and can write to an output file.
Oh, by the way: for pwdump6 to run and obtain the HASH file, an account with access equivalent to Administrator is required. That is why we have to do a little social engineering. Just tell your friend you need to access the workgroup but can't with a regular login. Don't worry, though: by default most people create users with the Administrator account type. Or use whatever means, effort or persuasion you can so that you get to log in first.
Once you have access with an administrator-type login, the next step is simply to run pwdump6. If you have a flash drive, keep pwdump6 on it and carry it wherever you go; it might come in handy some day... OK, let's just run pwdump6. It is best to copy pwdump6 to the hard disk first (don't run it from the flash drive). Before that, download pwdump6 from here, or from the mirror on my site here.
1. Open CMD (Run -> cmd)
2. Run pwdump6 as follows (for example, with PwDump6 located in the folder D:\PwDump6)
D:\PwDump6>PwDump.exe -o pass.txt 127.0.0.1
pwdump6 Version 1.3.0 by fizzgig and the mighty group at foofus.net
Copyright 2006 foofus.net
This program is free software under the GNU
General Public License Version 2 (GNU GPL), you can redistribute it and/or
modify it under the terms of the GNU GPL, as published by the Free Software
Foundation. NO WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS
PROGRAM. Please see the COPYING file included with this program
and the GNU GPL for further details.
Using pipe {C411BDE9-594E-47F4-99B5-E94ADF194A45}
Key length is 16
Completed.
3. After that you will get the file pass.txt, which contains the list of users and their passwords, still encrypted. As an example, it will look like this:
ach:1003:2BFA42D08601B951ABD697149E2F5967:73098347042E9109FA584CE843018F4F:::
Administrator:500:934A4750EC9859B3EA397B0F6EC18E34:732BD09D6834DA4A5A30300A6A045BF8:::
coba:1004:FBE4F28EE205F0BA79999C25263AA9AA:A69C199A4DF77CD41FCA6EA916A93868:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:B3D2AE56C93F27B43C4F8419B1A21E9B:DC3DBB258A10B0C7EA9D92133267B905:::
SUPPORT_388945a0:1002:NO PASSWORD*********************:DF1DB672DA1B5C045ECA2490CA753D3B:::
4. Yosh!! The passwords are in hand. The next step is to crack the pass.txt file with the help of John the Ripper. It is best to save pass.txt to a USB drive or upload it somewhere safe first, because the cracking can be done any time, anywhere. From experience, if the password is not too hard to guess, such as "adminkeren" or "qwerty123", it usually does not take very long to crack it with John the Ripper. But if the password uses odd combinations such as "P4ssW0rD", "S03S4h", etc., it usually takes a long time; you can leave it running and go to sleep or play for a while. OK, here is how to crack it.
Download John the Ripper for Windows here. For computers with an AMD processor, it is best to use "john-mmx.exe". Alternatively, those using Intel or AMD can use "John-386.exe". First copy the file pass.txt into the folder where "John-mmx.exe" or "John-386.exe" is located (John171w\john1701\run). Then just run the following command and wait patiently:
D:\john171w\john1701\run>john-mmx.exe pass.txt
Loaded 8 password hashes with no different salts (NT LM DES [64/64 BS MMX])
REN123 (Administrator:2)
TEBAK (coba:2)
ADMINKE (Administrator:1)
MUDAHDI (coba:1)
Yosh!! Now the passwords are plainly visible. So the password for the user "Administrator" is "adminkeren123", obtained by joining Administrator:1 and Administrator:2.
Administrator:1+Administrator:2 = adminkeren123
And the password for the user "coba" is "mudahditebak"!!
Easy, isn't it? Basically you just grab the HASH file (the encrypted passwords) using pwdump6 and then crack the result with John the Ripper.
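As an added example (not code from the original post, and not part of pwdump6 or John the Ripper), here is a small Python auditor for the pass.txt format shown above. It parses user:RID:LM_hash:NT_hash::: lines and reports what a defender should fix: accounts with no NT hash at all (empty password) and accounts that still store an LM hash, which is exactly what lets John crack the password as two independent 7-character, case-insensitive halves (the Administrator:1 / Administrator:2 pair above). The sample dump is the one from this post with the stray spaces removed; the "NO PASSWORD" marker is pwdump6's and the two empty-hash constants are the LM/NT hashes of the empty string; the function and class names are this example's own.

```python
"""Audit a pwdump-style dump for weak password storage.

Added example, not part of the original post. Input lines have the form
user:RID:LM_hash:NT_hash:::  exactly as in the pass.txt shown above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Marker pwdump6 prints when a hash field is empty (seen in the dump above).
NO_PASSWORD = "NO PASSWORD*********************"
# Other dumpers print the hash of the empty string instead of a marker.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed sample: the pass.txt from this post with stray spaces removed.
SAMPLE_DUMP = """\
ach:1003:2BFA42D08601B951ABD697149E2F5967:73098347042E9109FA584CE843018F4F:::
Administrator:500:934A4750EC9859B3EA397B0F6EC18E34:732BD09D6834DA4A5A30300A6A045BF8:::
coba:1004:FBE4F28EE205F0BA79999C25263AA9AA:A69C199A4DF77CD41FCA6EA916A93868:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:B3D2AE56C93F27B43C4F8419B1A21E9B:DC3DBB258A10B0C7EA9D92133267B905:::
SUPPORT_388945a0:1002:NO PASSWORD*********************:DF1DB672DA1B5C045ECA2490CA753D3B:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm_hash: Optional[str]  # None when no LM hash is stored
    nt_hash: Optional[str]  # None when the password is empty


def _hash_field(raw: str, empty_constant: str) -> Optional[str]:
    """Normalise one hash field; None means nothing useful is stored."""
    raw = raw.strip().upper()
    if raw in ("", NO_PASSWORD, empty_constant):
        return None
    if len(raw) != 32 or any(c not in "0123456789ABCDEF" for c in raw):
        raise ValueError(f"malformed hash field: {raw!r}")
    return raw


def parse_pwdump(text: str) -> List[Account]:
    """Parse user:rid:lm:nt::: lines; blank lines and '#' comments are skipped."""
    accounts: List[Account] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt:::")
        accounts.append(Account(
            user=parts[0],
            rid=int(parts[1]),
            lm_hash=_hash_field(parts[2], EMPTY_LM),
            nt_hash=_hash_field(parts[3], EMPTY_NT),
        ))
    return accounts


def audit(accounts: List[Account]) -> Dict[str, str]:
    """Map user -> finding for accounts whose stored hashes are weak.

    "empty password": no NT hash at all (the dump does not say whether the
        account is disabled, as Guest normally is, so check that separately).
    "LM hash stored": the password is also kept as an LM hash, which a
        cracker attacks as two independent 7-character, case-folded halves;
        that is why john printed ADMINKE and REN123 as Administrator:1/:2.
    Accounts with only an NT hash (SUPPORT_388945a0 above) get no finding.
    """
    findings: Dict[str, str] = {}
    for acct in accounts:
        if acct.nt_hash is None:
            findings[acct.user] = "empty password"
        elif acct.lm_hash is not None:
            findings[acct.user] = "LM hash stored"
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{user:20} {finding}")
```

An account reported as "LM hash stored" stops being crackable in halves once the system no longer stores LM hashes (the NoLMHash policy, "Network security: Do not store LAN Manager hash value on next password change") or the password is longer than 14 characters; the dump then shows NO PASSWORD in the LM field next to a normal NT hash, the pattern SUPPORT_388945a0 shows above.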
Now, when we want to use a friend's computer in the lab, there is no need to go looking for them any more. Just use the Admin user directly, but don't let them find out..... Or if you have forgotten your Administrator password, there is no need to reboot the computer and then reset your password. Just follow the steps above!
References:
[1]. http://studenti.unina.it/~ncuomo/syskey
Thanks to fizzgig for your great tool, pwdump6 (http://www.foofus.net/fizzgig/pwdump)! I've been looking for this tool for a long time! Thanks dude!! and Thanks to pen-test@securityfocus.com!
Update: An easier method can be found in Hack Windows XP Password with Ophcrack

Hacking Windows Registry
Written by incrementedbryan
Sunday, 02 January 2005
Here are some of our favorite Windows Registry Hacks.. Do you have a favorite that isn't listed? Send it in and I will update this list!
#1
//----------------------------------------------------------------------------
// Change max IE connections to 50, if you have high-speed Internet it
// speeds things up a little more
// Works Cited: http://weblogs.asp.net/dwanta/archive/2004/03/31/105050.aspx
//----------------------------------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

"MaxConnectionsPerServer"=dword:00000032
"MaxConnectionsPer1_0Server"=dword:00000032
//--------------------------------------------------------------------------------//
#2
//----------------------------------------------------------------------------
// Change the Start Button Text
// find pictures in folder /startButtonPics/
// Works Cited:http://www.winguides.com/registry/display.php/791/
//----------------------------------------------------------------------------
Manually changing the Start button requires the use of a binary file editor (or hex editor) to alter a critical Windows system file, it is therefore not recommended for inexperienced users. This method has been successfully tested on Windows 95, 98, ME, 2000 and XP and therefore should be quite safe, although we do not accept any responsibility for system problems or data loss.
As mentioned before you will need to have a hex editor installed, there are many different products available and if you don't have one already a quick search of a shareware site should provide many choices, for this tweak we only require basic features.
1. The file that needs to be changed is Windows Explorer, and it is essential to make a backup before you modify anything. "Explorer.exe" can be found in the Windows directory, usually C:\WINDOWS for Windows 95, 98, Me & XP and C:\WINNT for Windows NT/2000. Make a copy of "Explorer.exe" and place it into another directory; C:\BACKUP might be a good choice.
2. Make another copy of the original "Explorer.exe" and name it "Explorer1.exe", then open "Explorer1.exe" in your hex editor.
3. You now need to find the word "Start". Although there are many entries for "Start" in the file, only one is used to label the Start button. Use the search function in the hex editor to find all the strings equal to "S t a r t", which is represented as "53 00 74 00 61 00 72 00 74" in hex values. As there are many different "Start" strings, keep searching until you find one located just before this text: "There was an internal error and one of the windows you were using has been closed.". Below is a list of offsets to help you locate the correct text.
* Windows 98
Offset: 0x00028D6E - 0x00028D76
* Windows NT4
Offset: 0x00028BEE - 0x00028BF6
* Windows ME
Offset: 0x00033DDE - 0x00033DE6
* Windows 2000
Offset: 0x0003860E - 0x00038616
* Windows XP (Enhanced Start Menu)
Offset: 0x000412B6 - 0x000412BE
* Windows XP (Classic Start Menu)
Offset: 0x0004158A - 0x00041592
* Windows XP SP1 (Enhanced Start Menu)
Offset: 0x0004208E - 0x00042096
* Windows XP SP1 (Classic Start Menu)
Offset: 0x0004259A - 0x000425A2



The result should look similar to the image below, depending on the display from your hex editor.

4. Once you have located the string, you can then replace the letters in "Start" with five other characters. You must use exactly five characters, if the word you want to use is less, replace the remaining characters with the space key. In this example we have replaced "Start" with "Guide", alternatively a three-letter word would look like "A B C" (note the spaces). Once you have changed the letters the result should look similar to the image below.

5. Now save the modified "Explorer1.exe" in the Windows directory, and confirm that you now have the two Explorer files in the Windows directory, they both should be the same file size but have different modified dates.
6. The next step is different depending on your operating system. Only do the step required for your version.
* Windows 95, 98 & ME
Exit to DOS (or use a boot disk for Windows ME) and at the command prompt change to the Windows directory and rename "explorer.exe" to "explorer.old". Then copy the newly modified Explorer "explorer1.exe" to "explorer.exe". Do a directory listing and confirm that "explorer.exe" has the most recent modified date and time. Restart the computer and Windows should reload along with the new Start button text.
* Windows NT
First close any open applications and open a new Command Prompt window, then switch back to the GUI and open the Task Manager. Find the "explorer.exe" process and end it, you should now be left with only the command prompt and task manager. Switch back to the command prompt and change to the Windows directory, rename "explorer.exe" to "explorer.old", and copy the newly modified Explorer "explorer1.exe" to "explorer.exe". Do a directory listing and confirm that "explorer.exe" has the most recent modified date and time. Switch back to Task Manager and launch a "New Task" called "explorer.exe" this should reload the shell along with your modified "Start" button.
* Windows 2000 and XP
Open your registry editor and find the key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. Find the value named "Shell" and change it to equal the filename of the new explorer, "explorer1.exe". Exit your registry editor and restart Windows for the change to take effect. To reverse the change, modify the value of "Shell" and set it back to "explorer.exe".

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

| Name      | Type   | Data            |
| (Default) | REG_SZ | (value not set) |
| Shell     | REG_SZ | explorer1.exe   |

7. If everything has gone successfully you will now have a new Start button, and also hopefully learnt something about the Explorer file structure. If you do have problems replace the faulty Explorer with the backup made during the first step.


//----------------------------------------------------------------------------------//
#3
//---------------------------------------------------------------
// Display a banner each time Windows boots
//---------------------------------------------------------------
1. Start -> Run
2. Type regedit
3. Go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinLogon
4. Create a new string value in the right pane named LegalNoticeCaption and enter the value that you want to see in the menubar
5. Create a new string value and name it LegalNoticeText. Modify it and insert the message you want to display each time Windows boots

//---------------------------------------------------------------------------------//

#4
//---------------------------------------------------------------
// Shutting down Windows the fastest way
//---------------------------------------------------------------
1. Start -> Run
2. Type rundll.exe user.exe,exitwindows
//----------------------------------------------------------------------------------//

#5
//-----------------------------------------------------------------
// registry hack which will allow you to see your opponents' cards
//-----------------------------------------------------------------
Launch REGEDIT.EXE and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Hearts.
NOTE: You may have to create the Hearts key under Applets
In the right-hand pane, create a new String Value. Immediately rename it to "ZB" (without the quotes); give it a value of "42" (again, sans quotes).
The next time you're in a game of Hearts, press CTRL + SHIFT + ALT + F12.
Last Updated (Sunday, 02 January 2005)

©2009 tHe_A&W_bLoG | by TNB