Program's interface
Contents
1. Windows Password Recovery. Copyright (c) 2010-2015 Passcape Software. All rights reserved. 1 Introduction. 1.1 About the program. Welcome to Windows Password Recovery, a network security analyzer and Windows password recovery utility. Windows Password Recovery is the only solution that implements the most advanced, patented password recovery technologies developed by Passcape Software programmers, such as Artificial Intelligence or Pass-phrase attack. Compared to similar products, Windows Password Recovery features a number of competitive advantages. For home users: easy set up and use; easily recovers or resets forgotten passwords to any Windows account. For system administrators: password audit reveals security breaches, helping the administrators to ensure the reliability and security of the corporate network; checks the security level of Windows operating systems. For forensics, industry and government security experts: analyzes and audits system security policies, issues recommendations on improving the stability of the operating systems' password protection. 1.2 Features and benefits. Contemporary, easily customizable graphical user interface. Load hashes from 9 different programs. Imports directly from SAM or ntds.dit; even if the files are locked by the system, the program still reads them. Impo
2. [Screenshot: table generation dialog (input wordlist, table statistics, benchmarks, output folder, threads to run).] Before you start generating tables, you should set a wordlist that will be used for creating a database of word prints and specify the table parameters. Chain Length affects the probability of finding passwords (e.g. success rate), table generation time and the time needed to search for a single password during the attack. Chain Count affects the success rate, table generation time and its size. At the moment, the table generation tool does not support tables of over 2 GB in size. However, you can create several tables if you are working with very large arrays of data (see the Table count parameter). Success in recovering a password using the tables depends on several factors, and it's important that you find their best values depending on the size of the tables you work with, their generation time and cryptanalysis time, that is, the time needed for recovering a password during the attack.
3. Max user accounts at a time: 600 / 5000 / unlimited. 14 days money back guarantee. Uses some restrictions. 5 Technical support. 5.1 Reporting problems. If you have a problem, please contact us at support@passcape.com. Please inform us about the following: full name and version of the program; Windows version, including service pack, OEM and language information, etc.; registration information, if any; detailed description of the problem, whether it is a constant or spontaneous error. If you're reporting a critical error, please attach the crash log file that was saved during an unhandled exception session. 5.2 Suggesting features. If you have any questions, comments or suggestions about the program or would like more information, email us at info@passcape.com. Please don't forget to mention the program name and version. Also make sure you have the latest program version installed. Your feedback helps us to improve our products and work more effectively. 5.3 Contacts. Please don't hesitate to send your questions regarding our products to e-mail: support@passcape.com. You will get a reply within one or two days. Note that registered users have priority in technical support. If you experience any problems during registration process, please send a letter to sa
4. [Screenshot: Combined dictionary attack options dialog, rules tab, with statistics.] Dialog text: Here you can create all possible combinations of phrases generated. By default, the program will create passwords by simply concatenating words from the source dictionaries WITHOUT separating them with spaces. However, you can set your rules as well. For example, have it create phrases with spaces, begin words with caps, append numbers, etc. Options shown: use these rules to generate different combinations of the phrase (firstupper and lower forms of string 1 through stringN, with and without a delimiter); insert words from second dictionary into every position of every word from dictionary 1, for example 12345Admin, A12345dmin, Ad12345min, etc. Note: this rule is active only if 2 dictionaries were set; it doesn't work for 3 or 4 dictionaries. Passwords created by the combined attack are generated according to special rules that are to be set on the second tab. By default, when password generation rules are disabled, the program generates passwords by simply gluing up the words from the dictionaries without separating them with a space. For example, if the two words are
5. [Screenshot: sound notification settings.] The software allows setting up sound notifications for certain events. For example, when the attack is over or when a password is found. 2.8.2 Attack Settings. 2.8.2.1 Preliminary attack. Preliminary attack, developed in Passcape, is quite effective against short, simple, dictionary, repetitive, keyboard, etc. passwords and consists of several mini-attacks. Each mini-attack can be enabled/disabled individually. [Screenshot: Preliminary attack options dialog.] Dialog text: Preliminary attack is quite effective against simple and well-known passwords. Preliminary attack is a time-limited, simple set of several mini sub-attacks. It is often run when there's no need to launch a full attack. Preliminary attack is used also when importing hashes into the program. You can activate/deactivate it in General Options dialog. Use the following preliminary sub-attacks: Common brute-force attack for short and simple passwords. Dictionary attack against well-known passwords. Extended dictionary attack (simple mutation is on). Attack repeatable sequence of characters, e.g. 11111, aaaaaa. Attack simple patterns, e.g. 123456, qwerty. Attack complex patterns. Keyboard combinations attack. Based on all possible keybo
6. Finally, in the last dialog, you can set the options for indexing words from all files recently opened by current user. Available options include: set the maximum length of words that can be added to the wordlist (all words with length greater than the specified limit will be skipped); skip files with size greater than specified (the size is specified in MB); use custom word delimiters (by default, word delimiters are all non-alphabetic characters); do not index files with specified extensions (use this option to skip files that you consider unnecessary). Clicking the Next button starts the indexing process. Keep in mind that it can take considerable time. 2.6.7.9 Extract HTML links. This tool is designed for extracting HTML hyperlinks from HTML files. [Screenshot: Wordlist Tools, HTML link extractor dialog.] Dialog text: Using the link extractor, you can easily extract all links out of html files located on your local drive. Just specify the initial directory where to start scanning from. Consider sorting output list to remove duplicates. Options shown: select a folder the files to be indexed are located at; parse files in the given folder only (in all subfolders otherwise); index all files; index files with the following extension(s) only: htm, html; index all files except the following extension(s): js
7. Save Changes Permanently. Keep in mind that certain secrets contain critical data, and modifying them may cause system instability or even impossibility of booting. The plugin also allows adding and deleting secrets (secrets of current operating system only). Deleting a secret, whether old or new, automatically deletes both its copies. You can share your secrets with developers (Share Names button). This e-mails only the secret names, without the actual data. Analyzing the secret names will help us make the program more efficient. 2.7.4.2 Domain Cached Credentials Explorer. Beginning with version 2.0, the program allows reading cached domain records. Windows uses cached domain records to be able to connect to the server even if the logon server is unavailable for whatsoever reason. The plugin for handling cached domain records includes three steps. In the beginning, decide which records are to be decrypted: cached records of current operating system or of some other computer. [Screenshot: Domain Cached Credentials Explorer, Select domain cached credentials location, Step 1/3.] Dialog text: Domain Cached Credentials Explorer allows you to decrypt, view and edit domain cached entries, as well as export domain cached passwords to text file. Select what kind of credentials you want to display: credentials of yo
8. each source word. The rule definition syntax is compatible with John the Ripper and PasswordsPro software. The author of the latter has kindly provided an extended set of rules (slightly edited), which comes with the distribution kit for Windows Password Recovery. Hybrid dictionary attack settings are grouped in 7 tabs: 1. Dictionaries, for setting up source dictionaries. 2. Rules, files with set of rules. 3. Super rules, ones to be applied over the top of regular rules. 4. Dictionary generator, where you can create files of words obtained from the hybrid attack. 5. Online dictionaries, for downloading new dictionaries to the application. 6. Hybrid syntax, complete description of all rules with examples. 7. Rule tester, where you can test your rules. Wordlists to be used in the attack are set on the first tab. Traditionally, the application supports wordlists in ASCII, UTF8, UNICODE, PCD, RAR and ZIP format. The position of the files on the list can be altered. For example, you may want to move smaller dictionaries up the list, or the other way. During the attack, they will be used one after another, according to their position on the list. [Screenshot: Hybrid dictionary attack options dialog, Dictionaries tab.] Dialog text: Hybrid attack is similar to mutation dictionary attack, except that user should set his own word mutation rules. Setup at leas
9. Based on the given recommendations, it is easy to create your own rules for batch attack. 3.4 Windows passwords FAQ. Q: What is password protection? A: Perhaps no one would argue that Windows NT-based operating systems today are the most popular all over the world. That makes them very vulnerable targets for various kinds of hackers, intruders and dishonest users. The spread of the global network only exacerbates the situation. To ensure the personalization of stored user or system data and to protect it from unauthorized access by third parties, it was proposed to use the password protection technology. Currently, the primary protection in Windows operating systems is password protection. Access to private data in this case is possible only when user knows the original password, which is normally a word or phrase. Here is what it looks like in the real life: the program or system, on an attempt to access private data, prompts user for the text password. That password is checked against the original password, and if the values match, the system allows access to the private data; otherwise, it denies access. The primary disadvantage of password protection is that the program or system must store the original password somewhere in order to have something to compare the entered value with. Q: How do operating systems store passwords? A: But everything is not so bad. Windows NT was developed in a way that it wouldn't store the original text
10. English phrases and expressions
    Usually several minutes or even seconds for each password | Up to 100% if the password fits into the character set and password length of the table(s) | Currently one of the best attacks for recovering the majority of passwords by the time-efficiency ratio | Requires tables. Precalculation tables may take much room on a hard drive. It is impossible to recover long passwords using this attack
    Based on fingerprints that were generated out of the given wordlist | From several hours up to several days; depends on the initial dictionary | No | Finds complex passwords that were impossible to recover in other attacks | Big input dictionary may generate too much fingerprints. The success depends on the input dictionary
    It is much similar to simple dictionary attack, except that the password mutation rules are fully customizable and should be set by user | Depends on the source wordlist and rules counter. Usually up to several minutes for a small wordlist | No | Good for all sorts of variations of common passwords | Cannot recover complex passwords
    Searches passwords via Internet | Depends on options | No | Pretty nice alternative tool for finding out simple and frequently | Very slow, processes hashes subsequently, feeds
    Cannot recover all passwords simultaneously; generating a new table takes longer than running a brute force attack. Limited recovery capabilities for long and non-English passwords
11. [Screenshot: Combined dictionary attack options dialog, dictionaries list with statistics.] The way the combined attack works is really simple. For example, if you have set two dictionaries, the program will generate the passwords as follows: it will take the first word from the first dictionary and glue it with the first word from the second dictionary, then with the second word, and so on until the end. Then it checks the second word from the first dictionary and goes the same route, and so on. Dialog text: This type of attack is very similar to the simple dictionary attack, except that instead of using a single word for password verification, here we use a combination of words or a phrase created by combining words from specified dictionaries. You should specify at least 2 dictionaries to start. To understand how the combined attack works, let's take a look at a couple of password generation examples that involve, in the first case, the same dictionary and, in the second case, two different ones. 1. Suppose we've got a single dictionary with three words: action, bad and computer. We will set this dic
12. [Chart residue: Active Directory object statistics (alias objects, user objects, computer accounts, domain trusts, group objects, groups which are not used for authorization).] Tools menu. The Tools consists of two parts: tools for controlling access to the application and tools for working with passwords. 2.6.1 Program access. [Screenshot: Restrict access to the program dialog (password, confirm password, hide characters as type).] If anyone besides you can access your computer or account, you can password-protect the application. In this case, when starting the program, user will be prompted for the password, and the application will fail to continue unless the valid password is supplied. [Screenshot: program access password prompt.] 2.6.2 Pass-o-meter. [Screenshot: Pass-o-meter dialog.] Check the quality of your password. The password quality depends on its length and complexity. The most of LM passwords (ones with non-empty LM hash) can b
13. The attack takes too much time to complete when setting a big input wordlist | Fails to find strong non-dictionary passwords | Fails to find most strong passwords
    set and used passwords | a lot of Internet traffic | Works only when internet is available | internet connection speed. Usually less than 1 minute for a single hash
    Passcape rainbow tables | Uses specially formed precalculated tables to guess strong and complicated passwords | Several minutes or even seconds for each password, depending on table parameters | No | Actually it is very good and advanced attack for recovering strong and complicated passwords which cannot be cracked in other attacks | A good table precalculation may take much disk space and time. Password recovery success rate greatly depends on input wordlist. Cannot recover all passwords simultaneously; generating a new table takes longer than running a brute force attack. Not all initial wordlists suit well for creating Passcape tables
    3.3 Recovering passwords from hashes. Use this simple instruction for the recovery of any passwords in Passcape programs. This instruction is offered in the format of recommendation and is meant primarily for the recovery of passwords encrypted with OWF, e.g. from Windows hashes. When recovering certain types of passwords, the major que
14. Windows Password Recovery comes in three editions: Light, Standard and Advanced. The detailed list of features and compatibility chart is shown below. [Feature comparison table with columns FEATURE, Light, Standard, Advanced; the per-edition marks did not survive extraction.] Features listed: Windows 2000/XP/Vista/7/8/10 workstation support; Windows 2000/2003/2008/2012 server support; Windows 64-bit support; Non-US Windows support; International passwords support; Multithreaded recovery; Interface themes support; Load hashes from local computer; Load hashes from remote computer; Dump regular hashes; Dump password history hashes; Search for plaintext passwords; Load hashes from SAM; Load Active Directory hashes; Import hashes from other programs; Load hashes from system restore folders; Export hashes to PWDUMP file; Common attacks; Smart attacks; GPU-based attacks; Support for multiple GPU devices; Batch attack; View AI password cache; Smart password mutation; Online diction
15. [Screenshot: Hybrid dictionary attack options dialog, Rules tab.] Dialog text: Hybrid attack rules. You should set at least one file with word mutation rules. Rule file is a simple ASCII text file with Rules section in it. Everything below the string is considered as rules. See the syntax of the rules at the Syntax tab. You can save all rules into a single file (rules will be sorted; duplicates and errors will be skipped). Super rules is a rule or several rules to be applied over the top of all other regular ones, before or after them. For example, you can set a8 tail super rule to create all possible case combinations after a common mutation has been done. So asa4 rule from l33t.ini file will become asa4a8, csc will become csc a8, etc. Yet another example: setting the >6<G head rule allows you to skip all words of less than 6 or greater than 16 characters before starting a common mutation. This is a helpful feature once you decide to add the same rule to all text lines of the selected ini files. There's no need to modify them all. Be careful though: the aN super rule may increase the total number of generated passwords drastically. [Screenshot: Hybrid dictionary attack options dialog, Super rules tab.]
16. Even though it is not recommended, you can overwrite your input wordlist by setting the same output wordlist name as the input one. [Screenshot: wordlist tools dialog with the input wordlist, the list of actions, and the output wordlist format (UTF8 text file).] The tools include the following operations: Convert all words in wordlist to lower case, for example BAD -> bad. Convert all words to upper case, for example Bad -> BAD. Capitalize words (upper-case first letter, lower-case all others), for example bad -> Bad. Remove word duplicates. Remove non-English words. Remove words that entirely consist of numbers and/or special characters, for example 12345, 08 19 10, etc. Remove English words. Cut (remove) leading and trailing spaces. Cut remo
17. Examples: test d will generate password range test0 test9, 10 passwords total. test d 1980 2007: test1980 test2007, 28 passwords. test r 0x0600 0x06ff: 256 passwords with Arabic character at the end. H testVoH test test: 1089 passwords. admin 1 1 5: admina adminzzzzz, where 1 is user-defined charset 1 (a z). 961961961pin962962962: aaapin000 zzzpin999; 1 is user character set (a z) and 962 is second user-defined charset which contains characters 0 9. By switching to Dictionary generator tab, you can generate your own dictionary by a given mask and save it to disk. This feature is available in Advanced edition of the program only. Third tab of the mask options contains a short description of the mask syntax and a couple of simple examples. 2.8.2.7 Base-word attack. Base-word attack, developed by Passcape, is in many ways similar to mask attack. However, here you don't need to set up the syntax; simply enter the keyword which supposedly was the base word for the password. It is an irreplaceable recovery tool when you know a portion of the password or its basic component. Normally, such cases dispose to using mask attack; however, it does not always allow coping with the task set forth. Suppose our password was S10wDr1v3r. Trying to recover such a complicated password using brute-force attack would be an ungrateful job, even if you are quite sure that it is based upon the slowdriver word. These are the cases when the
18. LM otherwise. [Tabs: Sound events, Advanced.] Save project every time: setting this option will force the program to automatically save the project every time a new attack is starting or stopping, including sub-attacks of a Batch attack. Automatically run preliminary attack when importing hashes: automatically launch preliminary attack upon import. This attack recovers extremely weak passwords within seconds. Finalize mutation on found passwords when attack is stopped or finished: activate password analysis and mutation module for found passwords after attack. This option can be extremely useful, for example, for recovering similar passwords. Run simplified fingerprint analysis upon attack completion: activate second analysis module. It launches on attack completion, creates new fingerprint dictionary out of found passwords, trying to retrieve more passwords. Useful on big list of hashes, history hashes, etc. Automatically select all loaded hashes upon import: automatically select entries to be searched after importing. 2.8.1.3 CPU settings. [Screenshot: General options dialog, CPU settings, showing the detected processor.] Since the majority of the attacks supports multithreading, you can set the number of search th
19. Saves current project and creates a new one. Open: loads (opens) a new project. The application's projects have the .wpr extension and contain program settings and hashes. However, for speeding up the search speed, the program stores the current state of the attack in a separate file, progress.ini. Save: saves current project. It is recommended to save critical projects from time to time. Save as: saves current project under a different name (renames it). Close: closes current project. Recovery menu. This menu item allows selecting and launching an attack. The Attack pane allows selecting the type of the attack and toggling between attacking LM or NT hashes. Take a note that before actually launching the attack, you must have selected (marked) the necessary hashes. You can do that through the Edit - Select menu. Launching the attack assumes that you have also made all the required settings on the Options - Attack Options menu. Run: launches selected attack. When the attack is running, all other items on the menu are disabled. Please note that when the attack is over, the program runs a special mutation and password analysis routine over the found passwords. This option is enabled by default, but it can be disabled in the general settings. 2.3.2 Continue: resumes attack from the last stored point. Please remember that the
20. We have got 5+4+3+2=14 fingerprints, not counting the source word. Repeat this for each word of the source dictionary. After this, all the fingerprints are dumped into a single database, naturally discarding duplicates. We have got a database of fingerprints that would be used for checking passwords by gluing all the fingerprints with each other and finding the match. The real fingerprint generation algorithm is much more sophisticated. Moreover, there is an option in the attack settings, "Maximize effeciency when generating fingerprints", which uses a more sophisticated algorithm which maximizes the efficiency at the expense of speed by generating additional fingerprints. Let's take a look at the remaining options. Use PPP engine to generate additional passwords: use passwords found in other attacks when generating fingerprints. Use keyboard and frequently use sequences: add keyboard combinations and common sequences to fingerprint bank. Use dates: add dates to fingerprints. Use numbers and common sequences: use digits and simple combinations of letters. The most careful attention should be paid to the option "Loop until no more passwords are found". That is where fingerprint attack can really show itself off. Here is how it works: if at least one password is found during an attack, when the attack is over, the password participates in generating new fingerprints, and the attack runs again. This option works great on large lists of hashes a
21. and NT, based upon the MD4 hashing function. LM, as the weaker and vulnerable one, is not supported by default by the latest Windows Vista and Windows 7; however, you can still enable it. Moreover, there is a tendency to completely eliminate or replace it. It is important to know that when the LM hashing option is on (it is enabled by default in Windows XP), all user passwords are considered quite vulnerable. Cracking the majority of such passwords normally takes just a few minutes. The NT hash is free from the disadvantages common to the LM hash. Consequently, it is much harder to pick the right password to a known NT hash than to an LM hash. But the current trend of increasing the computing power of modern computers, especially when using GPU, possibly will make this standard too vulnerable to potential attackers. Q: Where are password hashes stored? A: So, we have found out that user passwords in Windows systems are converted to special values: hashes. LM and NT hashes both have a fixed size, 16 bytes, and can be stored in two repositories: SAM for the regular accounts and Active Directory for domain accounts. SAM: The regular accounts that contain user name, password and other auxiliary information are stored in the Windows NT registry, precisely in the SAM (Security Account Manager) file. That file is located on the hard disk in the folder windows\system32\config. The windows stands for the path to your Windows folder. For example
22. generated hashes. [Screenshot: Password generator options dialog (initial charset, passwords to generate, minimal and maximal password length).] If you want to create a PWDUMP file with a specific number of randomly generated passwords, use the multiple hash generator. In the new hash dialog, select the minimum and maximum length, character range and the total number of the hashes to be generated. [Screenshot: Dictionary to hash generator dialog (source word list, destination PWDUMP file, options: generate LM hash, generate NTLM hash, maximal number of lines in the output PWDUMP file).] With the dictionary to hash generator, you can easily create PWDUMP file out of a given word list. This tool has a number of additional options here. For example, you can limit the number of output hash items or create PWDUMP file for NTLM hashes only. 2.6.5 Rainbow Tables Generator. Rainbow tables are special search tables used for reversing cryptographic One-Way Functions and cracking plaintext passwords derived from the hash functions. An example of such hashes would be a user password LM or NTLM hashes in the Windows OS. Windows Password Recovery h
23. Table of contents (excerpt):
    2.8.2.3 Fingerprint attack
    2.8.2.4 Brute-force attack (exhaustive search)
    2.8.2.5 Dictionary attack
    2.8.2.6 Mask attack
    2.8.2.7 Base-word attack
    2.8.2.8 Combined dictionary attack
    2.8.2.9 Pass-phrase attack
    2.8.2.10 Rainbow tables attack
    2.8.2.11 Hybrid dictionary attack
    2.8.2.12 Online recovery
    2.8.2.13 Passcape table attack
    2.8.2.14 Batch attack
    2.8.2.15 GPU Brute-force attack
    2.8.2.16 GPU Fingerprint attack
    2.8.2.17 GPU Mask attack
    2.8.2.18 GPU Dictionary attack
    2.8.2.19 GPU Hybrid dictionary attack
    2.9 View menu
24. [Screenshot: Asterisks Revealer window (status, mouse position, password available, window title, revealed password).] Dialog text: Drag the magnifying glass over the passwords. If the program is able to reveal the passwords, they will be shown here. Please note: some programs are not supported by WPR, e.g. Opera, Firefox, some applications written in Java, etc. Check to set this window topmost. This tool allows you to recover passwords hidden behind asterisks. It is often helpful when you need to quickly recall a password and don't have the necessary recovery tools handy. In order to get the password visible, you have to drag the magic magnifier from the WPR window to the field with asterisks (***). This method works both for Windows controls and Internet Explorer windows. It has a number of restrictions though: Some applications have their own GUI, and therefore Asterisks Revealer may be unable to interact with such applications. Those include Opera, Mozilla Firefox, etc. Some websites have a built-in protection which hides either the garbage or the actual asterisks behind the asterisk characters (asterisks hidden behind asterisks). In some Windows system dialogs, asterisks also hide the character and not the real password. To ensure the proper operation of this tool, you are to have the administrator privileges. 2.7.3 Offline Password Remover. A helpful plug-in for removing and modifying passwords directly in the SAM registry file or in
25. [Screenshot: Startup Key dialog. Options: Password Startup (requires a password to be entered during system start); System Generated Password, with either "Store Startup Key on Floppy Disk" (requires a floppy disk to be inserted during system start) or storing the key as part of the operating system (no interaction is required during system start).]
In some cases it can be configured otherwise, to be either stored on a boot disk or derived from the user password when the OS starts. One way or the other, the plugin supports all types of SYSKEY encryption.
Data stored in secrets is crucial for the operation of the entire system. Therefore, LSA secrets are stored in two copies: current (active) and previous (former). Modifying a secret places its current copy to the former one and replaces it with the new, modified secret. The plugin has an option for showing both active and former secrets.
[Screenshot: LSA Secrets Dumper, "Select secrets of an external PC", Step 2 of 3. "LSA secrets reside in Windows registry. Please provide SECURITY and SYSTEM binary registry files here in order to continue." Fields: SECURITY, SYSTEM. Option: Show expired and out-of-date secrets.]
3. The last step of the Wizard decrypts secrets and shows them as a list. To sh
26. NTDS.DIT. For example, to regain access to a locked system, you do not necessarily have to recover the Windows logon password. Instead, you can just copy the SAM and SYSTEM registry files from the unbootable system, use this plug-in to remove the password for the account or clear the lockup flag, and copy the files back. The password remover plug-in is designed as a wizard and consists of 4 steps.
1. On the first step, select the password source. That could be either a SAM file for the regular accounts or NTDS.DIT for removing passwords in a domain.
[Screenshot: Offline Password Remover, "Select the type of password you want to reset", Step 1 of 4. "This powerful utility allows you to reset or change a password for any Windows account of any external, even non-bootable, operating system. Select what kind of password you want to reset: SAM (regular user account) or Active Directory one (for domain users)." Options: SAM (regular user account); Active Directory (domain user account).]
2. On the second step of the wizard, specify the path to the SAM or NTDS.DIT file and to the SYSTEM registry file. By default, NTDS.DIT is located in c:\windows\ntds. Registry files reside in c:\windows\system32\config.
27. and set his own password mutation rules. The rule definition syntax is compatible with some other password recovery software.
Online recovery, developed by Passcape Software, searches passwords in Internet databases. It deals fairly well with simple and frequently used passwords. Its drawback is pretty low operating speed and poor suitability for handling large hash lists.
Passcape rainbow table attack, developed by Passcape Software. It's the next generation of regular pre-calculated tables. Passcape table attack is most suitable for the recovery of complex passwords of literally unlimited length.
Batch attack, developed in Passcape Software, creates a list (batch) of attacks to be run one by one, so that you could launch all those attacks with a single mouse click instead of configuring each of them individually.
GPU brute-force attack is fully identical to simple brute force, except that it uses the video card instead of the CPU to guess passwords. The GPU device to run the attack on should be set in General Options.
GPU fingerprint attack works exactly the same way the simple fingerprint attack does but uses GPU power.
GPU mask attack. This password recovery method is fully identical to the regular mask attack, except that the password guessing is processed by the graphics card of your PC; thus the recovery speed is much higher
28. [Screenshot: Windows Vault Explorer, "Select Master Key location", Step 2 of 6. "Master Key is used in Vault to decrypt its primary encryption key, while the primary encryption key is used to decrypt Vault's credentials. User Master Key file is located at the %APPDATA%\Microsoft\Protect\%SID% folder, where %APPDATA% is the user application data directory and %SID% is the textual SID of the user. SYSTEM Master Key should be located in the following folder: %WINDIR%\System32\Microsoft\Protect." Fields: Master Key file, CREDHIST file.]
Once a certain Vault folder is selected, you need to specify the path to the Master Key used in the protection of the Vault encryption keys. The user's Master Key always resides in the folder %APPDATA%\Microsoft\Protect\%SID%, and the system account's Master Keys are stored in %SYSTEMDIR%\Microsoft\Protect. It must be noted that there could be a number of Master Keys, while a specific object could be decrypted using only one key, the name of which is stored in the Policy.vpol file. When searching for the Master Key, the program can filter out unnecessary names.
Decrypting Master Key
[Screenshot: Windows Vault Explorer, "Decoded structure of the Master Key", Step 3 of 6.] You should specify SID logon password and SA
29. a mask, just provide a basic word. The program will take care of the rest. The phrase attack is based upon the experience of social engineering to generate a great number of possible combinations of the given password.
Combined dictionary attack, developed by Passcape, is used to find compound passwords, for example "nothingtodo" or "I give up". It is very similar to the dictionary attack, except that instead of using a single word for password verification it uses a combination of words created by combining words from several dictionaries. You can create your own password generation rules.
Phrase attack, developed by Passcape, is very efficient against complex passwords. The idea of it is to guess the right password by searching through frequently used phrases and combinations. You can download pass-phrase wordlists and dictionaries from our site only.
Rainbow attack, developed by Philippe Oechslin. It is a time-memory tradeoff used in recovering the plaintext password from hashes. This attack is quite a fast and effective tool for auditing Windows hashes.
Fingerprint attack, developed by Passcape (original idea by Atom). The attack parses the input wordlist to generate so-called fingerprints used to recover the password. The attack is quite effective in finding difficult passwords for a big list of hashes or for password history hashes.
Hybrid dictionary attack is like a simple dictionary attack but allows the user to customize word mutation
30. analyzing and editing LSA secrets. The plugin's wizard-driven user interface is quite simple and consists of just three steps.
1. First, select the type of secrets you are going to deal with. These can be secrets of the local system where the application is running or secrets of an external PC.
[Screenshot: LSA Secrets Dumper, "Select Windows LSA secrets location", Step 1 of 3. "LSA Secrets Dumper is a small tool to display and edit LSA secrets stored in the registry of the current or external PC. LSA secrets may store Windows logon passwords in plaintext. Select what kind of secrets you want to view: LSA secrets of your local computer or external PC." Options: LSA secrets of your local computer; LSA secrets of an external PC.]
2. When selecting secrets of an external PC, you need to specify the path to two registry files: SYSTEM and SECURITY. The SECURITY file contains encrypted secrets, and SYSTEM is necessary for decrypting those. You can find out more on encrypting secrets in our article. Please note that encrypting secrets involves SYSKEY. By default, SYSKEY is configured in such a way that it can be extracted from the registry; that is what SYSTEM is for.
31. and currently is not supported by the software.
<GUID>.vsch: Vault schema that contains data description, flags and other system information.
<GUID>.vcrd: Vault credential that stores the original encrypted data associated with a certain schema. The data may consist of, and normally consists of, several fields. Description of the fields is stored in <GUID>.vsch.
Windows Vault Explorer
Windows Vault Explorer is a utility for offline analyzing and decrypting Vault credentials. The decryption Wizard splits the entire process into the following steps:
1. Looking for Vault folder
2. Looking for user's or system's Master Key
3. Setting registry files and other information necessary for decrypting the Master Key
4. Selecting Vault Schema
5. Looking for Vault records belonging to selected schema
6. Decrypting selected Vault credential
Looking for Vault folder
[Screenshot: Windows Vault Explorer, Step 1 of 6. "Vault explorer is a tool to view, decrypt and analyse private data stored in Windows Vault. There are 2 types of Windows Vault: user and system. Typical location for the User Vault is C:\Users\<USER>\AppData\Local\Microsoft\Vault\<GUID>. The System vault stores its data in C:\Windows\System32\Config\systemprofile\AppData\Local\Microsoft\Vault\<GUID>."]
32. bank respectively, creating tables may require significant time and resources.
- Using dictionaries with long words or phrases is discouraged due to the above-mentioned reason.
- Rainbow table attack consumes a great deal of resources; the footprint bank must fully fit the computer's RAM.
Passcape rainbow table attack settings
Passcape rainbow table attack settings are rather trivial. Specify one or several .prt tables, which should reside in the same directory as the footprint bank (.prti file). Since this attack consumes more RAM than the attack that uses simple rainbow tables, it is recommended to limit the amount of RAM that can be consumed by adjusting the respective option.
[Screenshot: Passcape rainbow table attack options. Tabs: Passcape LM rainbow tables list, Passcape NT rainbow tables list. "Passcape rainbow attack is a smart implementation of the Time-Memory Trade-Off password auditing method. But unlike simple rainbow tables, Passcape rainbow attack can recover long (up to 64 characters) and complicated passwords. You should be aware that, due to the nature of the attack, not all passwords can be recovered, depending on the initial wordlist used to create the tables and table generation options. You should set NTLM-specific tables here." Columns: Table name, Table size, Cha
33. base word attack will rescue you. With this tool, the program will attempt to recover the original password, trying all possible combinations founded upon 15 groups of rules (over 150 rules in total). If you enter slowdriver in the field, you will see that the program has generated several thousands of different combinations upon this phrase, and one of those combinations could match our password.
[Screenshot: Base word attack options. "Base word attack is effective if you know a part of the original password. Type a word or a phrase the password may consist of. For example, you know that your password was formed on the phrase 'slowdriver'. Type this phrase and start the attack. The program will try all possible combinations to scan for the real password based upon this word. In our example, the program will generate thousands of mutated words and will be able to find freaked passwords like SlowDriver, Slowdriver123, SLoWDRiVer, S10wDr1v3r, etc." Fields: Base word of the password (secretlife), Input wordlist, Mutation level (Strong, very slow), Dictionary generator, Dictionary size.]
If the length of the input phrase exceeds 8-10 characters, the mutation may take significant time. If you remember the original password precisely and simply have forgotten the sequence of the upper-case and lower-case
34. characters in it, you can select the option "Mutate character case only". With this option selected, the program will generate passwords with all possible combinations of upper-case and lower-case characters, 2^n passwords in total, where n is the password length. For example, for the password slowdriver the program will generate 2^10 = 1024 different combinations for each keyboard layout installed on your computer. You can also generate a dictionary on those mutations and save it on a disk (not available in all editions). Note: if your password length exceeds 15-16 characters, it may take quite some time to prepare (mutate) the password for the attack.
In Windows Password Recovery version 9.5, the Base word recovery was split into 2 modes: single input word and many input words. The multiple input words mode acts like the Dictionary attack with maximal mutations set on but generates many more passwords, even if the mutation level of the Base word attack is set to Weak, which may be useful in a certain situation.
2.8.2.8 Combined dictionary attack
Combined dictionary attack, developed by Passcape Software, is great at recovering passwords that consist of 2, 3 and even 4 words. This type of attack on difficult and compound passwords is very similar to the simple dictionary attack, except that instead of using a single word for password verification, here we use a combination of words or a phrase created by combining words from specified dictionaries. To
35. checked passwords for one call to GPU kernel will be 256 * ThreadBlocks * PasswordsPerThread. In our case, 256 * 256 * 1000 = 65,536,000 passwords per one call to GPU.
2. The number of passwords to be searched in a single GPU thread. The greater the value, the lower the overhead associated with launching threads and the higher the search speed. However, setting too great a value may hang the computer, make your GPU unresponsive, or cause significant fluctuations in the current search speed displayed on the attack status tab. This is caused by the fact that task completion time on the GPU exceeds the time required for refreshing the current state of the attack.
Be careful when setting heavy rules like aN, iN, oN, etc. These rules may increase the number of generated passwords by a hundred times and hang up your system or make your GPU device unresponsive.
2.9 View menu
The View menu enables or disables the auxiliary elements of the interface, changes the interface language, minimizes the application to the tray, or runs it in the invisible mode.
2.10 Themes menu
You can select here one of the themes you've liked or create your own theme.
2.11 Help menu
In this section of the menu, you can access the help articles on using the software, visit the program's home on the Web, check availability of updates, submit a bug report, register your copy of Win
36. combinations of 1 to 5 characters in the end of words.
- Frequent combinations: the 20 most frequently used combinations of 4 to 8 characters.
[Chart: Password popularity (all passwords). Password list: lemons.txt. Passwords processed: 188,280. Axes: Password, Password count.]
2.5.6 Group information
This section is aimed mainly at analyzing various information about Active Directory groups and aliases. Some reports, however, can be used to display statistics of a local PC by reading information from the SAM registry file. The following reports are available here:
- Last 10 created groups: 10 recently created group accounts.
- Last 10 changed groups: 10 recently changed group accounts.
- Group types: This report shows different t
37. [Screenshot: Additional options. Look in HTML header; Look in HTML body; Type of link: HREFs; Output wordlist format: ASCII text file.]
The configuration options for this tool consist of two groups. In the first group, you should set a path to the initial folder where the HTML files are located and select a file parsing method, namely:
- Parse files in the specified folder only. If this option is not set, the program recursively analyzes all the sub-folders and files inside them.
- Index all files.
- Index files with certain extensions only.
- Index all files except certain extensions.
By default, the tool checks .htm and .html files only.
The additional options group allows you to set the type of links as well as where to look for them:
- Look in HTML header.
- Look in HTML body.
- Look for links in the HREF tag, the SRC tag, or in both tags.
Clicking the Next > button launches the search, which may take considerable time. Once the operation is completed and the found links are saved to disk, consider sorting them to get rid of duplicates.
2.7 Utils menu
The Utilities menu consists of additional add-ons aimed mainly at advanced users.
2.7.1 Backup system files
The registry backup tool allows you to easily create a backup copy of your Windows registry, even if the registry file is locked by the operating system. You can s
38. [Screenshot: Hybrid dictionary attack options, Super-rules tab. "Super-rules to be automatically appended or prepended to every line of common rules. A super-rule is a rule or several rules to be applied over the top of all other regular ones, before or after them. If you set a HEAD super-rule, it is prepended to every line from the given .ini file. If you set a TAIL super-rule, it will be automatically appended to every line of common rules." Fields: HEAD super-rule (applied BEFORE every line of common rules); TAIL super-rule (applied AFTER every line of common rules).]
The Dictionary generator tab is designed for generating dictionaries obtained from an attack. Further on, those dictionaries could be used, for example, in other applications. To generate a dictionary, specify a source dictionary and a set of mutation rules for it. The size of a target file may exceed 2 GB. Be careful: the dictionary generation process may take considerable time.
[Screenshot: Hybrid dictionary attack options. Tabs: Dictionaries, Rules, Super-rules, Dictionary generator, Online dictionaries. "Passwords which were generated by this attack can easily be saved to file. Therefore, you can create your own dictionary and use it in another program. Be caref
39. graphics card in the General Options menu.
[Screenshot: GPU fingerprint attack options. "You can edit GPU-specific settings here. The Thread blocks option sets the number of GPU blocks to be run simultaneously (in most cases each block incorporates 256 GPU threads), while Passwords per thread sets the number of passwords to verify from within a single GPU thread." Fields: Thread blocks, Passwords per thread.]
GPU configuration is pretty simple and consists of only two parts:
1. Setting the number of parallel graphics card blocks where passwords would be searched. Typically, each block consists of 256 threads. Thus, if you set the number of blocks to 256, the GPU will run 256 * 256 = 65536 threads. The total number of checked passwords for one call to GPU kernel will be 256 * ThreadBlocks * PasswordsPerThread. In our case, 256 * 256 * 1000 = 65,536,000 passwords. Setting the ThreadBlocks parameter smaller than 256 on modern graphics cards in the majority of cases leads to performance degradation.
2. Setting the number of passwords to be searched from a single thread. The greater the value, the lower the overhead associated with launching threads and the higher the search speed. However, setting too great a value may hang the computer or cause significan
40. have a marker that specifies the version; therefore, if the LST file is unreadable, you may have to manually replace all the field delimiters with the TAB.
- .winpsw files created by WinPassword from good old LastBit. Supports all versions of WINPSW beginning with v6.
- SamInside project files (.hashes). This format is similar to text PWDUMP, but it is more flexible and uses the 0x7f character instead of colon, which is more reasonable.
- PasswordPro project files (.hashes). This format is similar to text PWDUMP except several changes. It is used by PasswordsPro product.
- Passcape Universal Configuration Files (.puc). This container is used in Reset Windows Password software and can contain several different dumps.
- Plain hashes. Raw hashes in plain text format, 32 or 16 characters on a line.
After importing hashes, the program automatically marks all the LM or NT hashes and launches the preliminary attack. This action is optional and can be disabled in the general settings. This option is enabled by default.
Importing hashes from system restore folders
[Screenshot: Import Wizard, "Import from system restore folders". "Select a hard disk from the drop-down list. The program will scan the disk for all available system restore folders. You should then select one to import data from. Note: this feature is applicable for SAM hashes only."]
41. increase order time up to several hours. Important: when completing the order form, please double-check that your e-mail address is correct. If it is not, we'll be unable to send you the registration code.
To complete the registration:
[Screenshot: Help menu. Items: Passcape Online, Product Home Page, Check for Updates, Send a Feedback, Recommend to Your Friend, Report a Bug, Purchase Online.]
Open the registration message and copy the registration code to the Windows clipboard. Run the program and select Help, Enter Registration Code. Type in your registration name and paste the code here. Click the Register button to confirm.
[Screenshot: "Please enter your registration code". Fields: Your name, Registration code. "Enter your registration code exactly as given to you in the registration e-mail. If you experience any problems during the registration process, please refer to the program's manual." Button: Register.]
4.3 Limitation of unregistered version
An unregistered version of Windows Password Recovery shows only the first 3 characters of recovered passwords and has some functional limitations. The registered version of the program eliminates all restrictions. Please refer to this page to view restrictions of a certain edition of the program.
4.4 Editions of the program
42. last stored point is automatically erased when changes are made to the attack's options.
2.3.3 Stop
Pauses current attack.
2.4 Edit menu
The Edit menu is available only when the Hashes tab is active; it includes four items: Edit, Copy, Select and Search.
2.4.1 Edit
[Screenshot: "Changing properties for HelpAssistant". Fields: User name, RID, LM hash, NT hash, Description.]
Selecting this item opens the dialog where you can manually edit the following fields for the selected account: user name, user RID, LM and NT hashes, plus the comment to the account.
2.4.2 Add
[Screenshot: Add dialog. "It is obligatory to set a name, RID and LM/NT hash." Fields: User name, RID, LM hash, NT hash, Description. "Or type in a string in PWDUMP format here." Buttons: Add, Cancel.]
This item allows adding items manually. It allows entering PWDUMP-like strings.
2.4.3 Delete
Deletes entries from the list: highlighted (i.e. the one under the cursor), marked, or all at once.
2.4.4 Reset passwords
Drops all found passwords for the list.
2.4.5 Copy
Copies current hig
43. length of the passwords to be searched. Please note that for attacking LM hashes the maximum password length should not exceed 7 characters. You can also set a starting password, from which the search would start.
Below is a table that shows password strength depending on the password length and complexity, assuming that the recovery speed is 100M passwords per second.
Character set | Password length | Password example | Time to crack (exhaustive brute-force search)
A-Z | 5 | CRUEL | Instantly
A-Z | 6 | SECRET | 3s
A-Z | 7 | MONSTER | 1m 23s
A-Z | 8 | COOLGIRL | 36m 11s
A-Z, 0-9 | 5 | COOL3 | Instantly
A-Z, 0-9 | 6 | BANG13 | 22s
A-Z, 0-9 | 7 | POKEROO | 13m 26s
A-Z, 0-9 | 8 | LETMEBE4 | 8h 3m 37s
2.8.2.5 Dictionary attack
In contrast with a brute-force attack, where all possibilities are searched through exhaustively, a dictionary attack only tries possibilities which are most likely to succeed, typically derived from a wordlist or a dictionary. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short, single words in a dictionary, or are simple variations that are easy to predict.
[Screenshot: Dictionary attack options. Tabs: Dictionaries, Filters, Mutations, Dictionary generator, Online dictionaries.] First you need to set
44. logon.
0x00800000: The user password has expired.
0x01000000: The account is enabled for delegation. Enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.
0x04000000: The object is a read-only domain controller (RODC).
2.7.4.4 SAM Explorer
SAM Explorer allows you to view, analyze and edit the properties and statistics of Windows user accounts. SAM, which is short for Security Account Manager, is an RPC server which manages the Windows accounts database and stores passwords and private user data, groups the logical structure of accounts, configures security policy (e.g. password or account lockout policy), gathers statistics (last logon time, logon count, failed logon attempt count, etc.) and controls access to the database. The SAM database is stored in the registry, in the key HKEY_LOCAL_MACHINE\SAM\SAM, which is inaccessible to anyone except the system, even to administrators. On the physical level, the SAM database is a binary registry file with the respective name, located in %WINDIR%\System32\Config, where %WINDIR% is the Windows installation folder.
In the beginning, the Wizard prompts you to select the type of the SAM database: local or external. Please note: if you select a local database, for safety reasons the editor will not be available and the database will open in the read-only mode.
45. national keyboard layout.
- Complex keyboard attack is the same as the previous 2 attacks, for compound keyboard patterns.
- Passcape Password Prediction attack is the most complicated and state-of-the-art password prediction tool.
- Attack on name-based passwords.
- Attack on hex passwords, e.g. 7A49F3.
- Attack on passwords based on numbers as words.
- Search for non-standard symbols and short passwords that were created using non-standard UNICODE symbols.
2.8.2.2 Artificial intelligence attack
Artificial Intelligence Attack is a new type of attack developed in our company. It is based upon a social engineering method and has never been implemented in password recovery applications yet. This one is mostly used when the hashes are imported from the local computer. The intellectual attack scans the local computer, indexes and creates the list of found words and passwords, analyzes them, produces the user's preferences upon the results of the analysis, performs the mutation of the found words and, based on all that, attempts to recover the passwords. This attack allows almost instant recovery of certain passwords encrypted with hash functions, without resort to time-consuming and costly computations.
The basic idea behind the Artificial Intelligence attack is that an average user very often chooses similar words and word combinations or follows the same
46. or more of the following values:
0x00000001: Logon script is executed for the account.
0x00000002: The account is disabled.
0x00000008: Home directory is required.
0x00000010: The account is currently locked out.
0x00000020: No password is required.
0x00000040: The user cannot change the password.
0x00000080: The cleartext password is to be persisted.
0x00000100: This is an account for users whose primary account is in another domain.
0x00000200: This is a default account type that represents a typical user.
0x00000800: Trust account for a system domain that trusts other domains.
0x00001000: This is a computer account for a computer that is a member of this domain.
0x00002000: This is a computer account for a system backup domain controller that is a member of this domain.
0x00010000: The password for this account will never expire.
0x00020000: This is an MNS logon account.
0x00040000: The user must log on using a smart card.
0x00080000: The account under which a service runs is trusted for Kerberos delegation.
0x00100000: The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
0x00200000: Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
0x00400000: This account does not require Kerberos pre-authentication for
47. password. If this field is disabled, it means that the password for that account is already empty. The same applies to the advanced option for unlocking locked or disabled user accounts.
[Screenshot: Offline Password Remover, "Reset user password and properties", Step 4 of 4. "Enter a new password for the selected account or set the input field empty to reset the password. Pay special attention to the additional option. Windows will decline your password if the account is locked or disabled." Fields: User account, SAM/AD path, User name, User ID, Account description.]
Don't forget to save your SAM or NTDS.DIT files before making the final changes to them.
2.7.4 Forensic tools
2.7.4.1 LSA Secrets Dumper
LSA secrets is a special protected storage for important data used by the Local Security Authority (LSA) in Windows. LSA is designed for managing a system's local security policy, auditing, authenticating, logging users on to the system, and storing private data. Users' and system's sensitive data is stored in secrets. Access to all secret data is available to the system only. However, as shown below, some programs, in particular Windows Password Recovery, allow overriding this restriction.
Windows Password Recovery plugin for handling LSA secrets is a small tool for viewing
48. password generation rule when creating one's passwords. With that in mind, we could attempt to figure that rule out and pick the original password.
[Screenshot: Artificial Intelligence attack options. "Use the power of Artificial Intelligence to guess passwords quickly. The Artificial Intelligence attack has proven itself to be most effective when searching for Windows passwords, provided that the search is performed on the original system. The best attack settings by the speed/quality ratio are: Password mutation: normal; Indexation level: normal. It is highly recommended to close all other applications before launching the attack." Options: Index files (search passwords by indexing files, mailboxes, browser configurations, MRU items, etc.), with Password mutation level and Word indexation level; Index sectors on a drive (search passwords by scanning physical sectors on a drive), with Drive and Word indexation level.]
Although this sounds somewhat abstract, in reality the attack clearly splits into four successive steps:
1. Initiating the collection of private data. Here the password retrieval and indexation module comes into action; it looks for all passwords available and hidden in the system that were entered by the user at any moment of time. Those include network access passwords, ICQ, email, FTP, Windows account passwords, server passwords, LSA Secrets, etc.
2. Lau
49. patient. [Screenshot: Import Wizard, Import hashes from a remote host, with the fields Remote host, Share resource, User name, Password, the options "Dump password history hashes" and "Scan system for plaintext passwords", and the buttons Load credentials and Save credentials.] Import hashes from a remote host. The program has means for dumping hashes from a remote host without employing third-party utilities. This does not compromise the remote system, as it still requires supplying the credentials for the remote host user. Dumping from a remote host works as follows. First, enter the remote host name in the Remote Host field. You can use the button to browse the network. Once you have selected the remote host, set up a shared resource allowed for both reading and writing, through which the data will be transmitted. Usually that is either C$ or ADMIN$. Here, too, you can take advantage of the browse button to the right of the edit box. Next, in the two fields at the bottom, type in the remote host account name and the password. The Save Credentials button saves current settings. Respectively, the Load Credentials button allows loading existing settings, so that you don't have to enter them manually every time you need them. The password is stored in the encrypted form. This import option also requires administrative privileges on the target PC. You may however exper
50. project text files. [Screenshot: Import Wizard. Dialog text: Select a proper format and a file you want to import hashes from. Fields: File format, File name.] Finally, you can load the hashes to your project by importing them from other applications. The software supports the following formats: PWDUMP: despite many disadvantages, this is a de facto standard format for storing password hashes. Important note: this format does not fully support national characters. Therefore some user names or comments may not display correctly. Windows Password Recovery also supports textual PWDUMP files in UNICODE. L0phtCrack (.lcs): this file format is used by the L0phtCrack software. The program supports all versions of LCS files, beginning with v4. Project files (.hdt), which are used by Proactive Password Auditor (used to be PWSEX) from ElcomSoft. Also supports all versions of the format, beginning with v3. .hsh files, which are exported by Proactive System Password Recovery from the same notorious company. Hash lists (.lst) created by Cain & Abel. Windows Password Recovery supports .lst files beginning with v4.9.12. The earlier versions of LST files used the delimiter instead of TAB. Unfortunately the LST file does not
51. reports [Screenshot: main window with the Password Risk Status report, the Project and Hashes task panes, and the application log.] 2.5.1 Password reports. The following reports are available here: Password risk status: displays empty, found and not recovered passwords. Password complexity: reports the number of passwords and various character sets being audited. Password length distribution: shows overall length of the broken passwords. Password uniqueness: this report shows uniqu
52. s Master Keys. Check user's password without dumping hashes from SAM or NTDS.DIT. Decrypt history hashes of all passwords entered earlier, without using SAM or NTDS.DIT. 2.7.4.5.1 Decrypt DPAPI blob. The decryption of DPAPI blobs consists of four steps of the wizard. Select DPAPI-encrypted blob file. [Screenshot: DPAPI offline decoder, "Select DPAPI blob location", Step 1/4. Dialog text: DPAPI blob is an opaque data structure that holds encrypted data. Many system components (such as Encrypting File System, Wireless connection wizard, Windows Credentials Manager, CardSpace, etc.) and popular applications (such as Internet Explorer, Windows Mail, Outlook, Skype, Google Talk) use DPAPI to securely store their secrets, passwords and sensitive data in DPAPI blobs. You can extract DPAPI blobs using the blob search utility. Fields: DPAPI blob file, Windows dir.] On the first step, specify the path to the DPAPI blob and Windows directory. It must be said that actual DPAPI objects may be stored in different locations of the operating system (for example, in individual XML files, in the registry, in Active Directory) and in different formats: binary, ASCII, UNICODE. There is a special tool for locating, extracting and saving DPAPI blobs to files. With that utility, for exam
53. set itself. Additional: the Windows Password Recovery distribution kit comes with extended sets of password mutation rules: hybrid_rules\english_words.ini contains basic rules for English passwords; hybrid_rules\nonenglish_words.ini holds common rules for non-English passwords; hybrid_rules\simple_dates.ini has a lot of rules with dates, months, seasons, etc.; hybrid_rules\l33t.ini has rules to freak words based on the leet dictionary. For example, password -> p wOrd. Looking for a convenient way to handle as many passwords as possible? Download the full set of more than 180000 sorted and duplicate-free rules. 2.8.2.12 Online recovery. Online recovery, developed by Passcape Software, finds passwords using Internet search engine servers. It deals fairly well with short and frequently used passwords. Among its drawbacks are low operating speed and poor suitability for handling large hash lists. Online recovery has been developed by Passcape Software and is an improved online password finder. To find passwords, the program consecutively submits a special search request for each hash to a search engine, then downloads the password files found and analyzes their contents. Online recovery is relatively slow; therefore it is appropriate for small hash lists. In addition, the passwords found are usually limited to simple vocabulary and sh
54. target PC and open the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system. Then create the DWORD value LocalAccountTokenFilterPolicy and set it to one (1). So you will be able to connect to the admin share. 2.2.1.3 Import hashes from binary files. [Screenshot: Import Wizard, "Import from registry or Active Directory files". Dialog text: It is highly recommended that you supply the program with SECURITY and SOFTWARE registry files as well. This will allow recovering plaintext passwords to certain accounts. Options: Import regular accounts from SAM registry file (SAM, SYSTEM); Import domain accounts from Active Directory ntds.dit file (NTDS.DIT, SYSTEM); Load history hashes; Load hashes of machine accounts; Look for plaintext passwords, if any.] Import hashes from binary files. Windows Password Recovery can extract password hashes directly from binary files, even those that are currently used by the system (i.e. locked). Normally, password hashes are stored in the registry file SAM, which resides in the WINDOWS\System32\Config folder. The same folder contains the SYSTEM registry, which i
55. text passwords for the system accounts, searching for start-up passwords, and an extra step when the program analyzes some of the uncovered accounts, passwords to which can also be recovered from the system; for example, for the HomeGroupUser account in Windows 7. While disabling the last 2 options is not desired, as they allow relatively painless and quick recovery of the complete passwords to some of the system's accounts, the password history dump is the complete opposite: disabling it is often very useful. For example, when the number of passwords to be imported exceeds hundreds of thousands or even millions. On the other hand, the program has the power of artificial intelligence, so if during an attack it finds one of the history passwords, it will make every effort to recover the remaining passwords by analyzing the user's preferences for the recovered password. One of the latest versions of the program can also dump user history hashes from the DPAPI CREDHIST file. So setting the option is recommended now. The local import functionality requires administrative privileges. 2.2.1.2 Import hashes from remote computer. [Screenshot: Import Wizard, "Import hashes from remote computer".] Note: Dumping remote hashes may take quite some time to complete, up to several hours for servers with many user accounts. Please be
56. the entropy data and show the program path to the file. [Screenshot: "Additional parameters required for successful data decryption", with the fields User SID, User logon password, SYSKEY, SECURITY, Entropy file (optional).] At least two parameters must be set in order to decrypt user's Master Key: user's logon password and his security identifier (SID), which is normally specified in the path to the Master Key or flashed in CREDHIST. One way or the other, Windows Password Recovery calculates user's SID automatically. To decrypt a system's Master Key, as it has been said already, setting a password doesn't make sense, as the program retrieves all data necessary for the recovery from two registry files: SYSTEM and SECURITY. If additional entropy was used when creating the DPAPI blob, you must manually create the binary entropy file and specify the path to it. For example, when encrypting Internet Explorer passwords, the UNICODE-formatted website name is used as entropy. It is curious that Windows 2000 has a critical vulnerability which allows decrypting any DPAPI blob on a standalone PC without necessarily specifying user's logon password, i.e. all the data protected with DPAPI are actually vulnerable. This is a major fault in the implementation of DPAPI, which is known to Microsoft; however, other operating systems do not have this drawback. If the CRYPTPROTECT_LOCAL_MACHINE flag was set in the CryptProtec
57. up at least one good dictionary for successful recovery. In contrast with a bruteforce attack, where all possibilities are searched through exhaustively, a dictionary attack only tries possibilities which are most likely to succeed, typically derived from a wordlist or a dictionary. The program comes with a short English wordlist. For complete list of dictionaries, check out our Wordlist Collection, please. [Screenshot: Dictionaries tab, with the columns Dictionary name, Dictionary size, Strings, Full path and the buttons Add, Add folder, Remove.] On the Dictionaries tab, set up the list of dictionaries to be used in the attack. Supported are plain-text dictionaries in the formats ASCII, UNICODE and UTF8, as well as encrypted/compressed dictionaries in the native PCD format developed in Passcape Software. ZIP and RAR packed wordlists are supported as well, with some restrictions. To deactivate a dictionary, simply clear the checkbox by its name. In this case the dictionary, although it remains on the list, will be skipped during an attack. The software comes with a 360000-word dictionary. For complete list of dictionaries, check out our wordlist collection, please. Or you can use our online dictionaries as an alternative. The Filters tab filters the words fr
58. value of the password. How is that, you may ask? Very easy. There are special cryptographic password wrapper algorithms that work one way only. That's why sometimes they are referred to as OWF, one-way functions. Roughly, you can get the hash from a password, but there's no way to get the password from a hash. How does it work in Windows? When creating an account, user enters the original password, which, however, is not stored as plain text; instead it is hashed with an OWF function. The password hash returned by the function will be stored in the system. Further on, when attempting to log on, the system will prompt user for the password; it hashes the password again and then compares the generated hash with the original one that is stored in the system. If the two values match, the passwords, naturally, match too. Thus, the original text password is not stored in the system. Moreover, there are new algorithms out there that do not even store hash, and the number of such algorithms keeps growing. An algorithm of such kind, for example, is used for encrypting passwords in Internet Explorer 7-8. You can learn more about it in our article. Q: How do passwords become encrypted? A: For hashing user passwords, Windows NT uses two algorithms: LM, which we have inherited from Lan Manager networks, which is based on a simple DES conversion
59. with wordlists (create, sort, convert, etc.). Addon modules for forensics and researchers: LSA secrets editor, domain cached credentials viewer, Active Directory and SAM explorers, DPAPI offline decoder. Advanced password reports. Program's interface. 2.1 Overview. The program's interface is made in the form of the SDI architecture, i.e. it allows working with only one project at a time. The program's operation can be conventionally divided into 4 stages: 1. Creating a project. 2. Importing (loading) password hashes to the project. Editing the hashes: deleting, adding, selecting, etc. 3. Recovering the hashes. Includes selecting, configuring and launching the selected one or several attacks. 4. Analyzing the results. The entire interface can be conventionally divided into several components: Menu Bar. Information Bar: for displaying brief information texts like tips, warnings, etc. Task Bar: duplicates and complements the menu bar, providing quick access to the most common operations. Consists of three parts: Project, which includes the main operations over a project, like opening, closing, creating a new project and importing hashes; Hash Editor, which duplicates the most common editing operations; Tools, which includes a clock, calendar and calculator. Main Window: bears the main burden
60. your brute force attack, you'll have to look through 217 180 147 158 variants for 1-8 symbol password. It must be used only if other attacks have failed to recover your password. [Screenshot: Brute-force attack options, "Brute-force character set". Dialog text: Bruteforce attack assumes trying all possible variations from the specified character range (set). You can select predefined character sets (e.g. Latin characters, numbers or special characters) or define your own ones. Custom character sets can be saved to disk.] The brute force attack options consist of two tabs. The first tab is for setting the range of characters to be searched. You can use the predefined sets or create your own ones. To define your own character set, select the option Custom charset. This will enable two fields for defining a custom character set: the first one for entering ASCII characters, the second one for entering non-printable characters. You can save your custom character set on disk. The program comes with several examples of user-defined character sets. On the second tab, set the minimum and maximum
61. Two additional options are used to manipulate table generation efficiency: Maximize password lookup efficiency: allows you to generate more wordprints from the source wordlist by adding numbers, keyboard and frequently used combinations. This option works well with small wordlists. Make a perfect rainbow table: as you may know, password chains in rainbow tables can merge. It means that there is a waste of information, time and disk space. This option allows you to create the so-called perfect tables, with no merged chains. Perfect tables occupy considerably less disk space and make password recovery a bit faster. However, the payoff for these advantages is a lower success rate in password recovery. To compensate for this lower success rate, you should at least double the number of password chains and increase the number of generated tables. The table generation tool supports multi-threading, so make sure to set the necessary number of concurrent threads to be run by the program prior to starting the process. 2.6.7 Wordlist tools. Rather a scant number of acceptable tools for working with specialized password dictionaries has inspired the developers of this software to create their own toolkit. With this toolkit you can easily create new and edit existing wordlists, as well as use them with any password recovery applications. 2.6.7.1 Create new wordlist by indexing files. This tool is designed for creating a new wordlist by selecting ind
62. 2 encryption key generation function. HMACAlgId: hashing algorithm identifier. CryptAlgId: encryption algorithm used. pKey: encrypted Domain Backup Key. Its decryption requires the domain controller RSA private key stored in the Active Directory database. To decrypt user's Master Key, you must know that user's logon password. From the context menu, you can check the password for that Master Key and even try to guess one using a dictionary. However, don't flatter yourself too much. While in Windows 2000 the search speed is ranged in tens and even hundreds of thousands of passwords per second, in Windows 7 the count goes by single items. See the table below (the speed is measured for a single core of an Intel Q8400 2.66 GHz CPU). Windows 2000: RC4, SHA1, 95000. Windows XP: 3DES, SHA1, 4000. Windows Vista: 3DES, SHA1, 24000. Windows 7: AES256, SHA512, 5600. 2.7.4.5.5 Dump user credentials history hashes. Due to peculiarities of DPAPI implementation, in order to guarantee the successful decryption of all DPAPI blobs, Windows must store all user's previous passwords in the system. User's password history is located in the following file: %APPDATA%\Microsoft\Protect\credhist. All user's older passwords, along with certain service data, are stored as pairs of hashes: SHA1 and NTLM. Moreover, in order to decrypt the last pair, you must kn
63. [Screenshot: Fingerprint attack options, "Fingerprint general options". Dialog text: Fingerprint attack uses an input dictionary to generate all possible variations for complicated passwords. Once a password is found, it is then used in further identification of more complicated passwords. The attack is very effective if all additional mutation options are set on. Field: Initial dictionary. Additional mutation options: Use Passcape Password Prediction engine to generate additional source passwords; Use keyboard and frequently used sequences; Use dates; Use numbers and common sequences; Use extra word mutations (time expensive); Maximize efficiency when generating fingerprints; Loop until no more passwords are found.] Here is the way to generate fingerprints: first, break each word from the source dictionary into one-character passwords, then into 2-character, etc. For instance, break the source word crazy into one-character fingerprints. We get: c, r, a, z, y. Now two-character: cr, ra, az, zy. Next, three-character: cra, raz, azy. And finally, four-character: craz, razy.
64. Rule; Example; Input; Output; Description
7 AX; 13 21; password; 123password; Insert character X at the beginning of the word
OX; Os; password; paword; Remove all characters X from the word
IX: Reject (skip) the word if it contains at least one character X
IX: Reject (skip) the word if it does not contain character X
X: Reject (skip) the word if the first character is not X
Xx: Reject (skip) the word if the last character is not X
eX; e@; mike@yahoo.com; mike; Extract a substring starting at position 0 and ending before the first occurrence of the X character (do nothing if X is not found)
EX; E@; mike@yahoo.com; yahoo.com; Extract a substring starting right after the first found X character and till the end of the string (do nothing if X is not found)
%MX: Reject (skip) the word if it does not contain at least M instances of the character X
XY; 15; password; possward; Swap characters at positions X and Y
zN X: Reject (skip) the word if the character at position N is not equal to the X
iNX; i4a i5b i6c; password; passabcword; Insert the character X in position N
ON X; 04 05; password; pass rd; Overwrite a character in position N with the character X
sXY; ss so0; password; pa wOrd; Replace all characters X with Y
XN M; x4Z; password; word; Extract a substring of up to M characters length, starting from position N
INX r10 r google google com Insert the charac
65. Additional operations; 2.6.7.8 Index HDD sensitive areas; 2.6.7.9 Extract; 2.7; 2.7.1 Backup system files; 2.7.2 Asterisk Password Revealer; 2.7.3 Offline Password Remover; 2.7.4 Forensic tools; 2.7.4.1 LSA Secrets Dumper; 2.7.4.2 Domain Cached Credentials Explorer; 2.7.4.3 Active Directory Explorer; 2.7.4.4 SAM Explorer; 2.7.4.5 DPAPI tools; 2.7.4.5.1 Decrypt DPAPI blob; 2.7.4.5.2 Analyse DPAPI blob; 2.7.4.5.3 Search DPAPI blobs; 2.7.4.5.4 Master Key analysis; 2.7.4.5.5 Dump user credentials history hashes; 2.7.4.5.6 Analyse credential history; 2.7.4.6 Windows Vault Explorer; 2.8; 2.8.1 General settings; 2.8.1.1 General options; 2.8.1.2 Attack options; 2.8.1.3; 2.8.1.4 GPU settings; 2.8.1.5 Sound notifications; 2.8.2 Attack settings; 2.8.2.1 Preliminary attack; 2.8.2.2 Artificial Intelligence attack
66. [Screenshot: SAM Explorer, "Selecting SAM registry source", Step 1/4. Dialog text: SAM Explorer can help you investigate both public and private properties of any regular user account, as well as some attributes and internal structure of your Security Account Manager database. Options: SAM database of the local computer; SAM database of an external PC.] If you select the SAM database on an external computer, on the second step of the Wizard specify the path to the SAM and SYSTEM registries. By default, both the files are located in C:\Windows\System32\Config. Keep in mind that Windows can providently store copies of the registry files in the backup folders, such as C:\Windows\Repair or C:\Windows\Config\RegBack. [Screenshot: SAM Explorer, "Show path to SAM and SYSTEM registry files". Dialog text: Show the path to your SAM and SYSTEM registry files here. Normally the files reside in the C:\Windows\System32\Config directory, C:\Windows\Repair or C:\Windows\System32\Config\RegBack folders. Fields: SAM, SYSTEM.] On the third step, move on to selecting the account you need to get the attributes for. Select the user and then click Next. Windo
67. Analyse credential history. CREDHIST is a password history file made out as a chain, where each link represents user's older password hashes. Each time user changes the password, the old password hash is appended to the file and encrypted with a new password. Therefore, to decrypt all the hashes in a chain, you must know user's current password. Along with hashes, the chains store other service data, which is also analyzed by this utility. Select CREDHIST file. [Screenshot: DPAPI credentials history analysis, "Select credentials history (CREDHIST) file location", Step 1/2. Dialog text: CREDHIST is a key ing file that keeps all previous user password hashes. Every time a user changes his or her password, the old password hash is added at the end of this file and then encrypted by the new password. Thus, to decrypt the hashes, you'll have to know the current password of the user. CREDHIST file is located at the %APPDATA%\Microsoft\Protect folder. For example, Windows XP: C:\Documents and Settings\Adminstrator\Application Data\Microsoft\Protect; Windows 7: C:\Users\John\AppData\Roaming\Microsoft\Protect. Fields: CREDHIST file, Windows dir.] And proceed to analyzing its cont
68. D RAR and ZIP format. The position of the files on the list can be altered. For example, you may want to move smaller dictionaries up the list, or the other way. During the attack, they will be used one after another, according to their position on the list. [Screenshot: Hybrid dictionary attack options, with the tabs Dictionaries, Rules, Super-rules, Dictionary generator, Online dictionaries. Dialog text: Hybrid attack is similar to mutation dictionary attack, except that user should set his own word mutation rules. Set up at least one wordlist here in order to continue. Columns: Dictionary name, Dictionary size, Strings, Full path.] On the Rules tab, define at least one file with password mutation rules. The format of the rules file is quite trivial: it is a plain-text ASCII file with the Rules string. Anything above this string is considered as comments and ig
69. Master Key file is a binary structure which consists of a service header and four slots, namely: the actual user's Master Key; local encryption key for unprotecting local backup key; local backup key in Windows 2000 or CREDHIST GUID in Windows XP and higher; and domain backup key. The Master Key structure list consists of attribute names, i.e. binary fields, and the values that correspond to them. Each section is uniquely colored: field with header attributes; slot with user's Master Key attributes; slot with Local Encryption Key attributes; slot with Local Backup Key or CREDHIST file's GUID attribute; slot with Domain Backup Key attributes. Now a little more detail. Header attributes: dwVersion: Master Key file version. szGuid: Master Key textual GUID. It normally matches the file name. dwPolicy: various flags. For example, if bit 3 is set, the program uses the SHA1 password hash when decrypting user's password; otherwise it uses MD4. Thus, in Windows 2000 this bit is always cleared. A set bit 2 tells us that backup is required for the Master Key. User's Master Key attributes: dwUserKeySize: current slot length. dwVersion: data structure version. Version 1 implements only attribute with salt
70. EFS certificates, WiFi, MSN, Outlook, Internet Explorer, Skype credentials, etc. User Master Key file is located at the %APPDATA%\Microsoft\Protect\%SID% folder, where %APPDATA% is the user application data directory and %SID% is the textual SID of the user. However, SYSTEM Master Key may be located at the following folder: %WINDIR%\System32\Microsoft\Protect. [Screenshot: "Select Master Key file", with the fields Master Key file, User SID, Windows dir.] All of that user's Master Keys are located in %APPDATA%\Microsoft\Protect\%SID%. For example: C:\Users\John\AppData\Roaming\Microsoft\Protect\S-1-5-21-2897849034-3956381361-16091305341-1001\23ab9bc1-9397-4cb1-ab74-7166ed6a8713. The system's Master Keys are stored in the %SYSTEMDIR%\Microsoft\Protect folder. Analyzing Master Key. [Screenshot: DPAPI user Master Key analysis, "Decoded structure of the Master Key". Dialog text: The list below contains decoded entries of the MasterKey file. Right-click the list to display the context menu. You can use a simple wordlist to bruteforce the initial logon password the Master Key is protected by.]
71. GPU dictionary force. Often, when creating passwords, users add certain symbols in the beginning, end or even middle of the word. To recover passwords of this specific kind, we have come up with a GPU-based dictionary attack. GPU Hybrid dictionary attack: the same as a simple Hybrid dictionary attack, but much faster because it uses GPU. 3.2 Attack comparison table. Which attack is the best? How do you choose the attack? The answers to these questions should be found in the attack comparison table.
Columns: Attack; Description; Time required; Guaranteed; Pros; Contras; Limitations.
Preliminary. Description: A set of light and speedy mini attacks for finding simple, short or common combinations. Time required: A couple of minutes. Guaranteed: No. Pros: Great quick find tool for quick recovery of common simple short passwords, keyboard combinations, repetitive sequences, etc. Good for finding weak passwords quickly; doesn't require additional settings. Contras: Practically useless for serious analysis when recovering the majority of complex passwords. Limitations: Finds mainly simple passwords.
Artificial Intelligence. Description: The most advanced way of recovering passwords based on the. Time required: Min 2-3 minutes, Max over an hou. Guaranteed: No. Pros: The best tool for finding complex passwords which other methods cannot cope with. Works. Contras: During the most efficient analysis, when all the options are set to the. Limitations: Efficient only
72. Just type in a sample input word and the rule to be tested. [Screenshot: Rule tester, with the fields Input word, Hybrid rule, Output word.] Rules description for the hybrid dictionary attack. Several rules at a line are allowed to be set. Rules (if any) are processed from the left to the right. Maximal line length is limited to 256 characters. Maximal output word length is limited to 256 characters. White space is ignored as long as it is not used as a parameter. A line started with character considered as a comment. All text before the Rules line is considered as comment. N and M always start at 0. For values greater than 9 use A..Z (A=10, B=11, etc.). The following rules should be at the last position of a line: aN iN C i C oN C o C iZ C oZ C. Don't change the names of the standard rule files. Some ones are used by the program. iN C i C oN C o C iZ C oZ C rules use the following predefined charsets (you can use custom character sets though): digits: 0123456789; loweralpha: abcdefghijklmnopqrstuvwxyz; upperalpha: ABCDEFGHIJKLMNOPQRSTUVWXYZ; alpha: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ; special: Ku595 & 2 0; loweralphanumeric: abcdefghijklmnopqrstuvwxyz0123456789; upperalphanumeric: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789; alphanumeric: abcdefghijklmnopqrstuvwxy
73. M registry file here in order to proceed with the user Vault decryption. However, system-encrypted Vaults require machine credentials. In this case, you'll have to provide a path to the SYSTEM and SECURITY registry files. Additional parameters required for successful data decryption: User SID: S-1-5-18; User logon password; SAM: C M Windows 8 Windows System32 config sam; SYSTEM: E:\Windows\System32\config\SYSTEM; SECURITY: E:\Windows\System32\config\SECURITY; Entropy file (optional).
To decrypt a user's Master Key, you need to provide at least two parameters: the user's logon password and his security identifier (SID), which is normally included in the path to the Master Key. The program finds the user's SID automatically. If that hasn't been done for whatever reason, set it up manually. To decrypt the system's Master Key, we don't need to specify the password; the program will extract all the necessary information from the two registry files: SYSTEM and SECURITY. In some cases, the decryption of the Master Key requires specifying the path to the SAM registry file. That's the case only when the account of the data owner in Windows 8 has the LiveID type. Windows Password Recovery, starting with version 9.7, utilizes some vulnerabilities in DPAPI Master Key encryption. Thus, to decrypt ANY Vault entry of a domain user, the owner logon password is not needed any longer. Selecting Vault Schema
74. NEN Windows Password Recovery User manual Copyright c 2010 2015 Passcape Software All rights reserved Passcape Software Table contents 1 Introduction 5 1 1 About the program ini ios 6 1 2 Features and benefits rra is 6 2 Program s interface 8 2 1 ATT AA M MP 9 2 2 drei ze muri RE 10 2 2 1 Import 5 ibas 10 2 214 Import local hashes sica id eite eir Aaa Ere enn eR 11 2 2 1 2 Import hashes from remote computer ccccscsessesecssssesecsesesseceesesaecsseseesesaessesessescssessesssaesseecsseaeeecaeeeseess 12 2 2 1 3 Import hashes from binary filas inse ete a d e ORE E ERE CUT eves 13 2 2 1 4 Import From project textil iii eds 14 2 2 1 5 Importing hashes from system restore folders essen eene nor nnnno noo nn sintesi inane sri 15 2 2 2 EXDOFE dolore tette i eem hie eve vo ede ee vus A eee tue 16 2 2 3 NGW essi hie ere O T ipm v 16 2 2 4 ON e12 16 2 2 5 Savers E A REI Ae M LE S MN E 16 2 2 6 SENECA REGERE a in dadas 16 2 2 7 CIOS ERES 16 2 3 Recovery MON vcccccsacssecescccccdasaccvevassscccdssacseesucccscccssacsvesassesccdssasseedasccscccusuccvevasascsccscassvedasues 16 2 3 1 O 16 2 3 2 COMUN ER 17 2 3 3 O re 17 2 4 TN 17 2 4 1 NAO 17 2 4 2 Add eot eee rette Ies poeti de fete tre ee ee teet O 18 2 4 3 Delete eese edited vae aet Rd ens 18 2 4 4 Reset pass Word Sis tia A ada 18 2 4 5 CO dd
75. Credentials history dumper. Dump DPAPI credentials history hashes. To decrypt all of a user's previous hashes stored in CREDHIST, you should know the current password of the user, i.e. the last password he/she set. However, a partial dump (for example, if you know one of the previous passwords) is also allowed. Decrypted hashes can be saved either in SHA1 or NTLM (PWDUMP-compatible) format. Statistics: CREDHIST key chains: 2; CREDHIST GUID: 93c85eSc 130e 4ede 9063 576492e41a 1d. Dump options: Dump SHA1 hashes; Dump NTLM hashes (PWDUMP-compatible output). Decryption password: Use password of the currently logged on user.
It is important to know that in order to decrypt CREDHIST hashes you must know the user's current password. If you are decrypting CREDHIST of a currently logged on user, make sure to set the respective option. In this case, you will not have to enter the decryption password; it will be retrieved from the system cache. The program supports partial dump of history hashes. That means that if the user's current password is unknown but at least one of the older passwords is available, the program can decrypt the passwords the user used earlier, i.e. before that old password was entered. Be aware: in Windows 8 and higher OSes, the dumped hashes for LiveID accounts do not correspond to the ones derived from LiveID logon passwords. 2.7.4.5.6
76. SOFTWARE or have permission from the legitimate owner to perform these acts. Any illegal use of our SOFTWARE will be solely your responsibility. Accordingly, you affirm that you have the legal right to access all data, information and files that have been hidden. You further attest that the recovered data, passwords and/or files will not be used for any illegal purpose. Be aware: password recovery and the subsequent data decryption of unauthorized or otherwise illegally obtained files may constitute theft or another wrongful action and may result in your civil and/or criminal prosecution. All rights not expressly granted here are reserved by Passcape Software.
4.2 Registration
The software is available in three editions: Light, Standard and Advanced. The detailed list of features is shown here. You can order a fully registered version of Windows Password Recovery at a cost of 65 for Light Edition (personal usage), 345 for Standard Edition (personal usage) or 895 for Advanced Edition (business license). Detailed instructions for all kinds of orders are available online at the WPR order page. Online orders are fulfilled in just a few minutes, 24 hours a day, 7 days a week. If you purchase our products online, you will receive an automatically generated e-mail message with registration details within several minutes, if the order passes the fraud check system. However, some orders can be marked for manual checkout or as suspicious. This may
77. 2.2.1 Import
Windows Password Recovery offers a broad range of options for loading hashes, depending on your capabilities. There are 5 major ways to import hashes to the program.
2.2.1.1 Import local hashes
[Import Wizard dialog. Note: You can also dump password hashes from SAM and SYSTEM registry files of the current computer. Just switch to the Binary files section and select … Options: Scan system fast for plaintext passwords; Retrieve plaintext password of the currently logged on users.]
Import hashes from the local computer: the most preferable method, as it implies the deepest overall analysis of the system and the passwords. Besides that, the hashes that are imported from the local computer can undergo the sophisticated Intelligent attack, which allows you to recover the passwords to some accounts relatively quickly. Importing local hashes runs well regardless of where the hashes are located: in SAM or in Active Directory. This item has two additional options: dumping password history hashes and searching for plain-text passwords that are stored in the system. The very process of searching for plain-text passwords is divided into 4 steps and consists of the actual searching for the passwords that are stored in the system using the reverse encryption, searching for the
78. DPAPI blob analysis. Decoded structure of the DPAPI blob: The list below contains decoded data of the DPAPI blob file. Right-click the list to display the context menu. [Screenshot: list of decoded DPAPI blob fields]
A DPAPI blob is a binary data structure which consists of the following consecutive attributes:
dwVersion: data structure version. Current data version: 1.
guidDefaultProvider: data encryption provider used in encryption function calls; ensures compatibility of versions and organizes simple cryptological primitives. For example, you can set Blowfish or RC5 as a block cipher. Currently, Windows has the following default crypto provider: df9d8cd0-1501-11d1-8c7a-00c04fc297eb, which corresponds with the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb.
guidMasterKey: GUID of the Master Key the data is encrypted with. To decrypt data within a DPAPI blob, first of all you must decrypt the Master Key with the name set in the binar
79. Rule U, example U: my own -> My Own; password -> Password. Capitalize all words delimited with space (upper-case the first character and every character after a space).
Rule V, example V: password -> PaSSWoRD. Vowels elite.
Rule v, example v: password -> pASSWoRD. Vowels noelite.
N 4: password -> pass. Truncate the word to N character(s) length.
N 1 een ene: Increment character at position N by 1 (ASCII value).
N 0 E eer: Decrement character at position N by 1.
N 4 See eee: Replace character at position N with character at position N 1.
QN 1 TENTE: Replace character at position N with character at position N 1. Where N
N N EA: skip the word if it is greater than N characters long.
Rule >N: Reject (skip) the word if it is less than N characters long.
Rule aN: Check all possible symbol cases for the word. N is a maximal length of the word to apply this rule for.
Rule DN, example D2D2: password -> paword. Delete the character at position N.
Rule pN, example p3: key -> keykeykey. Copy word N times.
Rule TN, example T1T5: password -> pAsswOrd. Toggle case of the character at position N.
Rule yN, example y3: password -> paspasword. Duplicate first N characters.
Rule YN, example Y3: password -> paswordord. Duplicate last N characters.
Rule zN, example z3: password -> ppppassword. Duplicate the first character of the word N times.
Rule ZN, example Z3: password -> passwordddd. Duplicate the last character of the word N times.
X 0 0: password -> password00. Add character X to the end of the word.
80. U thread. Read more about GPU brute force attack. Thread blocks: 25600. Passwords per thread: Automatic.
GPU configuration consists of only 1 parameter: the number of thread blocks to run on GPU. Each block consists of 256 threads. Thus, if you set the number of blocks to 25600, the GPU will run 25600 * 256 = 6553600 threads. Each GPU thread can check multiple passwords. The total number of checked passwords greatly depends on other options. Setting the ThreadBlocks parameter smaller than 10000 on modern graphics cards in the majority of cases leads to poor performance. To avoid performance degradation, after setting up the parameter and running the attack, make sure the GPU load chart shows a flat line close to 100%, without peaks (see the screenshot below). [Screenshot: GeForce GTX 750 Ti temperature and usage]
2.8.2.16 GPU Fingerprint attack
Fingerprint attack is a brand new tool for recovering complex passwords which could not be decrypted in a common way. The idea of the attack is that here, to recover a password, we take neither individual words from the source dictionary, like in the Dictionary attack, nor even word combinations, like in the Combined attack, but so-called fingerprints. So every word from the source dictionary is used for generating several fingerprints. If some password is found during the attack, it particip
81. Windows\System32\Config\SAM. The system has priority access to the SAM file, so access to the file is denied to anyone, even administrators, while the system is loaded; nevertheless, Windows Password Recovery bypasses that restriction with ease. Besides that, of great interest for a potential attacker would be the backup of the SAM.SAV file and the compressed archived copy of SAM in the folder Windows\Repair. Another way to access the SAM file is to launch a special program from a boot disk and then copy the file. Anyway, you need physical access to the computer with password hashes. User passwords, or, to be accurate, hashes, are additionally encrypted with the SYSKEY utility, which stores its service data in the SYSTEM registry file. Thus, to extract hashes from SAM, you would also need the SYSTEM file, which is located in the same folder as SAM.
Active Directory: Domain accounts are stored in the Active Directory database. Usually, the Active Directory database is located in the file Windows\ntds\NTDS.DIT; it is the core of Active Directory. The way user hashes are encrypted here is a bit different from that in SAM, but the recovery would also require the SYSTEM file. Access to the database is also under the system's complete control; however, unlike SAM, the ntds.dit database is resistant to modifications from the outside.
Q: If everything is so easy, why not simply deny access to SAM or Active Directory to all users? A: That's the way it's don
82. Y M a d Y
Rule RNMY, example R40b: password -> passord. Remove character at position N if character at position M is not Y.
Rule iN C, example i0 digits: password -> 0password, 1password, ..., 9password. Insert a character from a charset C into position N of the word. Where C should be either a predefined charset name or a custom character set itself.
Rule iZ C, example iZ digits: password -> password0, password1, ..., password9. Insert a character from a charset C into last position of the word. Where C should be either a predefined charset name or a custom character set itself.
Rule i C, example i special: input password. Insert a character from a charset C into every position of the word. Where C should be either a predefined charset name or a custom character set itself.
Rule oN C, example o1 upperalpha: password -> pAssword, pBssword, ..., pZssword. Overwrite a character at position N with a character taken from a charset C. Where C should be either a predefined charset name or a custom character set itself.
Rule oZ C, example oZ upperalpha: password -> passworA, passworB, ..., passworZ. Overwrite a character at last position with a character taken from a charset C. Where C should be either a predefined charset name or a custom character set itself.
Rule o C: input password. Overwrite a character at every position of the word with a character taken from a charset C. Where C should be either a predefined charset name or a custom character
83. ables are the next logical development of simple pre-calculated tables. They are most suitable for the recovery of meaningful combinations and complex passwords of literally unlimited length.
The original method of simple rainbow tables: The operating principle of simple rainbow tables consists of setting a character range (for example, a-z) and maximum password length, followed by the calculation of all the possible variants and the generation of millions of chains. Each chain is calculated by the formula:
P0 -> hash(P0) -> H1 -> R(H1) -> P1 -> hash(P1) -> H2 -> R(H2) -> P2 ...
where P is a password, hash is the hashing function, and R is the reduction function.
Thus, from the original password, the hashing function produces a hash, which the reduction function then converts into the next password, and the process repeats all over again and generates chains. Each chain stores only the original and final value. Storing only the first and the last hash is a compromise that saves memory at the cost of time spent on cryptanalysis. To recover a sought password, it undergoes hashing and the reduction function and is then looked up in the table. For that purpose, a key chain is generated beginning with R(Hn) up until the maximum chain length. If Hn is obtained with the password used when creating the table, we finally get the key that matches the key of the respective chain. This last key was saved in the table along wit
84. account. NTHash (16): NTLM password hash associated with the user account. NTLMHistoryHas (0): NTLM password history hashes of the user account. LMHistoryHashes (0): LM password history hashes of the user account. UserHint (10): User hint displayed during unsuccessful logon.
Description of SAM account attributes:
DataRevision: 32-bit unsigned integer that stores the version of the data structure. It is divided into 2 WORDs: version major and version minor.
LastLogon: A 64-bit value, equivalent to a FILETIME, indicating the time at which the account last logged on.
LastLogoff: A 64-bit value, equivalent to a FILETIME, indicating the time at which the account last logged off.
PasswordLastSet: A 64-bit value, equivalent to a FILETIME, indicating the time at which a password was last updated.
AccountExpires: A 64-bit value, equivalent to a FILETIME, indicating the time at which an account is no longer permitted to log on.
LastBadPasswordTime: A 64-bit value, equivalent to a FILETIME, indicating the time at which an account last tried to log on unsuccessfully.
UserID: A 32-bit unsigned integer representing the RID of the acc
85. acter considered as a comment.
- All text before the Rules line is considered as comment.
- N and M always start at 0. For values greater than 9 use A-Z (A = 10, B = 11, etc.).
- The following rules should be at the last position of a line: aN, iN C, i C, oN C, o C, iZ C, oZ C.
- Don't change the names of the standard rule files. Some of them are used by the program.
The iN C, i C, oN C, o C, iZ C, oZ C rules use the following predefined charsets (you can use custom character sets, though):
digits: 0123456789
loweralpha: abcdefghijklmnopqrstuvwxyz
upperalpha: ABCDEFGHIJKLMNOPQRSTUVWXYZ
alpha: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
special: Ku595 amp 2 0
loweralphanumeric: abcdefghijklmnopqrstuvwxyz0123456789
upperalphanumeric: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
alphanumeric: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
printable: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 amp _ f y lt gt
Rules (table columns: Rule; Example; Input; Output; Description):
password -> password. Do nothing to the input word.
password -> asswordp. Rotate the word left.
password -> dpasswor. Rotate the word right.
password -> assword. Delete the first character.
password -> passwor. Delete the last character.
Rule c, example c: password -> Password. Capit
86. against Onlya small password phrases its length and specifying the right character set to be searched character set incorrect password length or incorrect known portion of the source password is specified Requires to specific dictionaries know in does not take into advance that account peculiarities the password of non English being passwords endings searched for suffixes etc Witha consists of two large source or more dictionary the attack words may take considerable time relatively slow Same as the previousSame as the attack Requires setting additional previous attack mutation rules for the mutations passwords to be require generated considerable time Mutation for long Does not passwords over 16 always work characters maytake some time Does not take percentage of users into account use pass phrases as peculiarities of passwords Phrase the language mutation is imperfect limited choice the mutation and analysis take of mutations Difficulty in the excerpts from songs books Windows Password Recovery considerable time creation of Insufficient number of specialized Copyright c 2010 2015 Passcape Software All rights reserved Working with the program Rainbow tables Fingerprint Hybrid dictionary Online recovery etc Uses precalculated tables relevant dictionaries dictionaries in particular with non
87. al level adds 2 digits prepend the end of the word 2Password PASSWORD3 Head and tail Almost the same as previous one Password but appends or prepends words password12345 abbreviations characters keyboard 4everPASSWORD combinations etc Passwordqwerty Windows Password Recovery Copyright c 2010 2015 Passcape Software All rights reserved Program s interface Group name Description Creates different combinations using leet language 133t Converts several character combinations if the initial word contains any into abbreviations Abbreviation Dups and reversRevers duplicates the word etc Vowels and Mutates vowels and consonants consonants English characters only Character skip Skips a single character of the original word Character swap Exchanges two adjacent characters Character Duplicates characters duplicate Delimiters Separates characters with delimiters Dates Adds dates to the end of the word Oem convertion Converts English word into another language and vice versa using Examples for word Comments password p ssword P wOrd P WORD ihateyou gt ih8you Ih8u drowssap passwordpassword PasswordDrowssap Psswrd PaSSWoRD pAsswOrd assword Passwrd Pasword apssword Passowrd ppasword ppaasswwoorrdd Passworddddd p a s s w o r d P a s Maximal level uses 10 S w o r d delimiters Password2010 Even though the mutation password1980 engi
88. al plus more mutations and national passwords according to the installed keyboard layouts, if any.
Ultra light: this is a 2-step mutation, because every password generated in Weak mode goes through the second mutation round (the one used in Weak mode of the simple dictionary attack).
Ultra normal: 2-step mutation. Every password generated in Normal mode is used as a source to generate additional combinations by implementing an additional Normal mutation level.
Ultra hard: every password generated in Strong mode is used as a source to generate additional combinations by using an additional Strong mutation level.
Be careful! Ultra modes generate a great number of passwords, thus the attack may run extremely slowly. To speed up the attack, consider setting up input phrase limits. For example, you can limit input phrases to 10 words and 100 characters.
Dictionary generator
[Pass-phrase attack options tabs: Phrase dictionaries, Phrase mutation, Dictionary generator, Online dictionaries.] Passwords generated by this attack can easily be saved to a file. So you can create your own dictionary and use it in another program. Be careful: dictionary creation may take quite some time, depending on the source. Read more about pass-phrase attack. Dictionary size: unknown.
The third tab is used for creating pass phr
89. alize d
Rule C, example C: password -> pASSWORD. Anti-capitalize (lowercase the first character, uppercase the rest).
Rule d, example d: password -> passwordpassword. Duplicate word.
Rule f, example f: password -> passworddrowssap. Reflect word.
Rule k, example k: password -> зфыыцщкв; gfhjkm -> пароль. Convert word using alternative (first after default) keyboard layout. The rule works in both directions. For example, if there's a Russian keyboard layout installed previously in the system, the rule should convert the word password to Russian зфыыцщкв and the Russian word пароль to gfhjkm. This is very helpful when looking for non-English passwords. If only one language is installed in the system, the rule does nothing.
Rule K, example K: password -> passwodr. Swap last two characters.
password -> password. Convert all characters to lowercase.
Rule q, example q: password -> ppaasssswwoorrdd. Duplicate all symbols.
Rule r, example r: password -> drowssap. Reverse word.
Rule t, example t: PassWord -> pASSwORD. Toggle case of all characters.
Rule u, example u: password -> PASSWORD. Convert all characters to uppercase.
Rule U, example U: my own -> My Own; password -> Password. Capitalize all words delimited with space (upper-case the first character and every character after a space).
Rule V, example V: password -> PaSSWoRD. Vowels elite.
Rule v, example v: password -> pASSWoRD. Vowels noelite.
N 4: password -> pass. Truncate the word to N character(s) length.
N 1 een ene: Increment character
90. all to GPU. Each block consists of either 128 or 256 threads. Thus, if you set the number of blocks to 10000, the GPU will run 10000 * 256 = 2560000 threads for one call to the GPU kernel. Each GPU thread can check multiple passwords. The total number of checked passwords depends greatly on other options. Setting the ThreadBlocks parameter smaller than 10000 in the majority of cases leads to poor performance. To avoid performance degradation, after setting up the parameter and running the attack, make sure the GPU load chart shows a flat line close to 100%, without peaks (see the screenshot of an NVidia GTX 750Ti running with 15000 blocks). [Screenshot: GeForce GTX 750 Ti temperature and usage]
2.8.2.18 GPU Dictionary force Attack
Oftentimes, when creating passwords, users add certain characters in the beginning, end or even middle of the word. To recover passwords of this specific kind, we have come up with a GPU-based dictionary attack, which is something between a simple dictionary attack and a brute-force attack. This attack works as follows:
- Reads the first word from the dictionary.
- According to the defined character set and the minimum/maximum length of the search range, generates all the possible variants.
- Those variants (characters) are then added to the beginning, end or middle of the word. The position within the word where the gener
91. and aphorisms.
Phrase dictionaries
[Pass-phrase attack options tabs: Phrase dictionaries, Phrase mutation, Dictionary generator, Online dictionaries. Pass phrase dictionaries list: The main idea of the pass-phrase attack developed by Passcape is to guess the right password by searching through predefined frequently used expressions, phrases and word combinations. Similar to the simple dictionary attack, from the source dictionary we sequentially take a phrase and attempt to match with the … Read about Passcape Wordlist Collection. List columns: Dictionary name; Dictionary size; Phrases; Full path. Entry: phrases.pcd; 73372 9 286; E:\Program Files\Passcape\WPR\dic\phrases.pcd.]
The password phrase attack options almost completely repeat the simple dictionary attack options: here you also select one or several dictionaries for the phrase source, it also allows loading additional dictionaries from the Passcape website, and it has the same way of setting phrase mutation rules (creating alternative options).
Phrase mutation
Weak mutation is normally justified in only one case: for increasing the attack speed or when using dictionaries of large sizes. Medium mu
92. and consists of 5 parts. The first tab is the welcome window. The second tab contains the list of hashes to be analyzed and recovered. Then there goes a tab with the current attack state (progress indicator) and a tab with the statistics and reports. And finally, a tab with the hardware monitor. Log Window displays information on the current state of the application, current operation, etc. The program's log can be copied to clipboard or saved to a file (right-clicking opens the corresponding menu). Status Bar is designed for informational purposes.
[Screenshot: Windows Password Recovery main window with an empty project]
2.2 Project menu
93. ar is upper, the rest are lower.
The number of passwords to be searched for a single word can be calculated using the following formula: passwords = R * L * K, where:
R: character range, calculated using the formula R charset length max length charset length min length 1 1.
L: positions in word. Calculated as follows: if the insertion is made in the middle of the word, L = password length - 1; then add plus one if the insertion is made to the beginning and end of the word.
K: number of options specified in the group Input word utilization.
For example, suppose the source word we have is window and the options are specified as shown on the image above, i.e. character range a-z, A-Z, 0-9, symbol14, space; insertion to all positions; conversion to lowercase and capitalizing (first letter in uppercase). Let's calculate how many passwords we are going to check for this word:
charset length = 26 + 26 + 10 + 14 + 1 = 77
R 2 77 4 77 1 35153041
L = 6 - 1 + 1 + 1 = 7
K = 2
passwords = 35153041 * 7 * 2 = 492 142 574
Online dictionaries
On the third tab you can download source wordlists for the attack. The program uses an internal wordlist (400000 words) by default. Read about Passcape online dictionaries.
94. ard combinations like qwerty, qazwsx, etc.
- National keyboard combinations attack: The same as previous, but uses national keyboard layout.
- Complex keyboard attack: Smart check of complex keyboard combinations.
- Passcape Password Prediction attack: Effective against hashes imported from local computer.
- User name mutations attack: For passwords based on user name.
- Check hex passwords: ones based on hexadecimal values.
- Numbers as words.
- Search for non-standard symbols.
The Preliminary attack runs about 10-20 minutes or even faster. It consists of at least the following sub-attacks:
- Common brute-force attack: Performs several simple brute-force attacks based on predefined character sets.
- Simple dictionary attack: Fast check of the password by verifying all words from a given dictionary.
- Extended dictionary attack: It's almost the same as above, but with some smart mutation options set on.
- Attack on repeatables: Checking passwords as a repeatable sequence of a character. E.g. 1111111 or XXXXXXX.
- Attack on simple patterns, like 123456 or qwerty.
- Attack on complex patterns: The same as above, for compound patterns.
- Keyboard attack: checks for keyboard passwords and all possible combinations. E.g. qwer, qazwsx, asdzxc, etc.
- National keyboard attack: The same as above, but checks passwords typed in
95. are searched by the graphics processing unit of your PC instead. It is no secret that the performance of modern graphics cards is an order of magnitude greater than that of CPUs; this makes them a convenient tool for heavy calculations such as password recovery. It is important to understand that calculations using graphics cards have a number of disadvantages. For example, some algorithms with a great number of conditional jumps and other checks demonstrate extremely poor performance on GPU, and in certain cases it may be even lower than on a regular CPU. Anyway, the software supports brute-force password search using GPU. You can compare the performance indicators of GPU vs. CPU calculations through the respective menu item of the application or present it visually through the Reports menu.
The configuration of the GPU brute-force attack consists of three parts:
1. Choosing a character set for the search
2. Specifying password length
3. Configuring the graphics processing unit
Choosing a character set for the search
When choosing a character set for a brute-force attack, you are normally guided by empirical considerations. For example, if the expected password consists of lower-case Latin characters and digits, it makes sense to choose the range a-z, 0-9. The smaller the character set, the sooner the attack completes. On the
96. aries Online dictionaries O00 Support SYSKEY decryption eee Support SYSKEY startup password decryption fe k b Support SYSKEY floppy decryption Custom wordlist generator tool in dictionary attack ee Generate dictionaries by mask e e w oO Generate dictionaries by given base word ee Combined dictionaries generator Pass phrase dictionary generator Fingerprint dictionaries generator Ice Create wordlists based on hybrid dictionary attack Fi Support for hybrid and indexed rti rainbow tables e b b Canrestictaccesstotheprogam e be e Password strength measurement eee Hash checker OOO Hash checker Random hash generator Ie Rainbow table generationtool eee Passcape rainbow table generation tool eo e b Dictionary to hash generator Dictionary to hash generator Backup system registry files Backup Active Directory database Asterisk password viewer tool dt Offline password remover tool O oOo der LSA secrets Dumper a d o Domain cached credentials explorer dede SAM Explorer CE i Active Directory Explorer e O o o Windows Vault Explorer ooo p p o i i indexing files Windows Password Recovery Copyright c 2010 2015 Passcape Software All rights reserved TT l l i l License and registration FEATURE Light i aan d
97. as the password lookup implementation using rainbow tables. The tables it requires can be downloaded off the Internet or created manually with the RT generation tool.

[Screenshot: "Rainbow tables generator" dialog (Create your own rainbow tables).
Table options: Algorithm lm; Min length 1; Max length 7; Index 0; Chain length 10000; Chain count 67108864; Table count 1; Charset name alpha-space; Character set ABCDEFGHIJKLMNOPQRSTUVWXYZ.
Table statistics: Key space 10862674479; Disk space 1024.00 Mb; Success rate 99.90%.
Benchmarks: Hash speed 5.13 Mp/s; Step speed 1.92 Mp/s; Table precomputation time 4d 0h 54m 17s; Total precomputation time 4d 0h 54m 17s; Max cryptanalysis time 0m 25s.
Other fields: Output folder; Threads to run 4.]

Before you start generating your own tables, it is important to properly configure the related options and find their best combination. First, select one of the two algorithms you need (LM or NTLM) and set up a proper character set that passwords will be limited to. The wider the character range is, the more passwords will be recovered in the rainbow table attack, but the more time it will take to precompute the tables, and the larger they are likely to be. Rainbow tables are used to recover passwords up to a certain length, which you should set up in the Min length and Max length fields. An LM hash in Windows consists of two 7-character halves; therefore, the maximum password length to be used when generating LM tables must n
98. ase dictionaries

2.8.2.10 Rainbow tables attack

A rainbow table is a lookup table offering a time-memory tradeoff, used in recovering the plaintext password from a password hash generated by a hash function (for example, Windows passwords). This is quite a sophisticated password audit tool. This method was developed by Philippe Oechslin for quick recovery of passwords using precalculated tables. It's enough to say that the sought password can be recovered within minutes or even seconds.

[Screenshot: rainbow attack options dialog with the tabs "LM rainbow tables options" and "NTLM rainbow tables options", showing the "LM rainbow tables list". Dialog text: "Rainbow attack is an implementation of the Faster Cryptanalytic Time-Memory Trade-Off password auditing method developed by Philippe Oechslin. Recovering complex passwords with the rainbow attack is a matter of several minutes or even seconds. You should be aware that, due to the nature of the attack, not all passwords can be recovered, although with a success probability up to 100%. You should set LM-specific tables here. Read more about Rainbow table attack." The list of loaded tables has the columns Table name, Table size, Chains, Success rate and Full path.]
99. ash pNtHash - NTLM hash.

To guess the original CREDHIST password, right-click on the attributes and then select "Use wordlist to check password" on the context menu that appears. You can validate the password for both the currently selected and all the records. The validation time increases proportionally to the number of the records (i.e. links). See the original CREDHIST password search speed comparative table. The speed is measured for a single core of an Intel Q8400 2.66GHz CPU, for default OS configurations (for example, in Windows 7 the number of iterations in PBKDF2 may differ).

Windows XP: 3DES, SHA1, 4000
Windows Vista: 3DES, SHA1, 24000
Windows 7: AES256, SHA512, 5600

2.7.4.6 Windows Vault Explorer

What is Windows Vault

Windows Vault is a protected storage for user or system secrets: passwords, network keys, web passwords and other personal information. Data stored in Windows Vault is structured and represents a set of records belonging to a certain Vault schema (see pic. below).

On the physical level, Vault is a disk-based folder with a set of the following files:
Policy.vpol - set of encryption keys for Vault records (credentials). These keys can be protected using two basic methods: either using DPAPI or using a specific user password. The latter protection method is not used in Windows 8
100. assword history of the user in LAN Manager one-way function format. The attribute is used for compatibility with LAN Manager 2.x clients, Windows 95 and Windows 98.
Nt Pwd History - The password history of the user in Windows NT OWF format.
Primary Group ID - Relative identifier (RID) for the primary group of the user. This is the Domain Users group by default.
Bad Pwd Count - Contains the number of times the user tried to log on to the account using an incorrect password.
Admin Count - Indicates that the account is a member of one of the Administrative groups (directly or transitively).
Logon Hours - The hours that the user is allowed to log on to the domain.
Last Logon - The last time the user logged on to the account.
Bad Password Time - The last time the user attempted to log on to the account with an invalid password. This value is stored as a large 8-byte integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC).
Last Logon Timestamp - This is the time that the user last logged into the domain.
Pwd Last Set - The date when the password for this account was last changed.
Account Expires - The date when the account expires. A value of 0 or 0x7FFFFFFFFFFFFFFF indicates that the account never expires.
Supplemental Credentials - Stores the encrypted version of the user's password. Used in authentication.
User Account Control - Flags that control the behavior of the user account. This value can be a combination of one
101. at position N by 1 ASCII value
Decrement character at position N by 1
Replace character at position N with character at position N 1
Replace character at position N with character at position N 1
Skip the word if it is greater than N characters long
>N - Reject (skip the word) if it is less than N characters long
aN - Check all possible symbol cases for the word. N is a maximal length of the word to apply this rule for
DN - Delete the character at position N. Example: D2D2 turns password into paword
pN - Copy word N times. Example: p3 turns key into keykeykey
TN - Toggle case of the character at position N. Example: T1T5 turns password into pAsswOrd
yN - Duplicate first N characters. Example: y3 turns password into paspassword
YN - Duplicate last N characters. Example: Y3 turns password into passwordord
zN - Duplicate the first character of the word N times. Example: z3 turns password into ppppassword
ZN - Duplicate the last character of the word N times. Example: Z3 turns password into passwordddd
Add character X to the end of the word. Example: password becomes password007
^X - Insert character X at the beginning of the word. Example: password becomes 123password
@X - Remove all characters X from the word. Example: @s turns password into paword
!X - Reject (skip the word) if it contains at least one character X
/X - Reject (skip the word) if it does not contain character X
Reject (skip the word) if the first character is not X
Reject (skip the word) if the last character is not X
eX - Extract a substring starting at position 0 and ending up before first
102. ated sequences are to be inserted can be specified at your discretion.
- Then goes next dictionary word, etc.

For example, if we specify a search character range between 0 and 9 and the range length between 1 and 2, the program will generate 100 combinations: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, ... 99. Then these sequences will be added to the beginning, middle or end of the word. Thus, for the word test, if the sequences are going to be inserted to every listed position, the program will check the following passwords:

0test, 1test, ... 99test
t0est, t1est, ... t99est
te0st, te1st, ... te99st
tes0t, tes1t, ... tes99t
test0, test1, ... test99

Total: 100 * 5 = 500 variants.

Let's take a closer look at the attack settings.

Dictionaries

On the Dictionaries tab, you can specify the list of dictionaries to be used in the attack. The program supports text wordlists in the following formats: ASCII, UNICODE, UTF8, RAR, ZIP, as well as encrypted/packed dictionaries in the native PCD format developed by our company. To deactivate a dictionary, simply clear the check box by its name. Thus, although the dictionary remains on the list, it will be ignored by the attack. The software comes with the default 400000-word dictionary. You can order the full set of dictionaries (that's over 6 GB in size) on CD or take advantage of the dictionaries available online.
103. ates in generating new fingerprints, and the attack goes another round. Using GPU computing power increases the recovery speed drastically.

Fingerprint options consist of 4 parts.

General options

Before launching the attack, specify the source dictionary to be used for creating the fingerprints. The software comes with the common.pcd dictionary optimized for this attack, but you can use yours or download one off the Internet (Online dictionaries tab). There are no particular requirements to the source wordlist except one: it must not be too large, otherwise the attack will take significant time. You can use dictionaries with national passwords if you suspect that the sought password contains characters in a national encoding.

[Screenshot: "GPU fingerprint attack options" dialog with the tabs General options, Dictionary generator, Online dictionaries and GPU settings. Dialog text under "Fingerprint general options": "Fingerprint attack uses input dictionary to generate all possible variations for complicated passwords. Once a password is found, it is then used in further identification of more complicated passwords. The attack is very effective if all additional mutation options are set on. Read more about Fingerprint attack." Fields: Initial dictionary; Additional mutation options, including "Use Passcape Password Prediction engine to generate additional source passwords" and "Use keyboard and frequently used sequences".]
104. atio of regular vs. blocked/locked accounts.
With/without password - Shows the number of accounts with blank and set passwords.
User vs. machine accounts - Ratio of user vs. system accounts.
Active vs. expired passwords - Report with statistics on accounts with active vs. expired passwords.
Regular vs. never expired passwords - Compares regular user accounts against those with the "Password never expires" flag or an unlimited password lifetime set.
Administrators vs. limited users - This report gives comparative statistics on accounts with administrative rights vs. restricted user accounts.
Account types - Shows how many machine, user, administrator, etc. accounts there are.
Account status - Displays active against disabled accounts. The same as the first report in the list, but contains no additional pane on disabled accounts.
Top 10 active users - Report on the top 10 most active OS users. The statistics are gathered from the system's internal user logon counter.
Bad password logons - Top 10 users with the highest rates in the failed logon counter.

[Chart: Top 10 Active users. John, 343 logons; __vmware_user__, 322 logons (44.8%); UpdatusUser, 53 logons (7.4%); Administrator, 1 logon (0.1%).]

Last 10 failed logons - Displays the list of user accounts that last tried to log on unsuccessfully.
Last 10 changed pass
105. ations to almost instantly and painlessly recover certain passwords.

Dictionary attack. It is the most efficient recovery method, when the program tries each word from the dictionary (or dictionaries, if there are several dictionaries) you specify until it finds the original password or until the wordlist is out of words. This method is very efficient since many people use regular words or phrases for passwords. Besides, this type of recovery is performed quite fast compared to brute-force attack, for instance. Additional dictionaries and word lists can be downloaded from our site or can be ordered on CDs.

Brute-force attack tries all possible combinations from the specified range of characters. For example, for a three-character range of lower-case Latin characters, it will check all possible combinations, starting with aaa, aab, aac and all the way through zzz. This is the slowest attack, so it is really great for short passwords.

Mask attack is a variation of the brute-force attack, except that some characters for finding the password remain unchanged, and only a portion of the password may change. A special syntax is used for setting a mask or rule for finding a password.

Base-word attack (developed by Passcape). At first glance, this type of attack resembles the one we just described. It is just as efficient if a portion of the password to be recovered is known to us. However, unlike in the previous attack, here you do not have to set
106. belongs to a certain schema (credential descriptor). If you want to enumerate credentials for another schema, step back and change the schema to one you

[Screenshot: Windows Vault Explorer, Vault credential selection step. Vault information: Vault location, Selected schema (WinBio Credential Manager Credential Schema), Selected credential (WinBio CredProv Credential). "Select a credential to decrypt" list with the fields Cred name (WinBio CredProv Credential), Last modified (September 27, 2012 15:21:41), Cred flags and Data size.]

In a similar manner, select one of the credentials of interest that belongs to the schema we have selected during the previous step.

Decrypting Vault credential

[Screenshot: Windows Vault Explorer, "View decrypted Vault credential" step. Dialog text: "The hexadecimal list below contains decoded data of the selected Vault credential. Right-click the list to display the context menu." The dialog shows the selected schema (WinBio Credential Manager Credential Schema), the credential file path and a hexadecimal dump of the decoded data.]

And at last, the final step, where you can view the decrypted record, copy it to clipboard or save to file for further analysis. The figure sh
107. bove-mentioned formats beforehand.

2.7.4.3 Active Directory Explorer

Active Directory Explorer is a small utility for viewing, analyzing and editing properties (attributes) of domain accounts, both public and private. In the beginning, select the type of the AD database you are going to work with: local or external.

[Screenshot: Active Directory Explorer, "Selecting Active Directory source", Step 1/4. Dialog text: "Active Directory Explorer can help you in viewing/investigating both public and private properties of your domain account." Options under "Active Directory location": "Active Directory of the local computer" and "Active Directory of an external PC".]

When selecting the external database, specify the path to the NTDS.DIT file and to the SYSTEM registry. The latter is required for decrypting private data. If the automatic decryption is enabled, all the encrypted attributes of an account will be decrypted on the fly. In any case, the editor allows editing both decrypted and raw data. For safety reasons, the editor mode is available for external databases only.

You should also specify what object you want to display. There are 10 types of domain objects. See the table below.

Domain object - Description
User object - An object of class user. A user object is a security principal objec
108. [Screenshot: "Pass-phrase generator" tab, next to the "Online dictionaries" tab. Dialog text under "Dictionary generator - create a pass-phrases wordlist": "Passwords generated by this attack can easily be saved to file. So you can create your own dictionary and use it in another program. Be careful, dictionary creation may take quite some time depending on the source wordlists given and creation rules set. Read more about combined dictionary attack." Fields: Dictionary size 233,401,014 strings; Generate; Statistics: Output passwords 233,401,014; Rules combinations 6; source dictionary sizes Prim1 6237 strings and sec2 6237 strings.]

The third tab of options serves for creating dictionaries based on the combined attack (not available in all editions). You can also download additional dictionary modules from the Passcape Software Web site.

2.8.2.9 Pass-phrase attack

More and more users choose to make up their pass-phrases of entire phrases: passages from poems, movie aphorisms, Latin aphorisms, etc. Attempting to recover such passwords using the traditional techniques is unthinkable, even with the advancement of the computing power of modern computers. Therefore, the recovery help comes with the predefined and known phrase attack. Pass-phrase attack is much like the simple dictionary attack, except that here the password search goes phrase by phrase instead of going w
109. characters before starting a common mutation. This is a helpful feature once you decide to add the same rule to all text lines of the selected .ini files. There's no need to modify them all. Be careful, though: the aN super-rule may increase the total number of generated passwords drastically.

[Screenshot: hybrid dictionary attack options with the tabs Dictionaries, Rules, Super-rules, Dictionary generator and Online dictionaries. Dialog text under "Super-rules to be automatically appended or prepended to every line of common rules": "Super-rule is a rule (or several rules) to be applied over the top of all other regular ones, before or after them. If you set a HEAD super-rule, it is prepended to every line from the given .ini file. If you set a TAIL super-rule, it will be automatically appended to every line of common rules. Read more about Hybrid dictionary attack." Fields: HEAD super-rule (applied BEFORE every line of common rules) and TAIL super-rule (applied AFTER every line of common rules); values shown: >6 and <G.]

The Dictionary generator tab is designed for generating dictionaries obtained from an attack. Those custom-made dictionaries could be used, for example, in other applications. To generate a dictionary, specify a source dictionary and a set of mutation rules for it. The size of a target file may exceed 2 GB ass
110. chart
- Password popularity - displays the most popular passwords and their percentage of the total number of passwords.
- Password format - statistics on the 20 most popular formats. The password format is defined by a character mask. For example, the DDUUUUDD mask corresponds to passwords consisting of two leading and two trailing digits with four capital letters in the middle. You can save popular password masks into a file, so that you can easily use them in a mask-based attack later.
- Character set exclusivity - this report displays the number of passwords consisting of one unique character set and the percentage of these passwords to those consisting of several ones.
- Character set diversity - the percentage ratio of passwords consisting of one, two or more character sets.
- Character sets - lists all charsets the input passwords are made of.
- Character set ordering - the most popular password templates corresponding to the character set order. For example, the digit-string-special template includes the following passwords: 123password 1ove and 12monkey etc.
- Character frequency - statistics on the frequency of characters in the input words. The 20 most frequent characters are displayed.
- Unique characters - the 20 least frequent characters.
- Frequently used leading characters - statistics on the most frequent combinations of 1 to 3 characters in the beginning of words.
- Frequently used trailing characters - statistics on the most frequent
111. ck one of them to see its properties. Press the Next button to proceed to the final Wizard step and view or edit the selected item's attributes.

[Screenshot: user list with account entries and an "Account properties" pane: Account locked: No; Account disabled: No; Password expired: Never; Password required: Yes; Account description: Built-in account for administering the computer/domain.]

Each attribute consists of a name and a value. For example, Common Name contains the account name, and the Unicode Pwd attribute stores its password hash. For a more detailed description of an attribute, select it on the list and then click on the link that appears in the description field. Double-clicking on the data field opens the selected attribute for editing. When done editing, right-click on the text to open the context menu and then save the changes to the ntds.dit file or discard them.

Here is the description of some account attributes. The complete description is available on the website of Microsoft.

Common Name - The name of the account.
DBCS Pwd - Contains the LAN Manager password of the account.
Unicode Pwd - The password of the user in Windows NT one-way format (OWF). Note that you cannot derive the clear password back from the OWF form of the password.
Lm Pwd History - Contains the p
112. ct files

[Screenshot: import options listing a hard disk drive (C: SYSTEM, fixed, NTFS), system backup files and the system repair folder.]

Yet another, no less helpful, option is importing hashes from the system restore folders. All you need for that is to specify the path to one of the disks. The program will automatically find the recovery folders and, if it finds the necessary files, import the hashes. The search is performed, first of all, in the system directory. Second, in the Windows Repair folder, which normally contains system registry backups. Third, in the System Volume Information folder, which is used for undoing changes made to the system. This technology has been available since Windows XP and is also known as System Restore (XP) or Shadow Copying (Vista). Be careful, though: the registry backups may contain obsolete data.

Export

All project hashes, along with the settings, are stored in the project file (.wpr); however, for the sake of greater flexibility and compatibility with other software, the program can export hashes to PWDUMP or POT files. If Export to POT is chosen, all found passwords along with the corresponding NTLM hashes will be saved to file in the following format: hash:password. The passwords are UTF8-encoded.

New
113. d by default. Now boot up from the Reset Windows Password boot disk and follow the wizard's instructions to reset the password to the account. However, resetting the password guarantees only access to the account. If you also need to regain access to EFS-encrypted files or recover other passwords (e.g. network ones), this method won't do for you.

2. Recover the original password. By the way, that can be done by that same Reset Windows Password, running the intellectual attack. However, its capabilities are limited to only weak and vulnerable passwords. For restoring the original password, it is recommended to use Windows Password Recovery. In this program, once the hashes are imported, select and launch one of the proposed attacks. If the attack did not succeed, you can alter the settings and run the attack over or replace it with another one. Read on to find out how to choose the best attack for your hashes.

Q: Where can I find word lists for dictionary attacks?
A: It is not necessary to search for them. You can download dictionaries from within Windows Password Recovery. We have a huge set of dictionaries at our Web site.

Q: How do I make my password more secure?
A: There are several ways you can secure yourself against potential attackers picking your passwords:
- Do not use dictionary words in any language, names, numb
114. d the library at https://developer.nvidia.com/nvapi

Q: My AMD GPU shows zeros in hardware monitor.
A: Install/reinstall the latest AMD drivers or the ADL component. Make sure other GPU monitoring tools (for example, ATI Catalyst) are functioning correctly.

3.7 Online dictionaries

[Screenshot: "Online dictionaries" tab, next to the Dictionaries, Filters and Mutations tabs. Dialog text under "Passcape online dictionaries": "First, the program attempts to establish a connection with the Passcape server and retrieves the list of dictionaries available for downloading. Select the dictionary you need and click the Download button to retrieve it. You can use the Ctrl or Shift buttons for multiple selection. Read about Passcape online dictionaries." The list has the columns Dictionary name, D/L size, Real size, Strings, Ratio and Group, and shows language dictionaries in .pcd format.]
115. dates

[Screenshot: additional mutation options (check boxes), including "Use numbers and common ...", "Use extra word mutations", "Maximize efficiency when generating fingerprints" and "Loop until no more passwords are found".]

Here is the way the fingerprints are generated: first, a word from the source dictionary is broken into one-character passwords, then into two-character ones, etc. For instance, the source word crazy is broken into one-character fingerprints. So we get:

c, r, a, z, y

Now into two-character:

cr, ra, az, zy

Next, three-character:

cra, raz, azy

And, finally, four-character:

craz, razy

We have got 5 + 4 + 3 + 2 = 14 fingerprints, not counting the source word.

All words from the source dictionary are broken into fingerprints. After this, all the fingerprints are dumped into a single database, naturally discarding duplicates. So we have got a database of fingerprints that is used for checking passwords by gluing the fingerprints with each other and looking for a match.

The real fingerprint generation algorithm is a bit more sophisticated. Moreover, there is an option in the attack settings, "Maximize efficiency when generating fingerprints", which maximizes the efficiency at the expense of speed by generating additional fingerprints.

Let's take a look at the remaining options.

Use PPP engine to generate additional passwords - use passwo
116. dows Password Recovery, etc.

2.12 Hardware Monitor

[Screenshot: Hardware Monitor tab. Controls: "What to show" (CPU usage), Show, Update interval (sec), "Show red alert zone". Graphs: CPU usage history (0 to 100), Memory usage history, GeForce GTX 550 Ti temperature and usage.]

On this tab you can view the current CPU load, RAM utilization, GPU temperature and load. By default, the refresh interval is set to 2 seconds. Be careful: gathering these statistics also takes CPU time; therefore, when running heavy attacks, such as brute-force, it is recommended to keep the system monitor disabled.

Working with the program

Attacking Windows hashes

Currently, the program can decrypt Windows hashes in several ways.

Preliminary attack (developed by Passcape Software) is based upon a social engineering method and consists of several sub-attacks. Preliminary attack is very fast, and it is often used for guessing simple and short passwords when there's no need to launch a fully scalable attack.

Artificial Intelligence attack is a brand new type of attack developed in our company. It is based upon a social engineering method and allows, without resort to time-consuming and costly comput
117. [Screenshot: Windows Vault Explorer, "Select Vault schema" step. Dialog text: "Every Vault consists of credentials (encrypted user data). Each credential belongs to a certain schema (credential descriptor). You should select one of available schemas to process further credentials enumeration." Vault information: Vault location, Selected schema (WinBio Credential Manager Credential Schema), Selected credential. "Select one of the schemas" list with the fields Schema name (WinBio Credential Manager Credential Schema), Schema flags, Schema version (1), Attributes, Schema GUID and Credentials.]

On the fourth step, if the previous ones passed successfully, the program prompts you to select one of the schemas belonging to our Vault from the dropdown list. Just below the list, we can see the general characteristics of the selected schema: its name, version, GUID, flags, number of attributes and credentials.

Selecting Vault credential

[Screenshot: Windows Vault Explorer, "Select Vault credential", Step 5/6. Dialog text: "Select a credential you need to decode. Every Vault consists of credentials (encrypted user data). Each credential
118. e. By default, only the system has access to those files. However, these restrictions can be easily overridden. For example, WPR can import hashes from the current (locked by the system) files SAM and AD. Besides that, the system stores hashes in the computer memory to speed up access to them, so dumping the computer's memory is also an option.

Q: I didn't quite understand it: what do I need to copy from the computer to recover the passwords?
A: If that's a regular computer, copy these files: SAM, SYSTEM (the SECURITY and SOFTWARE files are also desired). If that's a server, you will need the same files plus the ntds.dit one.

Q: How long does it take to pick the password if the LM hash is available?
A: The greatest disadvantage of the LM algorithm is that it splits the password into halves 7 characters long. If the user enters a password that is shorter than 14 characters, the program pads it with trailing zeros to get a 14-character-long string. If the user password exceeds 14 characters, the LM hash appears the same as for an empty password. Each of the 7-character halves is encrypted independently; that considerably eases and speeds up the password recovery process. Another major disadvantage of the LM hash relates to the fact that during the encryption all the alphabetic characters of the password are converted to uppercase. In other words, t
119. e. You can include any attack more than once with different options. Read more about batch attack.

[Screenshot: batch attack options. The list has the columns Attack type, Complexity and Attack properties, and contains entries such as Preliminary attack, Dictionary attack, Mask attack, Combined dictionary attack, Phrase attack and several Brute Force attacks. The properties pane of the selected Preliminary attack shows "Estimated time: instantly" and Yes/No flags for its sub-attacks: Simple brute force attack, Simple dictionary attack, Extended dictionary attack, Attack repeatable sequences, Attack simple patterns, Attack complex patterns, Attack keyboard combinations, Attack national keyboard combinations, Complex keyboard attack, Passcape Password Prediction attack and User name mutation attack.]

The batch attack options are available as a list that you can extend or cut with the respective buttons. Each attack on the list can be moved up or down with the respective buttons, and its settings can be edited. A batch can include several attacks of the same kind, but each of the attacks can have different settings. The pane to the right of the selected entry displays the properties of the selected entry: brief specifications of the attack and the estimated time the attack will take to complete.

2.8.2.15 GPU Brute-force Attack

A GPU brute-force attack is fully identical to a regular brute-force attack, except that passwords
120. e against reused passwords chart
- Top reused passwords: displays top 20 of the most popular passwords
- LM vs NT: reports the number of LM and NT hashes
- Regular vs history passwords: reports the number of common and history passwords (only for hashes imported from SAM/NTDS.DIT files, e.g. imported from a local computer)
- Password recovery time: time it took to crack a certain password(s). Most vulnerable passwords are marked in red palette.
- Recovered vs unbroken passwords: displays the number of discovered and not found passwords
- Passwords found: shows a somewhat detailed report on found passwords
[Chart: Password Length Distribution. Legend: 5 character(s) 40.0% (2); 7 character(s) 20.0% (1); 8 character(s) 20.0% (1); 10 character(s) 20.0% (1). Axes: Password count vs. Password length.]
2.5.2 Attack statistics
Attack statistics includes the following items:
- Preferred attack: statistics on number and type of used attacks
- Attack time: analysis of time spent on each attack
- Attack efficiency1: efficiency analysis (time spent vs. passwords found during attack ratio)
- Attack efficiency2: efficiency analysis (overall efficiency for each attack)
[Chart: Attack Timing. combined dictionary 1.2%; brute force 18.5%; GPU brute force 7.8%; fingerprint 72.5%.]
121. e all or some of them. Just open general settings and specify the GPU device(s) to be used by the program.
Q: What's the maximal number of GPU devices your program supports?
A: It depends on your hardware. Even though the program supports up to 255 devices, typically up to 8 devices can be installed into a motherboard with 4 PCI-E slots (4 double-GPU cards).
Q: Can I brute force passwords on devices whose performance varies a lot?
A: Yes, you can.
Q: The program cannot detect my video card. What can I do?
A: Update your video drivers. If it didn't help, try to extend your desktop to all devices (if you have more than one device). Re-plug your device into another PCI Express slot.
Q: Your application can't use all of my GPUs.
A: You will have to disable SLI in order to be able to use all devices.
Q: Can I use both NVidia and AMD devices simultaneously?
A: Yes, you can use NVidia and AMD devices simultaneously.
Q: How can I check my GPU utilization?
A: Open the Hardware Monitor tab. In the What to show drop box, choose the device you need and select Show to display it. You can then click the Start or Stop buttons to manage the hardware monitoring. The GPU monitor shows device load (utilization), temperature and fan speed.
Q: My NVidia GPU is absent in hardware monitor.
A: You should install/reinstall the NVAPI library. Downloa
122. e cracked within a couple of hours on a modern computer. NT passwords are much harder to decrypt compared to LM ones. Note: if the password is a common word or a phrase, it should always be considered weak.
[Screenshot: password strength tool. Fields: Source password, Charset length, Password type, Recovery speed (mln passwords per second), Hardware, Password quality, Time to crack. Caption: A tool for measuring password strength.]
During its first start, the program asks you to test your computer's performance. To check the quality of a password:
- Enter the password in the corresponding field.
- Select the hash type: LM or NT. Please remember that, beginning with Windows Vista, operating systems store passwords as NT hashes by default.
- Select the computer type. "This computer" indicates your computer's search speed.
- If you want to test the speed of your GPU device, select "This computer GPU" from the Hardware combo box and click the Compute button. Note that you can do it from the Reports menu as well.
The quality of your password, along with the time it would take your computer with the selected configuration to break it, will be shown at the bottom. For example, breaking any LM hash of an alphanumeric password would take about 10 minutes on a modern CPU at the search speed of over 100 mln passwords per second. The search speed on a GPU can rise by another order of magnitude. W
123. e program will try to decode all private properties automatically. Otherwise, raw undecrypted data will be shown. In any case, the editor allows modifying both decrypted and raw data.
[Screenshot: data source dialog with the Active Directory location fields (NTDS.DIT and SYSTEM), the "Decrypt private data automatically" option, and a "What to show" list: User objects, Global domain objects, Computer accounts, Domain trusts, Alias objects (aliases which are not used for authorization), Group objects (groups which are not used for authorization), Application defined groups (groups whose members are determined by a query).]
Once the data source is selected, move on to selecting accounts. Some Active Directory databases contain tens or even hundreds of thousands of domain records. Reading such large databases and completing the list of users may take some time. Selecting just one record shows brief information on it at the bottom: status, whether a password is set and whether it is expired, account description, etc.
Clicking the Next button launches the process of gathering and decrypting all available attributes for the selected object.
[Screenshot: Active Directory Explorer, step 3/4: "Select the user account whose properties you want to explore".]
The top of the page contains the list of user/group/alias items found. Cli
124. e the range of characters generated by the mask. User-defined masks can be saved to disk. You can also use the mask tool to generate a dictionary (may not be available in some editions).
The mask syntax is quite trivial and consists of static (unmodifiable) and dynamic (modifiable) characters or sets. Dynamic characters/sets always have a leading For example, if you set the mask secret d 1 100, the program will generate 100 passwords: secret1, secret2, ..., secret100. Windows Password Recovery supports the following dynamic mask sets:
- C lower case Latin characters a z, 26 symbols
- C upper case Latin characters A Z, 26 symbols
- tt full set of special characters space, total 33 symbols
- small set of special characters 8 space, 15 symbols
- all printable characters with ASCII codes of 32 127
- all ASCII characters, codes 1 through 255
- d one digit 0 9
- d x y numbers between x and y inclusive
- r x y user-defined characters with serial UNICODE codes between x and y
- r x1 y1 x2 y2 xn yn set of several non-overlapping sequences of UNICODE characters
- 1 9 a character from user-defined charset 1 9
- 1 9 min max user-defined range of variable length from min to max. You can set up to 9 of your own custom character sets.
- standalone static character
125. e would be grateful if you let us know the speed you've reached on your PC.
2.6.3 Password Checker
[Screenshot: Password Checker dialog ("Enter a password to check its hash"), status: Matched. Current password: LM hash CCF9155E3E7DB453AAD3B435B51404EE, NT hash 3DBDE697D71690A769204BEB12283678. Hashes to compare with: the same LM and NT hash values.]
This tool allows checking the password of a selected hash manually. The tool is often necessary for validating certain hashes, for example, when an LM hash for one reason or another doesn't match the password's NT hash.
2.6.4 Hash Generator
[Screenshot: Hash Generator dialog. Password: 123. LM hash and NT hash: the same values as in the Password Checker screenshot. PWDUMP string sample: Test 123 1000 CCF9155E3E7DB453AAD3B435B51]
The single hash generator allows quickly generating a test entry for a specified password and adding it to the hash list.
With this tool you can easily create a PWDUMP file with multiple randomly
126.
[Screenshot: Word list Tools, "Select what kind of browser/email passwords do you need to index". Options: passwords for popular browsers and email clients (Safari, Chrome, Opera, Mozilla Firefox, Flock, K-Meleon, Thunderbird, Internet Explorer, TheBat, Eudora, IncrediMail, Outlook Express, Outlook, Windows Mail and Windows Live Mail).]
In the second part of the configuration, select the browsers and e-mail clients whose passwords are also to be found and added to the wordlist being created. The program supports the following major web browsers: Safari, Chrome, Opera, Mozilla-based browsers (Firefox, K-Meleon, Flock, etc.), Internet Explorer. E-mail clients are represented by TheBat, Eudora, IncrediMail, Outlook Express, Outlook, Windows Mail and Windows Live Mail.
[Screenshot: Word list Tools, "Index words and passwords in HDD sensitive areas": indexing all words from email databases, messages, attachments, etc.]
Index all words stored by the following programs: TheBat mailboxes messag
127. el and indexing set to deep
3. Run a rainbow table attack if there are any tables
4. Run a Passcape rainbow table attack
5. Run dictionary attack with the mutation option disabled
6. Launch dictionary attack with the mutation option enabled; the depth of mutation depends on the amount of available time and the attack speed. When searching for passwords typed in the national keyboard layout, the depth of mutation should be set to strong
7. Select and download online dictionaries and repeat steps 5-6
8. Run Hybrid dictionary attack
9. Repeat Hybrid attack using alternative wordlists
10. Launch pass-phrase attack with the mutation option disabled
11. Launch pass-phrase attack with the mutation option enabled and set to the maximum productivity. This will allow finding even passwords typed in the national keyboard layout
12. Select and download online pass-phrase dictionaries and repeat steps 10-11
13. Launch combined dictionary attack with defined phrase generation rules
14. Select and download online dictionaries for combined attack and repeat step 13
15. Run fingerprint attack with default dictionary
16. Select and download new online dictionary for the fingerprint attack, adjust options, set the new dictionary and repeat step 15
17. Select a charset and password length for brute force attack, launch the attack
18. If necessary, select a new or complete the old character set and repeat the brute force attack, i.e. step 17
128. elect a dictionary to download
[Screenshot: online dictionary dialog. Total files: 254, total size: 1 398 Mb. Buttons: Update list, OK, Cancel.]
The online dictionary selection dialog is extremely simple. When it opens up, the program attempts to establish a connection with the Passcape server and then retrieves and displays the list of dictionaries available for downloading. Select the dictionary you need and then click on the Download button to retrieve it and use it in the program. Some of the dictionaries are large. For instance, the size of music songs pcd is more than 59 MB in the compressed format. Naturally, retrieving such a large amount of data may take some time, which depends upon file size, bandwidth of your Internet connection and net load. All online and some additional dictionaries can be ordered on CD. The total size of all the dictionaries is over 7.5 GB. You can also share your own dictionary with us by e-mailing us the dictionary or the link where it can be downloaded. The wordlists are used in common dictionary attack, combined dictionary and pass-phrase attacks.
4 License and registration
4.1 License agreement
IMPORTANT! READ CAREFULLY: This is the End User License Agreement (the "Agreement"), a legal agreement between you, the end user, and Passcape Software, the manufacturer and the copyright owner,
129. ength: sort by string length and save results to multiple files associated with the string length (eg 1d 2 3d etc). Additionally, you can sort input wordlists in alphabetic order and save results to multiple files associated with the first letter of the words. For example: a.txt, b.txt, c.txt, ... z.txt.
[Screenshot: sort wordlist dialog. Sort options: Sort ascending and remove duplicates; Sort descending and remove duplicates; Sort ascending by string length; Sort descending by string length; Sort by string length and save output to multiple files; Sort in alphabetic order and save output to multiple files. Other options: Limit RAM usage (Mb): 32; Output wordlist format: UTF8 text file.]
Additionally, you can sort a wordlist by length and save the results in multiple files associated with word length. For example, file 1.txt would contain 1-character words, 2.txt two-character ones, etc. The sixth sorting mode works similarly. At the same time, the program sorts the source wordlist in alphabetical order and creates several target wordlists that correspond with the first letter of the word. For example, all words beginning with the letter A would be written to file A.txt, words beginning with B to B.txt, etc. You should keep in mind that certain words may begin with characters that cannot be used in a file name. In this case, the program automatically suggests a replacement by issuing an appropriate warning in the messag
130. ent
[Screenshot: DPAPI credentials history analysis. "The list below contains parsed entries of the CREDHIST file. Right-click the list to display the context menu. You can use a simple wordlist to bruteforce CREDHIST hashes." CREDHIST key chains: 2. CREDHIST GUID: 93c85e9c-130e-4ede-9063-576492e41a1d.]

#  dwVersion  guidCredHist   dwNextCredSize  dwCredChainType  algHash  dwPbkdf2IterationCoun
1  1          7d3ce967-4271  144             1                32782    5600
2  1          dbbad621-e033  0               1                32782    5600

On the screenshot you can see that the CREDHIST identifier is 93c85e9c-130e-4ede-9063-576492e41a1d. This is the identifier (GUID) that all of the user's Master Keys in the context of the data owner are attached to. The number of links in the hash chain is 2. The list below contains all attributes and their values for each link of our CREDHIST.
Attribute: description
dwVersion: data structure version
guidLink: current link unique identifier
dwNextLinkSize: next link size
dwLinkType: link type
algHash: hashing algorithm used when decrypting the link
dwPbkdf2IterationCount: iterations in the PKCS#5 PBKDF2 key generation routine
dwSidSize: owner security descriptor (SID) size
algCrypt: encryption algorithm
dwShaHashSize: SHA1 hash size
dwNtHashSize: NTLM hash size
pSalt: salt used in the encryption
sidUser: data owner SID
pShaHash: SHA1 h
131. ers, repetitive sequences of letters and numbers, abbreviations, keyboard combinations, personal information, etc. Such passwords can be guessed extremely fast and easily.
- Increase password length. However, there is a reasonable limit for everything. Remember that length is not the main thing (although not with passwords). Finally, making up a too long password will cause you to successfully forget it after a weekend party or vacation. Besides that, an average human's memory cannot hold more than 5-7 passwords at a time. Still, there are network passwords, Web passwords, etc. that are to be remembered also.
- Extend the character set used in the password. For example, replace the characters in the password with the Using national characters also strengthens passwords radically. Use uncommon characters, for instance Do not use hard-to-remember passwords that consist of a random set of characters, unless you are a genius.
- Do not use the same password for logging on to Windows, Web sites, services, etc.
- If you have trouble remembering all your passwords, save them in a separate password-protected file in a safe place. A good password protection is implemented, for example, in the Rar archiver. Do not keep that file on the local computer.
- Never enter your password on someone else's computer.
- It's not a good idea to write down your passwords on sticky notes and stick those on the monitor.
- Think about additional protection. For
132. es, attachments; Eudora mailboxes, messages, attachments; IncrediMail mailboxes, messages, attachments; Windows Mail mailboxes, messages, attachments; Mozilla Firefox, Thunderbird, K-Meleon, etc. message store; Opera messages, mailboxes, dictionaries; Outlook Express mailboxes, messages, attachments; Outlook mailboxes, messages, attachments.
Besides merely gathering passwords, the program can index the user's e-mail communication, scanning all found mailboxes, messages, attachments, etc. The hard disk search is performed for all accounts in a system, so the process may take considerable time, especially when the system hosts many users or when e-mail clients' databases are large. One way or the other, you can enable/disable each module individually.
[Screenshot: Word list Tools, "Index words and passwords in HDD sensitive areas": indexing words from recently used files. "Click Next to start indexation. The operation may take minutes or even hours to complete, be patient please." Additional options: Limit maximal word size to (characters); Skip file if its size is greater than (Mb); Use custom word delimiters; Don't index (skip) files with the following extension(s): rar 7z]
133. es window. If the Ignore case option is set, the sorting is carried out regardless of letter case, i.e. the words bad, Bad or BAD are considered identical, with all the ensuing consequences. The target wordlist name may be the same as the source; however, that is not recommended.
Sorting large files (files larger than 4 GB are supported) involves intensive use of RAM; the amount of it can be limited by the respective option. For large files, it is not recommended to set the memory limit to less than 16 MB, as that can affect the speed of sorting. While sorting, the program may create auxiliary files in the application's temporary folder. Make sure that the disk with the temporary folder has enough room for the swap files.
2.6.7.5 Convert/compress wordlist
Numerous wordlists that can be found on the Internet are usually represented by three major formats: ASCII, UTF16 (Unicode) and UTF8. With this tool, you can convert a wordlist from one format to another and optionally compress wordlists to ZIP files. Besides the three above-mentioned formats, the program supports its own format, PCD (Passcape Compressed Dictionary), which in the majority of cases gives a greater gain in size even compared to a compressed ZIP archive. Creating large PCD files may take considerable time.
Word list Tools: Select an input wordlist you wan
134. est 256 passwords with Arabic character at the end Atte st9dlt test test 1089 passwords 1 1 1pinv2 2 2 aaapin000 zzzpin999 rne 1 is user defined charset 1 a z and 2 the second user defined charset 0 9 ilove 1 1 1 1 1 iloveaaaaa iloveZZZZZ 1 is user charset a z A Z
The GPU mask attack syntax differs slightly from the one used in a regular mask attack. The main difference is that in a GPU-based attack you cannot set numbers between x and y and cannot set a user-defined range of variable length, i.e. the following syntax will not work for GPU mask attack: d x y 1 2 3 9 min max
GPU settings
Before you can use it in an attack, you must first select the graphics card in the General Options menu.
[Screenshot: GPU mask attack options, tabs: Mask options, Dictionary generator, Mask tips, GPU settings. "You can edit GPU specific settings here. Thread blocks option sets the number of GPU blocks to be run simultaneously (in most cases, each block incorporates 256 GPU threads), while passwords per thread sets the number of passwords to verify from within a single GPU thread." Thread blocks: 10000. Passwords per thread: Automatic.]
GPU configuration for the Mask attack consists of only 1 parameter: the number of thread blocks to run at a single c
135. et additional option to save extra space and compress the backup files to ZIP archive.
[Screenshot: Backup registry dialog. "You can backup (save) a binary registry file here, currently locked by the system. Set compression option to compress the output file into ZIP archive (may take some time to complete)." Option: Compress output file into ZIP archive.]
Backing up the Active Directory database is much similar to the registry backup, except that the program determines the path to Active Directory automatically.
[Screenshot: Active Directory backup dialog. "You can backup (save) your Active Directory database here, currently locked by the system. Set compression option to compress the output file(s) into ZIP archive (may take some time to complete)." Option: Compress output file into ZIP archive.]
Administrator or Backup Operator privileges are required to run this plug-in. Creating and saving the Active Directory database may take quite some time: minutes or even hours for huge databases.
2.7.2 Asterisk Password Revealer
[Screenshot: WPR asterisk password revealer.]
Run a program or switch to a window containing asterisks passwords
136. et at all the additional entropy. For example, Internet Explorer and Vista Ftp Manager use the source page where the password was entered as entropy. Windows Credential Manager similarly uses certain string constants, and so on.
2.7.4.5.2 Analyse DPAPI blob
A DPAPI blob is an opaque binary structure which contains an application's private data encrypted using DPAPI. Many Windows applications and subsystems store passwords, secrets and private data in DPAPI blobs. To create files with DPAPI blobs for further analysis, use our DPAPI blob look-up utility.
[Screenshot: DPAPI blob analysis, "Select DPAPI blob location". "DPAPI blob is an opaque data structure that holds encrypted data. Many system components (System, Wireless connection wizard, Windows Credentials Manager, CardSpace, etc.) and popular applications such as Internet Explorer, Windows Mail, Outlook, Skype, Google Talk use DPAPI to securely store their secrets, passwords and sensitive data in DPAPI blobs. You can extract DPAPI blobs using the blob search utility." Field: DPAPI blob file.]
This is the file that was created by the blob search tool. And proceed to analyzing data.
137. eters are computed automatically during runtime, consider trying different combinations to maximize GPU utilization.
[Screenshot: GPU settings. Max thread blocks: 256. Max passwords per thread: 1000.]
GPU configuration is pretty simple and consists of only two settings:
1. The number of parallel graphics card blocks where passwords would be searched. Typically, each block consists of 256 threads. Thus, if you set the number of blocks to 256, the GPU will run $256 \times 256 = 65536$ threads. The total number of checked passwords for one call to the GPU kernel will be $256 \times \text{ThreadBlocks} \times \text{PasswordsPerThread}$. In our case, $256 \times 256 \times 1000 = 65\,536\,000$ passwords. Setting ThreadBlocks smaller than 256 on modern graphics cards in the majority of cases leads to performance degradation.
2. The number of passwords to be searched from a single thread. The greater the value, the lower the overhead associated with launching threads and the higher the search speed. However, setting too great a value may hang the computer or cause significant fluctuations in the current search speed displayed on the attack status tab. This is caused by the fact that task completion time on the GPU exceeds the time required for refreshing the current state of the attack.
Depending on the options you have specified, a proper choice of GPU settings can dramatically (often by several times) increase the password search speed. We recommend playing around with GPU settings t
138. [Table of contents; several entry titles are illegible in the source]
2.10 A MENU EIN II
2.11 Help menu
2.12 Hardware monitor
3 Working with the program
3.1 Attacking Windows hashes
3.2 Attack comparison table
3.3 Recovering passwords from hashes
3.4 Windows passwords FAQ
3.5 Windows Password Recovery FAQ
3.6 A A
3.7 Online DICTION A AO
4 License and registration
4.1 License agreement
4.2 Registration
4.3 Limitation of unregistered version
4.4 Editions of the program
5 Technical support
5.1 Reporting problems
5.2 Suggesting features
5.3 A c
139. example, if you enable the SYSKEY startup password option, chances are close to 100% that not a single attacker will be able to break your passwords without having guessed the original SYSKEY password first.
3.5 Windows Password Recovery FAQ
Q: What do the question marks in LM passwords mean?
A: As you may already know, an LM password consists of two halves. If an LM password has 7 leading question marks, that means that only the second half of the password is found. Trailing question marks indicate that the first half of the password was recovered.
Q: What's the difference between LM and NT passwords? I have found both passwords: MASTERGURU and MasterGuru. Which of them is the right one? Which one should I use?
A: To log on to the system, you need to use the NT password.
Q: When brute forcing an LM password, the program complains and tells me that it truncates the password to 7 characters. Is that a bug?
A: No. As you know, an LM password is split into two 7-character halves. Therefore, the maximum length of brute-forced LM passwords is 7 characters.
Q: I know my NT password, but the program fails to find it for some reason. Why?
A: The NT password is case sensitive. Perhaps you have set an incorrect search range. Try checking the pas
140. exing words from local files on your computer. For example, those could be html, xml, txt, doc files as well as mdb, pdf, exe files, etc. The indexing is based on the IFilter technology, which you can read about in Wikipedia. The idea of the technology, developed by Microsoft, comes down to the possibility of indexing the text of any file which an appropriate IFilter plugin is installed for. This way you could access the text contained, for example, inside exe or dll files, an e-mail client's database, etc. Despite the fact that numerous IFilter plugins, both commercial and free, can be found on the Internet, Windows Password Recovery has internal support for the following types of files:
- Archives: zip, cab, rar
- Programs: exe, dll, cpl, ocx, sys, scr, drv
- Text: txt, dic
- Internet: html, htm
In other words, files with these extensions can be parsed by the program even without a single IFilter installed on the computer. Windows 7 has an internal Windows Desktop Search tool, which has a wide range of filters for supporting the majority of popular documents. Under other operating systems, Windows Desktop Search can be installed manually; the setup file can be downloaded from the official website of Microsoft.
Wordlist Tools: Set up file indexation opti
141. ficial Intelligence attack. The configuration of the tool conventionally consists of four parts.
[Screenshot: Word list Tools, "Index words and passwords in HDD sensitive areas": "Select what kind of system passwords do you need to index". Options: Enumerate all known system passwords; Active Directory plaintext passwords; Autologon passwords; Cached logon credentials; SQL logon passwords; IIS passwords; Well-known NT plaintext passwords; Windows Media passwords; MSGINA stored plaintext passwords (Win2K only); RAS, Dialup, VPN, DSL connection passwords; CRD credentials (WCM backups); Windows Credential Manager passwords; Explorer FTP passwords; Wireless connection passwords.]
First, select the system modules to be used when generating the wordlist. These modules find and index the following types of passwords on your computer's hard disk: Active Directory plaintext passwords, startup passwords and cached startup passwords, SQL, IIS, Windows Media, Win2K text passwords, RAS, Dialup, VPN, DSL, WEP, WPA, FTP connection passwords, Windows Credential Manager passwords, Instant Messengers, etc. passwords.
142. for the use of the Windows Password Recovery software product ("SOFTWARE"). All copyrights to SOFTWARE are exclusively owned by Passcape Software. The SOFTWARE and any documentation included in the distribution package are protected by national copyright laws and international treaties. Any unauthorized use of the SOFTWARE shall result in immediate and automatic termination of this license and may result in criminal and/or civil prosecution. You are granted a non-exclusive license to use the SOFTWARE as set forth herein. You can use the trial version of SOFTWARE as long as you want, but to access all functions you must purchase the fully functional version. Upon payment, we provide the registration code to you. Once registered, the user is granted a non-exclusive license to use the SOFTWARE on one computer at a time for every single-user license purchased. With the personal license, you can use the SOFTWARE as set forth in this Agreement for non-commercial purposes in a non-business, non-commercial environment. To use the SOFTWARE in a corporate, government or business environment, you should purchase a business license. With the business license, you can run the SOFTWARE on multiple computers of your organization, no matter where they are located. The registered SOFTWARE may not be rented or leased, but may be permanently transferred together with the accompanying documentation, if the person receiving it agrees to the terms of this license. If the s
143. h the first key of the chain. Using the first key of the chain, we can recover the entire chain, in particular the value right before R(Hn). That is actually the key that was used for generating Hn, our sought password.
Operating principle of Passcape rainbow tables
Recovery using Passcape rainbow tables is pretty much the same as recovery using simple rainbow tables. However, unlike the latter, it is sort of a hybrid of Fingerprint and simple table attacks, where instead of setting a specific character range, passwords are validated within a so-called word footprint range. The idea of the Fingerprint attack, developed at Passcape, comes down to taking the source dictionary and creating a bank of word footprints (fingerprints) necessary for validating the password out of that dictionary; then, during the attack, we search for all possible variants of words that consist of two such footprints. Similar to the Fingerprint attack, Passcape rainbow tables first create a bank of footprints for words from a user's wordlist. The word footprint bank is an analog to the character set in simple rainbow tables. It is used for both creating Passcape tables and validating passwords. Thus, a Passcape rainbow table consists of one or more prt files (the actual tables) and a bank of word footprints (prti), which can be engaged only with tables that were created with it. There are a number of advantages in using word footprints instead of character sets when creat
144. he hashes for PASSWORD, password, Password or pAsswOrd will be completely identical. By running a brute-force attack against each half, modern personal computers can pick an alphanumeric LM hash within a few minutes, or even seconds when using the Rainbow attack. Let's do a bit of calculation. To pick a password for any alphanumeric combination, we need to split the password into two 7-character-long parts and then search 36 + 36^2 + ... + 36^7 = 80 603 140 212 combinations. Besides, all the hashes will be searched simultaneously. The search speed in Windows Password Recovery on a computer with an Intel Core i7 is over 100 million passwords per second. Let's round it downward to 100: 80 603 140 212 / 100 000 000 = 806 seconds. That means we are guaranteed to get the right password within just a bit over 10 minutes using brute force.
Q: Can I see the encryption sources?
A: Sure. Let's review a working password encryption program for the LM algorithm.
Q: How much time is required to guess the password if its NT hash is known?
A: With NT hashes, it's a bit more complicated. The NT hash does not have the disadvantages that are common to LM. Therefore, the probability of recovering the password completely depends on its length and complexity and drops like a snowball, even despite the fact that the NT conversion algorithm is faster. Let's take a look at the following table, which demonstrates how the search time depends on password length and complexity. Assuming that
145. he path of the home directory for the user account.
HomeDirectoryDrive: Specifies the drive letter to assign to the user's home directory for logon purposes.
ScriptPath: Unicode string specifying the path for the user's logon script file. The script file can be a CMD file, an EXE file, or a BAT file.
ProfilePath: Unicode string that specifies a path to the user's profile.
WorkStations: Unicode string that contains the names (separated by commas) of workstations from which the user can log on. Up to eight workstations can be specified. The account flag UF_ACCOUNTDISABLE allows disabling logons from all workstations to this account.
LogonHours: 21-byte bit string that specifies the times during which the user can log on. Each bit represents a unique hour in the week, in Greenwich Mean Time. The first bit is Sunday, 0:00 to 0:59; the second bit is Sunday, 1:00 to 1:59; and so on. Note that bit 0 in word 0 represents Sunday from 0:00 to 0:59 only if you are in the GMT time zone. In all other cases you must adjust the bits according to your time zone offset (for example, GMT minus 8 hours for Pacific Standard Time).
Groups: List of groups to which the user account belongs or does not belong.
LMHash: LM password hash associated with the user account.
NTHash: NTLM password hash associated with the user account.
LMHistoryHashe
146. he search options to start scanning for DPAPI blobs.
[Screenshot: DPAPI blob search dialog with the input directory, the blob types to search for (binary, text ASCII, text UNICODE), the output folder and the scan statistics.]
Example of a path where you can find files containing binary DPAPI blobs: Users\John\AppData\Roaming\Microsoft\Credentials
Example of a path where you can find files containing textual DPAPI blobs: C:\Program Data\Microsoft\Wlansvc
Keep in mind that if you want to search for blobs in the current user's registry or in an Active Directory database, you should first back up the files to a separate directory.
2.7.4.5.4 Master Key analysis
Master Key is 64 bytes of data which are used as the primary key when decrypting a DPAPI blob. A user's Master Key is encrypted with the user's logon password. Set the path to the Master Key file and specify the user SID, which the program normally calculates automatically from the specified path.
[Screenshot: DPAPI user Master Key analysis dialog, Select Master Key location.] Master Key is used in DPAPI as a primary cipher key to decrypt user-protected data and passwords, i.e. DPAPI blobs. For example
147. hip, cached user password (actually, hash). Right-clicking on the list of records opens the context menu, which allows you to:
• Save records with all attributes to a text file.
• Export password hashes to a PWDUMP, DCC or PEIF file. Please note that the PWDUMP format stores records not quite properly; therefore, it is preferable to store password hashes as DCC or PEIF files.
• Check or edit the password for a cached domain record.
• Delete record.
[Screenshot: Domain Cached Credentials Explorer listing the found and decrypted domain cached entries (last logon, UserID, effective name, full name), with the context menu: Save list to text file, Export hashes to CACHEDUMP file, Export to PSPR dcc file, Export hashes to Passcape peif file, Check password, Reset/change password, Remove entry.] The list below contains found and decrypted domain cached entries. Right-click the list to display the context menu. To recover the cached passwords, export the list to a file and then feed it to Network Password Recovery Wizard.
To recover a cached domain password, you can take advantage of Network Password Recovery Wizard: just have the hashes exported to a file of one of the a
148. hlighted entry to Windows clipboard. Copies only the selected portion of the entry, not the entire entry. For example, the user name or the found password.
Select: Selects hashes to be attacked (the ones with the checkbox option on). If during the attack the password for the selected hash is found, the checkbox will be automatically cleared and the record will be marked green. To select the NT hashes, you must first have deselected the LM hashes, and the other way around.
Search: When the number of entries exceeds a hundred thousand, finding a specific entry often takes quite a bit of an effort. To make the job easier, the program offers two types of search: searching a specific field (e.g. user name) and quick searching of serial entries. In the latter case, the program scans the entire entry, character by character.
2.5 Reports Menu
You can create, print or save one of the program's reports here. The following reports are available:
• Password reports
• Attack statistics
• Miscellaneous statistics
• Account statistics
• Password list analysis
• Group information
149. ience some troubles connecting to a remote PC even if you have an Administrator account. When connecting to a target PC with Windows Vista/7/8/10, you may get the following error:
[Screenshot: program log dated June 11, 2015 for an import from a remote machine (COMP JOHN PC, SHARE C, USER John), ending with "system error 5" and "Failed to run remote service, can't connect remote machine".]
The error 5 indicates that access is denied, even if the target account has Administrator privileges. The problem is that any remote connection in Windows Vista and higher OSes by default cannot perform administrative tasks. Microsoft documentation clearly states the following: "When a user with an administrator account in a Windows Vista computer's local Security Accounts Manager (SAM) database remotely connects to a Windows Vista computer, the user has no elevation potential on the remote computer and cannot perform administrative tasks. If the user wants to administer the workstation with a SAM account, the user must interactively log on to the computer to be administered." There is, however, a flag in the Windows registry that allows changing the default behavior. Just launch the registry editor of the
150. ing tables. The length of passwords validated with Passcape tables is literally unlimited. Unlike simple rainbow tables, which practically cannot be created for passwords longer than 9 characters, with Passcape tables one can recover both a one-character and a 50-character password with the same probability. The character set in a regular table greatly affects its critical parameters: the wider the character range, the greater the chain length or the total number of chains must be to keep the table's success rate (the percentage of success in finding a password). In a Passcape table, a character set does not affect the critical parameters of the table. Plain tables have certain difficulties when generating tables for validating passwords in national character sets: not all programs properly handle such tables, and not all can create them. With Passcape rainbow tables, when generating tables for Russian passwords, for example, one can simply specify the source dictionary in Russian. With Passcape tables, passwords are searched for using more meaningful combinations; however, that largely depends on the source dictionary.
These can be referred to as drawbacks of Passcape rainbow tables:
• Not all source dictionaries are equally suitable for the tables. Using large dictionaries (normally, greater than 1 MB) generates too large of a footprint
151. [Screenshot: list of loaded Passcape tables with their chain parameters and full paths, the Limit RAM usage option, the total success rate and the total tables size.]
Tables can crack only the hash function they were created for; i.e. NT tables can crack only NT hashes. To create your own tables, you can take advantage of the respective tool. You can download sample Passcape tables for this attack from our website.
2.8.2.14 Batch attack
Since each attack covers its own password range, sometimes, in order to fully recover password hashes, you have to run several different attacks one after another. The basic idea behind the batch attack, developed by Passcape Software, is to create a list (batch) of attacks to be run one after another, so that you could launch all those attacks with a single click of the mouse and not hassle with configuring each of them individually every time you need them.
Setup your own bundle of preferred attacks that will be executed subsequently one by one. Batch attack is a set of several attacks that will be executed one by on
152. [Screenshot: GPU dictionary attack options dialog with the Dictionaries, Brute force, Online dictionaries and GPU settings tabs and the list of selected dictionaries.] The GPU dictionary is a hybrid attack which actually consists of two: dictionary and brute force. First, the attack generates all possible combinations using a range of symbols from a given charset; then it inserts each combination into every position of the word from the dictionary and checks the resulting word as a password. Then goes another word, etc. For the complete list of dictionaries, check out our Wordlist Collection.
Search range
On this tab you should set up the range of characters to be inserted into base words, and its minimum and maximum length. When setting up a range, you can use the existing templates or, having checked the respective check box, define your own one. When selecting the maximum range length, keep in mind that specifying a too wide or too small value is inadvisable. While in the first case the password search speed may drop down to 0, specifying a too narrow range of characters to be searched raises the overheads related to the irrational use of the computing power of the GPU. In the second group of options, specify the position in the word where the characters of the searched range would be inserted. And finally
153. ion will skip all special characters. Only alpha-numeric passwords will be processed.
• Include phrases. This option also allows putting phrases into the destination wordlist. A phrase is considered as a string of characters of up to 256 symbols with at least one space character in it.
• Limit maximum word size. It is recommended to always set this option. The best maximum word length in a wordlist is 16-64 characters. Cutting the maximum length sometimes radically speeds up the file parsing process. It is worth remembering that the maximum allowed password length in Windows is 128 characters.
• Skip files with size greater than specified. Some IFilters take very long to parse large files, which can cause the program to hang.
• Use custom word delimiters. You can set your own word delimiters for parsing files. For example, you could use characters like &, <, >, _ and, of course, space.
Clicking the Next > button launches the actual indexing, which may take considerable time. For the sake of speeding up the process, the list of words found during the indexing is created and maintained in the computer memory, which requires significant resources. So if you get a runtime error of lacking memory, try decreasing the maximum word length or limiting the number of files being parsed, and then try ru
154. itself (e.g. pZssword).
Overwrite a character at last position with a character taken from a charset C, where C should be either a predefined charset name or a custom character set itself. Examples for the word password: passworA, passworB ... passworZ.
Overwrite a character at every position of the word with a character taken from a charset C, where C should be either a predefined charset name or a custom character set itself.
GPU settings
Before launching the attack, make sure you set up the GPU settings properly.
[Screenshot: GPU hybrid dictionary attack options dialog, GPU settings tab, with the Thread blocks and Passwords per thread options.] You can edit GPU-specific settings here. The Thread blocks option sets the number of GPU blocks to be run simultaneously (in most cases each block incorporates 256 GPU threads), while Passwords per thread sets the number of passwords to verify from within a single GPU thread.
GPU configuration is pretty simple and consists of two parameters:
1. The number of GPU blocks to be run at a single call to GPU. Each block consists of 256 threads. Thus, if you set the number of blocks to 256, the GPU will run 256 * 256 = 65536 threads. The total number of
155. k tips
Third tab of the mask options contains a short description of the mask syntax and a couple of examples. The mask syntax is pretty simple and consists of static (unmodifiable) and dynamic (modifiable) characters. Dynamic characters always have a leading For example, if you set the mask secret d d d d, the program will generate 10000 passwords (secret0000, secret0001, secret0002 ... secret9999). Windows Password Recovery supports the following dynamic mask sets:
• lower-case Latin characters (a-z), 26 symbols
• YC upper-case Latin characters (A-Z), 26 symbols
• full set of special characters (space), total 33 symbols
• D small set of special characters (& _ space), 15 symbols
• all printable characters with ASCII codes of 32-127
• all ASCII characters (codes 1 through 255)
• d one digit (0-9)
• Ya x y user-defined characters with serial ASCII codes between x and y
• r x1 y1 x2 y2 xn yn set of several non-overlapping sequences of ASCII characters. Useful for defining custom character sets, e.g. of OEM characters
• 1 2 3 9 a character from user-defined charset 1-9
• W standalone static character 96
Examples:
test d will generate password range test0 ... test9, 10 passwords total
test d d d d: test0000 ... test9999, 10000 passwords
test r 0x0600 0x06ff test t
156. les passcape com We will be happy to assist you with the registration. Please write in English. You can find other password recovery utilities at http://www.passcape.com
© 2010-2015 Passcape Software. All rights reserved. 05 10 2015
157. lly takes not more than 2-3 minutes. Naturally, the more complex the mutation and indexation level, the more efficient the search will be. However, reaching the topmost indexation and analysis level may take hours and even days, depending on the speed of the password validation algorithm and the number of users in the system. The Artificial Intelligence attack has proven itself to be most effective when the search is performed on the original system.
Only two options are available here: password mutation depth and word indexing level. The most preferred options for running a speedy attack are Light, Light. For a deeper and, at the same time, slower search, set these options to Normal or even Deep. The duration of an intellectual attack also depends on the configuration of your system, your network load and other factors. It is highly recommended to shut down all other programs before launching the attack. If your Artificial Intelligence attack runs very slowly, you may need to remove your program's cached passwords (e.g. when the total amount of the cached passwords exceeds 10000).
Windows Password Recovery version 9.5 now comes with a brand new feature which allows password searching by indexing raw sectors on selected drives. This feature works for both LM and NTLM hashes, looking for both ASCII and UNICODE passwords. You can change some advanced search options here. For example, Word Indexation level sets additional mutation on all found passwords. Be careful
158. load rainbow tables at http://project-rainbowcrack.com
GPU FAQ
Q: What are the system requirements for the program?
A: Currently the program supports NVidia video cards with CUDA compute capability 2.0 or higher and AMD Radeon 5xxx or higher GPUs. The full list of CUDA-supported devices can be found at http://developer.nvidia.com/cuda-gpus. Compatible AMD Radeon cards are shown here: http://en.wikipedia.org/wiki/Comparison_of_AMD_graphics_processing_units
Q: What versions of Windows does the program support?
A: GPU acceleration is supported starting with Windows XP (NVidia GPUs) and Windows Vista (AMD GPUs), on both 32-bit and 64-bit systems.
Q: How do I know which architecture my video card supports?
A: For NVidia devices: launch the program, open the menu Options - General Options, select the GPU Settings tab, select the NVidia CUDA platform and choose your video card here. The Compute capability field in the description section should display your GPU architecture. For AMD devices: launch the program, open the menu Options - General Options, select the GPU Settings tab, select the AMD OpenCL platform and choose your video card here. The CL_DEVICE_VERSION and CL_DEVICE_OPENCL_C_VERSION fields should display the GPU architecture supported.
Q: Where can I get the latest video drivers?
A: You can download the latest drivers from NVidia http://www.nvidia.ru/drivers and AMD http suppor
159.
• pSalt: salt, i.e. 16 random bytes of data involved in the decryption of the Master Key and preventing data attacks using rainbow tables
• dwPBKDF2IterationCount: iterations in the PBKDF2 encryption key generation function
• HMACAlgId: hashing algorithm identifier
• CryptAlgId: encryption algorithm used
• pKey: user's encrypted Master Key
Local Encryption Key attributes:
• dwLocalEncKeySize: current slot length
• dwVersion: data structure version. Win2K uses only one attribute with salt
• pSalt: salt
• dwPBKDF2IterationCount: iterations in the PBKDF2 encryption key generation function
• HMACAlgId: hashing algorithm identifier
• CryptAlgId: encryption algorithm used
• pKey: encrypted Local Encryption Key, used for decrypting Local Backup Key in Windows 2000
Local Backup Key attributes (Windows 2000):
• dwLocalKeySize: current slot length
• dwVersion: data structure version
• pSalt: salt
• pKey: encrypted Local Backup Key
CREDHIST file's GUID attributes (Windows XP and higher):
• dwLocalKeySize: current slot length
• dwVersion: data structure version
• guidCredHist: CREDHIST file binary identifier
Domain Backup Key attributes:
• dwDomainKeySize: current slot length
• dwVersion: data structure version
• pSalt: 16 random bytes of data involved in the decryption of the Master Key and preventing data hacks using rainbow tables
• dwPBKDF2IterationCount: iterations in the PBKDF
160. mpare wordlists
Sometimes it is necessary to determine whether two wordlists are identical. That is what the wordlist comparison tool is for.
[Screenshot: Wordlist Tools comparison dialog with the two wordlists to compare, the comparison mode (string or binary) and the Ignore case option.] Select the 2 wordlists you want to compare. Keep in mind that binary mode uses byte-by-byte comparison, while string comparison mode is a bit different. For example, you can compare wordlists of different types here, e.g. PCD and UTF files.
This tool offers two operating modes:
1. Binary comparison, for comparing files by byte.
2. String comparison, which compares words rather than bytes. This mode is noteworthy for its ability to compare wordlists of different formats; for example, PCD and UNICODE, or UNICODE and ASCII. If the ignore case option is set (string comparison mode only), then, for example, the words bad and Bad will be considered identical.
2.6.7.7 Additional operations
The additional tools are designed primarily for editing and tuning up existing wordlists.
[Screenshot: Wordlist Tools, Additional operations for existing wordlists.] Select what do you want to do with your wordlist
161. my and computer, you will get mycomputer. If the word insertion option is set, the program additionally creates passwords by inserting words from the second dictionary into every position of the word from dictionary 1. For example, if the first dictionary's word is Admin and the word from the second dictionary is 12345, the program will generate the following passwords: 12345Admin, A12345dmin, Ad12345min, Adm12345in, Admi12345n. And so on for all words of the second dictionary. Then goes another word from dictionary 1, etc. The option is active only if 2 dictionaries were set.
The generation rules are made to extend the password search options. For example: Mycomputer, MyComputer, MY COMPUTER, my computer, etc. There are special rules available for this purpose; you don't have to know their syntax, for the mutation rule creation dialog is simple and intuitive.
[Screenshot: Phrase properties dialog with the Prefix, First word, Word delimiter, The rest words and Postfix fields, the resulting rule string and an example (I Love My Computer).]
Each mutation rule consists of five elements:
1. Prefix: text that will appear before each phrase. This element can be a cha
162. n if you reset the password, you will not be able to recover any of the following data: EFS-encrypted files, Outlook account passwords, Internet Explorer 7-9 passwords, network connection passwords (RAS, DSL, VPN, etc.), network passwords to other computers, wireless network keys, MSN Messenger credentials, Google Talk & Google Chrome passwords, Skype, etc.
Q: So, in order to recover, for example, an Internet Explorer password, I would need to get the account password first, right?
A: Exactly.
Q: Are there any backdoors?
A: Like anywhere else. For example, sometimes the account password can be stored in plain-text form in the secrets. Passwords to many system accounts can also be recovered with ease.
Q: Is that what the SECURITY registry file is requested for when importing hashes from the local computer?
A: Yes. The Security's main purpose is to be a storage for the so-called LSA Secrets. These secrets (but not they alone) can store plain-text passwords. The Artificial Intelligence attack implements a check-up for possible vulnerabilities in the system and, as a consequence, chances to recover some passwords.
Q: Can I tuck an existing hash instead of the password when logging on to the system?
A: There are programs that do that. Here is how they work. Before booting up the system, they extract user password hashes from SAM. Then, when loading the account, they tuck the known hash instead of the password. However, the result of such ma
163. nal system where the passwords were taken May take centuries to search long passwords Does not find passwords when uses wrong character set or password length exceeds the one specified Finds only common passwords Fails to find strong non dictionary passwords mutation takes considerable time Password will the remaining portion of exact known portion not be found if a wrong Windows Password Recovery Copyright c 2010 2015 Passcape Software All rights reserved Working with the program generation rule Combined Checks complex Depends No dictionary passwords on options composed of two or more words by gluing words from several dictionaries Combined Sameas Depends No dictionary combined attack On options with smart plus mutations mutation Base word Takes advantage Acouple No of a known base of word used for seconds if making up the the base password word length is not exceeds 16 characters Phrase Same as From No dictionary attack several except that minutes up to instead of a word this one checks a several urs phrase popular expression option when some portion of the original password is known The only attack that findsLimited set of field long and complex passwords Same as the previous attack Good for the cases when you had known the original password but have forgotten its variations e g letter case or trailing numbers The only attack
164. nches the data collection and indexation module. During the execution of this step, we analyze the activity of the user (or all users, if the indexation module selected is different than Light) in the system. Next, based upon that, we generate the list of words (potential passwords) selected from the text files, archives, internet browsers history, email correspondence, etc.
3. Includes the semantic analysis module for the database of found passwords and the list of potential passwords.
4. On the final stage, the data analysis module will perform the mutation of the words and attempt to pick the passwords.
At the beginning of the attack, the program will search the system for all passwords it knows of. For that purpose, there are currently 32 mini-modules for decrypting system, mail, browser, messenger, archive and other passwords. Then goes the file and data indexation, in the course of which the program generates a potential attack dictionary. The third module breaks the passwords and words into pieces, out of which, in the last module, it will assemble new combinations for picking and guessing the original password.
On average, with the least indexation and mutation levels, the attack time may vary between 1 minute and 10-15 minutes, depending on the network activity of the user. On a home computer the entire route norma
165. nd on password history hashes. However, once the option is set, you will not be able to proceed with the attack from the last saved position.
The second tab with the settings allows you to create and record a custom dictionary using the current options of the fingerprint attack. Be careful: that dictionary may take up a lot of space on your computer's hard disk.
[Screenshot: Fingerprint attack options dialog, Dictionary generator tab, with the initial dictionary and the Generate button.] Passwords generated by this attack can easily be saved to a file, so you can create your own dictionary and use it in another program. Be careful: dictionary creation may take quite some time, depending on the source.
On the third tab you can download source dictionaries for the fingerprint attack from the Internet.
[Screenshot: Fingerprint attack options dialog, Online dictionaries tab.] First, the program attempts to establish a connection with the Passcape server and retrieves the list of dicti
166. ne can generate more complicated variations for example password03171998 or Password19710830 this feature if turned off here even in maximal mutation level The program works correctly for 2 or even more If your OS has 2 languages installed alternative keyboard layout second let it be English and languages So if you have 5 language of the OS Word shift Stupidly shifts all characters of the word to the right or to the left Character Replaces a character of the initial substitution word Windows Password Recovery Russian the programlanguages installed locally will convert initial including English one word password into there will be 4 different Russian 3cpbibruuB combinations of the input and Russian n ponb word will be converted into gfhjkm asswordp dpasswor oassword passqord This is quite helpful rule assuming the fact that the characters for substitution are taken from a special table For example the character s will be replaced with the following ones a W e d X z You can notice that all of these characters are located near s on any qwerty keyboard Copyright c 2010 2015 Passcape Software All rights reserved Program s interface Group name Description Examples for word Comments password Length truncate Truncates word length to probe all passwor passwo possible length combinations Pass 2 8 2 6 Mask attack Mask attack is an irreplaceable to
167. nipulations is the same as of merely resetting the password; i.e. you won't be able to recover the majority of other passwords.
Q: What can I do if the SAM file is hopelessly corrupt? Is there a way to recover the original password in this case?
A: Yes, there is. However, you will no longer have access to the system. You can, for example, pick the password using the user's master key. Passcape Software has means for doing that. If the computer belongs to a domain, the names and hashed passwords of the last ten users registered on the computer are cached in its local system registry, in the SECURITY\Policy\Secrets section. You can take advantage of Reset Windows Password for dumping those hashes (they are also referred to as MSCACHE) and then attack them using Network Password Recovery Wizard.
Q: I need to regain access to my account. Would you draw a picture for dummies: what's the best way to do that, and how do I do that?
A: Briefly, there are two ways to regain access to an account:
1. Reset the password, e.g. make the password blank. There are special utilities for doing that; the most powerful one is Reset Windows Password. Its operation principle is simple. Run a boot disk creation program and create a Reset Windows Password boot CD/DVD or USB disk with it. Next, power on the computer with the account you need to regain access to and edit the BIOS settings to enable the computer to boot from CD/DVD/USB. Some computers have this option enable
168. nning it over again. Once the operation is completed and the found words are saved to disk, sort them out to get a truly valuable wordlist. Found words are guaranteed to be unique, i.e. they do not contain duplicates. Be careful though: some third-party filters could fail to run properly and cause the application to hang, fail or abnormally terminate. For example, some filters for parsing PDF in Windows XP are known to generate errors.

2.6.7.2 Merge wordlists
A wordlist merging tool is used when you need to combine two or more wordlists into one.

Screenshot (Wordlist Tools, "Merge several wordlists into one"): The destination dictionary is a Unicode-based text file with lines delimited by CRLF. Set the sort checkbox on to sort the output wordlist and remove duplicate strings. Make sure you have enough space on your destination drive. Options shown: Sort output wordlist; Limit RAM usage, Mb: 32; Output wordlist format: ASCII text file.

If the S
169. nored by the program. Whatever goes below this string is considered as rules. Each string can contain several rules applicable to a source word. If a string contains multiple rules per word, those rules are parsed left to right. For example, if you apply the rule pc a b c to the source word password, at the output you will get Asswordabc. The maximum length of an output word may not exceed 256 characters.

Screenshot (Hybrid dictionary attack options, Rules tab): You should set at least one file with word mutation rules. A rule file is a simple ASCII text file with a Rules section in it. Everything below the string is considered as rules. See the syntax of the rules at the Syntax tab. You can save all rules into a single file; rules will be sorted, duplicates and errors will be skipped.

A super rule is a rule, or several rules, to be applied over the top of all other regular ones, before or after them. For example, you can set the a8 tail super rule to create all possible case combinations after a common mutation has been done. So the asa4 rule from the l33t.ini file will become asa4a8, csc will become csc a8, etc. Yet another example: setting the >6<G head rule allows you to skip all words of less than 6 or greater than 16
170. o achieve the maximum utilization of the GPU in this attack.

2.8.2.19 GPU Hybrid dictionary attack
GPU Hybrid dictionary attack is pretty much the same as the Hybrid dictionary attack, except that it utilizes your GPU power instead of the CPU. That makes it extremely fast: approximately 10 times faster than a simple Hybrid attack. The value greatly depends on the options and hardware used, though. The hybrid attack allows the user to set his own word modification rules and attempt to validate the modified output words. Actions performed on source words from the dictionary are called rules. Multiple rules can be applied to each source word.

GPU hybrid dictionary attack settings are grouped in eight tabs:
1. Dictionaries, for setting up source dictionaries
2. Rules, files with sets of rules
3. Super rules, ones to be applied over the top of regular rules
4. Dictionary generator, where you can create files of words obtained from the hybrid attack
5. Online dictionaries, for downloading new dictionaries to the application
6. Attack syntax, a complete description of all rules with examples
7. Rule tester, where you can test your rules
8. GPU settings, used to tune your GPU parameters

Wordlists to be used in the attack are set on the first tab. Traditionally, the application supports wordlists in ASCII UTF8 UNICODE PC
171. o occurrence of X character; do nothing if X is not found.

Rule | Example | Input | Output | Description
EX | E@ | mike@yahoo.com | yahoo.com | Extract a substring starting right after the first found X character and till the end of the string; do nothing if X is not found.
%MX | | | | Reject (skip) the word if it does not contain at least M instances of the character X.
XY | 15 | password | possward | Swap characters at positions X and Y.
zN | | | | Reject (skip) the word if the character at position N is not equal to the X.
iNX | i4a i5b i6c | password | passabcword | Insert the character X in position N.
oNX | o4 o5 | password | pass  rd | Overwrite a character in position N with the character X.
sXY | ss so0 | password | pa w0rd | Replace all characters X with Y.
xNM | x4Z | password | word | Extract a substring of up to M characters length, starting from position N.
INXY | r10 r | google | google com | Insert the character X at position N if the previous character at position N is not Y.
INXY | rl0 r | password | password | Insert the character X at position N if the previous character at position N is Y.
ONXY | O0 p | password | assword | If the character at position N is not Y, overwrite it with the X character.
ONXY | O0Pp | password | Password | If the character at position N is Y, overwrite it with the X character.
RN | R01 | password | assword | Remove character at position N if character at position M is
172. oduced by the archivers. What is the PCD format?
A: That is a proprietary dictionary storage format developed in Passcape, which uses additional optimization and encryption algorithms. Some dictionaries can indeed be compressed harder than with a regular archiver. For example, the Australian.pcd dictionary in the original format takes 926 KB of space, while in the compressed format it's only 53 KB.

Q: I chose to run a dictionary attack and set the medium mutation level. When I launched the attack, I was unpleasantly surprised with the low speed: only a few thousand passwords per second. Why is it so slow?
A: The program shows the attack speed without mutations. For example, if 1000 words have been processed within a second, it shows 1000 p/s, although the mutation module could have generated 1000 additional words per each word during that time. Thus, the actual search speed is hundreds or even thousands of times greater than what you see on the screen.

Q: Can I use the regular dictionaries in a combined dictionary attack?
A: Yes, you can.

Q: I know that the password begins with blue. Which attack would be the best one to use?
A: You can try dictionary attack. For example, the mask blue c c c c c c would search the range from blueaaaaaa through bluezzzzzz. You can also try running a combined dictionary attack. In order to do that, open Notepad, then type blue and save the file as, for instance, 1.dic. Then open the combined attack options and
173. of 64 random bytes, used as the primary key when decrypting DPAPI blobs. The Master Key is encrypted with the user's password (or the system's password, if that is a system Master Key). The user's Master Key is always located in %APPDATA%\Microsoft\Protect\%SID%, while a system account's Master Keys are stored in %SYSTEMDIR%\Microsoft\Protect. It must be noted that there can be several Master Keys, and only one of them is suitable for decrypting a certain object: the one with the name stored inside the DPAPI blob. When searching for a Master Key, the program may filter out unnecessary names. The folder %APPDATA%\Microsoft\Protect also contains the CREDHIST file, which is an optional parameter and in the majority of cases is not required for the decryption.

Decrypt Master Key

Screenshot (DPAPI offline decoder, "User/system credentials needed for successful blob decryption"): You should specify the user SID and user logon password here in order to decrypt the DPAPI-encrypted data. However, some DPAPI-encrypted blobs (e.g. encrypted using the SYSTEM account) require machine credentials. In this case you'll have to provide a path to the SYSTEM and SECURITY registry files. The optional entropy file is required when the blob was created using entropy (refer to the CryptProtectData API for more information). You should manually create a simple binary file with
174. oftware is an update, the transfer must include the update and all previous versions. You may not create any copy of the SOFTWARE. You can make one (1) copy of the SOFTWARE for backup and archival purposes, provided, however, that the original and each copy is kept in your possession or control, and that your use of the SOFTWARE does not exceed that which is allowed in this Agreement. The SOFTWARE unregistered (trial) version may be freely distributed, provided that the distribution package is not modified. No person or company may charge a fee for the distribution of the SOFTWARE without written permission from the copyright holder. You agree not to modify, decompile, disassemble or otherwise reverse engineer the SOFTWARE, unless such activity is expressly permitted by applicable law. Passcape Software does not warrant that the software is fit for any particular purpose. Passcape Software disclaims all other warranties with respect to the SOFTWARE, either express or implied. Some jurisdictions do not allow the exclusion of implied warranties or limitations on how long an implied warranty may last, so the above limitations or exclusions may not apply to you.

The program that is licensed to you is absolutely legal, and you can use it provided that you are the legal owner of all files or data you are going to recover through the use of our
175. ol when you know a fragment of the password or have any specific details about it. For example, when you know that the password consists of 12 characters and ends with qwerty, it is obvious that searching the entire 12-character range of passwords is unreasonable. All that would be required in this case is to pick the first 6 characters of the sought password. That is what mask attack is for. In our case, we could define the following mask: c c c c c cqwerty. That means that the program would serially check the following combinations: aaaaaaqwerty through zzzzzzqwerty. If the original password is secretqwerty, it perfectly hits our range.

Screenshot (Mask attack options, "Brute force attack by a given mask"): Often the mask attack is used if there's some information about the password to recover. For example, you know that the password begins with loveme and is followed by a word or a name. You can then set the following mask loveme ic ic c c c c to check all possible variants from lovemeaaaaaa to lovemezzzzzz.

The mask entry field is used for setting the rule by which the program will try to recover the password. If the mask is set correctly, below you will se
176. om a dictionary by the include/exclude principle. If the first, inclusive filter is enabled, the attack will accept only the words that contain at least one of the characters entered in the filter. If the second, exclusive filter is set, the program will skip the words that contain at least one of the entered characters.

The Mutation tab allows setting all kinds of possible combinations of the words to be searched. For example, if you set a strong mutation, the program will create several hundreds of analogs for each word from the dictionary, for example: secret, Secret, s3cr3t, secret123, and so on. You can set up to three mutation rules: Weak, for a smaller number of mutations and, in turn, greater verification speed; Strong, for a greater number of mutations at the expense of speed; and the happy medium (default option), Normal.

You can use Dictionary Generator to create your own wordlists based on the options of the first three tabs.

Online dictionaries
The program has a great feature that allows downloading and using existing dictionaries available on the Passcape website. We have accumulated quite a large dictionary collection: over 250 items. That should rid you of the extra hassle of finding the required content on the Net.

Customizing mutations
Starting with version 4.0, the program has the ability to customize the smart mutation of the Dictionary attack. All mutation rules are clustered into 16 primary groups. You can set one of th
177. onaries available for downloading. Select the dictionary you need and click the Download button to retrieve

Screenshot (Online dictionaries list): columns Dictionary name, D/L size, Real size, Strings, Ratio, Group; buttons Update list and Download. Total files: 250, total size: 1 384 Mb.

2.8.2.4 Brute-force attack (exhaustive search)
"In cryptanalysis, a brute force attack is a method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message." This definition was taken from the Wikipedia site. Well, to put it in simple words, a brute-force attack guesses a password by trying all probable variants by a given character set, e.g. checking all combinations in the lower Latin character set, that is abcdefghijklmnopqrstuvwxyz. Brute-force attack is very slow. For example, once you set lower Latin charset for
178. ons

Screenshot (file indexing options): The word indexation is based on the IFilter search engine. You can index any file if an IFilter was installed for the file extension. Without an appropriate IFilter, the contents of a file cannot be parsed and indexed by the program. Be careful: some third-party IFilters may work incorrectly. Options shown: Select a folder the files to be indexed are located at; Parse files in the given folder only (in all subfolders otherwise); Index all files; Index files with the following extension(s) only; Index all files except the following extension(s). Additional options: Accept alpha-numeric passwords only; Include phrases; Limit maximal word size to ... characters; Skip file if its size is greater than, Mb: 100; Output wordlist format: ASCII text file.

The configuration options for this tool consist of two groups. In the first group, you set the path to the initial folder where you need to index the files and select a file parsing method, namely:
• Parse files in the specified folder only. If this option is not set, the program recursively analyzes all the subfolders and files inside them.
• Index all files
• Index files with certain extensions only
• Index all files except certain extensions
File extensions are to be typed without the dot and separated by a comma. Example: txt, dic, xml, chm, htm

The additional options group allows customizing file parsing methods, namely:
• Accept alpha-numeric passwords only. If set, this opt
179. ord by word. The main idea of the attack is to guess the right password by searching through predefined, frequently used expressions, phrases and word combinations. For example, if the sought password is made of the widespread phrase "To be or not to be", it is obvious that this is the only attack that has the virtue to cope with such a password. In order to do that, you are to specify a special pass-phrase dictionary. A simple phrase dictionary comes with the software, but you can also download the online dictionaries that were compiled specifically for this attack.

It wouldn't be an overestimation to say that 99 percent of the success in the recovery of a password with a dictionary attack depends on the quality of the dictionaries. Most likely, that is the reason why this type of attack doesn't appear in just about any password cracker. Passcape Software allows utilizing a whole set of online and offline dictionaries (totally over 500 MB) compiled specially for this type of attack. For example, many users make their passwords of excerpts from their favorite songs or music bands. That's why we have created special, unique (you won't find anything like that anywhere on the Net) music-oriented key phrase sets. There's also a biblical set, movie phrases, proverbs, etc. Windows Password Recovery comes with a short dictionary of phrases
180. ort combinations. One way or the other, this attack can be quite useful, for example, when auditing passwords, as a simple vulnerability detector for certain systems.

Screenshot (Online recovery options, "Online recovery performs worldwide password search"): Online recovery searches passwords in online databases. This attack is effective against simple, short or well-known passwords for a small list of hashes. It also may act as a password weakness indicator. Attack settings shown: Search full LM hashes (recommended), halves otherwise; Maximize lookup efficiency; Skip unnecessary files; Set response timeout in seconds: 15; Limit download size for pages and documents: 1 Mb; Use proxy.

Online recovery options
• Search full LM hashes: use the entire 16-byte hash when searching LM hashes. If this option is not set, the search will be carried out over the 8-byte halves. To ensure a more efficient search and get rid of some stray traffic, it is recommended that this option is set. It is ignored when searching NT hashes.
• Maximize lookup efficiency: increase password lookup efficiency without affecting the attack speed. It is also recommended to always set this option.
• Skip unnecessary files: do not check some unnecessary files if they are suspected to not contain pa
181. ort output word list option is not set, merging comes down to simply adding new words, without sorting or checking for duplicates. In practice, however, merging with sorting is more common: it ensures that all the words in the output wordlist are alphabetically sorted and duplicate-free. Sorting may take a considerable amount of memory; therefore, it is appropriate to set a limit for the amount of memory that can be used by the process, at the expense of a little downgrade of the operation speed.

2.6.7.3 Wordlist statistics
Wordlist analyzer gathers and shows the following statistics:

Screenshot (Wordlist Tools, statistics for Australian.pcd): Common information: File name: Australian.pcd; File size: 54 771; Last modified: April 15, 2011 12:24:05; Wordlist type: Passcape Compressed Dictionary; Sorted ascending: Yes. Word statistics: Total words: 79 409; Non-English words: 0; Multi-word phrases: 0; Bytes per word: 0.69; Bits per character: 0.55; 1-character words: 16; 2-character words: 62; 3-character words: 348.

Common information
• Dictionary name
• Size in bytes
• File ty
182. ot exceed 7. Chain Length affects the following parameters of the table: password recovery rate, table generation time, and the time it takes to recover a single password by the attack. Chain count affects password recovery rate, table generation time and its size. Currently, the RT generation tool does not support tables greater than 2 GB in size; however, when creating large tables, you can increase the number of them (Table count option). The implementation peculiarity of the rainbow table lookup algorithm is in the fact that the success of the recovery depends on several parameters, which you need to pick the best ratio for, depending on the size of the tables, the time it takes to generate them, and the max time it takes to find a password in the rainbow attack. The table generation tool supports multithreading, so before launching the precomputation, you may want to set an appropriate number of simultaneous threads to be run for creating the tables.

2.6.6 Passcape Rainbow Tables Generator
Passcape Rainbow Tables are used for recovering passwords in the Passcape table attack. This tool is intended for creating such tables.

Screenshot (Passcape rainbow tables generator, "Create Passcape rainbow tables"): Table options: Algorithm: nt; Chain length: 11000; Chain count: 67108864; Table count: 2 7 Maximize lookup efficiency
183. other hand, there is always a chance to make a wrong choice of the expected character set. If at least one character of the password to be recovered is not included in the specified character set, the password will not be found. At the bottom of the attack settings dialog, you can see the total number of passwords that match the specified character set and password length. It is important to know that LM passwords in Windows are always converted to upper case; that significantly cuts the range of passwords to be searched.

Specifying password length
On the second tab of the options page, set the minimum and maximum length of searched passwords. As an alternative to minimum length, you can set the source password which the search would begin with. The maximum length of LM in Windows operating systems is 7.

Configuring graphics processing unit
Before you can use it in an attack, you must first select the graphics card on the respective menu item.

Screenshot (GPU brute force attack options, GPU settings tab): You can edit GPU-specific settings here. The Thread blocks option sets the number of GPU blocks to be run simultaneously; in most cases, each block incorporates 256 GPU threads. While passwords per thread sets the number of passwords to verify from within a single GP
184. ount
PrimaryGroupId: A 32-bit unsigned integer indicating the primary group ID of the account.
UserAccountControl: A 32-bit flag specifying characteristics of the account.
CountryCode: A 16-bit unsigned integer indicating a country preference specific to this user. The space of values is the international country calling code. For example, the country code of the United Kingdom, in decimal notation, is 44.
CodePage: A 16-bit unsigned integer indicating a code page preference specific to this user object. The space of values is the Microsoft code page designation.
BadPasswordCount: A 16-bit unsigned integer indicating the number of bad password attempts.
LogonCount: A 16-bit unsigned integer indicating the number of times that the user account has been authenticated.
AdminCount: A 16-bit unsigned integer indicating that the account is a member of one of the administrative groups (directly or transitively).
OperatorCount: A 16-bit unsigned integer indicating that the account is a member of the Operators group.
UserName: Unicode string that specifies the name of the user account.
FullName: Unicode string that contains the full name of the user.
AdminComment: Administrator comment associated with the user account.
UserComment: Second user comment associated with the user account.
Parameters: Extended user parameters. Microsoft products use this member to store user configuration information.
HomeDirectory: Unicode string specifying t
185. ow the hash of user's current password; to decrypt the previous hashes, you need the last decrypted pair, and so on along the line. Windows Password Recovery is the world's first utility which allows decrypting password history hashes from CREDHIST files. To do so, on the first step of the application's wizard, specify the path to your CREDHIST file and Windows directory.

Screenshot (Credentials history dumper, Step 1/2, "Select credentials history (CREDHIST) file location"): CREDHIST is a key ring file that keeps all previous user password hashes. Every time a user changes his or her password, the old password hash is added at the end of this file and then encrypted by the new password. Thus, to decrypt the hashes, you'll have to know the current password of the user. The CREDHIST file is located in the %APPDATA%\Microsoft\Protect folder. For example, Windows XP: C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect; Windows 7: C:\Users\John\AppData\Roaming\Microsoft\Protect. Fields: CREDHIST file, Windows dir.

Then you can decrypt and save hashes from CREDHIST to a textual PWDUMP-like file (if saving as NTLM is selected) or to a plain text file (if the SHA1 hash format is selected).
186. ow the value of a secret, just click on its name. Enter the edit mode by double-clicking on one of the characters in the Hex or Ascii field (this marks it in yellow) and enter the new value. In the edit mode, use the cursor keys to move to the next character. Modified values are marked in red. To save changes, right-click on the Hex/Ascii field and then select the save item on the menu that appears.

Screenshot (LSA Secrets Dumper, Step 3/3, "View and edit Windows LSA secrets"): The list below contains found and decrypted LSA secrets. Click one of them to view its value. Double-click the HEX/ASCII value to edit it and then right-click to save changes. Even though the secrets are editable, be careful: modifying or removing some secrets may cause your system to fail or even not reboot. List columns: Secret name, Data size, Modified, Expired. Context menu: Undo All Changes, Copy Data as Hex, Copy Data as Unicode String
187. ows decrypted plain-text password (it is clobbered) of the administrator account configured to logon using biometric information (fingerprint).

2.8 Settings menu
2.8.1 General settings
The general settings are divided into five parts.

2.8.1.1 General options

Screenshot (General options dialog): Attack progress: Save attack every ... minutes; Update progress bar every 3 sec; Delete progress status for all attacks of the current project. Password cache: Remove cached passwords (347 entries); View cached passwords (347 entries). Check for updates at startup; Duplicate log message to WPR.LOG; Overwrite log file; View log.

Attack progress
The first group of settings allows setting the save and update intervals for the current state of an attack. By default, an attack saves its state every 5 minutes (further on, you can resume the attack from the last saved point) and updates the screen every 3 seconds.

Password cache
All passwords found by the program are cached by default. A very helpful thing that is engaged in many subsystems, for example, in the intellectual or preliminary attack. Deleting the password cache is recommended in cases of extreme need only, for example, when their number exceeded ten thousand. In this case, the search s
188. pe
• Last modified date and time
• Whether or not alphabetically sorted (the check takes place only if the file is sorted ascending)

Word statistics
• Total words
• Non-English words
• Multi-word phrases, i.e. words separated with space
• Bytes per word (less word delimiter). Shows average wordlist compression ratio.
• Bits per character. Shows real wordlist compression ratio. For example, in UNICODE the bits per character value tends to 16 (not counting word delimiter), in regular ASCII wordlists to 8. In certain compressed PCD wordlists, one letter can be coded by less than 1 bit (see the screenshot).
• Word statistics: how many words consist of 1, 2, 3, etc. characters

Character frequency analysis (if the respective option is set)
• Indicates how frequently a certain character appears in a wordlist

2.6.7.4 Sort wordlist
The toolkit offers 6 modes of wordlist sorting: 4 of them are common, and 2 are extended. The common sorting modes include sorting wordlists in alphabetical order, both ascending and descending, and by word length. When sorting alphabetically or by word length, the program automatically removes word duplicates.

Screenshot (Wordlist Tools, Step 2/2): 6 types of sort available here: sort by ascending alphabetic string order, sort by descending order, sort ascending or descending by string l
189. peed for some attacks can drop significantly. Additionally, you can duplicate found passwords to a text file. So even if the program fails unexpectedly, or in case of a sudden power failure, the found passwords are guaranteed to be written to the file.

Check for updates at startup: check if an update is available every time the program starts. The option works only if the PC is connected to the Internet.

Duplicate log messages to wpr.log file: this option, when set, writes all messages the log window holds to the WPR.LOG file. Setting this option may cause performance degradation on a big list of hashes, because wpr.log flushes its content to disk every time a new message arrives. It can, however, be helpful when the program stalls or works unstably. WPR.LOG is located in the program's installation directory.

Overwrite log file: overwrite the log file every time the program starts. Otherwise, new messages will be appended to the end of the log file.

2.8.1.2 Attack options

Screenshot (General options, Advanced attack options): Automatically run preliminary attack when importing hashes; Finalize mutation on found passwords when attack is stopped or finished; Run simplified fingerprint analysis upon attack completion; Automatically select all loaded hashes upon import; Select only NT hashes
190. Screenshot (rainbow tables list): Add; Limit RAM usage; Total success rate: 99.3219%; Total tables size: 3.6 Gb.

The program supports the standard rt, indexed rti, and hybrid tables. Multithreading is supported as well. It must be mentioned that the rainbow attack does not guarantee the recovery of all passwords, but the probability of the recovery is close to 100%, depending on the tables you've got. A specific rainbow table can be used only for the hash it was created for; e.g. LM-specific tables should be used for breaking LM hashes only. The attack options allow limiting the amount of RAM that can be utilized by the attack when using old computers (the attack assumes using large volumes of RAM for its calculations).

2.8.2.11 Hybrid dictionary attack
Hybrid dictionary attack is a form of simple dictionary attack. However, unlike the latter, hybrid attack allows the user to set his own word mutation (variation) rules and attempt to validate the modified words as source passwords. For example, the user could capitalize the first letter of a password being validated, append 2 to it, replace the number 8 in it with the letter B, O with 0, etc. Actions performed on source words from the dictionary are called rules. Multiple rules can be applied to
191. percent. Besides, it's important to know some other things too. First, don't set the summary values of those parameters too high. Otherwise, your system may malfunction or freeze. Second, you'd better not set the value of Passwords per thread to less than 100, as it will negatively affect the speed of attack regardless of what kind of video card is used. Q: Does the PCI Express bus have any impact on the performance? A: Actually, this impact is negligible. It's usually masked by other factors. So the generation of your PCI Express bus and its performance don't matter much. Q: Does the amount of video memory matter? A: No, it doesn't. However, in most cases your GPU should have at least 256 Mb of video memory. Q: A GPU-based attack slows down my PC so I can barely use it. How can I fix it? A: There are two ways to fix it: temporary and permanent. As a temporary fix, go to the attack settings and try reducing the number of GPU blocks used or the number of passwords checked per GPU thread. As a permanent fix, install a second video device, provided that you have a second slot on your motherboard and that your power supply unit can handle the additional load. For example, you can use some cheap card as the primary one for displaying information on your monitor and a second, more powerful one for brute-forcing passwords. Q: I have more than video cards in my computer. Can I use them all for brute forcing? A: Yes. You can us
192. ple, you can save all DPAPI blobs from a user's registry to individual files and use them in the program. Here are storage locations for some DPAPI objects: Internet Explorer and Outlook passwords, WiFi passwords (XP only): user's registry (%APPDATA%\ntuser.dat); Google Chrome: %LOCALAPPDATA%\Google\Chrome; WiFi passwords (Windows Vista and higher): %PROGRAMDATA%\Microsoft\Wlansvc; Network connection passwords, Windows Credential Manager: %LOCALAPPDATA%\Microsoft\Credentials or %APPDATA%\Microsoft\Credentials. Use the finder utility to extract DPAPI data from there. Select Master Key. The Master Key is used in DPAPI as a primary cipher key to decrypt user-protected data and passwords, i.e. DPAPI blobs, for example EFS certificates, WiFi, MSN, Outlook, Internet Explorer, Skype credentials, etc. The user Master Key file is located in the %APPDATA%\Microsoft\Protect\%SID% folder, where %APPDATA% is the user application data directory and %SID% is the textual SID of the user. However, the SYSTEM Master Key may be located in the following folder: %WINDIR%\System32\Microsoft\Protect. [Screenshot: DPAPI offline decoder, Select Master Key file dialog with the Master Key file and CREDHIST file fields.] Master Key is a set
193. program. Be careful: dictionary creation may take quite some time, depending on the source. Online dictionaries. On the third tab you can download source wordlists for fingerprint attack from the Internet. Be careful: not all the dictionaries are well suited for the attack. First, the program should attempt to establish a connection with the Passcape server and retrieve the list of dictionaries available for downloading. Select the dictionary you need and click the Download button to retrieve it. [Screenshot: GPU fingerprint attack options, Online dictionaries tab, listing dictionary name, size, strings and group.] GPU settings. Before you can use it in an attack, you must first select the
194. r great for passwords maximum methods of words and performance the social combinations thatthe attack takes engineering user stored in the considerable time system anytime in the Finds not all past passwords Brute force Searches all Depends Yes The only attack along Searching long possible on options with the mask attack passwords takes combinations within a specified character set thatis guaranteed to recover a completely unknown password Good for any short and medium passwords Dictionary Finds password Almost No Good and speedy tool by searching instantly for recovering common words from passwords predefined dictionaries word lists Dictionary Sameas Up to No Good for all sorts of with smart dictionary attack 1000000 variations of common mutation except here each times passwords word from the slower dictionary than a undergoes all simple kinds of dictionary mutations For attack instance appending numbers changing letter case deforming displacing letters etc Mask Finds passwordsDepends Yes Guaranteed to recover by specified on options mask password a password Good considerable time Hard to guess the right range of characters to be searched Requires having good dictionaries does not take into account peculiarities of the language and letter case The maximum most effective mutation takes considerable time Requires having the of the password and when run on the origi
195. r power. If the video card has additional 6-pin or 8-pin power connectors, make sure they are all properly connected. Q: When I launch a GPU attack, my computer slows down a great deal. How can I fix that? A: By default, the application is set up for using video cards of medium performance. That's usually 256 threads per block, 256 blocks, and 1000 passwords per thread. For older video cards such a configuration is too much and may cause a slowdown. Consider reducing the value of Passwords per thread to 100 or even less. Q: What's the best way to find optimal values of Thread blocks and Passwords per thread in the GPU attack settings? A: You can do that either empirically or by doing some maths. For example, if the values are 100 and 100 and the average speed of attack is 1 billion passwords per second, you can calculate that the GPU kernel is called about 390 times per second (the number of passwords calculated each time is usually 256 * ThreadBlocks * PasswordsPerThread). Naturally, the fewer calls, the less the overhead and the higher the attack speed. On the other hand, you must call the GPU program at least a couple of times per second. So use a calculator and adjust the parameters. You can also adjust them using a rule of thumb, that is, increasing their values until the speed of attack stops going up and the computer slows down. If you have a GPU monitor installed in your system, it should indicate a load of at least 98-99
196. racter, plain-text string, one digit between 0 and 9, or a number. For instance, if you set a one-digit prefix, the phrases created with this rule will look as follows: 0 aaa bbb, 1 aaa bbb, 9 aaa bbb. 2. First word: the action to be performed over the first word of each phrase. There are only four options, namely: leave intact (as is in dictionary), convert all characters to lowercase, convert all characters to uppercase, or capitalize only the first letter of the word. 3. Word separator. It may be absent. Then all the words will be concatenated. Example: aaabbb, aaaccc, aaaddd, etc. You can otherwise set a custom separator, e.g. the character: aaa bbb, aaa ccc, aaa ddd. Or you can set a range of characters. 4. Other words. With this attribute, similarly to 2, you can set rules for the other words of a phrase. 5. Postfix: text that will finalize each phrase. For example, if you set Postfix to ?, all phrases created with this rule will have the question mark at the end. Certainly, the more password generation rules you set, the more chances you have to pick the right password. But on the other hand, the more time you will spend on the attack. The Statistics group shows the average and recommended average size of a dictionary, number of words in source dictionaries, total number of passwords being generated, and other helpful information. Dictionary generator
197. rds found in other attacks when generating fingerprints. Use keyboard and frequently used sequences: add keyboard combinations and common sequences to the fingerprint bank. Use dates: add dates to fingerprints. Use numbers and common sequences: use digits and simple combinations of letters. The most careful attention should be paid to the option Loop until no more passwords are found. That is where fingerprint attack can really show itself off. Here is how it works: if at least one password is found during an attack, when the attack is over, the password participates in generating new fingerprints, and the attack runs again. This option works great on large lists of hashes and on password history hashes. However, once the option is set, you will not be able to resume the attack from the last saved position. Dictionary generator. The second tab with the settings allows you to create and save a custom dictionary using the current options of the fingerprint attack. Be careful: the dictionary may take up a lot of space on your PC's hard disk drive. Passwords generated by this attack can easily be saved to file, so you can create your own dictionary and use it in another
198. reads to be run simultaneously. In the majority of cases, it should match the number of cores in your CPU. However, if the CPU supports the Hyper-Threading technology, you can even double the number of search threads that run simultaneously. The DES and MD4 search algorithms in Windows Password Recovery are optimized for three CPU architectures: x86, MMX and SSE2. Naturally, on CPUs that support a newer architecture the search would run faster. It is not recommended to set the attack priority above normal; otherwise, you may observe a considerable reduction of performance of the entire system. 2.8.1.4 GPU settings. [Screenshot: General options with Platform (CUDA), Save device info to file, and the device property table.] Before running an attack on a GPU, select it in the application's general settings by simply ticking the check box by the GPU name. All the main characteristics of the device are displayed in the property table. The software supports NVidia GPUs built on the CUDA platform and AMD GPUs built on the OpenCL platform. 2.8.1.5 Sound notifications. [Screenshot: sound notification settings, When password is found.]
199. ree mutation levels or disable mutation separately for each group. Smart mutation: Weak (fewer smart mutations and greater verification speed), Strong (a greater number of mutations at the expense of speed), and the happy medium (the Default option). The smart mutation is based upon 150 social rules and combinations. Be careful: mutating even a single word may take quite significant time. For example, you can turn off OEM mutation and thus double your Dictionary attack speed if you are sure the password you're looking for contains Latin characters only. A simple description of what all these mutation groups mean is given below. Columns: Group name; Description; Examples for word "password"; Comments. Character case: checks case combinations of the input word; examples: Password, PassworD, PaSsWoRd; comments: the Maximal (Strong) level of the mutation group DOES NOT generate all possible case combinations of input words. To check all possible case variants, consider using the Hybrid dictionary attack (aN rule). Digits append: adds digits to the beginning or to; example: password99; comments: Maxim
200. rts hashes from remote computers. Imports hashes from system shadow copies, restore points, backup and repair folders. Can back up (save) local registry files and the Active Directory database. Imports password history hashes. Recovers some account passwords on the fly when importing locally. Supports Active Directory (domain accounts). Supports importing from 64-bit systems. Exports hashes to the PWDUMP file. The software has 17 types of different attacks; 10 of them are unique, developed by our company and implemented upon patented technologies. The program supports multithreading, fully leveraging the power of modern computers. Dictionary attack supports text dictionaries in the ASCII, UNICODE, UTF8, PCD, RAR and ZIP formats. Broad choice of online dictionaries for dictionary attacks (about 2 GB). Some of the program's functions, e.g. word mutation, are unique. For example, the total number of mutation rules exceeds a hundred and fifty. No other similar application features that. Supports an unlimited number of inspected hashes. Intelligent analysis of found passwords. High search speed on modern computers: over 100 million passwords per second for 4-core CPUs and over billion passwords using GPU power. Includes auxiliary tools: hash generator, password strength check, rainbow table creation, etc. Extended toolset to work
201. rute force 2m 29s, combined dictionary 0m 10s, fingerprint 9m 44s, GPU brute force 1m 3s. 2.5.3 Miscellaneous statistics. Some additional stuff like: CPU speed: password recovery speed comparison for brute-force attack. GPU speed: shows and compares password recovery speed for your GPU device. You can benchmark your CPU or GPU performance using the Pass-o-meter tool. Cracked users: displays the number of cracked users. The full list of cracked user accounts can additionally be saved to a text file. Cracked users and passwords: displays the list of cracked accounts with passwords. [Chart: CPU Speed, comparing LM and NTLM password recovery speed for this computer against several AMD and Intel CPUs.] 2.5.4 Account statistics. Account statistics are available for both local and domain accounts. To generate a report, first select the data source: local or external database (SAM or Active Directory). These are the reports available in this category: Regular vs disabled accounts. This report shows the ratio of regular vs disabled user accounts. Regular vs locked accounts. R
202. s LM password history hashes of the user account. NTHistoryHashes: NTLM password history hashes of the user account. UserHint: user hint displayed during unsuccessful logon. UserPicture: logon picture associated with the account. 2.7.4.5 DPAPI tools. Starting with Windows 2000, Microsoft began equipping their operating systems with a special data protection interface, the Data Protection Application Programming Interface (DPAPI). Currently, DPAPI is very widespread and used in many Windows applications and subsystems, for example in the file encryption system, for storing wireless network passwords, in Microsoft Vault and Credential Manager, Internet Explorer, Outlook, Skype, Google Chrome, etc. This system has become popular among programmers first of all for its simplicity of use, as it consists of just a couple of functions for encrypting and decrypting data: CryptProtectData and CryptUnprotectData. However, despite its apparent simplicity, the technical implementation of DPAPI is quite complicated. Passcape Software, first in the world, offers a set of 6 tools for comprehensive analysis and decryption of data encrypted with DPAPI. These utilities allow you to: decrypt DPAPI blobs for any account; search DPAPI blobs on disk; decrypt DPAPI blobs encrypted under the SYSTEM account (e.g., WiFi passwords); analyze and decrypt user
203. s necessary for the recovery. If you have specified the path to the registry in the current system, parsing it will take a bit longer, normally by a few seconds. Password hashes for domain accounts are stored in the Active Directory database, or, to be more specific, in the very heart of it: the ntds.dit file, which resides in the folder Windows\ntds. The recovery of domain accounts also requires the SYSTEM registry file. Be careful! Dumping from the current system's AD database may take some time, especially when ntds.dit is of a considerable size. The program works properly with and supports all the SYSKEY encryption options: Registry SYSKEY, SYSKEY startup diskette, SYSKEY startup password. If you are copying the files from another system, besides the SAM (ntds.dit) and SYSTEM files it is also highly recommended to copy the SECURITY and SOFTWARE registries (they should be located in the same folder as the SYSTEM file); that would allow you to recover the passwords to some user accounts quicker. Using additional options, you can: turn on/off loading history hashes. Turning off history loading will speed up database parsing. On the other hand, when attacking hashes, guessing history passwords may give a clue to figure out the password for the primary account the hashes belong to. Discard loading machine accounts (ones that end with the $ character). Switch on/off instant check for plaintext passwords, if any. 2.2.1.4 Import from
204. [Screenshot: Offline Password Remover, Step 2/4, Show path to SAM and SYSTEM registry files.] To reset a regular user password, you should select two registry files: SAM and SYSTEM. For example, you can copy the files from another system here, reset the password you need, and then place them back. 3. On this step, we need to select the account we need to modify the password for. Select the user name and move on to the final step. [Screenshot: Offline Password Remover, Step 3/4, Select the user you want to reset the password for.] The top of the page contains the list of user accounts found. Click one of them to see its properties. Press the Next button to proceed to the final Wizard step and reset/change the password for the account selected. [Screenshot: user list with User name, User ID, Administrator and Password set columns, and account properties.] 4. The New password field is made for the new password; leave it blank to reset the
205. set 1 dic as the primary dictionary and any other as the secondary dictionary. This way, the program would search for disyllable words like bluepig, blueberry, bluegirl, etc. If you add the third dictionary, the program will search through the combination of the three components, for example bluecoolgirl, blueblackhash, bluebadboy. Q: The Artificial Intelligence attack goes too slow. What's the matter? A: It's either because the password cache is full, in which case you need to try emptying it, or because you have set too deep a mutation and the program has found quite many suspicious words, i.e. words that are considered potential passwords. Q: I am launching the brute force, but the program complains that it has nothing to do. Why? A: Before launching the brute force, you must first select the hashes. You can do that through the Edit - Select menu. Q: What are Rainbow tables, and how can they be used for recovering passwords? A: To launch a rainbow attack, in the attack options you need to load the RT or RTI files that contain Rainbow tables. The type of the tables must match the type of the hashes selected for the attack. Therefore, the names of the files with the tables must begin correspondingly: lm_*.rt for LM hashes, ntlm_*.rt for NT hashes. You can get some additional information and down
206. sswords. Response timeout: set the maximum allowed Web resource response time. Limit download size: limit download file size. Some hash databases have enormous size, even though they often do not contain passwords. Therefore, for slow Internet connections and to restrict stray traffic, it is recommended to set a limit on the size of downloaded pages. Unfortunately, there is no way to figure out what is in the data to be downloaded; therefore, this option is determined exclusively by your preferences and capabilities. Use proxy: use a proxy server for looking up passwords. Min/max delay between search queries: minimum and maximum delays between two consecutive requests to the search server. Some search servers may reject search requests if they arrive in series from the same IP address with a very short time interval (normally, less than 10 seconds). Although Windows Password Recovery has an internal request randomizer, which allows dropping this delay significantly, to as little as 1 and 2 seconds respectively, the safe values at which a search request will definitely be processed by the server are min 15 and max 30 seconds. Certainly, the attack speed is in direct relation to these two options. Be careful! Online recovery may generate a lot of Internet traffic. 2.8.2.13 Passcape table attack. Passcape Rainbow T
207. stion is: how to organize the recovery process, which attack to start with to raise the probability of its successful completion? For choosing the type and the sequence of the attacks, we advise following this algorithm, which is applicable in the majority of cases to all types of passwords to be recovered. First, enable the preliminary attack option if it is available. It will help to recover simple and frequently used combinations. Second, select one or several passwords you need to decrypt first of all and run Online recovery to find out simple and frequently used passwords. Third, if you are aware of any specifics of the password you are looking for, it's better to try mask attack or base-word attack first. Specifically, if you know a part of the password, using mask attack would be more effective. If you know the basic component of the password or, for example, know the password but don't remember the sequence of caps and lowercase characters in it, base-word attack would do the job better. Fourth, if there's no information on the password you are looking for, which occurs most frequently, be guided by the following sequence of steps: 1. Launch Artificial Intelligence attack with mutation and indexing options set to light. If the password was not found, try once again with the mutation option set to normal lev
208. successfully utilize this attack, set at least two dictionaries and the rules for generating passwords. You can set the regular dictionaries used in the simple dictionary attack, but it is recommended to use rather small dictionaries with the most common words. Perfect dictionaries for the combined (pass-phrase) attack are those that have different forms of words in them, e.g.: jump, jumper, jumped, jumping. Combined attack sets a certain limit on the number of dictionaries that can be used: not more than 4. Thus, the general limitation of this attack is that only password phrases of not more than 4 words can be recovered with it. Another essential drawback is the wide range of phrases generated and, as a consequence, the proportional increase of the time spent on the validation of a password. Keep in mind that when generating passwords that consist of 3 or 4 words, the generation process takes considerable time. If finding the right dictionary is difficult, don't worry. The software comes with a special dictionary for the combined attack. You can also take advantage of the Online Dictionaries tab or the corresponding button to download such dictionaries from the Passcape website. [Screenshot: Dictionaries tab with Secondary2, Secondary3 and Secondary4 dictionary fields, Statistics and Output passwords.]
209. sword manually in Tools - Password Checker. Password Checker automatically checks all possible combinations of uppercase and lowercase characters. Q: I have recovered the internal administrator password, but when attempting to log on with it, the system tells me that the password is incorrect. What's the matter? A: Most likely, you have recovered the local administrator's password while your computer belongs to a domain. Domain passwords are stored in Active Directory, including the domain Administrator's password. Try logging on to the system in safe mode. Q: During a dictionary attack I have recovered a password that was not in the dictionary. How did that happen? A: Most likely, you had set the maximum mutation level, at which the program also checks dictionary words typed in a non-English national character set, depending on the keyboard layout. For example, the word secret typed with the Cyrillic layout will produce the word ыускуе. Besides swapping keyboard layouts, the active mutations can mutilate the words to the point where they are hard to recognize. Mutation is used in the preliminary intellectual dictionary and combined attacks, as well as in the key-word and phrase attacks. Q: In a batch attack, can I set the same attack type but with different settings? A: Yes, you can do that. Q: I've got a question concerning online dictionaries. I've noticed that they are extremely compressed, to a level greater than those that are pr
210. t the principal is a person or service entity running on the computer. The shared secret allows the person or service entity to authenticate itself. Represents a typical domain object that does not conform to other types. Represents a computer object that is associated with individual client or server machines (accounts) in an Active Directory domain. Domain trusts: represents a user object that is used for domain trusts. A trusted domain is a domain that is trusted to make authentication decisions for security principals in that domain. A security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. Aliases can be granted rights and permissions on resources that reside only in the same domain where the domain local group is located. Aliases which: represents an alias object that is not used for authorization context generation. Application defined groups: an application-defined group. Query groups: an application-defined group whose members are determined by the results of a que [Screenshot: Active Directory Explorer, Step 2/4, Show path to AD database and SYSTEM registry files.] If the auto decryption option is set th
211. t Windows Vault. Select Vault location (a folder with the policy.vpol file inside). [Screenshot: Vault location field.] There are currently two types of Vault storage: system and user. The user Vault storage can be located in the following folders: <USER_APP_DATA>\Microsoft\Vault\<GUID>, <USER_LOCAL_APP_DATA>\Microsoft\Vault\<GUID>. For example: \Users\John\AppData\Local\Microsoft\Vault\18289F5D-9783-43EC-A50D-52DA022B046E, \Users\Helen\AppData\Roaming\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28. The default location of the system Vault storage is: <SYSTEM_APP_DATA>\Microsoft\Vault\<GUID>, <SYSTEM_LOCAL_APP_DATA>\Microsoft\Vault\<GUID>, <PROGRAM_DATA>\Microsoft\Vault\<GUID>. For example: \Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28, \Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28, C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204. Note that some of the specified folders have the system attribute set, which makes these folders hidden. Windows has the VaultCmd.exe utility for creating and managing your own Vault storages. Selecting Master Ke
212. t.amd.com/us/gpudownload/Pages/index.aspx web sites. Q: Where can I read more info about CUDA? A: The Wikipedia site is a good starting point. Q: Where can I read more info about AMD Radeon cards? A: http://en.wikipedia.org/wiki/Comparison_of_AMD_graphics_processing_units Q: After I launch a GPU-based attack, my computer freezes or crashes into BSOD. What's the problem? A: The problem may be caused by the following reasons. Your video card had been overclocked and it was malfunctioning at high load. If that's the case, bring the frequencies of the video memory and cores to their defaults. Insufficient or ineffective cooling of your card. When you launch a GPU-based attack, the program utilizes most of the GPU power, and the GPU temperature rises to a critical level. Make sure that your video card is well cooled and that the GPU slot and your system unit are free from dirt and dust. An unwise use of some video settings may have a negative impact on the video card's temperature and its stability under high load conditions. For example, some applications reduce the fan speed to minimize the noise, which does result in noise reduction but also increases the core temperature. Power supply problem. Your card can consume a lot of energy at full load, and the power supply unit may be unable to handle such a high demand fo
213. t fluctuations in the current search speed displayed on the attack status tab. This is caused by the fact that task completion time on the GPU exceeds the time required for refreshing the current state of the attack. Setting too big numbers may cause a system failure. 2.8.2.17 GPU Mask attack. Mask options. Mask attack is an irreplaceable tool when you know a fragment of the password or have any specific details about it. For example, when you know that the password consists of 12 characters and ends with qwerty, it is obvious that searching the entire 12-character range of passwords is unreasonable and useless, for it takes ages to complete. All that would be required in this case is to guess the first 6 characters of the sought password. That is what mask attack is for. Brute-force attack by a given mask. Often the mask attack is used if there's some information about the password to recover. For example, you know that the password begins with loveme and is followed by a word or a name. You can then set the following mask: loveme%c%c%c%c%c%c to check all possible variants from lovemeaaaaaa to lovemezzzzzz. [Screenshot: GPU mask attack options, Mask options tab, with Password mask field and Statistics.]
214. t one wordlist here in order to continue. [Screenshot: Hybrid dictionary attack options, Dictionaries tab, listing dictionary size, strings and full path for each wordlist.] On the Rules tab, define at least one file with password mutation rules. The format of the rules file is quite trivial: it is a plain-text ASCII file with the [Rules] string. Anything above this string is considered as comments and ignored by the program. Whatever goes below this string is considered as rules. Each string can contain several rules applicable to a source word. The exception is the aN rule. This rule must not be on the same line with other rules. If a string contains multiple rules per word, those rules are parsed left to right. For example, if you apply the rule pc a b c to the source word password, at the output you will get Asswordabc. The maximum length of an output word may not exceed 256 characters. Hybrid dictionary attack options ei
215. t to convert. By default the program detects input file format automatically. However, you can do it implicitly.

[Screenshot: Convert/compress wordlist dialog. Fields: Input wordlists; Input file format (Auto detect); Output wordlist file format; Output file format (PCD, Passcape Compressed Dictionary); option Compress output file into ZIP archive.]

This tool's user interface is pretty easy. In the upper group, select the source wordlist and its format. By default, the program detects the format of the file automatically, but you can also specify it by hand. While the format of a PCD can be clearly recognized, with text files it's not that easy. As a rule, text files (wordlists) in UTF16 or UTF8 begin with a two- or three-byte marker that describes the type of the file. However, there are Unicode wordlists that do not have any identifying markers. For such hard cases, you need to set the type of the source file manually. Otherwise the program, being unable to see an appropriate identifier, improperly recognizes the file as ASCII. The target wordlist, similarly, is defined by one of the four above-mentioned formats. With the compression option set, the program additionally compresses the file to a ZIP archive. The target wordlist name may be the same as the source; however, that is not recommended.

2.6.7.6 Co
216. tData function when protecting data, the decryption of that data is also possible without the user's logon password (for example, wireless network passwords). However, this is a peculiarity of an interface implementation and is not a bug. Windows Password Recovery, starting with version 9.7, utilizes some new vulnerabilities in DPAPI Master Key protection, which were detected by our company. Thus, to decrypt a Master Key of a domain user, the owner's logon password is not necessary any longer.

[Screenshot: Decrypt data, DPAPI offline decoder, "Decrypted DPAPI blob" step. Dialog text: "The list below contains decoded data of the DPAPI blob file. Right-click the list to display the context menu." Context menu items: Copy Data as Hex, Copy Data as Ascii String, Copy Data as Unicode String, Save to File.]

Having all that is necessary, Windows Password Recovery performs the final decryption of the DPAPI blob data, which you can then copy to clipboard or save to file. If the final step of the decryption ends up with an error, it is most likely because you have not set properly or not s
217. tation is a normal balance between the operating speed and the number of generated password phrases. Strong mutation allows finding more difficult passwords by generating the widest range of all possible combinations, at the expense of the search speed. For instance, English phrases typed using the national keyboard layout, abbreviations, etc. Read more about pass-phrase attack.

[Screenshot: pass-phrase attack options. Controls: Mutation level (Weak, fast; Normal, slow; Strong, very slow); Phrase limitation (Limit input phrase; Maximal phrase length: 100; Maximal words in phrase: 10).]

Mutation is worth saying more about since, as you may know, strong mutation significantly raises the chances of a successful recovery. Weak mutation is normally justified in only one case: for increasing the attack speed, or when using dictionaries of large sizes. Medium mutation is a normal balance between the operating speed and the number of generated password phrases. Strong mutation allows finding more difficult passwords by generating the widest range of all possible combinations, at the expense of the search speed. The greater the mutation level, the more passwords the attack will cover. For instance, English phrases typed using the national keyboard layout, abbreviations, etc.

Major difference in mutation levels:
• Weak: simplest, thus fastest mutations
• Normal: the same as Weak, but generates several additional mutations and case combinations
• Strong: the same as norm
218. ter X at position N if previous character at position N is Y com not Y INX rl0 rpassworpassword Insert the character X at position N if previous character at position N is Y d Y ON O0 passwor assword _ If the character at position N is not Y overwrite it with X character X Y p d ON OOP passworPassword If the character at position N is Y overwrite it with X character X p d Y RN RO1 passworassword Remove character at position N if character at position M is Y M a d Y RN R40 bpassworpassord Remove character at position N if character at position M is not Y M Y d passworOpassword Insert a character from a charset C into position N of the word Where iN iO digi d 1password C should be either a predefined charset name or a custom character set C ts ies itself 9password passworpassword0 Insert a character from a charset C into last position of the word Where iZ iZ digi d password1 C should be either a predefined charset name or a custom character set C ts ids itself password9 passwor password Insert a character from a charset C into every position of the word i C i specd lpassword Where C should be either a predefined charset name or a custom ial eg character set itself password_ password 2 passworpAssword Overwrite a character at position N with a character taken from a charset ON 01 up d pBssword C Where C should be either a predefined charset name or a custom C peralp vaa character set
219. the brute-force recovery speed is 10 bln p/s (1 top GPU in 2014).

[Table with columns Character set, Password length, Password sample, Time to crack. Password samples and times to crack:]
CRUEL: instantly
SECRET: instantly
MONSTER: instantly
COOLGIRL: 22s
LETMEKNOW: 10m
COOL3: instantly
BANG13: instantly
POKEROO: 8s
LETMEBE4: 5m
COOLGIRL1: 3h

Q: How much time is needed to guess the NT password from its LM hash?
A: Almost instantly.

Q: Why can't I just remove (drop) the hash, i.e. set a blank password?
A: Who said you couldn't? You can. For instance, using this utility. This way is just fine for those who need to regain access to their own (or someone else's, e.g. when talking about the respective authorities) account at any cost. Moreover, with the above-mentioned utility you can do the following: remember the hash, then reset the hash, log on to the account with an empty password, do the necessary manipulations with it, and then restore the remembered hash. But that's not as simple as it seems. Even if you have reset the password and gained access to the account, you still won't be able to recover the majority of other passwords. Why? Because the user password participates in the creation of the user's master key, which is used in the DPAPI and EFS encryption and other Windows subsystems. In other words, eve
220. the third group of settings; these are in charge of preprocessing the words from the source dictionary. Selecting the As is option makes the program use the source word as is, not converting it to upper or lower case. The number of passwords to be searched grows in direct proportion to the number of options specified in this group. On the other hand, the program is smart enough not to use repeated words. For example, the word 12345678, even if all the conversion options are set, will be used only once.

[Screenshot: GPU dictionary force options dialog, Brute Force tab (other tabs: Dictionaries, Online dictionaries, GPU settings). Dialog text: "Brute-force settings. Set up a character set, its minimal and maximal length. The attack will use the character set to generate symbols to be inserted into dictionary words. Insertion position is the position in the word where the symbols will be inserted at. Read more about GPU dictionary force attack." Control groups: Brute force range (predefined charsets, custom charset, minimal and maximal length); Position in the word the bruteforce symbols should be inserted at (At the beginning, At the end, Everywhere in the middle); Input word utilization.]
221. tionary as two original sources: primary dictionary and secondary dictionary (see the figure). After these dictionaries have been processed, at the output we have the following phrases (they will be used when checking the password sought): actionaction, actionbad, actioncomputer, badaction, badbad, badcomputer, computeraction, computerbad, computercomputer; 9 phrases total.

2. In the second case, we have got two different dictionaries. For example, the first dictionary consists of three words: action, bad and computer. The second one also has three words: date, eagle, fail. In this case we are going to have the following phrases: actiondate, actioneagle, actionfail, baddate, badeagle, badfail, computerdate, computereagle, computerfail.

The example is plain but demonstrative. The idea is that for multiple sources you can successfully use both a single dictionary and multiple ones. It all depends on your imagination. The last example shows that special attention should be paid to the order of the dictionaries if they are different. The order of the words in the phrases to be created depends directly on the order of the source dictionaries. In our second example, if we swap the primary and the secondary dictionaries, at the output we will obtain a completely different set of phrases.

Mutation rules
222. [Screenshot: Online dictionaries tab. Dialog text: "Passcape online dictionaries. First, the program should attempt to establish a connection with the Passcape server and retrieve the list of dictionaries available for downloading. Select the dictionary you need and click the Download button to retrieve it. You can use the Ctrl or Shift buttons for multiple selection." List columns: Dictionary name, D/L size, Real size, Strings, Ratio, Group. Buttons: Update list, Download.]

GPU settings

Before you can use a GPU in the attack, you must first select it in the respective item of the main menu.

[Screenshot: GPU dictionary force options dialog, GPU settings tab.]

GPU-specific options: Max thread blocks sets the maximal number of GPU blocks to be run simultaneously; each block incorporates 256 GPU threads. Max passwords per thread sets the maximal number of passwords to verify from within a single GPU thread. Even though both param
223. 2.4.6 Select
2.4.7
2.5 Reports
2.5.1 Password
2.5.2 Attack statistics
2.5.3 Miscellaneous statistics
2.5.4 Account statistics
2.5.5 Password list analysis
2.5.6 Group information
2.6 Tools menu
2.6.1 Program access
2.6.2 Pass-o-meter
2.6.3 Password
2.6.4 Hash Generator
2.6.5 Rainbow Tables Generator
2.6.6 Passcape Rainbow Tables Generator
2.6.7 Wordlist tools
2.6.7.1 Create new wordlist by indexing files
2.6.7.2 Merge wordlists
2.6.7.3 Wordlist statistics
2.6.7.4 Sort wordlist
2.6.7.5 Convert/compress wordlist
2.6.7.6 Compare wordlists
2.6.7.7
224. ul dictionary creation may take quite some time, depending on the source wordlists given and the creation rules set. Read more about Hybrid dictionary attack.

[Dialog controls: Dictionary generator; Dictionary size: unknown; Generate.]

You can download additional wordlists for the attack using the Online dictionaries tab. If you want to create your own set of rules, you can use the last two tabs as sources of help. While the Hybrid syntax tab gives mere descriptions of available rules, on the last tab you can actually test them by specifying a source word and a rule for the hybrid attack. Forward your rule sets to us; if we find them interesting or useful, we will include them in the default distribution of the program.

[Screenshot: Rule tester tab (tabs: Dictionary generator, Online dictionaries, Hybrid syntax, Rule tester). Dialog text: "Hybrid rules tester. You can test your own hybrid rules here. Just type in a sample input word and the rule to be tested." Fields: Input word, Hybrid rule, Output word.]

Rules description for the hybrid dictionary attack

Several rules at a line are allowed to be set. Rules (if any) are processed from left to right. Maximal line length is limited to 256 characters. Maximal output word length is limited to 256 characters. White space is ignored as long as it is not used as a parameter. A line started with char
225. uming that you save it to NTFS disk. Be careful: the dictionary generation process may take considerable time and disk space.

[Screenshot: dialog tabs Dictionaries, Rules, Super rules, Dictionary generator, Online dictionaries. Dialog text: "Passwords which were generated by this attack can easily be saved to file. Therefore, you can create your own dictionary and use it in another program. Be careful: dictionary creation may take quite some time, depending on the source wordlists given and creation rules set. Read more about Hybrid dictionary attack." Controls: Dictionary generator; Dictionary size: unknown; Generate.]

You can download additional wordlists for the attack using the Online dictionaries tab. If you want to create your own set of rules, you can use the next two tabs as sources of help. While the Syntax tab gives mere descriptions of available rules, on the Rule tester tab you can actually check them by specifying a source word and a rule. Forward your rule sets to us; if we find them interesting or useful, we will include them in the program.

[Screenshot: Rule tester tab (tabs: Dictionary generator, Online dictionaries, Hybrid syntax, Rule tester). Dialog text: "Hybrid rules tester. You can test your own hybrid rules here"]
226. ur local computer or external PC.

[Wizard options under "Domain cached credentials location": Cached credentials of the local computer; Cached credentials of an external PC.]

Cached domain records are stored in the SECURITY registry file. Thus, when selecting the option to read records from an external PC, on the next step of the Wizard you should specify the path to both the SECURITY and SYSTEM registry files, used for decrypting the records. When selecting the option to read cached records of the local computer, on the second step of the wizard the program will automatically locate those files. The registry files are located in the following folder: C:\%WINDIR%\system32\config, where %WINDIR% is the Windows directory.

[Screenshot: Domain Cached Credentials Explorer, "Cached credentials of the local computer", Step 2/3. Dialog text: "Domain cached credentials are stored encrypted in Windows registry under the HKEY_LOCAL_MACHINE\SECURITY\Cache key. You should provide SECURITY and SYSTEM registry files in order to continue." Fields under "Domain cached credentials location": SECURITY, SYSTEM.]

If the reading was successful, in the final dialog you will see the decrypted domain records. Each record has several attributes. For example: user name, last logon time, group members
227. ve leading and trailing spaces and numbers
• Cut (remove) leading and trailing spaces, numbers and special characters
• Split wordlist to chunks by maximum size
• Split wordlist to chunks by maximum word count
• Remove words of length smaller than specified
• Remove words of length greater than specified
• Change line delimiter
• Wipe out HTML tags and trash. This menu also converts HTML entities to human-readable form. For example, &amp; -> &, &#064; -> @
• Set your own filter based on Hybrid Dictionary rules

For the source wordlist, the program takes ASCII, UTF16, UTF8 and PCD files. The target wordlist can be a text file of ASCII, UTF16 or UTF8. Source and target wordlist names may be identical (not recommended). In this case the source wordlist will be overwritten.

2.6.7.8 Index HDD sensitive areas

Creating a wordlist by indexing the hard disk, followed by an attack using this wordlist, is a pretty useful and sophisticated tool for decrypting passwords to local Windows accounts. Often users instinctively set the same passwords for their Windows accounts, Web, ICQ, etc. The idea of this tool is to create a wordlist of all found formerly used passwords, user's messages, words from recently opened files, etc., and then use the accumulated wordlist for looking up passwords to the local accounts. This technique is engaged in the Arti
228. walking through all sectors of the target drive with this option set to Hard may take quite a time. Note that the sector-based scanning algorithm is not effective against drives which have full-disk encryption set on, like BitLocker or TrueCrypt, for example.

2.8.2.3 Fingerprint attack

Fingerprint attack is a relatively new tool for recovering complex passwords which could not be decrypted by other attacks. The idea of the attack is that here, to recover a password, we take neither individual words from the source dictionary (like in the dictionary attack) nor even word combinations (like in the combined attack), but so-called fingerprints. Now every source word from the dictionary is used for generating several fingerprints. If some password is found during the attack, it participates in generating new fingerprints, and the attack goes another round.

Before launching the attack, specify the source dictionary to be used for creating the fingerprint bank. The software comes with a dictionary, common.pcd, optimized for this attack, but you can use yours or download one off the Internet (Online dictionaries tab). There are no certain requirements to the dictionary except one: the source dictionary must not be too large; otherwise, the attack will take significant time. You can use dictionaries with national passwords if you suspect that the sought password contains characters in a national encoding.
229. word range, Total passwords.

In our case we could define the following mask: c c c c c cqwerty. That means that the program would successively check the following combinations: aaaaaaqwerty, aaaaabqwerty, aaaaacqwerty ... zzzzzzqwerty. If the original password is secretqwerty, it perfectly hits the range. The mask input field is used for setting the rule which will be used by the program to guess the password. If the mask is set correctly, below you will see the range of characters generated by the mask. User-defined masks can be saved to disk.

Dictionary generator

By switching to the Dictionary generator tab, you can generate your own dictionary by a given mask and save it to disk. This feature is available in the Advanced edition of the program only.

[Screenshot: GPU mask attack options dialog, Dictionary generator tab (other tabs: Mask options, Mask tips, GPU settings). Dialog text: "Dictionary generator. Often the mask attack is used if there's some information about the password to recover. For example, you know that the password begins with loveme and is followed by a word or a name. You can then set the following mask: loveme c c c c c c to check all possible variants from lovemeaaaaaa to lovemezzzzzz. Read more about Mask syntax." Fields: Dictionary generator, Dictionary size, Statistics, Password range, Total passwords.]
230. words shows the time of last 10 users who changed their passwords
• Last 10 logons: displays the time of last 10 users who logged on the system successfully
• Last 10 logoffs: the time at which the last 10 accounts logged off
• Expired soon accounts: user accounts that will expire soon
• Logon activity: groups users by time passed since last logon to system
• Password age: groups users by time passed since last password set/change

[Chart: Last 10 changed passwords. Vertical axis: Time, days ago.]

2.5.5 Password list analysis

Password list reports display various statistics and perform a deep analysis of input wordlists. As a source wordlist you can use, for example, the list of passwords recovered by the program. You can generate reports for all words of the input list, as well as for passwords with a certain length only. The following reports are available here:
• Password length distribution: displays the overall length of the password in a given wordlist
• Password uniqueness: this report shows unique against identical passwords
231. [Screenshot: SAM Explorer. Dialog text: "Select the user account whose properties you want to explore. The top of the page contains the list of user accounts found. Click one of them to see its properties. Press the Next button to proceed to the final Wizard step and view/edit the account attributes." User list: Administrator. Account properties: Account locked: No; Account disabled: Yes; Password expired: Never; Password required: Yes; Account description: Built-in account for administering the computer/domain.]

That gives you the list of attributes for the selected account. Selecting a certain attribute on the list shows the data common to that attribute at the bottom of the editor. To open it for editing, double-click on the data field; upon completion, select the save changes item on the context menu.

[Screenshot: SAM Explorer, "View/edit attributes for selected account". Dialog text: "The list below shows found and decrypted attributes for the selected user account. Click one of the attributes to view the data it contains. Right-click the data field to view the context menu. Double-click the data field to enter edit mode." Columns: Attribute name, Data size, Attribute description. First row: LMHash, 0, LM password hash associated with the user]
232. y structure
• guidMasterKey: Only one Master Key can be attached to a DPAPI blob
• dwFlags: various flags. For example, when the bit 3 is set, it indicates that the decryption of the data is to be carried out under the SYSTEM account. The bit dwFlags & 0x20000000 is set at all times
• szDataDescription: data descriptor, which is set by the optional parameter LPCWSTR szDataDescr in the function CryptProtectData
• algCrypt: data encryption algorithm. By default, Windows 7 uses AES-256, which corresponds to 0x6610 in hexadecimal or 26128 in decimal notation; Windows XP, 3DES; Windows 2000, RC4
• dwCryptAlgLen: key length in the encryption algorithm
• pHMACKey: HMAC key 1
• pSalt: salt (optional)
• algHash: hashing algorithm. By default, Windows 7 uses SHA-512; Windows XP and Windows 2000, SHA1
• dwHashAlgLen: hash length in the hashing function
• pHMACKey2: HMAC key 2
• pData: actual encrypted data
• pSignHash: digital signature for verifying data integrity

2.7.4.5.3 Search DPAPI blobs

The DPAPI blob search dialog is rather trivial. All you need to specify is the source folder, which the program will search for DPAPI blobs, and the target folder, where found blobs are to be stored. The program searches for both binary and text blobs.

[Screenshot: Search DPAPI blobs dialog.]
233. ypes group accounts belong to
• Most populated groups: displays top 10 groups with the largest number of users
• Sparsely populated groups: displays top 10 groups with the smallest number of users. Groups without users are not displayed here
• Active vs inactive groups: the program assumes that active groups have at least one member, while inactive groups have no users at all
• Admin vs non-Admin groups: shows statistics about Administrator privileges of the groups
• Last 10 created aliases: 10 recently created alias accounts
• Last 10 changed aliases: 10 recently modified alias accounts
• Alias types: this report shows different types alias accounts belong to
• Most populated aliases: displays top 10 aliases with the largest number of users
• Sparsely populated aliases: displays top 10 aliases with the smallest number of members. Aliases without users are not displayed
• Active vs inactive aliases: the program assumes that active aliases have at least one user, while inactive aliases have no members at all
• Admin vs non-Admin aliases: shows how many aliases have Administrator privileges
• Domain object types: shows information about all found objects in a domain. For example, users, groups, computer accounts, domain trusts, etc.

[Chart: Domain object types. Legend: Group objects (3981); Groups which are not used for authorization]
234. zABCDEFGHIJKLMNOPQRSTUVW XY Z0123456789 printable abcdefghijkImnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUVW XY Z01 23456789 amp _ f y lt gt Rules Rul Exa Input Output Description e mple E passworpassword Do nothing to the input word d passworasswordp Rotate the word left d passwordpasswor Rotate the word right d I passworassword Delete the first character d passworpasswor Delete the last character d c ic passworPassword Capitalize d Cc C passworpASSWOR Anti capitalize lowercase the first character uppercase the rest d D d d passworpasswordp Duplicate word d assword f f passworpassworddr Reflect word d owssap k k passworsd ibi KB Convert word using alternative first after default keyboard layout The d gfhjkm rule works in both directions For example if there s Russian keyboard n ponb layout installed previously in the system the rule should convert word password to Russian 3q ibiuu KB and Russian word n ponb to gfhjkm This is very helpful when looking for non English passwords If only one language is installed in the system the rule does nothing K K passworpasswodr Swap last two characters d passworpassword Convert all characters to lowercase d qa q passworppaassssw Duplicate all symbols d woorrdd r r passwordrowssap Reverse word d t t PassW pASSwOR Toggle case of all characters ord D u u passworPASSWORConvert all characters to uppercase d D U