Every day I get a lot of emails from people requesting me to hack Facebook passwords of their spouse, girlfriend or boyfriend so as to reveal their secret relationships (if any). Most of them are even willing to pay for the service. However, I strongly deny any such requests since I do not provide any paid hacking service. But anyhow, I have decided to write down this post so that you can learn the tricks for yourself and implement everything at your own risk.

With my experience of over 7 years in the field of ethical hacking and security, all I can tell you is that there are only two ways to successfully hack Facebook password.

Possible Ways to Hack Facebook Password

1. Keylogging – The Easiest Way!

Keylogging refers to simply recording each and every keystroke that is  typed on a specific computer’s keyboard. This is possible with the use of a small computer program called keylogger (also known as spy software). Once installed, this program will automatically load from the start-up, runs in the invisible mode and start capturing each and every keystroke that was typed on the computer. 

Some keyloggers with advanced features can also capture screenshots and monitor every activity of the computer. One doesn’t need to have any special knowledge in order to install and use a keylogger. That means, anyone with a basic knowledge of computer can install and use this software with ease. Hence for a novice computer user this method is the easiest way to hack Facebook password. I recommend the following keylogger as the best for gaining access to Facebook account.

SniperSpy (TESTED) is a revolutionary product that will allow you to easily access *ANY* online account or password protected material such as MySpace, Facebook, Yahoo, Gmail or Hotmail. There are absolutely *NO* limitations to what accounts or websites this software can access!

• SniperSpy – for Windows
 
• SniperSpy – for Mac

Why SniperSpy is the best?

Today there exists hundreds of keyloggers on the market but most of them are no more than a crap. However, there are only a few that stand out of the crowd and SniperSpy is the best among them. I personally like SniperSpy for it’s REMOTE INSTALLATION FEATURE. With this, you can install it on a remote computer without the need for having physical access to it. It operates in a complete stealth mode so that it remains undetected.

Here is a summary of benefits that you will receive with Sniperspy software:

1. Access ANY Password
With SniperSpy you can hack any password and gain access to Facebook or any other online account.

2. Monitor Every Activity
You can monitor every activity of the target computer, take screenshots and record chats & IM conversations.

3. Never Get Caught!
SniperSpy operates in a total stealth mode and thus remains undetectable. Therefore you need not have the fear of being traced or getting caught.

4. Remote Installation Feature
With the Remote Install feature, it is possible to install it even on computers for which you do not have physical access. However, it can also be installed on a local computer.

5. Extremely Easy to Use
Installing and using SniperSpy is simple and needs no extra skill to manage.

6. Completely Safe to Use
This software is 100% safe to use since it does not collect any personal information from your computer. SniperSpy is a reputed, trustworthy and reliable company which offers 100% privacy for it’s users.

7. Works on both Windows and Mac
Fully compatible with Windows 2000/XP/Vista/7 and Mac.

So what are you waiting for? If you are really serious to hack Facebook password then SniperSpy is for you. Go grab it now and expose the truth!

2. Phishing – The Difficult Way

The other common way to hack passwords or online accounts is via Phishing. This is the most widely used technique by many hackers to gain access to Facebook and other social networking websites. This method will make use of a fake login page (often called as spoofeed webpage) which will exactly resemble the original one. Say for example, a spoofed webpage of Facebook looks exactly same as that of the original page. This page is actually created by the hacker and is hosted on his own server. Once the victim enters his/her password in such a fake login page, the login details are stolen away by the hacker.

Most Internet users would easily fall prey to such online phishing scams. Thus phishing scams trick users in such a way that, they themselves give away their passwords. But phishing requires specialized knowledge and high level skills to implement. Hence it would not be possible for a noob user (perhaps like you) to attempt this trick. It is a punishable offense too. So, I would recommend that you stay away from phishing and make use of the keyloggers to hack Facebook password since it is the easiest and the safest way.

Facebook Hacking Methods that Do Not Work! 

Today, there are hundreds of scam websites out there that are waiting to rip off your pockets by making false promises. These websites claim to be the experts in the field of hacking and boast to instantly obtain any password for you. Most people fall victim to these websites and lose their hard earned money. Thus the idea behind this post is to expose the truth behind hacking the Facebook (or any email password) so that you can learn how to do it for yourself and stay away from all those scam websites. The following are some of the hacking methods that actually do not work:

1. Many scam websites claim to exploit a certain vulnerability of Facebook website as a means to crack the password. Unfortunately, there is no such vulnerability in Facebook (or any other online account) that can be exploited to crack the password. I advise you to stay away from such scam websites.

2. There is no ready-made software program that is available to hack Facebook password except the keylogger (spy software). In fact, keyloggers are pretty generic and meant to record the keystrokes of a computer which obviously includes the password also. Keep in mind that apart from the keylogger, there is no such program that is specifically designed to gain access to Facebook accounts. Stay away from any website that claim to sell such program.

3. Beware! On many websites and Internet forums you will often see fake articles about Facebook hacking. Most of them will tell you something like this: “you need to send an email to passwordretrieve@facebook.com along with your username and password” (or something similar). Never give away your password to anyone nor send it to any email address. If you do so, you will lose your password itself in attempt to hack somebody else’s password.

I hope this post will help you avoid scams and choose the right approach to accomplish your goal.

Most of us have experienced a situation where in we need to gain access to a computer which is password protected or at times we may forget the administrator password without which it becomes impossible to login to the computer. So here is an excellent hack using which you can reset the password or make the password empty (remove the password) so that you can gain administrator access to the computer. You can do this with a small tool called  Offline NT Password & Registry Editor. This utility works offline, that means you need to shut down your computer and boot off your using a floppy disk, CD or USB device (such as pen drive). The tool has the following features.

• You do not need to know the old password to set a new one
• Will detect and offer to unlock locked or disabled out user accounts!
• There is also a registry editor and other registry utilities that works under linux/unix, and can be used for other things than password editing.

How it works?

Most Windows operating systems stores the login passwords and other encrypted passwords in a file called sam (Security Accounts Manager). This file can be usually found in \windows\system32\config. This file is a part of Windows registry and remains inaccessible as long as the OS is active. Hence it is necessary that you need to boot off your computer and access this sam file via boot. This tool intelligently gains access to this file and will reset/remove the password associated with administrator or any other account.

The download link for both CD and floppy drives along with the complete instructions is given below

Offline NT Password & Reg Editor Download

It is recommended that you download the CD version of the tool since floppy drive is outdated and doesn’t exist in today’s computer. Once you download you’ll get a bootable image which you need to burn it onto your CD. Now boot your computer from this CD and follow the screen instructions to reset the password.

Another simple way to reset non-administrator account passwords

Here is another simple way through which you can reset the password of any non-administrator accounts. The only requirement for this is that you need to have administrator privileges. Here is a step-by-step instruction to accomplish this task.

1. Open the command prompt (Start->Run->type cmd->Enter)

2. Now type net user and hit Enter

3. Now the system will show you a list of user accounts on the computer. Say for example you need to reset the password of the account by name John, then do as follows

4. Type net user John * and hit Enter. Now the system will ask you to enter the new password for the account. That’s it. Now you’ve successfully reset the password for John without knowing his old password.

So in this way you can reset the password of any Windows account at times when you forget it so that you need not re-install your OS for any reason. I hope this helps.

MessenPass: Recovers the passwords of most popular Instant Messenger programs: MSN Messenger, Windows Messenger, Yahoo Messenger, ICQ Lite 4.x/2003, AOL Instant Messenger provided with Netscape 7, Trillian, Miranda, and GAIM.

Mail PassView: Recovers the passwords of the following email programs: Outlook Express, Microsoft Outlook 2000 (POP3 and SMTP Accounts only), Microsoft Outlook 2002/2003 (POP3, IMAP, HTTP and SMTP Accounts), IncrediMail, Eudora, Netscape Mail, Mozilla Thunderbird, Group Mail Free.
Mail PassView can also recover the passwords of Web-based email accounts (HotMail, Yahoo!, Gmail), if you use the associated programs of these accounts.

IE Passview: IE PassView is a small utility that reveals the passwords stored by Internet Explorer browser. It supports the new Internet Explorer 7.0, as well as older versions of Internet explorer, v4.0 – v6.0

Protected Storage PassView: Recovers all passwords stored inside the Protected Storage, including the AutoComplete passwords of Internet Explorer, passwords of Password-protected sites, MSN Explorer Passwords, and more…

PasswordFox: PasswordFox is a small password recovery tool that allows you to view the user names and passwords stored by Mozilla Firefox Web browser. By default, PasswordFox displays the passwords stored in your current profile, but you can easily select to watch the passwords of any other Firefox profile. For each password entry, the following information is displayed: Record Index, Web Site, User Name, Password, User Name Field, Password Field, and the Signons filename. 

Here is a step by step procedre to create the password hacking toolkit.

1. Download all the 5 tools, extract them and copy only the executables(.exe files) into your USB Pendrive.

ie: Copy the files – mspass.exe, mailpv.exe, iepv.exe, pspv.exe and passwordfox.exe into your USB Drive.

2. Create a new Notepad and write the following text into it

save the Notepad and rename it from

New Text Document.txt to autorun.inf

Now copy the autorun.inf file onto your USB pendrive.

3. Create another Notepad and write the following text onto it.

save the Notepad and rename it from

New Text Document.txt to launch.bat

Copy the launch.bat file also to your USB drive.

Now your rootkit is ready and you are all set to sniff the passwords. You can use this pendrive on on any computer to sniff the stored passwords. Just follow these steps

1. Insert the pendrive and the autorun window will pop-up. (This is because, we have created an autorun pendrive).

2. In the pop-up window, select the first option (Perform a Virus Scan).

3. Now all the password recovery tools will silently get executed in the background (This process takes hardly a few seconds). The passwords get stored in the .TXT files.

4. Remove the pendrive and you’ll see the stored passwords in the .TXT files.

This hack works on Windows 2000, XP and Vista

Is it possible to hack MySpace?

  
Yes! As a matter of fact, almost anything can be hacked on the Internet. However, you must be aware of the following things before you proceed to hack MySpace.    

1. Never trust any hacking service that claims to hack a MySpace password in exchange for a fee. I have personally tried and tested many of them; all I can tell you is that they are no more than a scam.  

2. With my experience of over 8 years in the field of hacking and IT security, I can tell you that there are only TWO ways to hack MySpace: They are Keylogging and Phishing. All the other ways are simply scam or don’t work!

The following are the only 2 foolproof methods that work:  

1. Keylogging: The easiest way

The easiest way to hack MySpace is by using a keylogger (also known as spy software). A keylogger is a small program that monitors each and every keystroke that a user types on a specific computer’s keyboard.

Keylogging can not only get you the password, but also has the power to monitor each and every activity that they perform on their computer. To use a keylogger you don’t need to have any special knowledge or technical experience. Anyone with a basic knowledge of computer can install and use the keyloggers with ease.

Hence, for a novice computer user, using a keylogger can be the best way to gain access to MySpace or any other online account. With my experience, I recommend the following keylogger as the best.  

SniperSpy is a revolutionary product that allows you to easily access *ANY* online account or password protected material such as MySpace, Facebook, Yahoo, Gmail etc. There are absolutely *NO* limitations to what accounts or websites this software can access!

• SniperSpy – for Windows
 
• SniperSpy – for Mac

Why Sniperspy is the best?  

1. With my experience of over 8 years in the field of IT security, I have tried almost every software currently available and know the ins and outs of what it is and how it actually works.   

2. Sniperspy is the only software that offers a complete stealth and easy access to any password. Hence I recommend SniperSpy as the best to hack MySpace password. 

Here is a summary of benefits that you will receive with Sniperspy: 

1. Access ANY Password  

Sniperspy records every keystroke typed on the computer thereby allowing you to access any type of password protected account such as MySpace, Facebook, Hi5 and other email accounts. 

2. Monitor all the Activities on the Target Computer and Access Protected MySpace Accounts  

With Sniperspy, you can secretly capture the screenshots, record IM conversations, monitor their web activity and do many more…  

 3. Never Get Caught 

This software runs in a total stealth mode which makes it possible to record the activities without anyone knowing it. Thus, you need not worry about being traced back!

4. Remote Install Feature 

No physical access to your remote PC is needed to install the spy software. You can install the software even if the PC is out of country and easily gain access to the target MySpace account! 

5. Extremely Easy to Use 

SniperSpy is designed for novice computer users and thus requires no special skills. 

How safe is to use SniperSpy?

SinperSpy is completely safe and secure since it neither collects any information from your computer nor contact you in any way unless you request assistance. SniperSpy is a reputed, trustworthy and reliable company which offers 100% privacy for it’s users.

What are the minimum system requirements?

Any computer running on Pentium or AMD 433mhz or Better, at least 64MB RAM with Windows 2000/XP/Vista/7 OR Mac.

Is my online order 100% secure?

Absolutely Yes! All the e-commerce transactions for SniperSpy are routed through a highly secure payment gateway. So all your information remains private and secure. So go grab SniperSpy now and expose the truth!

2. Other ways to hack Myspace account

Phishing is the most commonly used method to hack into MySpace or any other email account. This technique involves the use of Fake Login Page (also known as spoofed page). These fake login pages resemble the original login pages of sites like Yahoo, Gmail, MySpace etc. Here, the victim is tricked to make him believe the fake login page to be the real one and enter his password there. But once the user attempts to login through these pages, his/her login details are stolen away by the hacker who is behind the phishing attack. Therefore phishing can be a very effective way in gaining access to password protected online accounts such as MySpace. 

However, phishing requires specialized knowledge and high level skills to implement; which is not possible for a novice computer user. Also, phishing is considered as a serious crime and the attacker can go behind the bars if caught. So, I recommend the use of keyloggers as the best way to hack MySpace.

I hope this information has helped you. If you have any further queries, you can leave a comment below so that I can come up with a response. Please don’t contact me asking to hack a MySpace account for you, which I would definitely not. Kindly be advised that this website only offers information on ethical hacking and security and does not provide any sort of paid/personal hacking service.

Today in this post I’ll teach you how to protect your email account from being hacked. Nowadays I get a lot of emails where most of the people say “My Email account is hacked please help…”. Now one question which arises in our mind is: “Is it so easy to hack an email account? OR Is it so difficult to protect an email account from being hacked?”. The single answer to these two questions is “Absolutely NOT!”. It is neither easy to hack an email nor difficult to protect an email account from bieng hacked.

If this is the case, then what is the reason for many people to lose their accounts?

The answer is very simple. They don’t know how to protect themselves from being hacked! In fact most of the people who lose their email accounts are not the victims of hacking but the victims of Trapping. They lose their passwords not because they are hacked by some expert hackers but they are fooled to such an extent that they themselves give away their password.

Are you confused? If so continue reading and you’ll come to know…

Now I’ll mention some of the most commonly used online scams which fool people and make them lose their passwords. I’ll also mention how to protect your email account from these scams.

1. WEBSITE SPOOFING

Website spoofing is the act of creating a website, with the intention of misleading the readers. The website will be created by a different person or organisation (Other than the original) especially for the purposes of cheating. Normally, the website will adopt the design of the target website and sometimes has a similar URL.

For example a Spoofed Website of Yahoo.com appears exactly same as Yahoo Website. So most of the people believe that it is the original site and lose their passwords. The main intention of spoofed websites is to fool users and take away their passwords. For this,the spoofed sites offer fake login pages. These fake login pages resemble the original login pages of sites like Yahoo,Gmail,Orkut etc. Since it resemble’s the original login page people beleive that it is true and give away their username and passwords by trying to login to their accounts.

Solution:

• Never try to login/access your email account from the sites other than the original site.
• Always type the URL of the site in the address bar to get into the site. Never click on the hyperlink to enter the site.

2. BY USING KEYLOGGERS

The other commonly used method to steal password is by using a Keylogger. A Keylogger is nothing but a spyware. The detailed description of keylogger and it’s usage is discussed in the post Hacking an email account. If you read this post you’ll come to know that it is too easy to steal the password using a keylogger program. If you just access your email account from a computer installed with keylogger, you definitely lose your password. This is because the keylogger records each and every keystroke that you type.

Solution:

Protecting yourselves from a keylogger scam is very easy.Just install a good anti-spyware program and update it regularly. This keeps your PC secure from a keylogger. Also there is a program called Anti-keylogger which is specially designed to detect and remove keyloggers. You can use this program to detect some stealth keyloggers which remain undetected by many anti-spyware programs.

3. ACCESSING YOUR EMAIL ACCOUNT FROM CYBER CAFES

Do you access your email from cyber cafes?  Then definitely you are under the risk of loosing your password.In fact many people lose their email account in cyber cafes. For the owner of the cyber cafe it’s just a cakewalk to steal your password. For this he just need’s to install a keylogger on his computers. So when you login to your email account from this PC, you give away your password to the cafe owner. Also there are many Remote Administration Tools (RATs) which can be used to monitor your browsing activities in real time.

This doesn’t mean that you should never use cyber cafes for browsing the internet. I know, not all the cyber cafe owners will be so wicked but it is recommended not to use cafes for accessing confidential information. If it comes to the matter of security never trust anyone, not even your friend. I always use my own PC to login to my accounts to ensure safety.

So with this I conclude my post and assume that I have helped my readers to protect their email accounts from being hacked. Please pass your comments…

A software keylogger (or simple keylogger) is a stealth computer program that captures every keystroke entered through the keyboard.

Now I’ll tell you what is a hardware keylogger and how it can be used for hacking an email.

Hardware Keyloggers are used for keystroke logging, a method of capturing and recording computer user keystrokes. They plug in between a computer keyboard and a computer and log all keyboard activity to an internal memory. They are designed to work with PS/2 keyboards, and more recently with USB keyboards. A hardware keylogger appears simply as a USB pendrive (thumb drive) or any other computer peripheral so that the victims can never doubt that it is a keylogger. So by looking at it’s appearence it is not possible to identify it as a keylogger. Here are some of the images of hardware keyloggers for your convenience.

So by looking at the above images we can come to know that hardware keyloggers look just like any USB or PS/2 device. So it is very hard to identify it as a keylogger.

Insatalling a Hardware Keylogger to Hack the Email Password

The hardware keylogger must be installed between the keyboard plug and the USB or PS/2 port socket. That is you have to just plug in the keylogger to your keyboard’s plug (PS/2 or USB) and then plug it to the PC socket. The following image shows how the keylogger is installed.

Once you install the hardware keylogger as shown in the above two images the keylogger starts recording each and every keystroke of the keyboard including email passwords and other confidential information. The hardware keylogger has an inbuilt memory in which the logs are stored.

Every day,  a lot of people contact me about suspecting their boyfriend or girlfriend of cheating, and ask me how to hack their Yahoo password so as to find out the truth. If you are in a similar situation and wondering to know how to hack a Yahoo password, then this is the post for you. In this post, I will uncover some of the real and working ways to do that.

Is it possible to hack Yahoo?

Yes! As a matter of fact, it is possible to hack almost any email password. But before you learn the real ways of hacking, the following are the things you should be aware of:

1. Never trust any hacking service that claims to hack Yahoo password for just $100 or $200. In most cases they will rip off your pockets with false promises. Sometimes they may even start to threaten you by blackmailing that they are going to inform the victim or the cyber crime officials about your hack attempt. So, to be on the safer side, it is better to stay away from such scam websites.

2. Beware! On many websites and web portals you will often come across a fake tutorial on email hacking. The tutorial will tell you something like “You need to send the target email address along with your username and password to yahoo_pass_reset@yahoo.com (or similar)” to hack the password of the target account. This method seems too good to be true but, if you follow this method, you will lose your own password in attempt to hack someone else’s password.

With my experience of over 7 years in the field of hacking and cyber security, I can tell you that there are only TWO ways to hack Yahoo password. They are keylogging and phishing.

All the other email hacking methods are simply scam or don’t work! The following are the only 2 foolproof methods that work.

1. Keylogging: Easiest Way to Hack Yahoo Password

Using a keylogger is the easiest way to hack Yahoo password. A keylogger is a small program that records each and every keystroke (including passwords) that a user types on a specific computer’s keyboard. A keylogger is also called as spy program or spy software. To use it, you don’t need to have any special knowledge. Anyone with a basic knowledge of computer should be able to install and use this software. With my experience, I recommend the following two keyloggers as the best for hacking Yahoo password.

I don’t have physical access to the target computer, can I still use SniperSpy?

Yes, you can! Since both SniperSpy and WinSpy offers Remote Installation Feature, it is possible to remotely install the keylogger on the target computer. However, it will also work on a local computer.

How to use SniperSpy?

1. After you download it, you will be able to create the installation module. You need to email this module to the remote user as an attachment.

2. When the remote user runs the module, it will get installed silently and the monitoring process will begin. The keystrokes are captured and uploaded to the SniperSpy servers continuously.

3. You can login to your online SniperSpy account (you get this after purchase) to see the logs which contains the password.

NOTE: If you have physical access to the target computer, you can simply install the module by yourself without the need to email it as an attachment.

The working of Winspy is somewhat similar to that of SniperSpy.

Once I install SniperSpy, can the victim come to know about it’s presence?

No. The victim will not come to know about it’s presence on his/her computer. This is because, after the installation, SniperSpy will run in a total stealth mode. Unlike other spy programs, it will never show up in start-menu, start-up, program files, add/remove programs or task manager.

Can I be traced back if I install it on some other computer?

No, it’s almost impossible to trace back to you for installing the keylogger on other’s computer.

How safe is to use SniperSpy?

Sniperspy is completely safe to use since all the customer databases remain confidential and private. SniperSpy will neither collect any information from your system nor will contact you in any way unless you request assistance.

What are the other features of SniperSpy software?

1. With SniperSpy, you can gain access to any password protected account including Yahoo, Gmail, Hotmail, MySpace, Facebook etc.

2. This software will not only capture passwords, but will also take screenshots and record chat conversations.

3. This product is extremely easy to use so that, even novice users can install and use it with ease.

For more details on keylogger, you can read my post on How to use Keyloggers.

2. Other Ways To Hack Yahoo Password

The other most commonly used trick to hack Yahoo password is by using a fake login Page (also called as Phishing). Today, phishing is the most widely used technique to hack Yahoo password. A fake login page is a page that appears exactly similar to the login pages of sites like Yahoo, Gmail, Facebook etc. The victim is tricked to believe this fake login page to be the real one. But once he/she enters the password there, they end up losing it.

Phishing can be very effective when implemented successfully. But creating a fake login page and taking it online to make the hack attempt successful is not an easy job. It demands an in depth technical knowledge of HTML and scripting languages like PHP or JSP.

So, if you are new to the concept of hacking passwords, then I recommend the use of keyloggers as the best to hack Yahoo password.

Some of the password basics

Most accounts on a computer system usually have some method of restricting access to that account, usually in the form of a password. When accessing the system, the user has to present a valid ID to use the system, followed by a password to use the account. Most systems either do not echo the password back on the screen as it is typed, or they print an asterisk in place of the real character.

On most systems,the password is typically ran through some type of algorithm to generate a hash. The hash is usually more than just a scrambled version of the original text that made up the password, it is usually a one-way hash. The one-way hash is a string of characters that cannot be reversed into its original text. You see, most systems do not “decrypt” the stored password during authentication, they store the one-way hash. During the login process, you supply an account and password. The password is ran through an algorithm that generates a one-way hash. This hash is compared to the hash stored on the system. If they are the same, it is assumed the proper password was supplied.

Cryptographically speaking, some algorithms are better than others at generating a one-way hash. The main operating systems we are covering here — NT, Netware, and Unix — all use an algorithm that has been made publically available and has been scrutinized to some degree.

To crack a password requires getting a copy of the one-way hash stored on the server, and then using the algorithm generate your own hash until you get a match. When you get a match, whatever word you used to generate your hash will allow you to log into that system. Since this can be rather time-consuming, automation is typically used. There are freeware password crackers available for NT, Netware, and Unix.

1. Why protect the hashes?

If the one-way hashes are not the password itself but a mathematical derivative, why should they be protected? Well, since the algorithm is already known, a password cracker could be used to simply encrypt the possible passwords and compare the one-way hashes until you get a match. There are two types of approaches to this — dictionary and brute force.
Usually the hashes are stored in a part of the system that has extra security to limit access from potential crackers.

2. What is a dictionary password cracker?

A dictionary password cracker simply takes a list of dictionary words, and one at a time encrypts them to see if they encrypt to the one way hash from the system. If the hashes are equal, the password is considered cracked, and the word tried from the dictionary list is the password.

Some of these dictionary crackers can “manipulate” each word in the wordlist by using filters. These rules/filters allow you to change “idiot” to “1d10t” and other advanced variations to get the most from a word list. The best known of these mutation filters are the rules that come with Crack (for Unix). These filtering rules are so popular they have been ported over to cracking software for NT.

If your dictionary cracker does not have manipulation rules, you can “pre-treat” the wordlist. There are plenty of wordlist manipulation tools that allow all kinds of ways to filter, expand, and alter wordlists. With a little careful planning, you can turn a small collection of wordlists into a very large and thorough list for dictionary crackers without those fancy word manipulations built in.

3. What is a brute force password cracker?

A brute force cracker simply tries all possible passwords until it gets the password. From a cracker perspective, this is usually very time consuming. However, given enough time and CPU power, the password eventually gets cracked.

Most modern brute force crackers allow a number of options to be specified, such as maximum password length or characters to brute force with.

4. Which method is best for cracking?

It really depends on your goal, the cracking software you have, and the operating system you are trying to crack. Let’s go through several scenarios.

If you remotely retrieved the password file through some system bug, your goal may be to simply get logged into that system. With the password file, you now have the user accounts and the hashes. A dictionary attack seems like the quickest method, as you may simply want access to the box. This is typical if you have a method of leveraging basic access to gain god status.

If you already have basic access and used this access to get the password file, maybe you have a particular account you wish to crack. While a couple of swipes with a dictionary cracker might help, brute force may be the way to go.

If your cracking software does both dictionary and brute force, and both are quite slow, you may just wish to kick off a brute force attack and then go about your day. By all means, we recommend a dictionary attack with a pre-treated wordlist first, followed up by brute force only on the accounts you really want the password to.

You should pre-treat your wordlists if the machine you are going to be cracking from bottlenecks more at the CPU than at the disk controller. For example, some slower computers with extremely fast drives make good candidates for large pre-treated wordlists, but if you have the CPU cycles to spare you might want to let the cracking program’s manipulation filters do their thing.

A lot of serious hackers have a large wordlist in both regular and pre-treated form to accommodate either need.

5. What is a salt?

To increase the overhead in cracking passwords, some algorithms employ salts to add further complexity and difficulty to the cracking of passwords. These salts are typically 2 to 8 bytes in length, and algorithmically introduced to further obfuscate the one-way hash. Of the major operating systems covered here, only NT does not use a salt. The specifics for salts for both Unix and Netware systems are covered in their individual password sections.

Historically, the way cracking has been done is to take a potential password, encrypt it and produce the hash, and then compare the result to each account in the password file. By adding a salt, you force the cracker to have to read the salt in and encrypt the potential password with each salt present in the password file. This increases the amount of time to break all of the passwords, although it is certainly no guarantee that the passwords can’t be cracked. Because of this most modern password crackers when dealing with salts do give the option of checking a specific account.

6. What are the dangers of cracking passwords?

The dangers are quite simple, and quite real. If you are caught with a password file you do not have legitimate access to, you are technically in possession of stolen property in the eyes of the law. For this reason, some hackers like to run the cracking on someone else’s systems, thereby limiting their liability. I would only recommend doing this on a system you have a legitimate or well-established account on if you wish to keep a good eye on things, but perhaps have a way of running the cracking software under a different account than your own. This way, if the cracking is discovered (as it often is — cracking is fairly CPU-intensive), it looks to belong to someone else. Obviously, you would want to run this under system adminstrator priviledges as you may have a bit more control, such as assigning lower priority to the cracking software, and hiding the results (making it less obvious to the real administrator).

Being on a system you have legit access to also allows you better access to check on the progress. Of course, if it is known you are a hacker, you’ll still be the first to be blamed whether the cracking software is yours or not!

Running the cracking software in the privacy of your own home has the advantage of allowing you to throw any and all computing power you have at your disposal at a password, but if caught (say you get raided) then there is little doubt whose cracking job is running. However, there are a couple of things you can do to protect yourself: encrypt your files. Only decrypt them when you are viewing them, and wipe and/or encrypt them back after you are done viewing them.

7. Is there any way I can open a password-protected Microsoft Office document?

Certainly! There are plenty of commercial programs that will do this, but we give props to Elcomsoft. 30-day trial versions are available here.