STORY LOOP FURRY PORN GAMES C SERVICES [?] [R] RND POPULAR | Archived flashes: 228066 |
/disc/ · /res/ — /show/ · /fap/ · /gg/ · /swf/ | P0001 · P2560 · P5120 |
This is the info page for Flash #8745 |
Loading |
<p align="center"><font face="Arial" size="24" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Local Password Exploits and Countermeasures |
This presentation will demonstrate the cracking of locally stored passwords and password hashes and how deviant users can use them to escalate privileges on the target host and other devices on the network. Also covered will be best practices to keep deviant users from exploiting these weaknesses. The following password cracking exploits will be covered: •Local SAM and Syskey •Cached ADS/Domain credentials •VNC Server •Protected Storage |
Next > |
Next > |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Why Crack Local Passwords? |
There are several reasons why an attacker may want to crack local passwords: •To escalate privileges on the local host (install games, sniffers, key stroke catchers and other software or just to bypass restrictions). •To use the local passwords to gain access to other systems on the network. Admins may reuse the same usernames and passwords on other network hosts (more than likely if they use hard drive imaging). •Just for the fun of doing it. |
< Back |
< Back |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Escalating Network Privileges Example |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Public Workstation |
Chuck's Workstation |
File Server |
Janice's Workstation |
Web Server |
1. Ben uses a boot disk to copy the SAM and SYSTEM files off of a public workstation. He then goes home to crack them with SAMDump2 and John the Ripper. |
p0n3d |
2. Ben then uses the local administrator password he cracked to get admin level privileges on Chuck the sysadmin’s workstation from across the network. |
Methodology |
“Sounds boring as hell to me. A bunch of managerial types wafting hot air on various pithy, high level statements that are brutally obvious to anyone with half a clue. I would rather subject myself to the tender mercies of the North Korean Police. They should have technical content of which there is none.” ~Alt.don from Security-Forums.com Target Audience: Workstation Installers, System Admins, Security Folk and General Gear-heads. Presentation Format: 1.Explain the background of the exploit. 2.Show the exploit. 3.Point the audience towards countermeasures. A Flash video version of this presentation, with narration, should be available from my website. Links to most of the software mentioned can be found though out the presentation. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Glossary |
Brute force attack: Using all possible character combinations till a match for the password is found. Also know as an incremental attack in John the Ripper. Dictionary attack: Using each entry in a word list until a match for the password is found. Hashing: Applying a mathematical formula to a piece of text to get a shorter number or string. One way hash: A hash where the original string the hash was derived from can not be easily found by a simple method. Plain text: The un-obfuscated or un-encrypted form of a string. Opposite of cipher text. Password Hash: The “hashed” version of a password that’s stored for later authentication. Reversible Encryption (Obfuscation): Encryption that is easily reversed if the algorithm is know. Example: ROT13. Salt: A number used to seed a hashing or encryption algorithm to add to the possible number of outcome the ciphertexts. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
What’s meant by Password Cracking? |
Cracking a password is the act of finding the plain text password by reversing the obfuscation/encryption method it’s stored with. This is done by fast mathematical means in the case of some obfuscation scheme (like ROT13) and by slower dictionary/brute force attacks when more secure encryption or hashing schemes are used. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
What’s not meant by Password Cracking? |
Password hash insertion or the changing of local passwords and accounts is not the same as password cracking. Examples: Bart’s PE Builder+Sala’s Password Renew Tool Offline NT Password & Registry Editor The above methods, while not password cracking can still be useful to the password cracker because admin privileges are sometime needed to pull off the attack. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.nu2.nu/pebuilder/ ">http://www.nu2.nu/pebuilder/ </a><font color="#000000"> </font></font></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.sala.pri.ee/">http://www.sala.pri.ee/</a></font></p> |
<p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html">http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html</a></font></p> |
Cracking passwords in the SAM |
SAM stands for Security Accounts Manager. The SAM file is where local account passwords are stored on NT based systems. The SAM file is normally found in: %SYSTEMROOT%\system32\config\SAM Where %SYSTEMROOT%\ is the Windows directory, most often C:\WINDOWS (XP) or C:\WINNT (NT4 and 2000). In Service Pack 3 (SP3) for NT 4 Microsoft introduced SysKey. SysKey added an extra level of encryption to keep older versions of tools like L0phtcrack from easily cracking NT passwords. I will show in just a bit how easy it is to get around SysKey with modern tools that extract the key from the SYSTEM hive. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Two types of hashes in the SAM |
LAN Manager (Used in older Windows Operating System) 1.Convert password to upper case. 2.Pad the plaintext with null characters to make it 14 bytes long. 3.Split into two 7 character (byte) chunks. 4.Use each 7 byte chunks separately as keys to DES encrypt the magic value ("KGS!@#$%" or in HEX 0x4b47532140232425). 5.Concatenate the two cipher texts from step four to produce the hash. 6.Store the hash in the SAM file. NT Manager 1.Take the Unicode mixed-case password and use the Message Digest 4 (MD4) algorithm to obtain the hash. 2.Store the hash in the SAM file. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="left"><font face="Arial" size="16" color="#000000">Sources:</font></p><p align="left"><font face="Arial" size="13" color="#0000ff"><a href="http://www.microsoft.com/singapore/sme/english/issues/sgc/articles/select_sec_passwords.mspx">http://www.microsoft.com/singapore/sme/english/issues/sgc/articles/select_sec_passwords.mspx</a></font></p><p align="left"><font face="Arial" size="13" color="#0000ff"><a href="http://davenport.sourceforge.net/ntlm.html#theLmResponse ">http://davenport.sourceforge.net/ntlm.html#theLmResponse </a></font></p><p align="left"><font face="Arial" size="13" color="#0000ff"><a href="http://is-it-true.org/nt/atips/atips92.shtml">http://is-it-true.org/nt/atips/atips92.shtml</a></font></p> |
password |
password PASSWORD |
password PASSWORD PASSWORD\0\0\0\0\0\0 |
password PASSWORD PASSWORD\0\0\0\0\0\0 PASSWOR D\0\0\0\0\0\0 |
password PASSWORD PASSWORD\0\0\0\0\0\0 PASSWOR D\0\0\0\0\0\0 E52CAC67419A9A22 4A3B108F3FA6CB6D |
password PASSWORD PASSWORD\0\0\0\0\0\0 PASSWOR D\0\0\0\0\0\0 E52CAC67419A9A22 4A3B108F3FA6CB6D E52CAC67419A9A224A3B108F3FA6CB6D |
password |
password 8846F7EAEE8FB117AD06BDD830B7586C |
How does a dictionary or brute force attack work? |
Since the hash is created with a one way algorithm we can’t easily reverse it. We can however take a list of words or incremental strings, hash them using the same algorithm, then compare them to the stored results. If the hash we create matches the one extracted from the SAM we know we have found the right password. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
"Aardvark" 7CE61D3EA5EA50FCC5E14AA27A468F72 |
8846F7EAEE8FB117AD06BDD830B7586C |
"baseball" 320A78179516C385E35A93FFA0B1C4AC |
"cat" 1E0E867AB8043BBBA9EF4639DBDF562E |
"dog" F923482E5BF859B28CD74AF4CB5D14CE |
"monkey" F2477A144DFF4F216AB81F2AC3E3207D |
"orangutan"7734694AD72BE33D653655560AE49718 |
"password" 8846F7EAEE8FB117AD06BDD830B7586C |
Match Found! |
Match Found! |
Mouse Over |
Commercial tools for cracking the SAM |
<p align="left"><font face="Arial" size="20" color="#000000"><b>L0phtcrack</b></font></p><p align="left"><font face="Arial" size="20" color="#000000">The most popular tool for SAM cracking, but not free. Can <sbr />read Pwdump files, or dump the hashes itself. Has a built in <sbr />cracking engine that can do dictionary, brute force and <sbr />hybrid attacks. Admin access is needed to dump the <sbr />hashes.</font></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.atstake.com/products/lc/ ">http://www.atstake.com/products/lc/ </a></font></p><p align="left"></p><p align="left"><font face="Arial" size="20" color="#000000"><b>SAMInside</b></font></p><p align="left"><font face="Arial" size="20" color="#000000">Password cracker that lets you get around SysKey by <sbr />extracting the system key from the SYSTEM hive. <sbr />Unfortunate to get all of the features it costs money. You <sbr />don’t need to be an admin on the system to get the hashes, <sbr />just copy off the SAM and SYSTEM files using a boot CD.</font></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.insidepro.com/eng/saminside.shtml ">http://www.insidepro.com/eng/saminside.shtml</a></font></p><p align="left"></p><p align="left"></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Open Source/Free tools for cracking the SAM |
<p align="left"><font face="Arial" size="20" color="#000000"><b>Pwdump2/Pwdump3</b></font></p><p align="left"><font face="Arial" size="20" color="#000000">Uses DLL injection to get the passwords from lsass.exe, <sbr />bypassing SysKey. Pwdump3 adds network support so you <sbr />can dump hashes from across the network. Admin access is <sbr />needed to dump the hashes.</font></p><p align="left"><font face="Arial" size="14" color="#0000ff"><a href="http://www.bindview.com/Services/RAZOR/Utilities/Windows/pwdump2_readme.cfm">http://www.bindview.com/Services/RAZOR/Utilities/Windows/pwdump2_readme.cfm</a><font color="#000000"> </font></font></p><p align="left"><font face="Arial" size="14" color="#0000ff"><a href="http://vh224401.truman.edu/pub/win32/apps/pwdump3/">http://vh224401.truman.edu/pub/win32/apps/pwdump3/</a> </font></p><p align="left"><font face="Arial" size="20" color="#000000"><b>Cain</b></font></p><p align="left"><font face="Arial" size="20" color="#000000">Free tool that can do many of the same things as <sbr />L0phtcrack, plus tons of other cracking and sniffing functions <sbr />(like ARP poisoning). Admin access is needed to dump the <sbr />hashes.</font></p><p align="left"><font face="Arial" size="13" color="#0000ff"><a href="http://www.oxid.it/cain.html">http://www.oxid.it/cain.html</a> </font></p><p align="left"><font face="Arial" size="20" color="#000000"><b>SAMDump2/BKhive/John the Ripper</b></font></p><p align="left"><font face="Arial" size="20" color="#000000">Using these three tools you can do everything that <sbr />L0phtcrack and SAMInside can do, but with free open <sbr />source tools. They can all be ran from the Auditor boot CD.</font></p><p align="left"><font face="Arial" size="13" color="#0000ff"><a href="http://studenti.unina.it/~ncuomo/syskey/">http://studenti.unina.it/~ncuomo/syskey/</a><font color="#000000"> <font color="#0000ff"><a href="http://www.openwall.com/john/">http://www.openwall.com/john/</a></font> </font></font></p><p align="left"><font face="Arial" size="13" color="#0000ff"><a href="http://new.remote-exploit.org/index.php/Auditor_main">http://new.remote-exploit.org/index.php/Auditor_main</a></font></p><p align="left"></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
RainbowCrack |
RainbowCrack was designed to show off the faster time-memory trade-off technique. Since NT and LM hashes contain no salts all possible hashes for a certain character set can be pre-generated. These pre-generated hashes (a Rainbow Table) can be loaded into memory and compared to the stored hash much quicker than generating each hash on the fly. You can make your own Rainbow Tables with the free tools that the Rainbow crack project provides, but that takes time. You can also buy pre-generated Rainbow Tables from them. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Character Set Table Size Load/Crack Time System A-Z 610MB 6s/24s (P4 3Ghz, 512MB) A-Z+0-9 3GB 41s/39s (P4 3Ghz, 512MB) A-Z+0-9+Top keys 24GB 148s/178s (P4 2.8GHz, 1GB) All Keyboard Chrs 64GB 290s/1658.13s (P4 3Ghz, 512MB) * All passwords are up to 14 characters, case insensitive, times rounded to the nearest second, "All Keyboard Characters" does not include ALT+Num-pad characters. |
<p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.antsight.com/zsl/rainbowcrack/">http://www.antsight.com/zsl/rainbowcrack/</a></font></p> |
SAM Cracking Prevention |
<p align="left"><font face="Arial" size="20" color="#000000"><b>Practical Methods</b>:</font></p><p align="left"></p><p align="left"><font face="Arial" size="17" color="#000000">•Choose stronger local passwords. Use more than just alpha-numeric <sbr />characters and perhaps throw in some extended ASCII characters by <sbr />way of the Alt+num-pad method.</font></p><p align="left"><font face="Arial" size="17" color="#000000">•Turn off LM Hash storage in the SAM via local policy, registry or GPO.</font></p><p align="left"><font face="Arial" size="17" color="#0000ff"><a href="http://support.microsoft.com/kb/q299656/">http://support.microsoft.com/kb/q299656/</a></font></p><p align="left"></p><p align="left"><font face="Arial" size="17" color="#000000">• If you use a password longer than 14 characters no LM hash will be <sbr />stored. Try using a pass phrase. </font></p><p align="left"><font face="Arial" size="17" color="#000000">•Change local password frequently, then rely on domain passwords if <sbr />possible. </font></p><p align="left"><font face="Arial" size="17" color="#000000">•Don’t use the same local admin password on public and staff boxes.</font></p><p align="left"></p><p align="left"><font face="Arial" size="17" color="#000000"><b>Fascist Method</b> (Not practical in most cases):</font></p><p align="left"></p><p align="left"><font face="Arial" size="17" color="#000000">•Use the BIOS to disable booting from anything but the hard drive, put <sbr />on a bios password and lock the case.</font></p><p align="left"><font face="Arial" size="17" color="#000000">•Configure SysKey to require a password or a disk at boot time. <sbr />(syskey.exe)</font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Cracking Cached Domain/ADS Passwords |
By default Windows 2000 and XP systems in a domain or Active Directory tree cache the passwords and credentials of the last ten previously logged in users. This is done so that the users can still login again if the Domain Controller or ADS tree can not be reached either because of Controller failure or network problems. These cached passwords are stored as hashes in the local systems registry at the values: HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$10 |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="left"><font face="Arial" size="17" color="#0000ff"><a href="http://www.cr0.net:8040/misc/cachedump.html">http://www.cr0.net:8040/misc/cachedump.html</a></font></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"><font face="Arial" size="17" color="#0000ff"><a href="http://www.cr0.net:8040/misc/cachedump.html">http://www.cr0.net:8040/misc/cachedump.html</a></font></p><p align="left"></p><p align="left"><font face="Arial" size="17" color="#0000ff"><a href="http://www.openwall.com/john/">http://www.openwall.com/john/</a></font></p><p align="left"></p><p align="left"><font face="Arial" size="17" color="#0000ff"><a href="http://www.oxid.it/cain.html">http://www.oxid.it/cain.html</a></font></p> |
The cached credential registry keys contain encrypted information like username, domain, NT hash and sometimes LM hash. Exact details on the encryption methods can be found at the CacheDump Homepage: While these cached password are harder to crack than LM or NT hashes it’s not impossible. Arnaud Pilon and team have created a tool for dumping the cached hashes. They have also provided patches for John the Ripper that allow you to crack the hashes. CacheDump needs to be run under an admin level account. Tool Needed: CacheDump and John patches: John the Ripper Cain v2.68 or Higher |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
root@Cthulhu:~# apt-get install john Reading Package Lists... Done Building Dependency Tree... Done Suggested packages: wenglish wordlist The following NEW packages will be installed: john 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0B/547kB of archives. After unpacking 1163kB of additional disk space will be used. Preconfiguring packages ... Selecting previously deselected package john. (Reading database ... 88927 files and directories currently installed.) Unpacking john (from .../archives/john_1.6-33_i386.deb) ... Setting up john (1.6-33) ... root@Cthulhu:~# gunzip -c /usr/share/doc/john/examples/john.ini.gz > /etc/john/john.ini |
root@Cthulhu:~# wget http://www.openwall.com/john/b/john-1.6.37.tar.gz --16:24:28-- http://www.openwall.com/john/b/john-1.6.37.tar.gz => `john-1.6.37.tar.gz' Resolving www.openwall.com... 195.42.179.202 Connecting to www.openwall.com[195.42.179.202]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 139,372 [application/x-tar] 100%[====================================>] 139,372 66.87K/s 16:24:31 (66.73 KB/s) - `john-1.6.37.tar.gz' saved [139372/139372] root@Cthulhu:~# tar xfz john-1.6.37.tar.gz root@Cthulhu:~# wget http://www.cr0.net:8040/misc/john-1.6.37-bigpatch-10.diff.gz --16:25:11-- http://www.cr0.net:8040/misc/john-1.6.37-bigpatch-10.diff.gz => `john-1.6.37-bigpatch-10.diff.gz' Resolving www.cr0.net... 213.186.59.43 Connecting to www.cr0.net[213.186.59.43]:8040... connected. HTTP request sent, awaiting response... 200 OK Length: 43,560 [text/plain] 100%[====================================>] 43,560 61.64K/s 16:25:12 (61.55 KB/s) - `john-1.6.37-bigpatch-10.diff.gz' saved [43560/43560] root@Cthulhu: |
root@Cthulhu:~# gunzip -c john-1.6.37-bigpatch-10.diff.gz | patch -p0 patching file john-1.6.37/doc/JOHN-BIGPATCH-FAQ patching file john-1.6.37/doc/JOHN-NTLM-FAQ patching file john-1.6.37/src/base64.c patching file john-1.6.37/src/base64.h patching file john-1.6.37/src/BFEgg_fmt.c patching file john-1.6.37/src/bf_tab.h patching file john-1.6.37/src/blowfish.c patching file john-1.6.37/src/blowfish.h patching file john-1.6.37/src/byteorder.h patching file john-1.6.37/src/john.c patching file john-1.6.37/src/JOHN-NTLM-FAQ patching file john-1.6.37/src/loader.c patching file john-1.6.37/src/logger.c patching file john-1.6.37/src/logger.h patching file john-1.6.37/src/lotus5_fmt.c patching file john-1.6.37/src/Makefile patching file john-1.6.37/src/md4.c patching file john-1.6.37/src/md4.h ... patching file john-1.6.37/src/sha.h patching file john-1.6.37/src/sha_locl.h patching file john-1.6.37/src/smbencrypt.c patching file john-1.6.37/src/undrop.c root@Cthulhu:~# cd john-1.6.37/src/ root@Cthulhu:~/john-1.6.37/src# |
root@Cthulhu:~/john-1.6.37/src# make linux-x86-mmx-elf ln -sf x86-mmx.h arch.h make ../run/john ../run/unshadow ../run/unafs ../run/unique ../run/undrop \ JOHN_OBJS="DES_fmt.o DES_std.o DES_bs.o BSDI_fmt.o MD5_fmt.o MD5_std.o MD5_apache_fmt.o BF_fmt.o BF_std.o AFS_fmt.o BFEgg_fmt.o LM_fmt.o lotus5_fmt.o md5.o NSLDAP_fmt.o sha1.o base64.o MYSQL_fmt.o NT_fmt.o md4.o smbencrypt.o rawMD5_fmt.o mscash_fmt.o batch.o bench.o charset.o common.o compiler.o config.o cracker.o external.o formats.o getopt.o idle.o inc.o john.o list.o loader.o logger.o math.o memory.o misc.o options.o params.o path.o recovery.o rpp.o rules.o signals.o single.o status.o tty.o wordlist.o unshadow.o unafs.o undrop.o unique.o x86.o x86-mmx.o" make[1]: Entering directory `/root/john-1.6.37/src' gcc -c -Wall -O3 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops DES_fmt.c ... rm -f ../run/unshadow ln -s john ../run/unshadow rm -f ../run/unafs ln -s john ../run/unafs rm -f ../run/unique ln -s john ../run/unique rm -f ../run/undrop ln -s john ../run/undrop make[1]: Leaving directory `/root/john-1.6.37/src' root@Cthulhu:~/john-1.6.37/src# |
root@Cthulhu:~/john-1.6.37/src# cd ../run/ root@Cthulhu:~/john-1.6.37/run# ./john --wordlist:password.lst -format:mscash mydump.txt Loaded 2 password hashes with 2 different salts (M$ Cache Hash [mscash]) m0nk3y@ (irongeek) guesses: 1 time: 0:00:00:00 100% c/s: 232900 trying: zhongguo root@Cthulhu:~/john-1.6.37/run# ./john -i:all -format:mscash mydump.txt Loaded 1 password hash (M$ Cache Hash [mscash]) guesses: 0 time: 0:00:00:04 c/s: 28954 trying: samm% guesses: 0 time: 0:00:00:05 c/s: 43431 trying: sabrard guesses: 0 time: 0:00:00:06 c/s: 60009 trying: samm2 guesses: 0 time: 0:00:00:07 c/s: 82858 trying: uvw guesses: 0 time: 0:00:00:09 c/s: 121920 trying: 106swi |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Credential Cache Cracking Countermeasures |
1. Choose stronger domain passwords. Use more than just alpha- numeric characters and perhaps throw in some extended ASCII characters by way of the Alt+num-pad method. 2. For those who are still paranoid and have a VERY reliable connection to their domain controller, they can follow these steps to disable the caching of passwords and credentials: Set the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount to 0 then reboot. This can also be done with the Local Security Policy or with a GPO: 3.Use same “Fascist Methods” as before for restricting physical access to the computer. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
VNC(Virtual Network Computing) Background |
VNC is an Open Source tool used for remotely controlling another computer’s GUI. There is a server daemon for Windows, *nix and Mac OS. There are clients for too many platforms to even mention. Some folks use it for end user support because Microsoft’s Remote Assistance service built into Windows XP is so cumbersome as to be practically useless. The two most popular versions of VNC are: |
<p align="left"><font face="Arial" size="20" color="#000000">TightVNC</font></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.tightvnc.com/">http://www.tightvnc.com/</a></font></p><p align="left"><font face="Arial" size="20" color="#000000">RealVNC</font></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.realvnc.com/">http://www.realvnc.com/</a><font color="#000000"> </font></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Cracking VNC Passwords Store in the Windows Registry |
VNC’s encrypted password may be found in one of these keys: TightVNC: HKEY_CURRENT_USER\Software\ORL\WinVNC3 HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3 HKEY_USERS\.DEFAULT\SOftware\ORL\WinVNC3 RealVNC: HKEY_CURRENT_USER\Software\RealVNC\WinVNC4 HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 HKEY_USERS\.DEFAULT\SOftware\RealVNC\WinVNC4 Do a search with Regedit if you can’t find it. In some cases these keys will be restricted so that only admin level accounts can read them, but with a boot disk that’s easy to get around. The password is DES encrypted, but since the fixed key (23 82 107 6 35 78 88 7) is known it’s easy to decrypt. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Tools for Cracking VNC |
VNCrack VNCrack can decrypt stored password, as well as dictionary attack remote hosts. Both Windows and Linux versions are available. Cain Cain has a built in stored VNC password decryption function. VNCPwdump This is the tool I’ll be using for the demonstration. VNCPwdump supports dumping from the current user’s registry, an NTUSER.DAT file, decrypting the HEX string from the command line and injecting into the VNC server process to dump the password. Source code is available at their website. |
<p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.phenoelit.de/vncrack/download.html">http://www.phenoelit.de/vncrack/download.html</a></font></p><p align="left"></p><p align="left"></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.oxid.it/cain.html ">http://www.oxid.it/cain.html </a></font></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.cqure.net/tools.jsp?id=12 ">http://www.cqure.net/tools.jsp?id=12 </a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
VNC’s encrypted password may be found in one of these keys: TightVNC: HKEY_CURRENT_USER\Software\ORL\WinVNC3 HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3 HKEY_USERS\.DEFAULT\SOftware\ORL\WinVNC3 RealVNC: HKEY_CURRENT_USER\Software\RealVNC\WinVNC4 HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 HKEY_USERS\.DEFAULT\SOftware\RealVNC\WinVNC4 Do a search with Regedit if you can’t find it. In some cases these keys will be restricted so that only admin level accounts can read them, but with a boot disk that’s easy to get around. The password is DES encrypted, but since the fixed key (23 82 107 6 35 78 88 7) is known it’s easy to decrypt. |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
VNC Password Cracking Countermeasures |
A few of the many options: 1. Don’t use remote control software, just walk to the users station. This may be better for your organizations customer service image anyway. 2. Have the user start the VNC server manually, and only when needed. Or you can start an stop it when needed yourself by using the SC command: sc \\ComputerName config winvnc start= demand sc \\ComputerName start winvnc sc \\ComputerName stop winvnc 3. Try UltraVNC. It allows you to require a Windows Local or Domain account to authenticate (MS Logon option). If you choose this option it will disable the normal VNC logon method. A few quirks: •The Java client does not work with MS Logon. •The client and server only supports Windows. •It’s still a little flakey. •The development version is more stable than the “stable” version. |
<p align="left"><font face="Arial" size="19" color="#0000ff"><a href="http://www.ultravnc.com/">http://www.ultravnc.com/</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Retrieving Passwords from Protected Storage |
Internet Explorer, Outlook Express and MSN Explorer can store user passwords using a service called Protected Storage. The encrypted values reside in the registry at: HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider There are a few tools for decrypting these store passwords, including the previously mentioned Cain. The most popular is Protected Storage PassView from Nir Sofer: Its one draw back is that it can only read the current user's Protected Storage, but there are work-arounds to get past this limitation. |
<p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.nirsoft.net/utils/pspv.html">http://www.nirsoft.net/utils/pspv.html</a></font></p> |
<p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.nirsoft.net/utils/pspv.html">http://www.nirsoft.net/utils/pspv.html</a></font></p> |
<p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.nirsoft.net/utils/pspv.html">http://www.nirsoft.net/utils/pspv.html</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Output |
================================================== Resource Name : cthulhu.com:443/Login is Required Resource Type : IE: Password-Protected Sites User Name/Value : peng Password : p2$$w0rd ================================================== ================================================== Resource Name : http://www.linuxmonkey.nl/phpbb2/index.php Resource Type : AutoComplete Passwords User Name/Value : irongeek Password : letmein ================================================== |
c:\Documents and Settings\irongeek\pspv.txt |
<p align="center"><font face="Arial" size="17" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Protected Storage Countermeasures |
1. Keep the attacker from becoming Admin on the box using the techniques discussed previously. 2. Check to see what’s set to run at startup using tools like MSConfig, Regedit and HijackThis. 3. Disable the option to store passwords in Protected Storage. |
<p align="center"><font face="Arial" size="24" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Play Again |
Play Again |
Credits |
Credits |
Further Research: |
<p align="left"><font face="Arial" size="20" color="#000000">Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 <sbr />using Open Source Tools:</font></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.irongeek.com/i.php?page=security/localsamcrack2">http://www.irongeek.com/i.php?page=security/localsamcrack2</a></font></p><p align="left"></p><p align="left"><font face="Arial" size="20" color="#000000">Cracking Cached Domain/Active Directory Passwords on <sbr />Windows XP/2000/2003:</font></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.irongeek.com/i.php?page=security/cachecrack ">http://www.irongeek.com/i.php?page=security/cachecrack </a></font></p><p align="left"></p><p align="left"><font face="Arial" size="20" color="#000000">Sites with password cracking tools:</font></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.nirsoft.net/utils/index.html#password_utils">http://www.nirsoft.net/utils/index.html#password_utils</a><font color="#000000"> </font></font></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://packetstormsecurity.org/">http://packetstormsecurity.org/</a></font></p><p align="left"><font face="Arial" size="20" color="#0000ff"><a href="http://www.elcomsoft.com ">http://www.elcomsoft.com </a></font></p><p align="left"></p><p align="left"><font face="Arial" size="20" color="#000000">Thanks to <font color="#0000ff"><a href="http://cacr.iu.edu/">CACR</a></font>, <font color="#0000ff"><a href="http://www.antionline.com/member.php?s=&action=getinfo&userid=177708">Sec_ware</a></font> and the rest of the folks at <sbr /><font color="#0000ff"><a href="http://www.antionline.com">Antionline</a></font> and <font color="#0000ff"><a href="http://www.binrev.com">Binrev.</a></font> </font></p><p align="left"></p> |
<p align="center"><font face="Arial" size="24" color="#0000ff"><a href="http://www.Irongeek.com">http://www.Irongeek.com</a></font></p> |
Credits |
<p align="left"><font face="Arial" size="20" color="#000000">Narrated, Written and Directed by <font color="#0000ff"><a href="http://www.irongeek.com">Adrian Duane Crenshaw</a></font></font></p><p align="left"></p><p align="left"><font face="Arial" size="20" color="#000000">Created in <font color="#0000ff"><a href="http://www.macromedia.com/software/flash/">Flash MX 2004</a></font></font></p><p align="left"></p><p align="left"><font face="Arial" size="20" color="#000000">Sound recorded and edited with <font color="#0000ff"><a href="http://audacity.sourceforge.net/">Audacity</a></font></font></p><p align="left"></p><p align="left"><font face="Arial" size="20" color="#000000">Screen capture video done by <font color="#0000ff"><a href="http://www.funchords.com/favorite/freeware/cam_studio_20/">CamStudio 2.0</a></font> Open Source</font></p><p align="left"></p> |
ActionScript [AS1/AS2]
Frame 1stop();Instance of Symbol 6 MovieClip in Frame 1onClipEvent (enterFrame) { loading = _parent.getBytesLoaded(); total = _parent.getBytesTotal(); percent = percent - ((percent - ((loading / total) * 100)) * 0.25); per = int(percent); percentage = per + "%"; loadBar._width = per * 2; if (percent > 99) { _parent.gotoAndStop(2); } }Frame 2stop();Frame 3stop();Frame 9stop();Frame 11stop();Frame 13stop();Frame 14play();Frame 1158stopAllSounds(); stop();Frame 1159stop();Frame 1161stop();Frame 1168stop();Frame 1169play();Frame 1658stop(); stopAllSounds();Frame 1659stop();Frame 1660stop();Frame 1667stop();Frame 1671stop();Frame 1672stop();Symbol 6 MovieClip Frame 1stop();Symbol 16 Buttonon (release) { stopAllSounds(); nextFrame(); }Symbol 25 Buttonon (release) { stopAllSounds(); prevFrame(); }Symbol 86 MovieClip Frame 432stop();Symbol 141 MovieClip Frame 70Symbol 152 MovieClip Frame 10stop();Symbol 161 MovieClip Frame 10stop();Symbol 165 MovieClip Frame 45stop();Symbol 169 Buttonon (release) { _parent.stop(); }Symbol 174 Buttonon (press) { gotoAndPlay ("fastforward"); } on (release) { gotoAndStop ("stop"); }Symbol 178 Buttonon (press) { gotoAndPlay ("rewind"); } on (release) { gotoAndStop ("stop"); }Symbol 182 Buttonon (release) { _parent.play(); }Symbol 183 MovieClip Frame 1stop();Symbol 183 MovieClip Frame 5_parent.gotoAndPlay(_parent._currentframe + 5);Symbol 183 MovieClip Frame 6gotoAndPlay ("fastforward");Symbol 183 MovieClip Frame 10_parent.gotoAndPlay(_parent._currentframe - 5);Symbol 183 MovieClip Frame 11gotoAndPlay ("rewind");Symbol 184 Buttonon (release) { stopAllSounds(); gotoAndStop (1159); }Symbol 185 Buttonon (release) { stopAllSounds(); gotoAndPlay ("SamCrack6"); }Symbol 227 Buttonon (release) { stopAllSounds(); gotoAndStop (1659); }Symbol 228 Buttonon (release) { stopAllSounds(); gotoAndPlay ("CacheCrack8"); }Symbol 239 MovieClip Frame 10stop();Symbol 255 MovieClip Frame 10stop();Symbol 280 MovieClip Frame 10stop();Symbol 290 MovieClip Frame 10stop();Symbol 308 MovieClip Frame 10stop();Symbol 312 MovieClip Frame 10stop();Symbol 316 MovieClip Frame 10stop();Symbol 323 Buttonon (release) { gotoAndPlay (2); }Symbol 324 Buttonon (release) { stopAllSounds(); gotoAndStop (1667); }Symbol 327 Buttonon (release) { gotoAndPlay ("Credits"); }Symbol 332 Buttonon (release) { stopAllSounds(); gotoAndPlay ("1"); }
Library Items
Symbol 1 Font | Used by:2 5 9 10 11 13 15 17 19 20 22 24 26 28 29 73 74 75 76 77 78 79 80 88 89 90 92 94 95 97 98 99 101 102 103 104 105 107 108 109 111 112 113 114 127 128 129 146 147 148 155 156 157 186 189 192 193 194 195 196 199 200 201 203 204 205 207 208 209 211 216 217 219 221 223 225 229 232 233 234 235 242 243 244 245 250 251 252 258 259 260 261 263 267 270 271 274 275 276 277 283 284 285 286 289 291 294 298 299 300 301 303 304 305 319 321 322 325 326 328 329 331 333 334 | |
Symbol 2 Text | Uses:1 | Used by:6 |
Symbol 3 Graphic | Used by:4 | |
Symbol 4 MovieClip | Uses:3 | Used by:6 |
Symbol 5 EditableText | Uses:1 | Used by:6 |
Symbol 6 MovieClip | Uses:2 4 5 | Used by:Timeline |
Symbol 7 Bitmap | Used by:8 | |
Symbol 8 Graphic | Uses:7 | Used by:Timeline |
Symbol 9 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 10 Text | Uses:1 | Used by:Timeline |
Symbol 11 Text | Uses:1 | Used by:Timeline |
Symbol 12 Graphic | Used by:16 184 227 | |
Symbol 13 Text | Uses:1 | Used by:16 184 227 |
Symbol 14 Graphic | Used by:16 184 227 | |
Symbol 15 Text | Uses:1 | Used by:16 184 227 |
Symbol 16 Button | Uses:12 13 14 15 | Used by:Timeline |
Symbol 17 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 18 Sound | Used by:Timeline | |
Symbol 19 Text | Uses:1 | Used by:Timeline |
Symbol 20 Text | Uses:1 | Used by:Timeline |
Symbol 21 Graphic | Used by:25 185 228 324 332 | |
Symbol 22 Text | Uses:1 | Used by:25 185 228 324 332 |
Symbol 23 Graphic | Used by:25 185 228 324 327 332 | |
Symbol 24 Text | Uses:1 | Used by:25 185 228 324 332 |
Symbol 25 Button | Uses:21 22 23 24 | Used by:Timeline |
Symbol 26 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 27 Sound | Used by:Timeline | |
Symbol 28 Text | Uses:1 | Used by:Timeline |
Symbol 29 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 30 Bitmap | Used by:31 | |
Symbol 31 Graphic | Uses:30 | Used by:72 |
Symbol 32 Bitmap | Used by:33 | |
Symbol 33 Graphic | Uses:32 | Used by:72 |
Symbol 34 Bitmap | Used by:35 | |
Symbol 35 Graphic | Uses:34 | Used by:72 |
Symbol 36 Bitmap | Used by:37 | |
Symbol 37 Graphic | Uses:36 | Used by:72 |
Symbol 38 Bitmap | Used by:39 | |
Symbol 39 Graphic | Uses:38 | Used by:72 |
Symbol 40 Bitmap | Used by:41 | |
Symbol 41 Graphic | Uses:40 | Used by:72 |
Symbol 42 Bitmap | Used by:43 | |
Symbol 43 Graphic | Uses:42 | Used by:72 |
Symbol 44 Bitmap | Used by:45 | |
Symbol 45 Graphic | Uses:44 | Used by:72 |
Symbol 46 Bitmap | Used by:47 | |
Symbol 47 Graphic | Uses:46 | Used by:72 |
Symbol 48 Bitmap | Used by:49 | |
Symbol 49 Graphic | Uses:48 | Used by:72 |
Symbol 50 Bitmap | Used by:51 | |
Symbol 51 Graphic | Uses:50 | Used by:72 |
Symbol 52 Bitmap | Used by:53 | |
Symbol 53 Graphic | Uses:52 | Used by:72 |
Symbol 54 Bitmap | Used by:55 | |
Symbol 55 Graphic | Uses:54 | Used by:72 |
Symbol 56 Bitmap | Used by:57 | |
Symbol 57 Graphic | Uses:56 | Used by:72 |
Symbol 58 Bitmap | Used by:59 | |
Symbol 59 Graphic | Uses:58 | Used by:72 |
Symbol 60 Bitmap | Used by:61 | |
Symbol 61 Graphic | Uses:60 | Used by:72 |
Symbol 62 Bitmap | Used by:63 | |
Symbol 63 Graphic | Uses:62 | Used by:72 |
Symbol 64 Bitmap | Used by:65 | |
Symbol 65 Graphic | Uses:64 | Used by:72 |
Symbol 66 Bitmap | Used by:67 | |
Symbol 67 Graphic | Uses:66 | Used by:72 |
Symbol 68 Bitmap | Used by:69 | |
Symbol 69 Graphic | Uses:68 | Used by:72 |
Symbol 70 Bitmap | Used by:71 | |
Symbol 71 Graphic | Uses:70 | Used by:72 |
Symbol 72 MovieClip | Uses:31 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63 65 67 69 71 | Used by:86 |
Symbol 73 Text | Uses:1 | Used by:86 |
Symbol 74 Text | Uses:1 | Used by:86 |
Symbol 75 Text | Uses:1 | Used by:86 |
Symbol 76 Text | Uses:1 | Used by:86 |
Symbol 77 Text | Uses:1 | Used by:86 |
Symbol 78 Text | Uses:1 | Used by:86 |
Symbol 79 Text | Uses:1 | Used by:86 |
Symbol 80 Text | Uses:1 | Used by:86 |
Symbol 81 Bitmap | Used by:82 | |
Symbol 82 Graphic | Uses:81 | Used by:83 |
Symbol 83 MovieClip | Uses:82 | Used by:86 |
Symbol 84 Sound | Used by:86 | |
Symbol 85 Sound | Used by:86 | |
Symbol 86 MovieClip | Uses:72 73 74 75 76 77 78 79 80 83 84 85 | Used by:Timeline |
Symbol 87 Sound | Used by:Timeline | |
Symbol 88 Text | Uses:1 | Used by:Timeline |
Symbol 89 Text | Uses:1 | Used by:Timeline |
Symbol 90 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 91 Sound | Used by:Timeline | |
Symbol 92 Text | Uses:1 | Used by:Timeline |
Symbol 93 Font | Used by:9 17 26 29 90 94 95 99 103 104 105 109 113 114 129 144 147 148 156 157 186 189 194 195 196 200 201 203 207 208 211 216 217 219 221 223 225 229 232 233 242 245 250 258 260 261 263 267 270 274 276 277 283 286 289 291 294 298 303 319 329 331 334 | |
Symbol 94 Text | Uses:93 1 | Used by:Timeline |
Symbol 95 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 96 Sound | Used by:Timeline | |
Symbol 97 Text | Uses:1 | Used by:Timeline |
Symbol 98 Text | Uses:1 | Used by:Timeline |
Symbol 99 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 100 Sound | Used by:Timeline | |
Symbol 101 Text | Uses:1 | Used by:Timeline |
Symbol 102 Text | Uses:1 | Used by:Timeline |
Symbol 103 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 104 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 105 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 106 Sound | Used by:Timeline | |
Symbol 107 Text | Uses:1 | Used by:Timeline |
Symbol 108 Text | Uses:1 | Used by:Timeline |
Symbol 109 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 110 Sound | Used by:Timeline | |
Symbol 111 Text | Uses:1 | Used by:Timeline |
Symbol 112 Text | Uses:1 | Used by:Timeline |
Symbol 113 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 114 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 115 Font | Used by:116 117 118 119 120 121 123 124 130 131 132 133 134 135 136 137 139 140 | |
Symbol 116 Text | Uses:115 | Used by:122 |
Symbol 117 Text | Uses:115 | Used by:122 |
Symbol 118 Text | Uses:115 | Used by:122 |
Symbol 119 Text | Uses:115 | Used by:122 |
Symbol 120 Text | Uses:115 | Used by:122 |
Symbol 121 Text | Uses:115 | Used by:122 |
Symbol 122 MovieClip | Uses:116 117 118 119 120 121 | Used by:Timeline |
Symbol 123 Text | Uses:115 | Used by:125 |
Symbol 124 Text | Uses:115 | Used by:125 |
Symbol 125 MovieClip | Uses:123 124 | Used by:Timeline |
Symbol 126 Sound | Used by:Timeline | |
Symbol 127 Text | Uses:1 | Used by:Timeline |
Symbol 128 Text | Uses:1 | Used by:Timeline |
Symbol 129 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 130 Text | Uses:115 | Used by:141 |
Symbol 131 Text | Uses:115 | Used by:141 |
Symbol 132 Text | Uses:115 | Used by:141 |
Symbol 133 Text | Uses:115 | Used by:141 |
Symbol 134 Text | Uses:115 | Used by:141 |
Symbol 135 Text | Uses:115 | Used by:141 |
Symbol 136 Text | Uses:115 | Used by:141 |
Symbol 137 Text | Uses:115 | Used by:141 |
Symbol 138 Font | Used by:139 140 | |
Symbol 139 Text | Uses:138 115 | Used by:141 |
Symbol 140 Text | Uses:138 115 | Used by:141 |
Symbol 141 MovieClip | Uses:130 131 132 133 134 135 136 137 139 140 | Used by:142 |
Symbol 142 MovieClip | Uses:141 | Used by:Timeline |
Symbol 143 Sound | Used by:Timeline | |
Symbol 144 Text | Uses:93 | Used by:145 |
Symbol 145 MovieClip | Uses:144 | Used by:Timeline |
Symbol 146 Text | Uses:1 | Used by:Timeline |
Symbol 147 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 148 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 149 Bitmap | Used by:150 151 | |
Symbol 150 Graphic | Uses:149 | Used by:153 |
Symbol 151 Graphic | Uses:149 | Used by:152 |
Symbol 152 MovieClip | Uses:151 | Used by:153 |
Symbol 153 Button | Uses:150 152 | Used by:Timeline |
Symbol 154 Sound | Used by:Timeline | |
Symbol 155 Text | Uses:1 | Used by:Timeline |
Symbol 156 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 157 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 158 Bitmap | Used by:159 160 | |
Symbol 159 Graphic | Uses:158 | Used by:162 |
Symbol 160 Graphic | Uses:158 | Used by:161 |
Symbol 161 MovieClip | Uses:160 | Used by:162 |
Symbol 162 Button | Uses:159 161 | Used by:Timeline |
Symbol 163 Bitmap | Used by:164 | |
Symbol 164 Graphic | Uses:163 | Used by:165 |
Symbol 165 MovieClip | Uses:164 | Used by:Timeline |
Symbol 166 Sound | Used by:Timeline | |
Symbol 167 Graphic | Used by:169 | |
Symbol 168 Graphic | Used by:169 | |
Symbol 169 Button | Uses:167 168 | Used by:183 |
Symbol 170 Graphic | Used by:174 178 | |
Symbol 171 Graphic | Used by:174 | |
Symbol 172 Graphic | Used by:174 | |
Symbol 173 Graphic | Used by:174 | |
Symbol 174 Button | Uses:170 171 172 173 | Used by:183 |
Symbol 175 Graphic | Used by:178 | |
Symbol 176 Graphic | Used by:178 | |
Symbol 177 Graphic | Used by:178 | |
Symbol 178 Button | Uses:170 175 176 177 | Used by:183 |
Symbol 179 Graphic | Used by:182 | |
Symbol 180 Graphic | Used by:182 | |
Symbol 181 Graphic | Used by:182 | |
Symbol 182 Button | Uses:179 180 181 | Used by:183 |
Symbol 183 MovieClip | Uses:169 174 178 182 | Used by:Timeline |
Symbol 184 Button | Uses:12 13 14 15 | Used by:Timeline |
Symbol 185 Button | Uses:21 22 23 24 | Used by:Timeline |
Symbol 186 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 187 Video | Used by:Timeline | |
Symbol 188 Sound | Used by:Timeline | |
Symbol 189 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 190 Bitmap | Used by:191 | |
Symbol 191 Graphic | Uses:190 | Used by:Timeline |
Symbol 192 Text | Uses:1 | Used by:Timeline |
Symbol 193 Text | Uses:1 | Used by:Timeline |
Symbol 194 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 195 Text | Uses:93 1 | Used by:Timeline |
Symbol 196 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 197 Text | Used by:Timeline | |
Symbol 198 Sound | Used by:Timeline | |
Symbol 199 Text | Uses:1 | Used by:Timeline |
Symbol 200 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 201 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 202 Sound | Used by:Timeline | |
Symbol 203 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 204 Text | Uses:1 | Used by:Timeline |
Symbol 205 Text | Uses:1 | Used by:Timeline |
Symbol 206 Sound | Used by:Timeline | |
Symbol 207 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 208 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 209 Text | Uses:1 | Used by:Timeline |
Symbol 210 Sound | Used by:Timeline | |
Symbol 211 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 212 Bitmap | Used by:213 | |
Symbol 213 Graphic | Uses:212 | Used by:Timeline |
Symbol 214 Sound | Used by:Timeline | |
Symbol 215 Graphic | Used by:Timeline | |
Symbol 216 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 217 Text | Uses:1 93 | Used by:Timeline |
Symbol 218 Sound | Used by:Timeline | |
Symbol 219 Text | Uses:1 93 | Used by:Timeline |
Symbol 220 Sound | Used by:Timeline | |
Symbol 221 Text | Uses:1 93 | Used by:Timeline |
Symbol 222 Sound | Used by:Timeline | |
Symbol 223 Text | Uses:1 93 | Used by:Timeline |
Symbol 224 Sound | Used by:Timeline | |
Symbol 225 Text | Uses:1 93 | Used by:Timeline |
Symbol 226 Sound | Used by:Timeline | |
Symbol 227 Button | Uses:12 13 14 15 | Used by:Timeline |
Symbol 228 Button | Uses:21 22 23 24 | Used by:Timeline |
Symbol 229 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 230 Video | Used by:Timeline | |
Symbol 231 Sound | Used by:Timeline | |
Symbol 232 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 233 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 234 Text | Uses:1 | Used by:Timeline |
Symbol 235 Text | Uses:1 | Used by:Timeline |
Symbol 236 Bitmap | Used by:237 238 | |
Symbol 237 Graphic | Uses:236 | Used by:240 |
Symbol 238 Graphic | Uses:236 | Used by:239 |
Symbol 239 MovieClip | Uses:238 | Used by:240 |
Symbol 240 Button | Uses:237 239 | Used by:Timeline |
Symbol 241 Sound | Used by:Timeline | |
Symbol 242 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 243 Text | Uses:1 | Used by:Timeline |
Symbol 244 Text | Uses:1 | Used by:Timeline |
Symbol 245 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 246 Bitmap | Used by:248 | |
Symbol 247 Bitmap | Used by:248 | |
Symbol 248 Graphic | Uses:246 247 | Used by:Timeline |
Symbol 249 Sound | Used by:Timeline | |
Symbol 250 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 251 Text | Uses:1 | Used by:Timeline |
Symbol 252 Text | Uses:1 | Used by:Timeline |
Symbol 253 Bitmap | Used by:254 | |
Symbol 254 Graphic | Uses:253 | Used by:255 256 |
Symbol 255 MovieClip | Uses:254 | Used by:256 |
Symbol 256 Button | Uses:254 255 | Used by:Timeline |
Symbol 257 Sound | Used by:Timeline | |
Symbol 258 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 259 Text | Uses:1 | Used by:Timeline |
Symbol 260 Text | Uses:93 1 | Used by:Timeline |
Symbol 261 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 262 Sound | Used by:Timeline | |
Symbol 263 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 264 Bitmap | Used by:265 268 272 | |
Symbol 265 Graphic | Uses:264 | Used by:Timeline |
Symbol 266 Sound | Used by:Timeline | |
Symbol 267 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 268 Graphic | Uses:264 | Used by:Timeline |
Symbol 269 Sound | Used by:Timeline | |
Symbol 270 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 271 Text | Uses:1 | Used by:Timeline |
Symbol 272 Graphic | Uses:264 | Used by:Timeline |
Symbol 273 Sound | Used by:Timeline | |
Symbol 274 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 275 Text | Uses:1 | Used by:Timeline |
Symbol 276 Text | Uses:1 93 | Used by:Timeline |
Symbol 277 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 278 Bitmap | Used by:279 | |
Symbol 279 Graphic | Uses:278 | Used by:280 281 |
Symbol 280 MovieClip | Uses:279 | Used by:281 |
Symbol 281 Button | Uses:279 280 | Used by:Timeline |
Symbol 282 Sound | Used by:Timeline | |
Symbol 283 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 284 Text | Uses:1 | Used by:292 |
Symbol 285 Text | Uses:1 | Used by:292 |
Symbol 286 EditableText | Uses:1 93 | Used by:292 |
Symbol 287 Bitmap | Used by:288 | |
Symbol 288 Graphic | Uses:287 | Used by:290 292 |
Symbol 289 EditableText | Uses:1 93 | Used by:292 |
Symbol 290 MovieClip | Uses:288 | Used by:292 |
Symbol 291 EditableText | Uses:1 93 | Used by:292 |
Symbol 292 Button | Uses:284 285 286 288 289 290 291 | Used by:Timeline |
Symbol 293 Sound | Used by:Timeline | |
Symbol 294 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 295 Bitmap | Used by:296 | |
Symbol 296 Graphic | Uses:295 | Used by:Timeline |
Symbol 297 Sound | Used by:Timeline | |
Symbol 298 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 299 Text | Uses:1 | Used by:Timeline |
Symbol 300 Text | Uses:1 | Used by:Timeline |
Symbol 301 Text | Uses:1 | Used by:Timeline |
Symbol 302 Sound | Used by:Timeline | |
Symbol 303 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 304 Text | Uses:1 | Used by:Timeline |
Symbol 305 Text | Uses:1 | Used by:Timeline |
Symbol 306 Bitmap | Used by:307 | |
Symbol 307 Graphic | Uses:306 | Used by:308 309 |
Symbol 308 MovieClip | Uses:307 | Used by:309 |
Symbol 309 Button | Uses:307 308 | Used by:Timeline |
Symbol 310 Bitmap | Used by:311 | |
Symbol 311 Graphic | Uses:310 | Used by:312 313 |
Symbol 312 MovieClip | Uses:311 | Used by:313 |
Symbol 313 Button | Uses:311 312 | Used by:Timeline |
Symbol 314 Bitmap | Used by:315 | |
Symbol 315 Graphic | Uses:314 | Used by:316 317 |
Symbol 316 MovieClip | Uses:315 | Used by:317 |
Symbol 317 Button | Uses:315 316 | Used by:Timeline |
Symbol 318 Sound | Used by:Timeline | |
Symbol 319 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 320 Graphic | Used by:323 | |
Symbol 321 Text | Uses:1 | Used by:323 |
Symbol 322 Text | Uses:1 | Used by:323 |
Symbol 323 Button | Uses:320 321 322 | Used by:Timeline |
Symbol 324 Button | Uses:21 22 23 24 | Used by:Timeline |
Symbol 325 Text | Uses:1 | Used by:327 |
Symbol 326 Text | Uses:1 | Used by:327 |
Symbol 327 Button | Uses:23 325 326 | Used by:Timeline |
Symbol 328 Text | Uses:1 | Used by:Timeline |
Symbol 329 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 330 Sound | Used by:Timeline | |
Symbol 331 EditableText | Uses:1 93 | Used by:Timeline |
Symbol 332 Button | Uses:21 22 23 24 | Used by:Timeline |
Symbol 333 Text | Uses:1 | Used by:Timeline |
Symbol 334 EditableText | Uses:1 93 | Used by:Timeline |
Streaming Sound 1 | Used by:Timeline |
Instance Names
"loadBar" | Symbol 6 MovieClip Frame 1 | Symbol 4 MovieClip |
Labels
"SamCrack6" | Frame 13 |
"CacheCrack8" | Frame 1168 |
"Credits" | Frame 1672 |
"stop" | Symbol 183 MovieClip Frame 1 |
"fastforward" | Symbol 183 MovieClip Frame 5 |
"rewind" | Symbol 183 MovieClip Frame 10 |
Dynamic Text Variables
percentage | Symbol 5 EditableText | "" |
|