swfchan: Local-Password-Cracking.swf (info)

Text

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Local Password Exploits and
Countermeasures

This presentation will demonstrate the
cracking of locally stored passwords and
password hashes and how deviant users can use
them to escalate privileges on the target host and
other devices on the network. Also covered will be
best practices to keep deviant users from
exploiting these weaknesses. The following
password cracking exploits will be covered:

•Local SAM and Syskey
•Cached ADS/Domain credentials
•VNC Server
•Protected Storage

Next >

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Why Crack Local Passwords?

There are several reasons why an attacker
may want to crack local passwords:
•To escalate privileges on the local host (install
games, sniffers, key stroke catchers and other
software or just to bypass restrictions).
•To use the local passwords to gain access to
other systems on the network. Admins may reuse
the same usernames and passwords on other
network hosts (more than likely if they use hard
drive imaging).
•Just for the fun of doing it.

< Back

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Escalating Network Privileges Example

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Public
Workstation

Chuck's
Workstation

File Server

Janice's
Workstation

Web Server

1. Ben uses a boot disk to copy
the SAM and SYSTEM files off of
a public workstation. He then
goes home to crack them with
SAMDump2 and John the Ripper.

p0n3d

2. Ben then uses the local
administrator password he
cracked to get admin level
privileges on Chuck the
sysadmin’s workstation from
across the network.

Methodology

“Sounds boring as hell to me. A bunch of managerial types
wafting hot air on various pithy, high level statements that are
brutally obvious to anyone with half a clue. I would rather subject
myself to the tender mercies of the North Korean Police. They
should have technical content of which there is none.”
~Alt.don from Security-Forums.com
Target Audience: Workstation Installers, System Admins, Security
Folk and General Gear-heads.
Presentation Format:
1.Explain the background of the exploit.
2.Show the exploit.
3.Point the audience towards countermeasures.
A Flash video version of this presentation, with narration,
should be available from my website. Links to most of the software
mentioned can be found though out the presentation.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Glossary

Brute force attack: Using all possible character combinations till a match for the
password is found. Also know as an incremental attack in John the Ripper.
Dictionary attack: Using each entry in a word list until a match for the password is
found.
Hashing: Applying a mathematical formula to a piece of text to get a shorter number
or string.

One way hash: A hash where the original string the hash was derived from can not
be easily found by a simple method.
Plain text: The un-obfuscated or un-encrypted form of a string. Opposite of cipher
text.
Password Hash: The “hashed” version of a password that’s stored for later
authentication.
Reversible Encryption (Obfuscation): Encryption that is easily reversed if the
algorithm is know. Example: ROT13.
Salt: A number used to seed a hashing or encryption algorithm to add to the possible
number of outcome the ciphertexts.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

What’s meant by Password Cracking?

Cracking a password is the act of finding the plain text
password by reversing the obfuscation/encryption method
it’s stored with. This is done by fast mathematical means in
the case of some obfuscation scheme (like ROT13) and by
slower dictionary/brute force attacks when more secure
encryption or hashing schemes are used.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

What’s not meant by Password Cracking?

Password hash insertion or the changing of local
passwords and accounts is not the same as password
cracking. Examples:
Bart’s PE Builder+Sala’s Password Renew Tool
Offline NT Password & Registry Editor
The above methods, while not password cracking can
still be useful to the password cracker because admin
privileges are sometime needed to pull off the attack.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

<a href="http://www.nu2.nu/pebuilder/ ">http://www.nu2.nu/pebuilder/ </a> <a href="http://www.sala.pri.ee/">http://www.sala.pri.ee/</a>

<a href="http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html">http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html</a>

Cracking passwords in the SAM

SAM stands for Security Accounts Manager. The SAM
file is where local account passwords are stored on NT
based systems. The SAM file is normally found in:
%SYSTEMROOT%\system32\config\SAM
Where %SYSTEMROOT%\ is the Windows directory,
most often C:\WINDOWS (XP) or C:\WINNT (NT4 and
2000).
In Service Pack 3 (SP3) for NT 4 Microsoft introduced
SysKey. SysKey added an extra level of encryption to keep
older versions of tools like L0phtcrack from easily cracking
NT passwords. I will show in just a bit how easy it is to get
around SysKey with modern tools that extract the key from
the SYSTEM hive.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Two types of hashes in the SAM

LAN Manager
(Used in older Windows Operating System)
1.Convert password to upper case.
2.Pad the plaintext with null characters to make it 14
bytes long.
3.Split into two 7 character (byte) chunks.
4.Use each 7 byte chunks separately as keys to DES
encrypt the magic value ("KGS!@#$%" or in HEX
0x4b47532140232425).
5.Concatenate the two cipher texts from step four to
produce the hash.
6.Store the hash in the SAM file.
NT Manager
1.Take the Unicode mixed-case password and use
the Message Digest 4 (MD4) algorithm to obtain the
hash.
2.Store the hash in the SAM file.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Sources:<a href="http://www.microsoft.com/singapore/sme/english/issues/sgc/articles/select_sec_passwords.mspx">http://www.microsoft.com/singapore/sme/english/issues/sgc/articles/select_sec_passwords.mspx</a><a href="http://davenport.sourceforge.net/ntlm.html#theLmResponse ">http://davenport.sourceforge.net/ntlm.html#theLmResponse </a><a href="http://is-it-true.org/nt/atips/atips92.shtml">http://is-it-true.org/nt/atips/atips92.shtml</a>

password

password
PASSWORD

password
PASSWORD
PASSWORD\0\0\0\0\0\0

password
PASSWORD
PASSWORD\0\0\0\0\0\0
PASSWOR D\0\0\0\0\0\0

password
PASSWORD
PASSWORD\0\0\0\0\0\0
PASSWOR D\0\0\0\0\0\0
E52CAC67419A9A22 4A3B108F3FA6CB6D

password
PASSWORD
PASSWORD\0\0\0\0\0\0
PASSWOR D\0\0\0\0\0\0
E52CAC67419A9A22 4A3B108F3FA6CB6D
E52CAC67419A9A224A3B108F3FA6CB6D

password

password
8846F7EAEE8FB117AD06BDD830B7586C

How does a dictionary or brute force attack work?

Since the hash is created with a one way algorithm we
can’t easily reverse it. We can however take a list of words
or incremental strings, hash them using the same algorithm,
then compare them to the stored results. If the hash we
create matches the one extracted from the SAM we know
we have found the right password.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

"Aardvark" 7CE61D3EA5EA50FCC5E14AA27A468F72

8846F7EAEE8FB117AD06BDD830B7586C

"baseball" 320A78179516C385E35A93FFA0B1C4AC

"cat" 1E0E867AB8043BBBA9EF4639DBDF562E

"dog" F923482E5BF859B28CD74AF4CB5D14CE

"monkey" F2477A144DFF4F216AB81F2AC3E3207D

"orangutan"7734694AD72BE33D653655560AE49718

"password" 8846F7EAEE8FB117AD06BDD830B7586C

Match Found!

Mouse Over

Commercial tools for cracking the SAM

L0phtcrackThe most popular tool for SAM cracking, but not free. Can <sbr />read Pwdump files, or dump the hashes itself. Has a built in <sbr />cracking engine that can do dictionary, brute force and <sbr />hybrid attacks.  Admin access is needed to dump the <sbr />hashes.<a href="http://www.atstake.com/products/lc/ ">http://www.atstake.com/products/lc/ </a>SAMInsidePassword cracker that lets you get around SysKey by <sbr />extracting the system key from the SYSTEM hive. <sbr />Unfortunate to get all of the features it costs money. You <sbr />don’t need to be an admin on the system to get the hashes, <sbr />just copy off the SAM and SYSTEM files using a boot CD.<a href="http://www.insidepro.com/eng/saminside.shtml ">http://www.insidepro.com/eng/saminside.shtml</a>

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Open Source/Free tools for cracking the SAM

Pwdump2/Pwdump3Uses DLL injection to get the passwords from lsass.exe, <sbr />bypassing SysKey. Pwdump3 adds network support so you <sbr />can dump hashes from across the network. Admin access is <sbr />needed to dump the hashes.<a href="http://www.bindview.com/Services/RAZOR/Utilities/Windows/pwdump2_readme.cfm">http://www.bindview.com/Services/RAZOR/Utilities/Windows/pwdump2_readme.cfm</a> <a href="http://vh224401.truman.edu/pub/win32/apps/pwdump3/">http://vh224401.truman.edu/pub/win32/apps/pwdump3/</a>  CainFree tool that can do many of the same things as <sbr />L0phtcrack, plus tons of other cracking and sniffing functions <sbr />(like ARP poisoning). Admin access is needed to dump the <sbr />hashes.<a href="http://www.oxid.it/cain.html">http://www.oxid.it/cain.html</a> SAMDump2/BKhive/John the RipperUsing these three tools you can do everything that <sbr />L0phtcrack and SAMInside can do, but with free open <sbr />source tools. They can all be ran from the Auditor boot CD.<a href="http://studenti.unina.it/~ncuomo/syskey/">http://studenti.unina.it/~ncuomo/syskey/</a>   <a href="http://www.openwall.com/john/">http://www.openwall.com/john/</a> <a href="http://new.remote-exploit.org/index.php/Auditor_main">http://new.remote-exploit.org/index.php/Auditor_main</a>

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

RainbowCrack

RainbowCrack was designed to show off the faster
time-memory trade-off technique. Since NT and LM hashes
contain no salts all possible hashes for a certain character
set can be pre-generated. These pre-generated hashes (a
Rainbow Table) can be loaded into memory and compared
to the stored hash much quicker than generating each hash
on the fly. You can make your own Rainbow Tables with the
free tools that the Rainbow crack project provides, but that
takes time. You can also buy pre-generated Rainbow Tables
from them.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Character Set    Table Size   Load/Crack Time    System
A-Z 610MB 6s/24s (P4 3Ghz, 512MB)
A-Z+0-9 3GB    41s/39s (P4 3Ghz, 512MB)
A-Z+0-9+Top keys   24GB    148s/178s    (P4 2.8GHz, 1GB)
All Keyboard Chrs   64GB    290s/1658.13s (P4 3Ghz, 512MB)
* All passwords are up to 14 characters, case insensitive, times rounded to the nearest second, "All Keyboard
Characters" does not include ALT+Num-pad characters.

<a href="http://www.antsight.com/zsl/rainbowcrack/">http://www.antsight.com/zsl/rainbowcrack/</a>

SAM Cracking Prevention

Practical Methods:•Choose stronger local passwords. Use more than just alpha-numeric <sbr />characters and perhaps throw in some extended ASCII characters by <sbr />way of the Alt+num-pad method.•Turn off LM Hash storage in the SAM via local policy, registry or GPO.<a href="http://support.microsoft.com/kb/q299656/">http://support.microsoft.com/kb/q299656/</a>• If you use a password longer than 14 characters no LM hash will be <sbr />stored. Try using a pass phrase. •Change local password frequently, then rely on domain passwords if <sbr />possible. •Don’t use the same local admin password on public and staff boxes.Fascist Method (Not practical in most cases):•Use the BIOS to disable booting from anything but the hard drive, put <sbr />on a bios password and lock the case.•Configure SysKey to require a password or a disk at boot time. <sbr />(syskey.exe)

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Cracking Cached Domain/ADS Passwords

By default Windows 2000 and XP systems in a
domain or Active Directory tree cache the passwords and
credentials of the last ten previously logged in users. This is
done so that the users can still login again if the Domain
Controller or ADS tree can not be reached either because of
Controller failure or network problems. These cached
passwords are stored as hashes in the local systems
registry at the values:
HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1
through
HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$10

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

<a href="http://www.cr0.net:8040/misc/cachedump.html">http://www.cr0.net:8040/misc/cachedump.html</a><a href="http://www.cr0.net:8040/misc/cachedump.html">http://www.cr0.net:8040/misc/cachedump.html</a><a href="http://www.openwall.com/john/">http://www.openwall.com/john/</a><a href="http://www.oxid.it/cain.html">http://www.oxid.it/cain.html</a>

The cached credential registry keys contain encrypted
information like username, domain, NT hash and sometimes LM hash.
Exact details on the encryption methods can be found at the
CacheDump Homepage:
While these cached password are harder to crack than LM or
NT hashes it’s not impossible. Arnaud Pilon and team have created a
tool for dumping the cached hashes. They have also provided patches
for John the Ripper that allow you to crack the hashes. CacheDump
needs to be run under an admin level account.
Tool Needed:
CacheDump and John patches:
John the Ripper
Cain v2.68 or Higher

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

root@Cthulhu:~# apt-get install john
Reading Package Lists... Done
Building Dependency Tree... Done
Suggested packages:
wenglish wordlist
The following NEW packages will be installed:
john
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/547kB of archives.
After unpacking 1163kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package john.
(Reading database ... 88927 files and directories currently installed.)
Unpacking john (from .../archives/john_1.6-33_i386.deb) ...
Setting up john (1.6-33) ...
root@Cthulhu:~# gunzip -c /usr/share/doc/john/examples/john.ini.gz > /etc/john/john.ini

root@Cthulhu:~# wget http://www.openwall.com/john/b/john-1.6.37.tar.gz
--16:24:28-- http://www.openwall.com/john/b/john-1.6.37.tar.gz
=> `john-1.6.37.tar.gz'
Resolving www.openwall.com... 195.42.179.202
Connecting to www.openwall.com[195.42.179.202]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 139,372 [application/x-tar]
100%[====================================>] 139,372 66.87K/s
16:24:31 (66.73 KB/s) - `john-1.6.37.tar.gz' saved [139372/139372]
root@Cthulhu:~# tar xfz john-1.6.37.tar.gz
root@Cthulhu:~# wget http://www.cr0.net:8040/misc/john-1.6.37-bigpatch-10.diff.gz
--16:25:11-- http://www.cr0.net:8040/misc/john-1.6.37-bigpatch-10.diff.gz
=> `john-1.6.37-bigpatch-10.diff.gz'
Resolving www.cr0.net... 213.186.59.43
Connecting to www.cr0.net[213.186.59.43]:8040... connected.
HTTP request sent, awaiting response... 200 OK
Length: 43,560 [text/plain]
100%[====================================>] 43,560 61.64K/s
16:25:12 (61.55 KB/s) - `john-1.6.37-bigpatch-10.diff.gz' saved [43560/43560]
root@Cthulhu:

root@Cthulhu:~# gunzip -c john-1.6.37-bigpatch-10.diff.gz | patch -p0
patching file john-1.6.37/doc/JOHN-BIGPATCH-FAQ
patching file john-1.6.37/doc/JOHN-NTLM-FAQ
patching file john-1.6.37/src/base64.c
patching file john-1.6.37/src/base64.h
patching file john-1.6.37/src/BFEgg_fmt.c
patching file john-1.6.37/src/bf_tab.h
patching file john-1.6.37/src/blowfish.c
patching file john-1.6.37/src/blowfish.h
patching file john-1.6.37/src/byteorder.h
patching file john-1.6.37/src/john.c
patching file john-1.6.37/src/JOHN-NTLM-FAQ
patching file john-1.6.37/src/loader.c
patching file john-1.6.37/src/logger.c
patching file john-1.6.37/src/logger.h
patching file john-1.6.37/src/lotus5_fmt.c
patching file john-1.6.37/src/Makefile
patching file john-1.6.37/src/md4.c
patching file john-1.6.37/src/md4.h
...
patching file john-1.6.37/src/sha.h
patching file john-1.6.37/src/sha_locl.h
patching file john-1.6.37/src/smbencrypt.c
patching file john-1.6.37/src/undrop.c
root@Cthulhu:~# cd john-1.6.37/src/
root@Cthulhu:~/john-1.6.37/src#

root@Cthulhu:~/john-1.6.37/src# make linux-x86-mmx-elf
ln -sf x86-mmx.h arch.h
make ../run/john ../run/unshadow ../run/unafs ../run/unique ../run/undrop \
JOHN_OBJS="DES_fmt.o DES_std.o DES_bs.o BSDI_fmt.o MD5_fmt.o MD5_std.o
MD5_apache_fmt.o BF_fmt.o BF_std.o AFS_fmt.o BFEgg_fmt.o LM_fmt.o lotus5_fmt.o md5.o
NSLDAP_fmt.o sha1.o base64.o MYSQL_fmt.o NT_fmt.o md4.o smbencrypt.o rawMD5_fmt.o
mscash_fmt.o batch.o bench.o charset.o common.o compiler.o config.o cracker.o external.o
formats.o getopt.o idle.o inc.o john.o list.o loader.o logger.o math.o memory.o misc.o options.o
params.o path.o recovery.o rpp.o rules.o signals.o single.o status.o tty.o wordlist.o unshadow.o
unafs.o undrop.o unique.o x86.o x86-mmx.o"
make[1]: Entering directory `/root/john-1.6.37/src'
gcc -c -Wall -O3 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops DES_fmt.c
...
rm -f ../run/unshadow
ln -s john ../run/unshadow
rm -f ../run/unafs
ln -s john ../run/unafs
rm -f ../run/unique
ln -s john ../run/unique
rm -f ../run/undrop
ln -s john ../run/undrop
make[1]: Leaving directory `/root/john-1.6.37/src'
root@Cthulhu:~/john-1.6.37/src#

root@Cthulhu:~/john-1.6.37/src# cd ../run/
root@Cthulhu:~/john-1.6.37/run# ./john --wordlist:password.lst -format:mscash mydump.txt
Loaded 2 password hashes with 2 different salts (M$ Cache Hash [mscash])
m0nk3y@ (irongeek)
guesses: 1 time: 0:00:00:00 100% c/s: 232900 trying: zhongguo
root@Cthulhu:~/john-1.6.37/run# ./john -i:all -format:mscash mydump.txt
Loaded 1 password hash (M$ Cache Hash [mscash])
guesses: 0 time: 0:00:00:04 c/s: 28954 trying: samm%
guesses: 0 time: 0:00:00:05 c/s: 43431 trying: sabrard
guesses: 0 time: 0:00:00:06 c/s: 60009 trying: samm2
guesses: 0 time: 0:00:00:07 c/s: 82858 trying: uvw
guesses: 0 time: 0:00:00:09 c/s: 121920 trying: 106swi

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Credential Cache Cracking Countermeasures

1. Choose stronger domain passwords. Use more than just alpha-
numeric characters and perhaps throw in some extended ASCII
characters by way of the Alt+num-pad method.
2. For those who are still paranoid and have a VERY reliable
connection to their domain controller, they can follow these steps to
disable the caching of passwords and credentials: Set the registry
value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
to 0 then reboot. This can also be done with the Local Security Policy
or with a GPO:

3.Use same “Fascist Methods” as before for restricting physical access
to the computer.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

VNC(Virtual Network Computing)
Background

VNC is an Open Source tool used for remotely
controlling another computer’s GUI. There is a server
daemon for Windows, *nix and Mac OS. There are clients
for too many platforms to even mention. Some folks use it
for end user support because Microsoft’s Remote
Assistance service built into Windows XP is so cumbersome
as to be practically useless.
The two most popular versions of VNC are:

TightVNC<a href="http://www.tightvnc.com/">http://www.tightvnc.com/</a>RealVNC<a href="http://www.realvnc.com/">http://www.realvnc.com/</a> 

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Cracking VNC Passwords Store in the
Windows Registry

VNC’s encrypted password may be found in one of these keys:
TightVNC:
HKEY_CURRENT_USER\Software\ORL\WinVNC3
HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3
HKEY_USERS\.DEFAULT\SOftware\ORL\WinVNC3
RealVNC:
HKEY_CURRENT_USER\Software\RealVNC\WinVNC4
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4
HKEY_USERS\.DEFAULT\SOftware\RealVNC\WinVNC4
Do a search with Regedit if you can’t find it. In some cases
these keys will be restricted so that only admin level accounts can
read them, but with a boot disk that’s easy to get around. The
password is DES encrypted, but since the fixed key (23 82 107 6 35
78 88 7) is known it’s easy to decrypt.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Tools for Cracking VNC

VNCrack
VNCrack can decrypt stored password, as well as dictionary
attack remote hosts. Both Windows and Linux versions are
available.
Cain
Cain has a built in stored VNC password decryption function.
VNCPwdump
This is the tool I’ll be using for the demonstration.
VNCPwdump supports dumping from the current user’s
registry, an NTUSER.DAT file, decrypting the HEX string from
the command line and injecting into the VNC server process to
dump the password. Source code is available at their website.

<a href="http://www.phenoelit.de/vncrack/download.html">http://www.phenoelit.de/vncrack/download.html</a><a href="http://www.oxid.it/cain.html ">http://www.oxid.it/cain.html </a><a href="http://www.cqure.net/tools.jsp?id=12 ">http://www.cqure.net/tools.jsp?id=12 </a>

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

VNC Password Cracking Countermeasures

A few of the many options:
1. Don’t use remote control software, just walk to the users station.
This may be better for your organizations customer service image
anyway.
2. Have the user start the VNC server manually, and only when
needed. Or you can start an stop it when needed yourself by using
the SC command:
sc \\ComputerName config winvnc start= demand
sc \\ComputerName start winvnc
sc \\ComputerName stop winvnc
3. Try UltraVNC.
It allows you to require a Windows Local or Domain account
to authenticate (MS Logon option). If you choose this option it will
disable the normal VNC logon method. A few quirks:
•The Java client does not work with MS Logon.
•The client and server only supports Windows.
•It’s still a little flakey.
•The development version is more stable than the “stable” version.

<a href="http://www.ultravnc.com/">http://www.ultravnc.com/</a>

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Retrieving Passwords from Protected
Storage

Internet Explorer, Outlook Express and MSN Explorer
can store user passwords using a service called Protected
Storage. The encrypted values reside in the registry at:
HKEY_CURRENT_USER\Software\Microsoft\Protected
Storage System Provider
There are a few tools for decrypting these store
passwords, including the previously mentioned Cain. The
most popular is Protected Storage PassView from Nir Sofer:
Its one draw back is that it can only read the current
user's Protected Storage, but there are work-arounds to get
past this limitation.

<a href="http://www.nirsoft.net/utils/pspv.html">http://www.nirsoft.net/utils/pspv.html</a>

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Output

==================================================
Resource Name    : cthulhu.com:443/Login is Required
Resource Type    : IE: Password-Protected Sites
User Name/Value    : peng
Password : p2$$w0rd
==================================================
==================================================
Resource Name    : http://www.linuxmonkey.nl/phpbb2/index.php
Resource Type    : AutoComplete Passwords
User Name/Value    : irongeek
Password : letmein
==================================================

c:\Documents and Settings\irongeek\pspv.txt

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Protected Storage Countermeasures

1. Keep the attacker from becoming Admin on the box
using the techniques discussed previously.
2. Check to see what’s set to run at startup using tools like
MSConfig, Regedit and HijackThis.
3. Disable the option to store passwords in Protected
Storage.

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Play Again

Credits

Further Research:

Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 <sbr />using Open Source Tools:<a href="http://www.irongeek.com/i.php?page=security/localsamcrack2">http://www.irongeek.com/i.php?page=security/localsamcrack2</a>Cracking Cached Domain/Active Directory Passwords on <sbr />Windows XP/2000/2003:<a href="http://www.irongeek.com/i.php?page=security/cachecrack ">http://www.irongeek.com/i.php?page=security/cachecrack </a>Sites with password cracking tools:<a href="http://www.nirsoft.net/utils/index.html#password_utils">http://www.nirsoft.net/utils/index.html#password_utils</a> <a href="http://packetstormsecurity.org/">http://packetstormsecurity.org/</a><a href="http://www.elcomsoft.com ">http://www.elcomsoft.com </a>Thanks to <a href="http://cacr.iu.edu/">CACR</a>, <a href="http://www.antionline.com/member.php?s=&action=getinfo&userid=177708">Sec_ware</a> and the rest of the folks at <sbr /><a href="http://www.antionline.com">Antionline</a> and <a href="http://www.binrev.com">Binrev.</a> 

<a href="http://www.Irongeek.com">http://www.Irongeek.com</a>

Credits

Narrated, Written and Directed by <a href="http://www.irongeek.com">Adrian Duane Crenshaw</a>Created in <a href="http://www.macromedia.com/software/flash/">Flash MX 2004</a>Sound recorded and edited with <a href="http://audacity.sourceforge.net/">Audacity</a>Screen capture video done by <a href="http://www.funchords.com/favorite/freeware/cam_studio_20/">CamStudio 2.0</a> Open Source

ActionScript [AS1/AS2]

Frame 1
	stop();
Instance of Symbol 6 MovieClip in Frame 1
onClipEvent (enterFrame) {
	loading = _parent.getBytesLoaded();
	total = _parent.getBytesTotal();
	percent = percent - ((percent - ((loading / total) * 100)) * 0.25);
	per = int(percent);
	percentage = per + "%";
	loadBar._width = per * 2;
	if (percent > 99) {
		_parent.gotoAndStop(2);
	}
}
Frame 2
	stop();
Frame 3
	stop();
Frame 9
	stop();
Frame 11
	stop();
Frame 13
	stop();
Frame 14
	play();
Frame 1158
	stopAllSounds();
	stop();
Frame 1159
	stop();
Frame 1161
	stop();
Frame 1168
	stop();
Frame 1169
	play();
Frame 1658
	stop();
	stopAllSounds();
Frame 1659
	stop();
Frame 1660
	stop();
Frame 1667
	stop();
Frame 1671
	stop();
Frame 1672
	stop();
Symbol 6 MovieClip Frame 1
	stop();
Symbol 16 Button
on (release) {
	stopAllSounds();
	nextFrame();
}
Symbol 25 Button
on (release) {
	stopAllSounds();
	prevFrame();
}
Symbol 86 MovieClip Frame 432
	stop();
Symbol 141 MovieClip Frame 70
 
Symbol 152 MovieClip Frame 10
	stop();
Symbol 161 MovieClip Frame 10
	stop();
Symbol 165 MovieClip Frame 45
	stop();
Symbol 169 Button
on (release) {
	_parent.stop();
}
Symbol 174 Button
on (press) {
	gotoAndPlay ("fastforward");
}
on (release) {
	gotoAndStop ("stop");
}
Symbol 178 Button
on (press) {
	gotoAndPlay ("rewind");
}
on (release) {
	gotoAndStop ("stop");
}
Symbol 182 Button
on (release) {
	_parent.play();
}
Symbol 183 MovieClip Frame 1
	stop();
Symbol 183 MovieClip Frame 5
	_parent.gotoAndPlay(_parent._currentframe + 5);
Symbol 183 MovieClip Frame 6
	gotoAndPlay ("fastforward");
Symbol 183 MovieClip Frame 10
	_parent.gotoAndPlay(_parent._currentframe - 5);
Symbol 183 MovieClip Frame 11
	gotoAndPlay ("rewind");
Symbol 184 Button
on (release) {
	stopAllSounds();
	gotoAndStop (1159);
}
Symbol 185 Button
on (release) {
	stopAllSounds();
	gotoAndPlay ("SamCrack6");
}
Symbol 227 Button
on (release) {
	stopAllSounds();
	gotoAndStop (1659);
}
Symbol 228 Button
on (release) {
	stopAllSounds();
	gotoAndPlay ("CacheCrack8");
}
Symbol 239 MovieClip Frame 10
	stop();
Symbol 255 MovieClip Frame 10
	stop();
Symbol 280 MovieClip Frame 10
	stop();
Symbol 290 MovieClip Frame 10
	stop();
Symbol 308 MovieClip Frame 10
	stop();
Symbol 312 MovieClip Frame 10
	stop();
Symbol 316 MovieClip Frame 10
	stop();
Symbol 323 Button
on (release) {
	gotoAndPlay (2);
}
Symbol 324 Button
on (release) {
	stopAllSounds();
	gotoAndStop (1667);
}
Symbol 327 Button
on (release) {
	gotoAndPlay ("Credits");
}
Symbol 332 Button
on (release) {
	stopAllSounds();
	gotoAndPlay ("1");
}

Library Items

Symbol 1 Font	Used by:2 5 9 10 11 13 15 17 19 20 22 24 26 28 29 73 74 75 76 77 78 79 80 88 89 90 92 94 95 97 98 99 101 102 103 104 105 107 108 109 111 112 113 114 127 128 129 146 147 148 155 156 157 186 189 192 193 194 195 196 199 200 201 203 204 205 207 208 209 211 216 217 219 221 223 225 229 232 233 234 235 242 243 244 245 250 251 252 258 259 260 261 263 267 270 271 274 275 276 277 283 284 285 286 289 291 294 298 299 300 301 303 304 305 319 321 322 325 326 328 329 331 333 334
Symbol 2 Text	Uses:1	Used by:6
Symbol 3 Graphic	Used by:4
Symbol 4 MovieClip	Uses:3	Used by:6
Symbol 5 EditableText	Uses:1	Used by:6
Symbol 6 MovieClip	Uses:2 4 5	Used by:Timeline
Symbol 7 Bitmap	Used by:8
Symbol 8 Graphic	Uses:7	Used by:Timeline
Symbol 9 EditableText	Uses:1 93	Used by:Timeline
Symbol 10 Text	Uses:1	Used by:Timeline
Symbol 11 Text	Uses:1	Used by:Timeline
Symbol 12 Graphic	Used by:16 184 227
Symbol 13 Text	Uses:1	Used by:16 184 227
Symbol 14 Graphic	Used by:16 184 227
Symbol 15 Text	Uses:1	Used by:16 184 227
Symbol 16 Button	Uses:12 13 14 15	Used by:Timeline
Symbol 17 EditableText	Uses:1 93	Used by:Timeline
Symbol 18 Sound	Used by:Timeline
Symbol 19 Text	Uses:1	Used by:Timeline
Symbol 20 Text	Uses:1	Used by:Timeline
Symbol 21 Graphic	Used by:25 185 228 324 332
Symbol 22 Text	Uses:1	Used by:25 185 228 324 332
Symbol 23 Graphic	Used by:25 185 228 324 327 332
Symbol 24 Text	Uses:1	Used by:25 185 228 324 332
Symbol 25 Button	Uses:21 22 23 24	Used by:Timeline
Symbol 26 EditableText	Uses:1 93	Used by:Timeline
Symbol 27 Sound	Used by:Timeline
Symbol 28 Text	Uses:1	Used by:Timeline
Symbol 29 EditableText	Uses:1 93	Used by:Timeline
Symbol 30 Bitmap	Used by:31
Symbol 31 Graphic	Uses:30	Used by:72
Symbol 32 Bitmap	Used by:33
Symbol 33 Graphic	Uses:32	Used by:72
Symbol 34 Bitmap	Used by:35
Symbol 35 Graphic	Uses:34	Used by:72
Symbol 36 Bitmap	Used by:37
Symbol 37 Graphic	Uses:36	Used by:72
Symbol 38 Bitmap	Used by:39
Symbol 39 Graphic	Uses:38	Used by:72
Symbol 40 Bitmap	Used by:41
Symbol 41 Graphic	Uses:40	Used by:72
Symbol 42 Bitmap	Used by:43
Symbol 43 Graphic	Uses:42	Used by:72
Symbol 44 Bitmap	Used by:45
Symbol 45 Graphic	Uses:44	Used by:72
Symbol 46 Bitmap	Used by:47
Symbol 47 Graphic	Uses:46	Used by:72
Symbol 48 Bitmap	Used by:49
Symbol 49 Graphic	Uses:48	Used by:72
Symbol 50 Bitmap	Used by:51
Symbol 51 Graphic	Uses:50	Used by:72
Symbol 52 Bitmap	Used by:53
Symbol 53 Graphic	Uses:52	Used by:72
Symbol 54 Bitmap	Used by:55
Symbol 55 Graphic	Uses:54	Used by:72
Symbol 56 Bitmap	Used by:57
Symbol 57 Graphic	Uses:56	Used by:72
Symbol 58 Bitmap	Used by:59
Symbol 59 Graphic	Uses:58	Used by:72
Symbol 60 Bitmap	Used by:61
Symbol 61 Graphic	Uses:60	Used by:72
Symbol 62 Bitmap	Used by:63
Symbol 63 Graphic	Uses:62	Used by:72
Symbol 64 Bitmap	Used by:65
Symbol 65 Graphic	Uses:64	Used by:72
Symbol 66 Bitmap	Used by:67
Symbol 67 Graphic	Uses:66	Used by:72
Symbol 68 Bitmap	Used by:69
Symbol 69 Graphic	Uses:68	Used by:72
Symbol 70 Bitmap	Used by:71
Symbol 71 Graphic	Uses:70	Used by:72
Symbol 72 MovieClip	Uses:31 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63 65 67 69 71	Used by:86
Symbol 73 Text	Uses:1	Used by:86
Symbol 74 Text	Uses:1	Used by:86
Symbol 75 Text	Uses:1	Used by:86
Symbol 76 Text	Uses:1	Used by:86
Symbol 77 Text	Uses:1	Used by:86
Symbol 78 Text	Uses:1	Used by:86
Symbol 79 Text	Uses:1	Used by:86
Symbol 80 Text	Uses:1	Used by:86
Symbol 81 Bitmap	Used by:82
Symbol 82 Graphic	Uses:81	Used by:83
Symbol 83 MovieClip	Uses:82	Used by:86
Symbol 84 Sound	Used by:86
Symbol 85 Sound	Used by:86
Symbol 86 MovieClip	Uses:72 73 74 75 76 77 78 79 80 83 84 85	Used by:Timeline
Symbol 87 Sound	Used by:Timeline
Symbol 88 Text	Uses:1	Used by:Timeline
Symbol 89 Text	Uses:1	Used by:Timeline
Symbol 90 EditableText	Uses:1 93	Used by:Timeline
Symbol 91 Sound	Used by:Timeline
Symbol 92 Text	Uses:1	Used by:Timeline
Symbol 93 Font	Used by:9 17 26 29 90 94 95 99 103 104 105 109 113 114 129 144 147 148 156 157 186 189 194 195 196 200 201 203 207 208 211 216 217 219 221 223 225 229 232 233 242 245 250 258 260 261 263 267 270 274 276 277 283 286 289 291 294 298 303 319 329 331 334
Symbol 94 Text	Uses:93 1	Used by:Timeline
Symbol 95 EditableText	Uses:1 93	Used by:Timeline
Symbol 96 Sound	Used by:Timeline
Symbol 97 Text	Uses:1	Used by:Timeline
Symbol 98 Text	Uses:1	Used by:Timeline
Symbol 99 EditableText	Uses:1 93	Used by:Timeline
Symbol 100 Sound	Used by:Timeline
Symbol 101 Text	Uses:1	Used by:Timeline
Symbol 102 Text	Uses:1	Used by:Timeline
Symbol 103 EditableText	Uses:1 93	Used by:Timeline
Symbol 104 EditableText	Uses:1 93	Used by:Timeline
Symbol 105 EditableText	Uses:1 93	Used by:Timeline
Symbol 106 Sound	Used by:Timeline
Symbol 107 Text	Uses:1	Used by:Timeline
Symbol 108 Text	Uses:1	Used by:Timeline
Symbol 109 EditableText	Uses:1 93	Used by:Timeline
Symbol 110 Sound	Used by:Timeline
Symbol 111 Text	Uses:1	Used by:Timeline
Symbol 112 Text	Uses:1	Used by:Timeline
Symbol 113 EditableText	Uses:1 93	Used by:Timeline
Symbol 114 EditableText	Uses:1 93	Used by:Timeline
Symbol 115 Font	Used by:116 117 118 119 120 121 123 124 130 131 132 133 134 135 136 137 139 140
Symbol 116 Text	Uses:115	Used by:122
Symbol 117 Text	Uses:115	Used by:122
Symbol 118 Text	Uses:115	Used by:122
Symbol 119 Text	Uses:115	Used by:122
Symbol 120 Text	Uses:115	Used by:122
Symbol 121 Text	Uses:115	Used by:122
Symbol 122 MovieClip	Uses:116 117 118 119 120 121	Used by:Timeline
Symbol 123 Text	Uses:115	Used by:125
Symbol 124 Text	Uses:115	Used by:125
Symbol 125 MovieClip	Uses:123 124	Used by:Timeline
Symbol 126 Sound	Used by:Timeline
Symbol 127 Text	Uses:1	Used by:Timeline
Symbol 128 Text	Uses:1	Used by:Timeline
Symbol 129 EditableText	Uses:1 93	Used by:Timeline
Symbol 130 Text	Uses:115	Used by:141
Symbol 131 Text	Uses:115	Used by:141
Symbol 132 Text	Uses:115	Used by:141
Symbol 133 Text	Uses:115	Used by:141
Symbol 134 Text	Uses:115	Used by:141
Symbol 135 Text	Uses:115	Used by:141
Symbol 136 Text	Uses:115	Used by:141
Symbol 137 Text	Uses:115	Used by:141
Symbol 138 Font	Used by:139 140
Symbol 139 Text	Uses:138 115	Used by:141
Symbol 140 Text	Uses:138 115	Used by:141
Symbol 141 MovieClip	Uses:130 131 132 133 134 135 136 137 139 140	Used by:142
Symbol 142 MovieClip	Uses:141	Used by:Timeline
Symbol 143 Sound	Used by:Timeline
Symbol 144 Text	Uses:93	Used by:145
Symbol 145 MovieClip	Uses:144	Used by:Timeline
Symbol 146 Text	Uses:1	Used by:Timeline
Symbol 147 EditableText	Uses:1 93	Used by:Timeline
Symbol 148 EditableText	Uses:1 93	Used by:Timeline
Symbol 149 Bitmap	Used by:150 151
Symbol 150 Graphic	Uses:149	Used by:153
Symbol 151 Graphic	Uses:149	Used by:152
Symbol 152 MovieClip	Uses:151	Used by:153
Symbol 153 Button	Uses:150 152	Used by:Timeline
Symbol 154 Sound	Used by:Timeline
Symbol 155 Text	Uses:1	Used by:Timeline
Symbol 156 EditableText	Uses:1 93	Used by:Timeline
Symbol 157 EditableText	Uses:1 93	Used by:Timeline
Symbol 158 Bitmap	Used by:159 160
Symbol 159 Graphic	Uses:158	Used by:162
Symbol 160 Graphic	Uses:158	Used by:161
Symbol 161 MovieClip	Uses:160	Used by:162
Symbol 162 Button	Uses:159 161	Used by:Timeline
Symbol 163 Bitmap	Used by:164
Symbol 164 Graphic	Uses:163	Used by:165
Symbol 165 MovieClip	Uses:164	Used by:Timeline
Symbol 166 Sound	Used by:Timeline
Symbol 167 Graphic	Used by:169
Symbol 168 Graphic	Used by:169
Symbol 169 Button	Uses:167 168	Used by:183
Symbol 170 Graphic	Used by:174 178
Symbol 171 Graphic	Used by:174
Symbol 172 Graphic	Used by:174
Symbol 173 Graphic	Used by:174
Symbol 174 Button	Uses:170 171 172 173	Used by:183
Symbol 175 Graphic	Used by:178
Symbol 176 Graphic	Used by:178
Symbol 177 Graphic	Used by:178
Symbol 178 Button	Uses:170 175 176 177	Used by:183
Symbol 179 Graphic	Used by:182
Symbol 180 Graphic	Used by:182
Symbol 181 Graphic	Used by:182
Symbol 182 Button	Uses:179 180 181	Used by:183
Symbol 183 MovieClip	Uses:169 174 178 182	Used by:Timeline
Symbol 184 Button	Uses:12 13 14 15	Used by:Timeline
Symbol 185 Button	Uses:21 22 23 24	Used by:Timeline
Symbol 186 EditableText	Uses:1 93	Used by:Timeline
Symbol 187 Video	Used by:Timeline
Symbol 188 Sound	Used by:Timeline
Symbol 189 EditableText	Uses:1 93	Used by:Timeline
Symbol 190 Bitmap	Used by:191
Symbol 191 Graphic	Uses:190	Used by:Timeline
Symbol 192 Text	Uses:1	Used by:Timeline
Symbol 193 Text	Uses:1	Used by:Timeline
Symbol 194 EditableText	Uses:1 93	Used by:Timeline
Symbol 195 Text	Uses:93 1	Used by:Timeline
Symbol 196 EditableText	Uses:1 93	Used by:Timeline
Symbol 197 Text	Used by:Timeline
Symbol 198 Sound	Used by:Timeline
Symbol 199 Text	Uses:1	Used by:Timeline
Symbol 200 EditableText	Uses:1 93	Used by:Timeline
Symbol 201 EditableText	Uses:1 93	Used by:Timeline
Symbol 202 Sound	Used by:Timeline
Symbol 203 EditableText	Uses:1 93	Used by:Timeline
Symbol 204 Text	Uses:1	Used by:Timeline
Symbol 205 Text	Uses:1	Used by:Timeline
Symbol 206 Sound	Used by:Timeline
Symbol 207 EditableText	Uses:1 93	Used by:Timeline
Symbol 208 EditableText	Uses:1 93	Used by:Timeline
Symbol 209 Text	Uses:1	Used by:Timeline
Symbol 210 Sound	Used by:Timeline
Symbol 211 EditableText	Uses:1 93	Used by:Timeline
Symbol 212 Bitmap	Used by:213
Symbol 213 Graphic	Uses:212	Used by:Timeline
Symbol 214 Sound	Used by:Timeline
Symbol 215 Graphic	Used by:Timeline
Symbol 216 EditableText	Uses:1 93	Used by:Timeline
Symbol 217 Text	Uses:1 93	Used by:Timeline
Symbol 218 Sound	Used by:Timeline
Symbol 219 Text	Uses:1 93	Used by:Timeline
Symbol 220 Sound	Used by:Timeline
Symbol 221 Text	Uses:1 93	Used by:Timeline
Symbol 222 Sound	Used by:Timeline
Symbol 223 Text	Uses:1 93	Used by:Timeline
Symbol 224 Sound	Used by:Timeline
Symbol 225 Text	Uses:1 93	Used by:Timeline
Symbol 226 Sound	Used by:Timeline
Symbol 227 Button	Uses:12 13 14 15	Used by:Timeline
Symbol 228 Button	Uses:21 22 23 24	Used by:Timeline
Symbol 229 EditableText	Uses:1 93	Used by:Timeline
Symbol 230 Video	Used by:Timeline
Symbol 231 Sound	Used by:Timeline
Symbol 232 EditableText	Uses:1 93	Used by:Timeline
Symbol 233 EditableText	Uses:1 93	Used by:Timeline
Symbol 234 Text	Uses:1	Used by:Timeline
Symbol 235 Text	Uses:1	Used by:Timeline
Symbol 236 Bitmap	Used by:237 238
Symbol 237 Graphic	Uses:236	Used by:240
Symbol 238 Graphic	Uses:236	Used by:239
Symbol 239 MovieClip	Uses:238	Used by:240
Symbol 240 Button	Uses:237 239	Used by:Timeline
Symbol 241 Sound	Used by:Timeline
Symbol 242 EditableText	Uses:1 93	Used by:Timeline
Symbol 243 Text	Uses:1	Used by:Timeline
Symbol 244 Text	Uses:1	Used by:Timeline
Symbol 245 EditableText	Uses:1 93	Used by:Timeline
Symbol 246 Bitmap	Used by:248
Symbol 247 Bitmap	Used by:248
Symbol 248 Graphic	Uses:246 247	Used by:Timeline
Symbol 249 Sound	Used by:Timeline
Symbol 250 EditableText	Uses:1 93	Used by:Timeline
Symbol 251 Text	Uses:1	Used by:Timeline
Symbol 252 Text	Uses:1	Used by:Timeline
Symbol 253 Bitmap	Used by:254
Symbol 254 Graphic	Uses:253	Used by:255 256
Symbol 255 MovieClip	Uses:254	Used by:256
Symbol 256 Button	Uses:254 255	Used by:Timeline
Symbol 257 Sound	Used by:Timeline
Symbol 258 EditableText	Uses:1 93	Used by:Timeline
Symbol 259 Text	Uses:1	Used by:Timeline
Symbol 260 Text	Uses:93 1	Used by:Timeline
Symbol 261 EditableText	Uses:1 93	Used by:Timeline
Symbol 262 Sound	Used by:Timeline
Symbol 263 EditableText	Uses:1 93	Used by:Timeline
Symbol 264 Bitmap	Used by:265 268 272
Symbol 265 Graphic	Uses:264	Used by:Timeline
Symbol 266 Sound	Used by:Timeline
Symbol 267 EditableText	Uses:1 93	Used by:Timeline
Symbol 268 Graphic	Uses:264	Used by:Timeline
Symbol 269 Sound	Used by:Timeline
Symbol 270 EditableText	Uses:1 93	Used by:Timeline
Symbol 271 Text	Uses:1	Used by:Timeline
Symbol 272 Graphic	Uses:264	Used by:Timeline
Symbol 273 Sound	Used by:Timeline
Symbol 274 EditableText	Uses:1 93	Used by:Timeline
Symbol 275 Text	Uses:1	Used by:Timeline
Symbol 276 Text	Uses:1 93	Used by:Timeline
Symbol 277 EditableText	Uses:1 93	Used by:Timeline
Symbol 278 Bitmap	Used by:279
Symbol 279 Graphic	Uses:278	Used by:280 281
Symbol 280 MovieClip	Uses:279	Used by:281
Symbol 281 Button	Uses:279 280	Used by:Timeline
Symbol 282 Sound	Used by:Timeline
Symbol 283 EditableText	Uses:1 93	Used by:Timeline
Symbol 284 Text	Uses:1	Used by:292
Symbol 285 Text	Uses:1	Used by:292
Symbol 286 EditableText	Uses:1 93	Used by:292
Symbol 287 Bitmap	Used by:288
Symbol 288 Graphic	Uses:287	Used by:290 292
Symbol 289 EditableText	Uses:1 93	Used by:292
Symbol 290 MovieClip	Uses:288	Used by:292
Symbol 291 EditableText	Uses:1 93	Used by:292
Symbol 292 Button	Uses:284 285 286 288 289 290 291	Used by:Timeline
Symbol 293 Sound	Used by:Timeline
Symbol 294 EditableText	Uses:1 93	Used by:Timeline
Symbol 295 Bitmap	Used by:296
Symbol 296 Graphic	Uses:295	Used by:Timeline
Symbol 297 Sound	Used by:Timeline
Symbol 298 EditableText	Uses:1 93	Used by:Timeline
Symbol 299 Text	Uses:1	Used by:Timeline
Symbol 300 Text	Uses:1	Used by:Timeline
Symbol 301 Text	Uses:1	Used by:Timeline
Symbol 302 Sound	Used by:Timeline
Symbol 303 EditableText	Uses:1 93	Used by:Timeline
Symbol 304 Text	Uses:1	Used by:Timeline
Symbol 305 Text	Uses:1	Used by:Timeline
Symbol 306 Bitmap	Used by:307
Symbol 307 Graphic	Uses:306	Used by:308 309
Symbol 308 MovieClip	Uses:307	Used by:309
Symbol 309 Button	Uses:307 308	Used by:Timeline
Symbol 310 Bitmap	Used by:311
Symbol 311 Graphic	Uses:310	Used by:312 313
Symbol 312 MovieClip	Uses:311	Used by:313
Symbol 313 Button	Uses:311 312	Used by:Timeline
Symbol 314 Bitmap	Used by:315
Symbol 315 Graphic	Uses:314	Used by:316 317
Symbol 316 MovieClip	Uses:315	Used by:317
Symbol 317 Button	Uses:315 316	Used by:Timeline
Symbol 318 Sound	Used by:Timeline
Symbol 319 EditableText	Uses:1 93	Used by:Timeline
Symbol 320 Graphic	Used by:323
Symbol 321 Text	Uses:1	Used by:323
Symbol 322 Text	Uses:1	Used by:323
Symbol 323 Button	Uses:320 321 322	Used by:Timeline
Symbol 324 Button	Uses:21 22 23 24	Used by:Timeline
Symbol 325 Text	Uses:1	Used by:327
Symbol 326 Text	Uses:1	Used by:327
Symbol 327 Button	Uses:23 325 326	Used by:Timeline
Symbol 328 Text	Uses:1	Used by:Timeline
Symbol 329 EditableText	Uses:1 93	Used by:Timeline
Symbol 330 Sound	Used by:Timeline
Symbol 331 EditableText	Uses:1 93	Used by:Timeline
Symbol 332 Button	Uses:21 22 23 24	Used by:Timeline
Symbol 333 Text	Uses:1	Used by:Timeline
Symbol 334 EditableText	Uses:1 93	Used by:Timeline
Streaming Sound 1	Used by:Timeline

Instance Names

"loadBar"

Symbol 6 MovieClip Frame 1

Symbol 4 MovieClip

Labels

"SamCrack6"	Frame 13
"CacheCrack8"	Frame 1168
"Credits"	Frame 1672
"stop"	Symbol 183 MovieClip Frame 1
"fastforward"	Symbol 183 MovieClip Frame 5
"rewind"	Symbol 183 MovieClip Frame 10

Dynamic Text Variables

percentage

Symbol 5 EditableText