High-tech password cracking uses a program that guesses a password by working through candidate passwords automatically, up to every possible combination. These high-tech methods are mostly automated once you have access to the computer and password
Password cracking software
You can try to crack your organization’s operating-system and Internet-application
passwords with various password cracking tools:
- LC4 (previously called L0phtcrack) can sniff out password hashes from the wire. Go to www.atstake.com/research/lc
- NetBIOS Auditing Tool (NAT) specializes in network-based password attacks. Go to www.securityfocus.com/tools/543
- Chknull (www.phreak.org/archives/exploits/novell) for Novell NetWare password testing
- These tools require physical access to the tested computer, or at least a copy of its password hashes:
• John the Ripper (www.openwall.com/john)
• pwdump2 (razor.bindview.com/tools/desc/pwdump2_readme.html)
• Crack (coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack)
• Brutus (www.hoobie.net/brutus)
• Pandora (www.nmrc.org/project/pandora)
• NTFSDOS Professional (www.winternals.com)
Various other handy password tools exist, such as
• GetPass for decrypting login passwords for Cisco routers; Cisco’s type 7 password “encryption” is a reversible obfuscation with a fixed, well-known key rather than a hash, so these decode instantly without any guessing (www.
• Win Sniffer for capturing FTP, e-mail, and other types of passwords
off the network
• Cain and Abel for capturing, cracking, and even calculating various
types of passwords on a plethora of systems (www.oxid.it/
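What GetPass and similar tools actually do with a Cisco type 7 password, as an added example in Python; this is not code from the book, from GetPass, or from Cisco. The XOR key is Cisco’s well-known fixed type 7 constant. The running-config excerpt, the usernames and the enable secret line are constructed for this example (the type 5 value is a placeholder, not a real MD5-crypt hash), and the example goes a little beyond the text by also scanning a config for type 7 credentials and separating them from type 5 secrets, which are real hashes and have to be cracked rather than decoded.

```python
import re
from typing import List, Optional, Tuple

# Cisco's fixed type 7 key. Every IOS device uses this same constant, which is
# why "service password-encryption" is obfuscation, not encryption.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Decode a type 7 string: two decimal seed digits, then hex bytes, each
    XORed with the key byte at position (seed + index) mod len(key)."""
    if (len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit()
            or not all(c in "0123456789abcdefABCDEF" for c in enc[2:])):
        raise ValueError(f"not a type 7 string: {enc!r}")
    seed = int(enc[:2], 10)
    body = bytes.fromhex(enc[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 8) -> str:
    """Inverse of decode_type7. IOS picks a seed from 0 to 15; the seed is
    stored in clear in the first two digits, so there is no secret at all."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    data = plain.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})")
TYPE5_RE = re.compile(r"\bsecret\s+5\s+\$1\$")

# Constructed running-config excerpt (not from any real device). The enable
# secret is a placeholder, not a valid MD5-crypt hash.
SAMPLE_CONFIG = """\
service password-encryption
username admin privilege 15 password 7 0822455D0A16
username ops password 7 032B4B18575D7218
enable secret 5 $1$placeholder$notarealhash
line vty 0 4
 password 7 094F471A1A0A
 login
"""


def audit_config(config: str) -> List[Tuple[str, Optional[str]]]:
    """Return (config line, recovered plaintext) for every type 7 credential,
    and (line, None) for type 5 secrets, which are MD5-crypt hashes and must
    be cracked with a wordlist rather than decoded."""
    findings: List[Tuple[str, Optional[str]]] = []
    for line in config.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            findings.append((line.strip(), decode_type7(m.group(1))))
        elif TYPE5_RE.search(line):
            findings.append((line.strip(), None))
    return findings


if __name__ == "__main__":
    for cfg_line, recovered in audit_config(SAMPLE_CONFIG):
        verdict = f"plaintext: {recovered}" if recovered else "hash (type 5): crack, do not decode"
        print(f"{cfg_line:55} -> {verdict}")
```

The practical lesson for a Cisco audit is the split in the output: anything stored as type 7 is effectively plaintext to whoever can read the config (backups, TFTP servers, ticket attachments), while type 5 secrets need the dictionary approach described later in this chapter.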
You may be wondering what value a password-cracking tool offers if you need
physical access to your systems to test them. Some would say that if a hacker
can obtain physical access to your systems and password files, you have
more than just basic information-security problems to worry about. But this
kind of access is entirely possible! What about a summer intern, a disgruntled
employee, or an outside consultant with malicious intent?
Password-cracking utilities take a set of known passwords and run them
through the same password-hashing algorithm the target system uses. A hash is a
one-way digest, not an encrypted form that can be reversed, so the tool never
recovers a password from its hash directly; instead, each freshly computed hash
is compared at lightning speed to the password hashes extracted from the
original password database. When a newly generated hash matches a hash in the
original database, the password has been cracked. It’s that simple. If the
scheme uses a per-account salt, every candidate must be hashed once per account
with that account’s salt, which is what makes salted schemes so much slower to
crack than plain unsalted hashes.
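The hash-and-compare loop just described, as an added example in Python; it is not code from the book or from any of the tools listed above. The wordlist, the accounts and their digests are constructed here (alice’s entry is the well-known MD5 of “password”; the others are built from stated plaintexts so the example runs offline), and the salted scheme H(salt + password) is a stand-in for real salted formats such as crypt(3), which would need their own hash routines. It goes slightly beyond the text by applying simple mangling rules (capitalisation, appended digits and symbols) and by counting hash computations, which shows why a salt multiplies the attacker’s work.

```python
import hashlib
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed mini wordlist. Real audits use the large dictionaries the text
# refers to; the search logic is the same.
WORDLIST = ["password", "letmein", "summer", "qwerty"]

# A database entry is (hash algorithm, salt, hex digest). An empty salt means
# an unsalted scheme (digest of the password alone, as many web applications
# store it). The salted scheme, H(salt + password), is a constructed stand-in
# for real salted formats so the example stays self-contained.
Entry = Tuple[str, str, str]


def hash_candidate(algo: str, salt: str, candidate: str) -> str:
    """Hash one candidate exactly the way the target scheme would."""
    return hashlib.new(algo, (salt + candidate).encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Rule-based expansion: the transformations users really apply."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "!", "123", "2004"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(db: Dict[str, Entry], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Return ({user: recovered password}, number of hashes computed)."""
    # Unsalted digests go into one lookup table per algorithm: each candidate is
    # hashed once per algorithm and matched against every account at once.
    unsalted: Dict[str, Dict[str, List[str]]] = {}
    salted: List[Tuple[str, str, str, str]] = []
    for user, (algo, salt, digest) in db.items():
        if salt:
            salted.append((user, algo, salt, digest.lower()))
        else:
            unsalted.setdefault(algo, {}).setdefault(digest.lower(), []).append(user)

    found: Dict[str, str] = {}
    computed = 0
    for word in wordlist:
        for cand in mangle(word):
            for algo, table in unsalted.items():
                computed += 1
                for user in table.get(hash_candidate(algo, "", cand), []):
                    found.setdefault(user, cand)
            # Salted entries cost one hash per account per candidate.
            for user, algo, salt, digest in salted:
                if user in found:
                    continue
                computed += 1
                if hash_candidate(algo, salt, cand) == digest:
                    found[user] = cand
    return found, computed


def _entry(algo: str, salt: str, plaintext: str) -> Entry:
    """Build a constructed database entry from a known plaintext."""
    return (algo, salt, hash_candidate(algo, salt, plaintext))


# Constructed password database. alice's digest is the literal, well-known
# md5("password"); the others are derived from the plaintexts shown.
SAMPLE_DB: Dict[str, Entry] = {
    "alice": ("md5", "", "5f4dcc3b5aa765d61d8327deb882cf99"),
    "bob":   _entry("sha1", "", "Letmein123"),
    "carol": _entry("sha256", "x9Qk", "Summer!"),
    "dave":  _entry("sha256", "", "c0rrect-h0rse-battery"),  # not in the wordlist
}


if __name__ == "__main__":
    recovered, work = crack(SAMPLE_DB, WORDLIST)
    for user in SAMPLE_DB:
        print(f"{user:6} {recovered.get(user, '<not cracked>')}")
    print(f"{work} hash computations")
```

Note that dave survives: a cracker only finds passwords that its wordlist and rules can generate, which is exactly why the next section spends time on dictionary files. The hash counter also shows the salt effect: the three unsalted accounts cost three hashes per candidate in total, while carol alone costs one more per candidate until she is found.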
Other password-cracking programs simply attempt to log on using a predefined
set of user IDs and passwords. In fact, NAT can do just that. NAT takes
advantage of some known weaknesses in Microsoft’s Server Message Block
(SMB) protocol, which is used for file and print sharing. Because every guess is
a real logon attempt, this kind of online attack is far slower than offline hash
cracking, shows up in the target’s security logs, and can trip account lockout.
Try running NAT in a real-world scenario. Simply download NAT from the preceding
address and extract it to a temporary directory on your hard drive.
NAT comes with some predefined usernames and passwords in the userlist.txt
and passlist.txt files, but you can modify them or add your own.
For a quick test of a Windows NT or 2000 machine across the network, enter this
basic NAT command at a command prompt:
NAT used the default password list to crack the administrator password in just a
few seconds. If you don’t have any luck, consider using one of the dictionary
files listed in the next section. Just give the test some time. If you use one of
the larger lists, the process may take quite a while.
Given enough time, passwords subjected to cracking tools eventually lose. You have
access to the same tools as the bad guys. These tools can be used for both
legitimate auditing and malicious attacks. You want to audit your passwords
before the bad guys do, and in this section, I show you some of my favorite
methods for auditing Windows and Linux/UNIX passwords.
When you try to crack passwords by guessing logons across the network (as NAT
does), the associated user accounts may be locked out, which could interrupt
your users; offline cracking of extracted hashes has no such side effect. Be
careful if you have intruder lockout enabled: check the lockout threshold and the
counter reset window first (on Windows NT/2000, net accounts at a command prompt
shows both), keep the number of guesses per account within one window below the
threshold, and be prepared to go back in and reenable locked accounts.
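The lockout caveat worked through as an added example in Python, not code from the book or from NAT. Given the lockout policy (on Windows, the threshold and observation window that net accounts reports), spray_schedule produces a password-spraying order (one password across every account, then the next) that never spends more than threshold minus one guesses on any account inside one window, and accounts_at_risk flags any order that would lock accounts, assuming the worst case that every guess fails. The account names, passwords, policy values and the one-second-per-attempt timing are constructed; the actual SMB logon attempt is left to the tool, this only decides order and timing.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

Attempt = Tuple[float, str, str]  # (seconds from start, account, password)


def spray_schedule(accounts: Sequence[str], passwords: Sequence[str],
                   lockout_threshold: int, window_seconds: float,
                   per_attempt_seconds: float = 1.0) -> List[Attempt]:
    """Order guesses so no account sees more than threshold-1 failures inside
    one observation window. Windows resets the bad-password counter
    window_seconds after the LAST failure, so each batch waits from its last
    attempt, not its first."""
    if lockout_threshold == 0:                  # 0 means lockout is disabled
        budget = max(1, len(passwords))
    elif lockout_threshold == 1:
        raise ValueError("threshold 1 leaves no safe budget: every failure locks the account")
    else:
        budget = lockout_threshold - 1
    schedule: List[Attempt] = []
    t = 0.0
    for start in range(0, len(passwords), budget):
        for pw in passwords[start:start + budget]:
            for acct in accounts:                # spray: one password across all accounts
                schedule.append((t, acct, pw))
                t += per_attempt_seconds
        if schedule and start + budget < len(passwords):
            # More batches to come: let every counter reset before continuing.
            t = schedule[-1][0] + window_seconds + per_attempt_seconds
    return schedule


def naive_schedule(accounts: Sequence[str], passwords: Sequence[str],
                   per_attempt_seconds: float = 1.0) -> List[Attempt]:
    """What a plain per-account brute force does: every password against one
    account back to back. Included only to exercise the lockout check."""
    schedule: List[Attempt] = []
    t = 0.0
    for acct in accounts:
        for pw in passwords:
            schedule.append((t, acct, pw))
            t += per_attempt_seconds
    return schedule


def accounts_at_risk(schedule: Sequence[Attempt], lockout_threshold: int,
                     window_seconds: float) -> List[str]:
    """Accounts that reach the failure threshold inside some window of
    window_seconds that starts at one of their own attempts."""
    if lockout_threshold == 0:
        return []
    times: Dict[str, List[float]] = defaultdict(list)
    for t, acct, _ in schedule:
        times[acct].append(t)
    at_risk = []
    for acct, ts in times.items():
        ts.sort()
        for i, t0 in enumerate(ts):
            in_window = sum(1 for t in ts[i:] if t <= t0 + window_seconds)
            if in_window >= lockout_threshold:
                at_risk.append(acct)
                break
    return sorted(at_risk)


# Constructed test data: three accounts, four guesses, and a policy of
# "lockout after 3 bad passwords, counter resets after 15 minutes".
ACCOUNTS = ["administrator", "jsmith", "intern"]
PASSWORDS = ["Password1", "Summer2004!", "Welcome1", "letmein"]
THRESHOLD, WINDOW = 3, 900.0


if __name__ == "__main__":
    for when, acct, pw in spray_schedule(ACCOUNTS, PASSWORDS, THRESHOLD, WINDOW):
        print(f"t={when:7.1f}s  {acct:14} {pw}")
    print("spray would lock:", accounts_at_risk(
        spray_schedule(ACCOUNTS, PASSWORDS, THRESHOLD, WINDOW), THRESHOLD, WINDOW))
    print("naive would lock:", accounts_at_risk(
        naive_schedule(ACCOUNTS, PASSWORDS), THRESHOLD, WINDOW))
```

With the constructed policy the spray takes two batches of two passwords and pauses just over fifteen minutes between them, so the run lasts about a quarter of an hour instead of twelve seconds; that pause is the price of not locking anyone out. Run the check against any guess list you hand to NAT or a similar tool before starting, and recheck it if the policy on the target changes.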