High-tech password cracking

High-tech password cracking involves using a program that tries to guess a password by working through all possible password combinations. These high-tech methods are mostly automated once you have access to the computer and its password database files.

Password cracking software

You can try to crack your organization's operating-system and Internet-application passwords with various password cracking tools:

  •  LC4 (previously called L0phtcrack) can sniff out password hashes from the wire. Go to www.atstake.com/research/lc

  •  NetBIOS Auditing Tool (NAT) specializes in network-based password attacks. Go to www.securityfocus.com/tools/543

  •  Chknull (www.phreak.org/archives/exploits/novell) for Novell NetWare password testing

  •  These tools require physical access to the tested computer:

     • John the Ripper (www.openwall.com/john)

     • pwdump2 (razor.bindview.com/tools/desc/pwdump2_readme.html)

     • Crack (coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack)

     • Brutus (www.hoobie.net/brutus)

     • Pandora (www.nmrc.org/project/pandora)

     • NTFSDOS Professional (www.winternals.com)

Various other handy password tools exist, such as

  • GetPass for decrypting login passwords for Cisco routers (www.

  • Win Sniffer for capturing FTP, e-mail, and other types of passwords off the network

  • Cain and Abel for capturing, cracking, and even calculating various types of passwords on a plethora of systems (www.oxid.it/


You may be wondering what value a password-cracking tool offers if you need physical access to your systems to test them. Some would say that if a hacker can obtain physical access to your systems and password files, you have more than just basic information-security problems to worry about. But this kind of access is entirely possible! What about a summer intern, a disgruntled employee, or an outside consultant with malicious intent?

Password-cracking utilities take a set of known passwords and run them through a password-hashing algorithm. The resulting hashes — or an encrypted form of a data set — are then compared at lightning speed to the password hashes extracted from the original password database. When a match is found between the newly generated hash and the hash in the original database, the password has been cracked. It's that simple.
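The hash-and-compare loop described above, written out as an added audit example (not code from the book or from any of the tools listed): it mangles a small wordlist, hashes each candidate, and matches against a constructed sample database. The hash function, salts, usernames and wordlist are all assumptions for illustration; a real audit must use the algorithm the target system actually uses. The work counter shows why unsalted hashes (as on older Windows systems) fall faster than salted ones.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

def mangle(words: Iterable[str]) -> List[str]:
    """Expand a wordlist with simple rules (as-is, Capitalised, UPPER, common suffixes)."""
    out: List[str] = []
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            out.append(base)
            out.extend(base + s for s in ("1", "123", "!"))
    return out

def hash_password(password: str, salt: str = "") -> str:
    """Stand-in for the target system's hash algorithm (assumption: salted
    SHA-256; a real audit must use the algorithm the system actually uses)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

def audit(db: Dict[str, Tuple[str, str]], words: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary audit. db maps user -> (salt, stored_hash); empty salt means
    unsalted. Returns ({user: recovered_password}, number of hash computations)."""
    cand = mangle(words)
    cracked: Dict[str, str] = {}
    work = 0
    # Unsalted accounts: hash every candidate once, then look up each stored hash.
    unsalted = {u: h for u, (s, h) in db.items() if s == ""}
    if unsalted:
        table = {hash_password(pw): pw for pw in cand}
        work += len(cand)
        for user, stored in unsalted.items():
            if stored in table:
                cracked[user] = table[stored]
    # Salted accounts: the salt forces a fresh hash per candidate per account.
    for user, (salt, stored) in db.items():
        if salt == "":
            continue
        for pw in cand:
            work += 1
            if hmac.compare_digest(hash_password(pw, salt), stored):
                cracked[user] = pw
                break
    return cracked, work

# Constructed sample database: hashes are generated here, not taken from any real system.
SAMPLE_DB = {
    "administrator": ("", hash_password("Password1")),            # unsalted, weak
    "bob": ("", hash_password("c0rr3ct-h0rse-b4ttery")),          # unsalted, not in list
    "carol": ("s4lt", hash_password("summer123", "s4lt")),        # salted, weak
}
WORDLIST = ["password", "summer", "letmein", "welcome"]
```

Calling `audit(SAMPLE_DB, WORDLIST)` recovers the two weak accounts and reports how many hashes it took; because this runs against extracted hashes rather than the live logon service, it never trips intruder lockout.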

Other password-cracking programs simply attempt to log on using a predefined set of user IDs and passwords. In fact, NAT can do just that. NAT takes advantage of some known weaknesses in Microsoft's Server Message Block (SMB) protocol, which is used for file and print sharing.

Try running NAT in a real-world scenario. Simply download NAT from the preceding address, and extract it to a temporary directory on your hard drive. NAT comes with some predefined usernames and passwords in the userlist.txt and passlist.txt files, but you can modify them or add your own.

For a quick test of a Windows NT or 2000 machine across the network, enter this basic NAT command at a command prompt:

Output from the NetBIOS Auditing Tool

NAT used the default password list to crack the administrator password in just a few seconds. If you don't have any luck, consider using one of the dictionary files listed in the next section. Just give the test some time. If you use one of the larger lists, the process may take quite a while.

Passwords that are subjected to cracking tools eventually lose. You have access to the same tools as the bad guys. These tools can be used for both legitimate auditing and malicious attacks. You want to audit your passwords before the bad guys do, and in this section, I show you some of my favorite methods for auditing Windows and Linux/UNIX passwords.

When trying to crack passwords, the associated user accounts may be locked out, which could interrupt your users. Be careful if you have intruder lockout enabled — you may have to go back in and reenable locked accounts.
