Long, random and frequently changed passwords can help keep your corporate resources secure. Short, guessable ones that never change can not. That’s why it’s important for network administrators to be able to audit the user passwords in use on their networks to ensure that they are hard to crack, regularly changed, and never re-used. One tool to help with that is L0phtcrack.
You may well be familiar with tools such as Ophcrack and John the Ripper, which allow administrators to see if a password on a given machine is easily crackable, but few have been designed to allow a network administrator to audit a large number of machines on a network automatically. Fortunately, L0phtcrack—a very old password auditing tool originally developed by a hacker collective and eventually bought by Symantec—is back on the market and addresses just that problem. Symantec withdrew the tool in 2005, but recently the company sold L0phtcrack back to the original developers, who have now released L0phtcrack 6 as a commercial product.
L0phtcrack attempts to crack LM and NTLM password hashes from Windows machines, MD5 and DES-encoded password files from UNIX/Linux machines, and LM and NTLM challenge responses from SMB authentication sessions.
To make it easy for administrators, L0phtcrack can retrieve these directly from other machines on the network. To do this, Linux machines must be running an SSH service and have an administrator-level auditing account set up, and Windows machines need to be running the appropriate L0phtcrack remote agent software (either 32-bit or 64-bit), which encrypts the hash data and sends it back to the system running L0phtcrack.
L0phtcrack can also accept hash files acquired in other ways: for example, SAM files copied from Windows machines that have been booted into an alternative operating system from a live CD, or acquired using a locally run utility like PWDump, or a remotely run utility like fgdump. This may be practical in small organizations, but it is unfeasible where hundreds or even thousands of machines need auditing. L0phtcrack can also audit passwords on the machine on which it is running.
Where the network topology is appropriate, L0phtcrack can also sniff network traffic to capture password hashes from SMB authentication sessions.
Audits can be started manually, or can be scheduled to take place on a regular basis. Once L0phtcrack is in possession of groups of password hashes, it subjects them to a number of attacks. After checking that the password is not the same as the username, it carries out:
Auditing passwords is only one small part of addressing password security: Remediating problems is also important.
“What we have done is tried to look at what network administrators would want to do if they discover that passwords are easily crackable or have been reused on many different machines,” says Chris Wysopal, one of the creators of L0phtcrack. Once a machine or a group of machines has been audited in L0phtcrack the administrator is presented with a report, and information including the security rating and age of various passwords. This enables the administrator to very quickly select groups of accounts such as those with weak passwords, ones with passwords that have not been changed within a certain time, or ones which L0phtcrack was able to crack quickly, and either disable those accounts or force the user to change the password at the next login.
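The audit check and the remediation workflow described above can be modelled as a small triage routine. The following is an added example written for this article, not L0phtcrack's own code or report format: it assumes a record layout (host, username, password age, NT hash, crack result) and policy thresholds (90 days, 60 seconds) that are invented here, applies the username-equals-password check, flags quickly cracked and stale passwords, detects reuse across machines by identical hash, and recommends "disable" or "force-change" for each account. The sample report is constructed; the hash strings are placeholders, not real hashes.

```python
"""Triage of a password-audit report (added example; record layout and thresholds are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy thresholds: assumed values, tune to the organization's password policy.
MAX_AGE_DAYS = 90          # older than this counts as "not changed within a certain time"
QUICK_CRACK_SECONDS = 60   # cracked within this many seconds counts as "cracked quickly"


@dataclass
class AuditRecord:
    host: str
    username: str
    password_age_days: int
    nt_hash: str                       # hex string; placeholder values in the sample below
    cracked: bool
    crack_seconds: Optional[float]     # None when the audit did not recover the password
    cracked_value: Optional[str]       # recovered cleartext, None when not cracked
    lm_hash_present: bool              # an LM hash is stored beside the NTLM hash


def classify(rec: AuditRecord) -> List[str]:
    """Return the list of findings for one account."""
    findings: List[str] = []
    # The first check the article describes: password identical to the username.
    if rec.cracked and rec.cracked_value is not None \
            and rec.cracked_value.lower() == rec.username.lower():
        findings.append("password-equals-username")
    if rec.cracked and rec.crack_seconds is not None and rec.crack_seconds <= QUICK_CRACK_SECONDS:
        findings.append("cracked-quickly")
    elif rec.cracked:
        findings.append("cracked")
    if rec.password_age_days > MAX_AGE_DAYS:
        findings.append("stale")
    if rec.lm_hash_present:
        findings.append("lm-hash-stored")
    return findings


def recommend(findings: List[str]) -> str:
    """Map findings to the two remediations the article mentions."""
    if "password-equals-username" in findings or "cracked-quickly" in findings:
        return "disable"
    if any(f in findings for f in ("cracked", "stale", "lm-hash-stored")):
        return "force-change"
    return "none"


def find_reuse(records: List[AuditRecord]) -> Dict[str, List[str]]:
    """Group accounts by identical NT hash: same hash means same password, even if uncracked."""
    seen: Dict[str, List[str]] = {}
    for r in records:
        seen.setdefault(r.nt_hash, []).append(f"{r.username}@{r.host}")
    return {h: locs for h, locs in seen.items() if len(locs) > 1}


def triage(records: List[AuditRecord]) -> List[Tuple[str, str, List[str], str]]:
    """Produce (host, username, findings, action) for every audited account."""
    return [(r.host, r.username, classify(r), recommend(classify(r))) for r in records]


# Constructed sample report; hashes are placeholder strings, not real values.
SAMPLE_REPORT = [
    AuditRecord("ws-01", "admin", 200, "0" * 32, True, 3.0, "admin", True),
    AuditRecord("ws-01", "jdoe", 30, "1" * 32, True, 3600.0, "Summer2019", False),
    AuditRecord("ws-02", "jdoe", 45, "1" * 32, True, 3600.0, "Summer2019", False),
    AuditRecord("srv-01", "svc_backup", 120, "2" * 32, False, None, None, False),
    AuditRecord("srv-01", "svc_sql", 10, "3" * 32, False, None, None, False),
]

if __name__ == "__main__":
    for host, user, findings, action in triage(SAMPLE_REPORT):
        print(f"{user}@{host}: {', '.join(findings) or 'ok'} -> {action}")
    for h, locs in find_reuse(SAMPLE_REPORT).items():
        print(f"reused hash {h[:8]}...: {', '.join(locs)}")
```

The reuse check deliberately compares hashes rather than recovered passwords, so shared credentials are surfaced even when the cracking step never succeeds.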
L0phtcrack is available in three versions: Pro, Administrator and Consultant. The Pro version is limited to 500 accounts and does not include rainbow table support. The Administrator version adds rainbow tables, audit scheduling, and support for an unlimited number of user accounts. The Consultant version also allows for unlimited client installations for one year. Pricing is currently $295 for the Pro version, $595 for the Administrator version, and $1195 for the Consultant version.
Is it worth it? The software is certainly fast, and much easier to use than a command line program like John the Ripper. It also provides far more cracking options than either John or Ophcrack, and its management functions (such as reporting and account disabling) could prove valuable in some organizations.
The main drawback for many potential buyers is that, like John and Ophcrack, the software comes from an unconventional group of coders rather than a large, established security company. But Wysopal insists that this should not put off potential purchasers. “L0phtcrack has been around for many years and has got a very good reputation. The fact that it comes from us and not Symantec should really not be a problem.”
Paul Rubens is a technology journalist specializing in enterprise networking, security, storage, and virtualization. He has worked for international publications including The Financial Times, BBC, and The Economist, and is now based near Oxford, U.K. When not writing about technology Paul can usually be found playing or restoring pinball machines.