Long, random and frequently changed passwords can help keep your corporate resources secure. Short, guessable ones that never change cannot. That’s why it’s important for network administrators to be able to audit the user passwords in use on their networks to ensure that they are hard to crack, regularly changed, and never re-used. One tool to help with that is L0phtcrack.
You may well be familiar with tools such as Ophcrack and John the Ripper, which allow administrators to see if a password on a given machine is easily crackable, but few have been designed to allow a network administrator to audit a large number of machines on a network automatically. Fortunately, L0phtcrack—a very old password auditing tool originally developed by a hacker collective and eventually bought by Symantec—is back on the market and addresses just that problem. Symantec withdrew the tool in 2005, but recently the company sold L0phtcrack back to the original developers, who have now released L0phtcrack 6 as a commercial product.
L0phtcrack attempts to crack LM and NTLM password hashes from Windows machines, MD5 and DES-encoded password files from UNIX/Linux machines, and LM and NTLM challenge responses from SMB authentication sessions.
To make it easy for administrators, L0phtcrack can get these directly from other machines on the network remotely. To do this, Linux machines must be running an SSH service and have an administrator level auditing account set up, and Windows machines need to be running the appropriate L0phtcrack remote agent software (either 32-bit or 64-bit) which encrypts the hash data and sends it back to the system running L0phtcrack.
L0phtcrack can also accept hash files acquired in other ways: for example, SAM files copied from Windows machines that have been booted into an alternative operating system from a live CD, or acquired using a locally run utility like PWDump, or a remotely run utility like fgdump. This may be practical in small organizations, but unfeasible where hundreds or even thousands of machines need auditing. It can also audit passwords on the machine on which it is running.
Where the network topology is appropriate, L0phtcrack can also sniff network traffic to capture password hashes from SMB authentication sessions.
Audits can be started manually, or can be scheduled to take place on a regular basis. Once L0phtcrack is in possession of groups of password hashes, it subjects them to a number of attacks. After checking that the password is not the same as the username, it carries out:
- Dictionary attack: a straightforward attack which goes through a word list to find a match. This is very quick and finds simple passwords such as “monkey” or “password”. L0phtcrack comes with a reasonable word list, but more comprehensive ones can also be used.
- Hybrid attack: This is a more sophisticated dictionary attack, carrying out common letter and symbol substitutions such as 3 for E and $ for S. It can also add symbols or numbers to either the beginning or end of words. This can be useful because many users who are told to make passwords using letters and numbers simply add a digit or two to the end of a guessable word. A hybrid attack would find passwords such as “pa$$word”, “h3lp” or “monkey1”.
- Pre-computed attack: this attack makes use of rainbow tables, or sets of pre-computed hashes, for a huge number of passwords. L0phtcrack comes with a utility for generating rainbow tables, which is a lengthy process, or you can download suitable tables from Free Rainbow Tables. Once you have the tables stored on your system, hashes can be looked up and, if they are present in the rainbow tables, each password can be recovered in a few minutes or seconds.
- Brute force attack: this tries every combination of various sets of characters methodically until a password is found. Passwords made up of letters and numbers could take about a day to crack, while more complex ones with special characters such as #, * and } could take months.
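As an added example (not L0phtcrack's own code), the following Python sketch runs the first three checks the article lists, the username comparison, a dictionary pass and a hybrid pass, over a constructed set of NT-style hashes; the substitution table, word list and account data are assumptions made up for the example.

```python
import hashlib
import itertools

def nt_hash(password: str) -> str:
    """NT hash is MD4 over the UTF-16LE password. MD4 is disabled in some
    OpenSSL builds, so fall back to SHA-256; the audit logic is unchanged."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).hexdigest()
    except ValueError:
        return hashlib.sha256(data).hexdigest()

# Substitutions the article names (3 for E, $ for S) plus common siblings (assumed).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

def hybrid_candidates(word: str):
    """Hybrid rules: any subset of leet substitutions, optional initial
    capital, optional one- or two-digit suffix appended to the word."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    variants = {"".join(v) for v in itertools.product(*options)}
    variants |= {v.capitalize() for v in list(variants)}
    for v in variants:
        yield v
        for n in range(100):
            yield f"{v}{n}"

def audit(accounts: dict, wordlist: list) -> dict:
    """Return username -> (finding, recovered plaintext or None)."""
    dictionary = {nt_hash(w): w for w in wordlist}
    hybrid = {nt_hash(c): c for w in wordlist for c in hybrid_candidates(w)}
    findings = {}
    for user, h in accounts.items():
        if h in (nt_hash(user), nt_hash(user.lower())):   # password == username
            findings[user] = ("username", user)
        elif h in dictionary:                              # plain word-list hit
            findings[user] = ("dictionary", dictionary[h])
        elif h in hybrid:                                  # mutated word-list hit
            findings[user] = ("hybrid", hybrid[h])
        else:
            findings[user] = ("not cracked", None)
    return findings

WORDLIST = ["monkey", "password", "help", "dragon"]  # constructed, deliberately tiny
ACCOUNTS = {  # constructed sample: username -> NT hash of the listed plaintext
    "alice": nt_hash("alice"), "bob": nt_hash("monkey"),
    "carol": nt_hash("pa$$word"), "dave": nt_hash("monkey1"),
    "erin": nt_hash("h3lp"), "frank": nt_hash("Tr0ub4dor&3"),
}
```

Calling `audit(ACCOUNTS, WORDLIST)` classifies every account by the cheapest check that recovered it, which is the grouping an administrator would use to pick accounts for remediation.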
Remediating Problem Passwords
Auditing passwords is only one small part of addressing password security: remediating problems is also important.
“What we have done is tried to look at what network administrators would want to do if they discover that passwords are easily crackable or have been reused on many different machines,” says Chris Wysopal, one of the creators of L0phtcrack. Once a machine or a group of machines has been audited in L0phtcrack the administrator is presented with a report, and information including the security rating and age of various passwords. This enables the administrator to very quickly select groups of accounts such as those with weak passwords, ones with passwords that have not been changed within a certain time, or ones which L0phtcrack was able to crack quickly, and either disable those accounts or force the user to change the password at the next login.
L0phtcrack is available in three versions: Pro, Administrator and Consultant. The Pro version is limited to 500 accounts, and does not include rainbow table support. The Administrator version adds rainbow tables and audit scheduling, and support for an unlimited number of user accounts. The Consultant version also allows for unlimited client installation for one year. Pricing is currently $295 for the Pro version, $595 for the Administrator version, and $1195 for the Consultant version.
Is it worth it? The software is certainly fast, and much easier to use than a command line program like John the Ripper. It also provides far more cracking options than either John or Ophcrack, and its management functions (such as reporting and account disabling) could prove valuable in some organizations.
The main drawback for many potential buyers is that, like John and Ophcrack, the software comes from an unconventional group of coders rather than a large, established security company. But Wysopal insists that that should not put off potential purchasers. “L0phtcrack has been around for many years and has got a very good reputation. The fact that it comes from us and not Symantec should really not be a problem.”