Password-Cracking Tools


Now that you have learned how password encryption works, it is time to examine the types of tools available to perform password cracking. Password crackers work by using one of three methods:

  • Dictionary attacks

  • Brute force attacks

  • Hybrid attacks

In a dictionary attack, a dictionary file is used, which contains all the possible passwords to try. You can download dictionary files off the Internet or create your own. Dictionary attacks are quick, and they are useful if you want to audit an organization to make sure it is not using common words as passwords.

Brute force attacks are the other extreme. Here, every possible combination is attempted. This type of attack takes the longest, but it eventually recovers the password.

Hybrid attacks are a combination of dictionary attacks and brute force attacks. With a hybrid attack, common dictionary words are combined with common numbers in an attempt to crack the password. Thus, passwords such as password123 and 123password are checked.

If you are hired to perform password cracking to audit password policy enforcement, you might use any one of the three techniques. If you want to check only to make sure that common words are not being used as passwords, dictionary attacks are sufficient.

If, on the other hand, you are being hired to perform password recovery, you might start with a dictionary attack and then move on to a brute force attack.
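As an added illustration (not code from the book or from any of the tools it covers), this Python script applies the three candidate-generation strategies to a single hash, cheapest first, the way an auditor would order them. MD5 stands in for the DES crypt() used by /etc/shadow, and the wordlist and affix list are constructed.

```python
import hashlib
import itertools
import string

# Constructed wordlist standing in for John's passwd.lst (not the real file).
WORDLIST = ["password", "mickey", "newuser", "foobar", "letmein"]


def md5_hex(text):
    # MD5 stands in for the DES crypt() hash stored in /etc/shadow.
    return hashlib.md5(text.encode()).hexdigest()


def dictionary_candidates(words):
    """Dictionary attack: each word as listed plus its obvious case variants."""
    for w in words:
        seen = []
        for v in (w, w.lower(), w.capitalize(), w.upper()):
            if v not in seen:
                seen.append(v)
                yield v


def hybrid_candidates(words, affixes=("1", "12", "123", "2005", "!")):
    """Hybrid attack: dictionary words with common numbers/symbols appended
    (password123) and prepended (123password)."""
    for w in dictionary_candidates(words):
        for a in affixes:
            yield w + a
            yield a + w


def brute_force_candidates(charset, max_len):
    """Brute force: every string over charset up to max_len, shortest first."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def audit(target_hash, words=WORDLIST, charset=string.digits, max_len=4):
    """Run the three methods cheapest-first against one hash.
    Returns (method, plaintext) on a hit, or None if every method fails.
    The brute-force space is kept tiny (digits, up to 4 chars) on purpose."""
    methods = (
        ("dictionary", dictionary_candidates(words)),
        ("hybrid", hybrid_candidates(words)),
        ("brute", brute_force_candidates(charset, max_len)),
    )
    for name, candidates in methods:
        for cand in candidates:
            if md5_hex(cand) == target_hash:
                return name, cand
    return None


if __name__ == "__main__":
    for pw in ("Mickey", "password123", "4321", "zzzzzzzz"):
        print(pw, "->", audit(md5_hex(pw)))
```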

Another alternative is to use rainbow tables. Rainbow tables apply a time-memory trade-off technique: hashes are computed ahead of time and stored, so that when you crack passwords you compare the captured hash values against the stored ones instead of computing each candidate again. Rainbow tables store common hash combinations, which can save time when you are cracking passwords.

John the Ripper

John the Ripper (http://www.openwall.com/john) is a popular password cracker available on both Windows and UNIX platforms. The example in this section runs John the Ripper from a Linux command line and cracks the Linux /etc/shadow password file.

To begin with, execute the program to see what options you have available, as demonstrated in Example 9-1.

Example 9-1. Executing John the Ripper from Linux
linux:/usr/bin/john-1.6/run # ./john
John the Ripper Version 1.6 Copyright 1996-98 by Solar Designer
Usage: ./john [OPTIONS] [PASSWORD-FILES]
-single                   "single crack" mode
-wordfile:FILE -stdin     wordlist mode, read words from FILE or stdin
-rules                    enable rules for wordlist mode
-incremental[:MODE]       incremental mode [using section MODE]
-external:MODE            external mode or word filter
-stdout[:LENGTH]          no cracking, just write words to stdout
-restore[:FILE]           restore an interrupted session [from FILE]
-session:FILE             set session file name to FILE
-status[:FILE]            print status of a session [from FILE]
-makechars:FILE           make a charset, FILE will be overwritten
-show                     show cracked passwords
-test                     perform a benchmark
-users:[-]LOGIN|UID[,..]  load this (these) user(s) only
-groups:[-]GID[,..]       load users of this (these) group(s) only
-shells:[-]SHELL[,..]     load users with this (these) shell(s) only
-salts:[-]COUNT           load salts with at least COUNT passwords only
-format:NAME              force ciphertext format NAME (DES/BSDI/MD5/BF/AFS/LM)
-savemem:LEVEL            enable memory saving, at LEVEL 1..3

Although several options are available, the easiest is to copy your password files to a new file. Linux password files are encrypted in the /etc/shadow file. You need to "unshadow" these files so that John the Ripper can read them. You can accomplish this with the unshadow program included with John the Ripper. The following command unshadows the password files /etc/passwd and /etc/shadow and copies the results into passwd.1.

unshadow /etc/passwd /etc/shadow > passwd.1

Next, run John the Ripper. By default, John uses the passwd.lst file as a dictionary file for its attack, as demonstrated in Example 9-2. You can edit this file or create your own password file.

Example 9-2. Running John the Ripper
linux:/usr/bin/john-1.6/run # ./john passwd.1
Loaded 6 passwords with 6 different salts (Standard DES [24/32 4K])
newuser          (user2)
foobar           (user4)
123456           (user3)
Mickey           (user1)
guesses: 4  time: 0:00:00:02 (3)  c/s: 135389  trying: sampida - chillier

Example 9-2 shows that passwords for four of the users on this host have been cracked. As a penetration tester, you should create a table of all passwords that you were able to crack, as done in Table 9-1.

Table 9-1. Cracked Passwords

User     Password
-------  --------
User1    Mickey
User2    Newuser
User3    123456
User4    Foobar


You can view the cracked passwords by adding the show option in the command line, as done in Example 9-3.

Example 9-3. Displaying the Cracked Passwords with John the Ripper
linux:/usr/bin/john-1.6/run # ./john -show passwd.1
user1:Mickey:502:100::/home/user1:/bin/bash
user2:newuser:503:100::/home/user2:/bin/bash
user3:123456:504:100::/home/user3:/bin/bash
user4:foobar:505:100::/home/user4:/bin/bash

4 passwords cracked, 2 left

If at any point you want to view the original encrypted password and the cracked password, you can look at the john.pot file, as demonstrated in Example 9-4.

Example 9-4. Displaying the Original Encrypted Password and the Cracked Password with John the Ripper
linux:/usr/bin/john-1.6/run # cat ./john.pot
VYvDtYmDSCOPc:newuser
G54NKwmDHXwRM:foobar
t5zO9hJzkv7ZA:123456
Ae.SZDrP7fCPk:Mickey
linux:/usr/bin/john-1.6/run #

Password Lists

Most dictionary files that come with programs are limited. You should try to get a more complete dictionary file or create your own. You can find a good source of dictionary files at http://packetstormsecurity.org/Crackers/wordlists/.


Pwdump3

You can also run John the Ripper on a Windows machine and crack Windows passwords. However, to do this, you must first run a tool that extracts the Windows password hashes for you because they are locked in the SAM file. Pwdump3 (ftp://samba.anu.edu.au/pub/samba/pwdump3/) is a free Windows utility that extracts the password hashes from a Windows computer and stores them in a file of your choosing. You need an account on the computer with access to the \\computer\admin$ share. The syntax for the command is as follows:

PWDUMP3 machineName [outputFile] [userName]

Example 9-5 accesses a computer named A152B with the andrew account and outputs the passwords to a file called passwd.1.

Example 9-5. Cracking Windows Passwords
C:\tools\pwdump3>pwdump3 A152B passwd.1 andrew
pwdump3 by Phil Staubs, e-business technology
Copyright 2001 e-business technology, Inc.

This program is free software based on pwpump2 by Tony Sabin under the GNU
General Public License Version 2 (GNU GPL), you can redistribute it and/or
modify it under the terms of the GNU GPL, as published by the Free Software
Foundation. NO WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS PROGRAM.
Please see the COPYING file included with this program (also available at
www.ebiz-tech.com/pwdump3) and the GNU GPL for further details.

Please enter the password >***************
Completed.

C:\tools\pwdump3>dir passwd.1
 Volume in drive C has no label.
 Volume Serial Number is 8496-8025

 Directory of C:\tools\pwdump3

02/02/2005  01:59 PM               859 passwd.1
               1 File(s)            859 bytes
               0 Dir(s)   3,143,385,088 bytes free

As demonstrated in Example 9-6, now you can run John the Ripper against the new passwd.1 file that you just created.

Example 9-6. Cracking Windows Passwords
C:\tools\john-16w\john-16\run>john c:\tools\pwdump3\passwd.1
Loaded 10 passwords with no different salts (NT LM DES [24/32 4K])
COMPUTE          (user1:1)
R                (user1:2)

Notice the way the password for user1 is broken down into two parts. This is the LANMAN password hashing, which only allows up to seven characters at a time. Because LANMAN password hashing converts all passwords to uppercase, John the Ripper presents all passwords in uppercase format.

Using the show switch, you can see the cracked password for user1, as demonstrated in Example 9-7.

Example 9-7. Displaying Cracked Windows Passwords
C:\tools\john-16w\john-16\run>john -show c:\tools\pwdump3\passwd.1
user1:COMPUTER:1009:2B2AC2D1C7C8FDA6CEA80B5FAD7563AA:::

The password of user1 is computer.

L0phtcrack

If command-line functionality is not your thing, you can use L0phtcrack, a GUI-based Windows tool for cracking Windows passwords. L0phtcrack is probably the most well-known Windows cracking tool in the market. It is developed by @Stake, Inc. (http://www.atstake.com), which was acquired by Symantec Corporation (http://www.symantec.com) in October 2004. With L0phtcrack, you can do the following:

  • Crack passwords on your local machine

  • Crack passwords from a remote machine

  • Crack passwords by using an NT 4.0 ERD

  • Crack passwords by sniffing the LAN

L0phtcrack performs dictionary attacks, hybrid attacks, and brute force attacks. It even scores your passwords for level of difficulty, which is helpful when you are writing a penetration testing report.

Upon starting L0phtcrack, you are presented with the screen in Figure 9-5.

Figure 9-5. L0phtcrack Wizard


From this screen, you choose what type of password cracking you want to perform. If you have physical access to the server, you should choose Retrieve from the local machine. If you do not, choose Retrieve from a remote machine. Note that in both cases, you need administrator privileges.

Only use the third option, Retrieve from NT 4.0 emergency repair disk, if you are attempting to crack passwords on NT 4.0 servers.

The final option, Retrieve by sniffing the local network, is useful in penetration testing. Here, you sniff the network and wait until someone sends a password across the wire. When someone does, L0phtcrack intercepts the password hash and attempts to crack it. Because malicious hackers do not have administrative access to servers, this is a technique they use to crack passwords. The drawback to such a method is the time it takes; you have to wait until someone sends a password across the network. Also, you must be able to sniff the network. In a switched environment, sniffing the network is difficult without the use of port mirroring. (Cisco calls this SPAN, or Switched Port Analyzer).

If you want to simply assess the strength of a company's passwords, you will most likely be granted administrator access. That way, you can choose one of the first two options.

On the next screen (shown in Figure 9-6), choose the type of password cracking you want to do. The best option is to use the Strong Password Audit option. This performs dictionary, hybrid, and brute force attacks against your passwords.

Figure 9-6. L0phtcrack: Choosing an Auditing Method


Another alternative is to choose the last option, Custom. As shown in Figure 9-7, this option enables you to choose what type of attack you want to do. Under the Perform a 'brute force attack' on the passwords option, you should select the character set alphabet + numbers + all symbols. This gives you the most thorough attack option, but it also takes the longest to run.

Figure 9-7. L0phtcrack Custom Attack


Next, you are prompted with the screen shown in Figure 9-8. Select all options to provide the most thorough results.

Figure 9-8. L0phtcrack Pick Reporting Style Dialog Box


Following the Pick Reporting Style dialog box, you are presented with the screen shown in Figure 9-9.

Figure 9-9. L0phtcrack Import Dialog Box


From the Import dialog box, you can choose whether you want to import your passwords from a local or remote machine, or if from a file, what type of password file you are importing from. Options include the following:

  • A SAM file

  • An LC4 file (from a previous version of L0phtcrack)

  • A PWDUMP file (as discussed earlier under the section "Pwdump3")

  • A UNIX /etc/shadow file

For this example, select Remote machine and click Add. This pops up the screen shown in Figure 9-10, where you enter the name and operating system of the remote server and then click OK.

Figure 9-10. L0phtcrack Add Machine to Remote Import Dialog Box


As shown in Figure 9-11, you include the account name, password, and domain name to access the remote server. The account must have administrative access to the server.

Figure 9-11. L0phtcrack Credentials Dialog Box


At this point, L0phtcrack begins its attempt to crack passwords. It begins by attempting a dictionary attack, followed by a hybrid attack, and then a brute force attack. Figure 9-12 shows an example of L0phtcrack at work. Note that this screen shows you the account names, current decrypted passwords, and LAN Manager hash. L0phtcrack has highlighted two accounts backup and Guest that currently do not have a password.

Figure 9-12. L0phtcrack Results Screen


As discussed earlier, LAN Manager hashes take your password and break it into two seven-character halves. The password is padded to a total of 14 characters. If the password is seven characters or less, the second seven characters are always all zeros. When you run this through the hashing algorithm, you get a value of 0xAAD3B435B51404EE. Several passwords are less than eight characters, as shown in Figure 9-13.

Figure 9-13. Short Passwords


As a penetration tester, you are responsible for assessing the strength of company passwords. Passwords like these that are less than eight characters are weak because you never have to worry about cracking the second set of seven characters. L0phtcrack also has a feature of grading your passwords. This feature is not turned on by default, so you have to enable it to view the password scores.
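The LM weaknesses just described (the seven-character split seen in Example 9-6 and the fixed 0xAAD3B435B51404EE second half) can be checked straight from a pwdump file without cracking anything. The following Python script is an added example, not code from the book or from any tool it covers; the dump it parses is constructed, and the only real values in it are the well-known LM hash of an all-zero half and the NT hash of an empty password.

```python
import re

# LM hash of seven NUL bytes: it is the second half whenever the password is
# 7 characters or fewer, and both halves when no LM hash is stored at all.
EMPTY_LM_HALF = "AAD3B435B51404EE"
# NT hash of the empty string (well-known constant, not taken from the book).
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed pwdump-style dump (user:RID:LM hash:NT hash:::).  Apart from the
# two constants above, every hash value here is illustrative filler.
SAMPLE_DUMP = """\
user1:1009:2B2AC2D1C7C8FDA6AAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
user2:1010:CEA80B5FAD7563AA2B2AC2D1C7C8FDA6:FEDCBA9876543210FEDCBA9876543210:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
backup:1011:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
svc_sql:1012:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):")

FINDINGS = {
    "blank":    "no password at all: disable the account or force a change",
    "lm_short": "LM hash with empty second half: password is 7 characters or fewer",
    "lm_long":  "LM hash stored: 8-14 characters, cracked as two 7-character halves",
    "nt_only":  "no LM hash stored (NT hash only): not subject to LM splitting",
}


def classify(lm_hash, nt_hash):
    """Classify one account from its LM and NT hashes, without cracking."""
    lm, nt = lm_hash.upper(), nt_hash.upper()
    if lm == EMPTY_LM_HALF * 2:
        # Both halves empty: either a blank password or LM simply not stored
        # (password longer than 14 characters, or LM storage disabled).
        return "blank" if nt == EMPTY_NT_HASH else "nt_only"
    if lm[16:] == EMPTY_LM_HALF:
        return "lm_short"
    return "lm_long"


def audit_pwdump(text):
    """Map each user in a pwdump-format dump to its classification."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            user, _rid, lm, nt = m.groups()
            results[user] = classify(lm, nt)
    return results


def report(text):
    """Human-readable findings, weakest accounts first."""
    order = ("blank", "lm_short", "lm_long", "nt_only")
    classified = audit_pwdump(text)
    return [f"{user}: {FINDINGS[cls]}"
            for cls in order for user, c in classified.items() if c == cls]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMP)))
```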

To view password scores, go to the View menu and choose Select Visible Columns. (See Figure 9-14.)

Figure 9-14. L0phtcrack: View > Select Visible Columns


Next, select the last option entitled Password Score as shown in Figure 9-15.

Figure 9-15. L0phtcrack Select Columns Dialog Box


Now when you return to the Results screen, you can see how L0phtcrack has assessed your passwords. This is useful information to put in a penetration testing report. Most managers do not care to know about the details of LAN Manager hashes; they just want to know how weak their passwords are. This feature provides that information. Figure 9-16 shows the score that L0phtcrack has assigned to these passwords.

Figure 9-16. L0phtcrack Password Scoring


If you want a more visual representation of what L0phtcrack was able to accomplish, you can click on the Report tab from the screen in Figure 9-16. It shows you the following:

  • Password risk status

  • Password character sets

  • Password audit method

  • Password length distribution

Figure 9-17 shows an example of a graphical password report.

Figure 9-17. L0phtcrack Password Report


One of the drawbacks of L0phtcrack is its lack of printing functionality. In its current version, you cannot print this report. Still, you can use this report as a reference when creating your penetration testing analysis report.

Another nice feature is the L0phtcrack capability to respond to weak passwords. You not only can detect weak passwords, but you can respond to fix them. Your options include the following:

  • Disabling accounts

  • Forcing a password change for that account

Both options require the use of an account with administrator access. You can access these options under the Remediate window. (See Figure 9-18.)

Figure 9-18. L0phtcrack Remediate Options


L0phtcrack is a powerful tool with many options. It should be included in every penetration tester's toolbox.

Nutcracker

Linux and other UNIX variants use salts in their password encryption process to make the passwords harder to crack. Do not let that fool you into thinking that password cracking is slower on UNIX platforms. You can still perform fast dictionary attacks against the /etc/shadow file.

Probably the fastest UNIX/Linux password cracker is Nutcracker, made by Ryan Rhea. You can download Nutcracker at the following site:

http://www.antiserver.it/Password-Crackers/

Because Nutcracker is a dictionary-cracking program, it requires the use of a dictionary file. A sample dictionary file is included with the program that contains about 2400 dictionary words, but you should build your own. Running Nutcracker is easy. Simply execute the program with the name of your password file (typically /etc/shadow) followed by the name of the dictionary file, as demonstrated in Example 9-8. The name of the file included with Nutcracker is words.

Example 9-8. Running Nutcracker
linux:/usr/bin/nutcrack.1.0 # ./nutcrack /etc/shadow words
Nutcracker version 1.0
Copyright 2000 by Ryan T. Rhea
got dict file: words
got passwd file: /etc/shadow
cracking...
user name        status           password
---------------- ---------------  ----------------
at               unable to crack  X
bin              disabled         -
daemon           disabled         -
ftp              disabled         -
games            disabled         -
lp               disabled         -
mail             disabled         -
man              disabled         -
news             disabled         -
nobody           disabled         -
ntp              unable to crack  X
postfix          unable to crack  X
root             unable to crack  X
sshd             unable to crack  X
uucp             disabled         -
wwwrun           disabled         -
andrew           unable to crack  X
admin            unable to crack  X
user1            CRACKED          Mickey
user2            CRACKED          newuser
user3            CRACKED          123456
user4            CRACKED          foobar
linux:/usr/bin/nutcrack.1.0 #

Notice that several of the passwords were not cracked. That means that their passwords were not found in the included dictionary file. Note that user1, user2, user3, and user4 were cracked because their passwords were found in the included dictionary file.

If you want to send the result to a file, redirect the output to a file of your choosing. As an example, you can send the results to a file called results.txt:

linux:/usr/bin/nutcrack.1.0 # ./nutcrack /etc/shadow words > results.txt

You can view the results in a text editor.

Hypnopædia

Hypnopædia is a Windows-based POP3 password cracker that is easy and fast to use. It only does dictionary attacks, so you need a dictionary file. The example in this section uses the one that came with John the Ripper.

To begin, enter the name of your password file, the mail server, and the username that you want to crack, as illustrated in Figure 9-19.

Figure 9-19. Hypnopædia Screen


Press the Crack button. Then sit back and wait for the password to be cracked.

In Figure 9-20, you see that the password is 1n5rn66.

Figure 9-20. Hypnopædia Success


Snadboy Revelation

Many applications give you the option to save your password. This is risky, because anyone who has access to your computer can automatically log into that application without having to authenticate. What makes it more risky is that people often reuse passwords, which means that if someone can discover the password to an application that saves your password, he can potentially log into other applications that use the same password.

Revelation (http://www.snadboy.com/) is a tool that retrieves a password even if it is masked. This is often the case with stored passwords. The passwords are covered up with Xs or *s in an attempt to keep the password secret. Revelation can show the hidden password, as illustrated in Figure 9-21.

Figure 9-21. Snadboy Revelation


This application is using a username of andrew and a password of 1r66nbg. Even though the password is masked with Xs, Revelation reveals the password. Because people often reuse passwords, you could try this password on other applications that this user has access to, such as e-mail or accounting software.

Boson GetPass

Thus far, the chapter has been addressing passwords on UNIX and Windows systems. Other hosts on a network also have passwords, which, if breached, can be detrimental to network operation. Specifically, Cisco routers contain passwords that malicious hackers can crack and gain access to. To assess the likelihood of a successful malicious attack, a penetration tester must also attempt to crack the password.

Before delving into how to crack a Cisco password, you need to understand how Cisco passwords work.

Cisco has two modes of operation:

  • User exec mode: User exec mode is like the lobby of a hotel; you can look inside, but you cannot do anything. In user exec mode, you can view the status of your interfaces and your routing table and perform other information-gathering tasks. You cannot, however, perform configuration.

  • Privileged exec mode: Privileged exec mode is like having a master key to all the hotel rooms. After you gain access to privileged exec mode, you have full configuration access to the router. You can include a password when you move from user exec to privileged exec mode. It is this password that you should be concerned about protecting.

You can provide a password to enter into privileged exec mode in two ways:

  • clear-text enable password

  • enable secret

Suppose that you choose a password containing letters and special characters: vB*hq0. You enter this clear-text enable password with the following command:

Router(config)#enable password vB*hq0

This password is shown when the configuration is viewed. Configurations are often stored offline, and anyone who gains access to view the configuration can see this password. To provide some protection of this password, you can use the enable secret password instead. You can do this through the following command:

Router(config)#enable secret vB*hq0

When the configuration is shown, the password is encrypted with a type 5 password:

enable secret 5 1401304104157A

Now anyone who views this password in an offline configuration file cannot decipher the password. That is, of course, unless that person has a tool such as Boson GetPass!, found at http://www.boson.com/promo/utilities/getpass/getpass_utility.htm.

GetPass! is a simple tool in which you enter any password encrypted with the service password-encryption command. Figure 9-22 shows the GetPass! utility.

Figure 9-22. Boson GetPass!


This goes to show how crucial it is that all offline configuration files are kept in a secure place. If not, anyone with a tool such as Boson GetPass! could retrieve your passwords and log onto your routers.
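Keeping offline configurations secure is one half of the defence; the other is making sure the configurations do not contain credentials that are recoverable in the first place. The following Python script is an added example (not code from the book or from Boson) that reviews an IOS configuration file and flags each stored credential by its storage type. It assumes the standard IOS type numbering as documented by Cisco (0 clear text, 7 reversible, 4/5 hashed, 8/9 strong), which the passage does not spell out, and the configuration it parses is constructed with placeholder hash strings.

```python
import re

# IOS password storage types, ranked from a defender's point of view
# (assumption based on Cisco documentation, not on the book).
TYPE_INFO = {
    "0": ("clear text", "high"),
    "7": ("service password-encryption, reversible encoding", "high"),
    "4": ("unsalted SHA-256 (deprecated)", "medium"),
    "5": ("salted MD5 hash", "medium"),
    "8": ("PBKDF2-SHA256", "low"),
    "9": ("scrypt", "low"),
}

# Matches "enable password|secret", "username X [privilege N] password|secret"
# and a bare "password" under a line (vty/con) configuration block.
CRED_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?\s+|(?P<enable>enable)\s+)?"
    r"(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

# Constructed configuration; the $...PLACEHOLDER...$ strings stand in for real
# hashes and the type 7 strings are illustrative filler, not decodable values.
SAMPLE_CONFIG = """\
hostname R1
enable password vB*hq0
username backup password 7 0822455D0A16
username ops privilege 15 secret 5 $1$PLAC$EHOLDERPLACEHOLDERPLAC
username noc secret 9 $9$PLACEHOLDER$PLACEHOLDERPLACEHOLDER
line vty 0 4
 password 7 104D000A0618
 login
"""


def audit_config(text):
    """Return (scope, keyword, type, description, risk) per credential line."""
    findings, scope = [], "global"
    for line in text.splitlines():
        if line and not line[0].isspace():            # top-level command
            scope = line.strip() if line.startswith("line ") else "global"
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"                # no type digit: clear text
        desc, risk = TYPE_INFO.get(ptype, ("unrecognised type", "medium"))
        if m.group("enable") and m.group("kw") == "password":
            # "enable password" is shown in the configuration; the book's
            # advice is to use "enable secret" instead.
            desc, risk = "enable password rather than enable secret; " + desc, "high"
        who = m.group("user") or m.group("enable") or scope
        findings.append((who, m.group("kw"), ptype, desc, risk))
    return findings


def needs_attention(findings):
    """Scopes whose credentials a tool like GetPass! recovers immediately."""
    return [who for who, _kw, _t, _d, risk in findings if risk == "high"]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("%-14s %-8s type %s  %-6s %s" % (f[0], f[1], f[2], f[4], f[3]))
```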

RainbowCrack

RainbowCrack, available at http://www.antsight.com/zsl/rainbowcrack, is a password cracker that uses the time-memory trade-off technique to speed up the process of password cracking. RainbowCrack uses rainbow tables, which are precomputed plaintext and hashes. By taking the time to create these tables in advance, you can save time cracking passwords later.

RainbowCrack comes with the following utilities:

  • rtgen.exe

  • rtsort.exe

  • rcrack.exe

To begin, use the Rainbow Table Generator (rtgen.exe) utility to generate your rainbow tables. The Rainbow Table Generator takes several parameters, as listed in Table 9-2.

Table 9-2. Rainbow Table Generator Parameters

Parameter              Value
---------------------  -----------------------------------------------------------
Hash_algorithm         lm (LANMAN), md5, sha1
Plain_charset          alpha, alphanumeric, alphanumeric-symbol14, all, numeric,
                       loweralpha, lower-alphanumeric (see Note)
Plaintext_length_min   1-7; minimum plaintext length
Plaintext_length_max   1-7; maximum plaintext length
Rainbow_table_index    Index number
Rainbow_chain_length   Length of individual chains within the table
Rainbow_chain_count    Number of chains in the table
File_title_suffix      String to add to the end of the file title


Note

These are defined in the file charset.txt. Modify this file to create your own character sets.


Unless you are skilled in cryptanalysis and the time-memory trade-off technique, you should stick with the recommended values to create your tables. Example 9-9 demonstrates how to create a 128-MB rainbow table.

Example 9-9. Creating a 128-MB Rainbow Table
C:\rainbowcrack-1.2-win>rtgen lm alpha 1 7 0 2100 8000000 all
hash routine: lm
hash length: 8
plain charset: ABCDEFGHIJKLMNOPQRSTUVWXYZ
plain charset in hex: 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a
plain length range: 1 - 7
plain charset name: alpha
plain space total: 8353082582
rainbow table index: 0
reduce offset: 0
generating...
100000 of 8000000 rainbow chains generated (8 m 5 s)
done.

Creating your rainbow table might take several hours. After you finish generating a rainbow table, you will find a file named lm_alpha#1-7_0_2100x8000000_all.rt in the current directory.

The next step is to use the Rainbow Table Sorting Utility (rtsort.exe), which speeds up the search of your rainbow table. The syntax of this command is simple; just execute the command followed by the name of the rainbow table you created:

C:\rainbowcrack-1.2-win>rtsort lm_alpha#1-7_0_2100x8000000_all.rt

This command might take several minutes to complete.

Finally, use the Rainbow Crack (rcrack.exe) utility to crack the hashes. For Windows password cracking, you need to extract the hashes from the SAM database. You can use the Pwdump utility from BindView (http://www.bindview.com/Services/razor/Utilities/Windows/pwdump2_readme.cfm) to extract these hashes. The following syntax extracts your hashes into a file called hashes.txt:

C:\rainbowcrack-1.2-win>pwdump2.exe > hashes.txt

Now that you have your hashes, you can attempt to crack them with the rcrack.exe utility and your sorted rainbow tables using the following command:

C:\rainbowcrack-1.2-win>rcrack lm_alpha#1-7_0_2100x8000000_all.rt -f hashes.txt

Although it does take longer to initially create your rainbow tables, after it is done, the process of cracking passwords is quicker. What would normally take hours takes only seconds with precomputed rainbow tables.
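To make the rtgen/rtsort/rcrack cycle concrete (and the time-memory trade-off introduced at the start of this section), here is a miniature rainbow table implemented from scratch in Python. It is an added example, not RainbowCrack's code: MD5 stands in for LM, plaintexts are three lowercase letters, and the chain count and length are small enough to run in about a second. The parameter names follow Table 9-2; the reduction function and the way start points are spread are choices made for this example.

```python
import hashlib
from bisect import bisect_left

# Table parameters, named after rtgen's (Table 9-2), kept tiny on purpose.
CHARSET = "abcdefghijklmnopqrstuvwxyz"        # plain_charset "loweralpha"
PLAIN_LEN = 3                                 # plaintext_length_min = max = 3
SPACE = len(CHARSET) ** PLAIN_LEN             # 17576 possible plaintexts


def h(plain):
    """Hash routine: MD5 (rtgen's md5 option); LM would need DES."""
    return hashlib.md5(plain.encode()).digest()


def index_to_plain(n):
    """Map an integer in [0, SPACE) to a fixed-length plaintext over CHARSET."""
    out = []
    for _ in range(PLAIN_LEN):
        out.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(out)


def reduce_(digest, step, table_index=0):
    """Reduction function: fold a hash back into the plaintext space.
    Mixing in the column number (step) is what makes this a rainbow table
    rather than a classic Hellman table; rainbow_table_index lets several
    tables cover different chains of the same space."""
    n = int.from_bytes(digest[:8], "little") + step + table_index * 65536
    return index_to_plain(n % SPACE)


def generate_table(chain_count, chain_len, table_index=0):
    """rtgen: walk chain_count chains of chain_len hash/reduce steps, keeping
    only (endpoint, startpoint); then rtsort: sort by endpoint."""
    chains = []
    for i in range(chain_count):
        start = index_to_plain(i * 7919 % SPACE)   # spread the start points
        p = start
        for step in range(chain_len):
            p = reduce_(h(p), step, table_index)
        chains.append((p, start))
    chains.sort()
    return chains


def lookup(table, target, chain_len, table_index=0):
    """rcrack: recover the plaintext of target from a sorted table, or None.
    For each column j, assume target sits there, run the chain on to its
    endpoint and binary-search the endpoints; on a hit, replay that chain
    from its start point to find the plaintext or rule out a false alarm
    (endpoint matches, but the chain never actually contained target)."""
    ends = [end for end, _ in table]
    for j in range(chain_len - 1, -1, -1):
        p = reduce_(target, j, table_index)
        for k in range(j + 1, chain_len):
            p = reduce_(h(p), k, table_index)
        i = bisect_left(ends, p)
        while i < len(table) and table[i][0] == p:
            q = table[i][1]
            for step in range(chain_len):
                if h(q) == target:
                    return q
                q = reduce_(h(q), step, table_index)
            i += 1
    return None


def covered_plaintexts(table, chain_len, table_index=0):
    """Every plaintext some chain passes through.  Chain merges keep this well
    below chain_count * chain_len, which is why rtgen wants large chain counts
    and several table indexes for a usable success rate."""
    seen = set()
    for _, start in table:
        q = start
        for step in range(chain_len):
            seen.add(q)
            q = reduce_(h(q), step, table_index)
    return seen


if __name__ == "__main__":
    table = generate_table(chain_count=200, chain_len=50)
    print("coverage:", len(covered_plaintexts(table, 50)), "of", SPACE)
    print("h('abc') ->", lookup(table, h("abc"), 50))
```

The same table answers any number of hashes, which is the trade-off the section describes: the generation cost is paid once, each lookup afterwards costs at most a few thousand hash operations.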

Password Crackers

Countless password crackers are available. You can find a great resource of available tools at http://www.antiserver.it/Password-Crackers/. Be sure to try out the tools in this chapter and download others off this web site. Test the tools for yourself to see which ones you prefer.




    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209
