Testing Password Security

   

Testing the security of a password is a simple exercise: just see if you can guess it. The only difficulty is that if you're guessing, and you're guessing randomly, you're just as likely to guess any one string as another, and just as likely (or unlikely) to guess any given password, no matter whether it's a dictionary word or a completely random string. With one guess, then, it's difficult (impossible, actually) to produce any statistic regarding whether a password is secure or not. To usefully test a password's security, you've got to try the sort of guessing that a cracker might apply, and see whether the password succumbs.

OK, so testing passwords is easy to describe, but not so easy to implement from the keyboard. Trying seven million billion combinations by hand isn't practical. Even trying enough to check against likely dictionary words and personally significant data, such as phone numbers and birth dates, isn't something that any sane person would spend time on manually. Crackers download their software to break into your system from helpful sites around the Internet, so why not use their own tools to see whether they're going to be successful?

Because any password is guessable, and will eventually fall to a sufficiently devoted attack, it's useless to question whether a password can be cracked. Instead you need to ask how long it's likely to take a cracker to guess it. Unfortunately, because many people pick similar passwords (poor ones), and because crackers know this, they can focus their attempts into a very small region of the password space and be relatively certain of guessing at least some passwords on almost any system. Fortunately, knowing this, you can level the playing field a bit. If you test your passwords to see whether they will easily fall to the techniques of a cracker going after poor passwords, and then eliminate those that do, the average cracker won't be able to crack your passwords easily, and may well go on to bother someone else instead. Of course, if they're dedicated to the task of breaking your passwords, it's certain that they can succeed, and likely that they will succeed eventually. Your only real security lies in making certain, by using their tools, that breaking your password takes a long time, and then in changing your passwords frequently enough that it's unlikely that they've been guessed.

CAUTION

One caution while considering increasing your system security by checking the strength of your passwords: If you're not specifically empowered to check that facet of your system's security, make very sure you have permission before taking this approach. Randal Schwartz, Internet-famous co-author of The Perl Programming Language and author of Learning Perl, found out the hard way that employers quite often have neither any idea of what computer system administration and security actually entail, nor any sense of reasonable behavior or level of response to a perceived error. In 1993, while he was working for Intel, he attempted to increase system security by requiring users to use strong passwords. To do this, he checked the password strength on Intel machines he was administrating by running a commonly available password cracking package named Crack. To be sure, Randal made some mistakes in how he went about this, and in how he presented himself regarding the experiments he was running, but as thanks for doing his job, Intel managed to get him indicted on three felony counts, sentenced to time in jail and community service, and required to pay thousands of dollars of restitution (http://www.swiss.ai.mit.edu/6805/articles/computer-crime/schwartz-matrix-news.txt).

Make no mistake: this sucks. System administrators are called upon to maintain security, and then often blamed when their security precautions fail, usually because they've yielded to a user who has begged for leniency on some policy issue. Management, however, rarely knows what maintaining security entails, and will turn on you in an instant if the suits and the government think that you'd make a good example if they crucify you. The only way to protect yourself from this is to help set policy when you can, including legal policy at the government level. As a system administrator, the rights you enjoy will be only those that you're willing to fight alongside other system administrators to maintain.

Dumping Your Password File

Fortunately for you, the designers of the standard Unix login procedure were smart enough to design the process so that it takes a long time to check each login attempt. This makes attacking your passwords from remote systems impractical (but not impossible). To avoid this impediment, crackers will try to get a copy of your passwords off your system and onto one where they can throw as much processor power at it as is available. Usually this requires them to have some access to your system already, but this is a matter of careful system design. There have been poorly thought-out systems that allowed random visitors from the Internet to download their password files through their Web servers.

Unfortunately, if crackers have access to your system and want to steal other passwords, it's usually not too difficult to get at your stored passwords. The NetInfo system will typically be happy to give a listing in exactly the format that a cracker needs to run through a password cracking program:

    % nidump passwd .
    nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
    root:NDdqVoM4ttK4o:0:0::0:0:System Administrator:/var/root:/bin/tcsh
    daemon:*:1:1::0:0:System Services:/var/root:/dev/null
    unknown:*:99:99::0:0:Unknown User:/dev/null:/dev/null
    smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/dev/null
    www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
    mysql:*:74:74::0:0:MySQL Server:/dev/null:/dev/null
    sshd:*:75:75::0:0:sshd Privilege separation:/var/empty:/dev/null
    ray:8qC3acDsl1xFQ:501:20::0:0:Will Ray:/Volumes/Wills_Data/ray:/bin/tcsh
    software:xwNc7eG6/lR4.:503:100::0:0:Skuld:/Users/software:/bin/tcsh
    skel:AtCAqzHurP27A:5002:99::0:0:skeleton account:/Users/skel:/bin/tcsh
    jim:NFf1oqq0ePYTk:505:99::0:0:Jim Emrick:/Users/jim:/bin/tcsh
    james:apqpjRMfGyA3U:600:70::0:0:Sweet Baby James:/Users/james:/bin/tcsh
    bar:OOHAcg8QniCS.:5003:20::0:0:foo:/Users/bar:/bin/tcsh

One of the recommended protections against this is to chmod 700 your nidump command. Normal users don't typically have a need to look at your NetInfo database, anyway. This change does put perhaps the slightest of impediments in the way of a malicious individual who's after your passwords, but making this permission change is no more than a rumble strip on the information highway to anyone intent on getting to this data, and should not be taken as a serious protective measure. niutil lists individual users' entries from the NetInfo database. The NetInfo Manager GUI interface in Applications/Utilities also provides access to this information. Trying to block access by setting each possible interface so that it can't be used by normal users is the most naive variety of stupidity in implementing security. It's an altogether too-frequently used method, but that doesn't make it any less a practice of idiocy. If the source of the data is not protected from the users, the data is not protected. In the case of the system passwords, all that a user would need to do is install her own copy of a utility such as nidump, and she'd again have complete access. If she didn't have convenient access to a copy of OS X from which she could grab another copy, she could always download something like Malevolence (http://www.securemac.com/file-library/Malevolence.sit, or http://www.msec.net/), and use it to read the password information instead.

Because the NetInfo database is so fundamentally integrated into the OS X user experience, completely blocking access to this resource is not a solution that's likely to be practical. The result is that so long as there are users who can log in to your machine, you should assume that they can access your encrypted passwords.
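Before any of that dump goes anywhere near a cracker, it is worth knowing which records in it actually matter. The following is an added example, not code from this book: it parses the ten-field BSD passwd records that nidump prints (and the classic seven-field form), and reports which accounts expose a crackable hash, which are locked, which have an empty password field, and which unlocked accounts carry UID 0. The sample input is constructed from a subset of the listing above plus two extra lines (an empty-password account and a malformed line) added to exercise the edge cases.

```python
"""Audit a passwd-format dump before (or instead of) handing it to a cracker."""
from typing import NamedTuple

# Constructed sample: five records from the chapter's nidump listing, plus a
# constructed empty-password account and a constructed malformed line.
SAMPLE_DUMP = """\
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:NDdqVoM4ttK4o:0:0::0:0:System Administrator:/var/root:/bin/tcsh
www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
ray:8qC3acDsl1xFQ:501:20::0:0:Will Ray:/Volumes/Wills_Data/ray:/bin/tcsh
skel:AtCAqzHurP27A:5002:99::0:0:skeleton account:/Users/skel:/bin/tcsh
guest::5010:99::0:0:constructed empty-password account:/Users/guest:/bin/tcsh
this line is constructed garbage with no fields at all
"""


class Account(NamedTuple):
    name: str
    password: str   # the raw password field of the record, usually a hash
    uid: int
    shell: str

    @property
    def state(self) -> str:
        if self.password == "":
            return "empty"        # login succeeds with no password at all
        if self.password[0] in "*!":
            return "locked"       # no crypt() output can match, nothing to crack
        if len(self.password) == 13:
            return "des-hash"     # traditional crypt(3): 2 salt + 11 hash characters
        return "other-hash"


def parse_passwd(text: str) -> list[Account]:
    """Accept 7-field (classic) or 10-field (BSD/NetInfo) records; skip anything else."""
    accounts = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) not in (7, 10):
            continue   # malformed record; a real audit should log and count these
        accounts.append(Account(fields[0], fields[1], int(fields[2]), fields[-1]))
    return accounts


def audit(text: str) -> dict[str, list[str]]:
    """Group account names by what an auditor has to act on."""
    findings: dict[str, list[str]] = {
        "crackable": [], "empty_password": [], "locked": [], "uid0_unlocked": [],
    }
    for acct in parse_passwd(text):
        state = acct.state
        if state == "empty":
            findings["empty_password"].append(acct.name)
        elif state == "locked":
            findings["locked"].append(acct.name)
        else:
            findings["crackable"].append(acct.name)
        if acct.uid == 0 and state != "locked":
            findings["uid0_unlocked"].append(acct.name)
    return findings


def john_input(text: str) -> str:
    """Only the records with something to crack, so locked system accounts
    and malformed lines never reach the cracker's input file."""
    keep = set(audit(text)["crackable"])
    lines = [line for line in text.splitlines() if line.split(":")[0] in keep]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for category, names in audit(SAMPLE_DUMP).items():
        print(f"{category:15s} {', '.join(names) or '-'}")
```

An empty password field is the finding to fix first: it is not a weak hash but the absence of one, and no amount of cracking time is needed to exploit it.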

Cracking the Passwords: John the Ripper

After a cracker has access to your password file, the next thing he needs is some software with which to run a large number of potential guesses against the encrypted passwords contained in it.

Over the years a number of password-cracking tools have been designed, with the primary differences being the evolution of more efficient versions of the encryption algorithms used. In one form or another, they all make sequential guesses at the encrypted passwords. Some use dictionaries of likely password words (such as dictionaries of the English language). Others use any personal information that can be gleaned about the users from readable material in their accounts. Some can be configured to make essentially random guesses at the password, modified by a collection of rules derived from real passwords regarding letter frequency patterns and other statistical measures based on observed usage. Yet others take the completely brute-force approach of trying every possible string as a guess until they manage to find a match.

Although a variety of tools are available to crack passwords today, one of the most powerful and configurable is John the Ripper, available from http://www.openwall.com/john/. John is a combined dictionary- and rules-based brute-force cracker, and one of the fastest to use against normal password files.

To demonstrate the facility with which passwords can be guessed, we've added a user with a relatively poor password to the user list. User Ralph has the password asdzxc. This isn't a dictionary word, but it's all lower case, so if a cracker is going at the easy passwords first, it's likely to fall quickly. Running John the Ripper on the password file results in output similar to the following:

    % /usr/local/john/john passwords
    Loaded 8 passwords with 8 different salts (Traditional DES [32/32 BS])
    guesses: 0  time: 0:00:11:39 (3)  c/s: 46859  trying: cobwsy - cobwhy
    guesses: 0  time: 0:00:17:21 (3)  c/s: 39483  trying: speamble - speamcre
    guesses: 0  time: 0:00:23:49 (3)  c/s: 36787  trying: dmv479 - dmv412
    guesses: 0  time: 0:00:40:21 (3)  c/s: 31506  trying: snke91 - snkean
    guesses: 0  time: 0:00:57:18 (3)  c/s: 29473  trying: tttcy5 - tttc99
    guesses: 0  time: 0:01:55:29 (3)  c/s: 26610  trying: Maiko5 - Maik.s
    guesses: 0  time: 0:04:08:44 (3)  c/s: 25018  trying: g1by26 - g1byst
    guesses: 0  time: 0:20:00:13 (3)  c/s: 37012  trying: cu87co - cu87d4
    guesses: 0  time: 0:21:56:54 (3)  c/s: 38124  trying: coondprs - coondpon
    guesses: 0  time: 0:22:16:03 (3)  c/s: 37996  trying: drotty39 - drottyph
    guesses: 0  time: 0:23:18:05 (3)  c/s: 37148  trying: Rjry6d - Rjryca
    guesses: 0  time: 1:00:20:07 (3)  c/s: 36877  trying: tspaniqV - tspanete
    guesses: 0  time: 1:01:53:19 (3)  c/s: 37101  trying: Bfrbrer - BfrbriS
    asdzxc           (ralph)
    guesses: 1  time: 2:20:26:11 (3)  c/s: 28608  trying: coy202x - coy269y
    guesses: 1  time: 3:19:04:38 (3)  c/s: 27282  trying: STohlso - STohl15
    guesses: 1  time: 4:02:17:18 (3)  c/s: 26991  trying: logbma5 - logbmic
    guesses: 1  time: 4:23:14:38 (3)  c/s: 26389  trying: JA2c03 - JA2cED
    guesses: 1  time: 5:17:59:33 (3)  c/s: 26000  trying: romfjook - romfjoy5
    guesses: 1  time: 5:17:59:34 (3)  c/s: 26000  trying: romfdra1 - romfdrd9
    guesses: 1  time: 6:06:42:54 (3)  c/s: 25781  trying: btmphfg - btmpbI1
    guesses: 1  time: 6:19:22:28 (3)  c/s: 25579  trying: hintgns1 - hintgnnl
    guesses: 1  time: 6:19:22:52 (3)  c/s: 25579  trying: hinsube_ - hinsubly
    Session aborted
    % /usr/local/john/john -show passwords
    ralph:asdzxc:5005:32::0:0:ralph:/Users/guests/ralph:/etc/ftponly
    1 password cracked, 7 left

While running on a file of passwords, hitting the space bar will give you a brief status message from John, so in this output we've hit the space bar several times over the course of a few days to see how John's doing at cracking the 8-line password file. John managed to guess Ralph's password somewhere between 1 day, 1 hour out and 2 days, 20 hours out, and after 6 days and almost 20 hours total, had not managed to guess any of our more complex passwords.
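When an audit like this runs for days, you end up reading those status lines by eye. The following is an added example, not code from the book or from John itself, that turns the status lines and the -show output into numbers you can act on: it converts John's D:HH:MM:SS timestamps to seconds, brackets the first successful guess between the last zero-guess status line and the first non-zero one (which is all the coarse sampling above lets you say), and extracts usernames from the -show output without carrying the recovered plaintext into the report. It assumes the 1.6-era output format shown above; the sample lines are a constructed subset of that output.

```python
"""Parse John the Ripper status lines and -show output into a progress report."""
import re
from typing import NamedTuple, Optional

# guesses: N  time: D:HH:MM:SS (PASS)  c/s: RATE  trying: A - B
# Wordlist runs print a percentage ("100%") where the incremental run prints "(3)".
STATUS_RE = re.compile(
    r"guesses:\s*(?P<guesses>\d+)\s+"
    r"time:\s*(?P<d>\d+):(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)\s+"
    r"(?:\((?P<pass_no>\d+)\)|(?P<pct>\d+)%)\s+"
    r"c/s:\s*(?P<cps>\d+)\s+trying:\s*(?P<candidates>.+?)\s*$"
)
SUMMARY_RE = re.compile(r"(?P<cracked>\d+) passwords? cracked, (?P<left>\d+) left")

# Constructed sample: a subset of the status lines from the chapter's run.
SAMPLE_STATUS = """\
Loaded 8 passwords with 8 different salts (Traditional DES [32/32 BS])
guesses: 0  time: 0:00:11:39 (3)  c/s: 46859  trying: cobwsy - cobwhy
guesses: 0  time: 1:01:53:19 (3)  c/s: 37101  trying: Bfrbrer - BfrbriS
asdzxc           (ralph)
guesses: 1  time: 2:20:26:11 (3)  c/s: 28608  trying: coy202x - coy269y
guesses: 1  time: 6:19:22:52 (3)  c/s: 25579  trying: hinsube_ - hinsubly
Session aborted
"""
# Constructed sample: the -show output from the same run.
SAMPLE_SHOW = """\
ralph:asdzxc:5005:32::0:0:ralph:/Users/guests/ralph:/etc/ftponly
1 password cracked, 7 left
"""


class Status(NamedTuple):
    guesses: int
    elapsed_s: int   # D:HH:MM:SS converted to seconds of run time
    cps: int         # crypts per second as John reported it
    progress: str    # "(3)" pass marker, or "100%" for a wordlist run


def parse_status(line: str) -> Optional[Status]:
    """Parse one status line; return None for every other kind of line."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    elapsed = ((int(m["d"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
    progress = f"{m['pct']}%" if m["pct"] is not None else f"({m['pass_no']})"
    return Status(int(m["guesses"]), elapsed, int(m["cps"]), progress)


def crack_window(text: str) -> Optional[tuple[int, int]]:
    """(last elapsed seconds with zero guesses, first elapsed seconds with a guess)."""
    statuses = [s for s in map(parse_status, text.splitlines()) if s is not None]
    before = [s.elapsed_s for s in statuses if s.guesses == 0]
    after = [s.elapsed_s for s in statuses if s.guesses > 0]
    if not before or not after:
        return None
    return max(before), min(after)


def parse_show(text: str) -> tuple[list[str], Optional[tuple[int, int]]]:
    """Usernames with cracked passwords, plus the (cracked, left) summary.
    Only the names are kept: the notification or audit log never needs the plaintext."""
    users: list[str] = []
    summary = None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary = (int(m["cracked"]), int(m["left"]))
        elif line.count(":") >= 6:          # passwd-style record
            users.append(line.split(":", 1)[0])
    return users, summary


if __name__ == "__main__":
    lo, hi = crack_window(SAMPLE_STATUS)
    print(f"first crack between {lo / 3600:.1f} h and {hi / 3600:.1f} h of run time")
    users, (cracked, left) = parse_show(SAMPLE_SHOW)
    print(f"users to notify: {users}; {cracked} cracked, {left} left")
```

Run against the full output above, crack_window() gives the same "between 1 day, 1 hour and 2 days, 20 hours" bracket as the text; sampling the status more often (John also prints it on SIGHUP) tightens that window.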

To demonstrate how much more quickly dictionary word-based passwords can be guessed, we added Ralph's password to the end of a 234,937 word dictionary. In processing this dictionary John can be configured to use only the words in it directly, or to do things such as adding numbers after the words, capitalizing them, trying l33t-speak-like transmutations (the letter-shape/phonetic transformation code that "elite crackers" and warez-dudes (script kiddies and their ilk) converse in), and making other variations on the words in the list. When run using this dictionary against our password database, the results return much more quickly.

    % /usr/local/john/john -w:/usr/share/dict/words passwords
    Loaded 8 passwords with 8 different salts (Traditional DES [32/32 BS])
    asdzxc           (ralph)
    guesses: 1  time: 0:00:01:17 100%  c/s: 18019  trying: Zyryan - asdzxc

One minute, 17 seconds to crack Ralph's password. Of course, Ralph's password was in the dictionary with no variations in capitalization or other modifications, so let's see how quickly the guessing goes when it needs to check word variants as well. John the Ripper's -rules option enables checking variants based on common password patterns.

    % /usr/local/john/john -w:/usr/share/dict/words -rules passwords
    Loaded 8 passwords with 8 different salts (Traditional DES [32/32 BS])
    asdzxc           (ralph)
    guesses: 1  time: 0:00:21:05 100%  c/s: 24973  trying: Zymining - Asdzxcin

The time has gone up to slightly over 21 minutes, but this is still a much shorter time than the period within which you'd probably like to change your password.
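The lesson of the two wordlist runs is that a password derived from a dictionary word by capitalizing it or appending a digit is not much stronger than the word itself. The cheapest place to apply that lesson is at the moment a password is chosen, before it ever reaches the password file. The following is an added example, not code from the book or from John: it undoes the kinds of mangling John's -rules option applies (case changes, appended digits and symbols, l33t substitutions, reversal), looks the base forms up in a wordlist, and adds a keyspace estimate for passwords that are not dictionary-derived but are drawn from a small character pool, like asdzxc. WORDLIST is a constructed stand-in for /usr/share/dict/words and ASSUMED_CPS is an assumed guess rate in the range of the c/s figures in the runs above; both are assumptions, not values from the book.

```python
"""Reject a candidate password that a wordlist-plus-rules run would find quickly."""
import re

WORDLIST = {"password", "letmein", "dragon", "asdzxc", "welcome", "summer"}  # constructed
ASSUMED_CPS = 25_000   # assumed guesses/second, in the range of the chapter's c/s figures

# Common letter-to-digit/symbol substitutions, mapped back to the letters.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                        "@": "a", "$": "s"})
# Up to six trailing digits/symbols, the usual "word + year + !" decoration.
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]{1,6}$")


def base_forms(candidate: str) -> set[str]:
    """Every base word the candidate could have been produced from by a simple rule."""
    lowered = candidate.lower()
    stripped = TRAILING_JUNK.sub("", lowered)        # 'asdzxc1!' -> 'asdzxc'
    unprefixed = stripped.lstrip("!@#$%^&*._-")      # '!summer'  -> 'summer'
    forms: set[str] = set()
    for form in (lowered, stripped, unprefixed):
        forms.add(form)
        forms.add(form.translate(UNLEET))            # 'p4ssw0rd' -> 'password'
        forms.add(form[::-1])                        # rules also try reversal
    return {f for f in forms if f}


def charset_size(pw: str) -> int:
    """Size of the smallest printable-ASCII pool that covers every character used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33                                   # remaining printable ASCII
    return size


def brute_force_seconds(pw: str, cps: int = ASSUMED_CPS) -> float:
    """Upper bound: time to enumerate the whole pool^length space at cps guesses/s.
    A cracker finds the password after half of that space on average."""
    return charset_size(pw) ** len(pw) / cps


def weakness_reasons(candidate: str, wordlist=WORDLIST, min_len: int = 8,
                     max_hours: int = 24 * 30, cps: int = ASSUMED_CPS) -> list[str]:
    """Empty list means the candidate survives all three checks."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    hits = base_forms(candidate) & wordlist
    if hits:
        reasons.append(f"derived from wordlist entry {sorted(hits)[0]!r}")
    if brute_force_seconds(candidate, cps) < max_hours * 3600:
        reasons.append(f"{charset_size(candidate)}^{len(candidate)} keyspace "
                       f"exhaustible in under {max_hours} hours at {cps} c/s")
    return reasons


if __name__ == "__main__":
    for pw in ("asdzxc", "Asdzxc1!", "P@$$w0rd2024", "correct-horse-battery-staple"):
        print(f"{pw:30s} {weakness_reasons(pw) or ['ok']}")
```

The keyspace bound is deliberately generous to the attacker: it assumes the cracker tries nothing but the password's own character classes, which is what John's incremental mode effectively does for the easiest passwords first. Raise ASSUMED_CPS to match the hardware you expect an attacker to have, not the machine the check runs on.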

John has quite a number of options that we don't have the room to demonstrate here, including the ability to use other password encryption schemes than the normal one used in Unix, making it a very flexible program for password guessing in many applications. The command-line options are shown in Table 5.1.

Table 5.1. The Command-Line Options for John the Ripper

-external[:<mode>]
    Enables an external mode, using external functions defined in the [List.External:MODE] section of ~/john.ini.

-format:<name>
    Forces ciphertext format <name>. Allows you to override the ciphertext format detection. Currently, valid format names are DES, BSDI, MD5, BF, AFS, and LM. You can use this option when cracking or with -test. Note that John can't crack password files with different ciphertext formats at the same time.

-groups:[-]<gid>[,..]
    Loads the specified group(s) only. A dash before the list can be used to invert the check.

-incremental[:<mode>]
    Enables the incremental mode, using the specified ~/john.ini definition (section [Incremental:MODE], or [Incremental:All] by default).

-makechars:<file>
    Makes a charset, overwriting <file>. Generates a charset file, based on character frequencies from ~/john.pot, for use with the incremental mode. The entire ~/john.pot is used for the charset file unless you specify some password files. You can also use an external filter() routine with this option.

-restore[:<file>]
    Continues an interrupted cracking session, reading point information from the specified file (~/restore by default).

-rules
    Enables rules for wordlist mode.

-salts:[-]<count>
    Sets a password per salt limit. This feature sometimes enables you to achieve better performance. For example, you can crack only some salts by using -salts:2 faster, and then crack the rest using -salts:-2. Total cracking time will be about the same, but you will get some passwords cracked earlier.

-savemem:<level>
    Enables memory saving, at <level> 1..3. You might need this option if you don't have enough memory, or don't want John to affect other processes too much. Level 1 tells John not to waste memory on login names, so you won't see them while cracking. Higher levels have a performance impact: you should probably avoid using them unless John doesn't work or gets into swap otherwise.

-session:<file>
    Sets session filename to <file>. Allows you to specify another point information file's name to use for this cracking session. This is useful for running multiple instances of John in parallel, or just to be able to recover an older session later, rather than always continuing the latest one.

-shells:[-]<shell>[,..]
    Loads the specified shell(s) only. This option is useful to load accounts with a valid shell only, or not to load accounts with a bad shell. You can omit the path before a shell name.

-show <password_file>
    Shows the cracked passwords in a convenient form. You should also specify the password files. You can use this option while another John is cracking, to see what it did so far.

-single
    Enables the single crack mode, using rules from the [List.Rules:Single] section of ~/john.ini.

-status:[<file>]
    Prints status of an interrupted or running session. To get up-to-date status information for a detached running session, send that copy of John a SIGHUP before using this option.

-stdin
    Reads words from stdin to use as wordlist.

-stdout[:<length>]
    No cracking; writes words to stdout.

-test
    Benchmarks all the enabled ciphertext format crackers, and tests them for correct operation at the same time.

-users:[-]<login|uid>[,..]
    Loads specified user(s) only. Allows you to filter a few accounts for cracking and so on. A dash before the list can be used to invert the check (that is, loads all the users that aren't listed).

-wordfile:<wordlist>
    Uses the specified word list for wordlist mode.

John the Ripper also includes a number of utility programs that work with it to put data into it, get data out of it, or otherwise massage or act upon your input and output. Table 5.2 lists these additional utilities. (Note that unafs, unique, and unshadow are actually links to the John program itself.)

Table 5.2. Utilities in the John the Ripper Suite

unshadow <password-file> <shadow-file>
    Combines the passwd and shadow files (when you already have access to both) for use with John. You might need this because if you used only your shadow file, the GECOS information wouldn't be used by the single crack mode, and also you wouldn't be able to use the -shells option. You'll usually want to redirect the output of unshadow to a file.

unafs <database-file> <cell-name>
    Gets password hashes out of the binary AFS database, and produces a file usable by John (again, you should redirect the output yourself).

unique <output-file>
    Removes duplicates from a wordlist (read from stdin), without changing the order. You might want to use this with John's -stdout option, if you have a lot of disk space to trade for the reduced cracking time.

mailer <password-file>
    A shell script to send mail to all the users who have weak passwords. You should edit the message inside before using it.

Cracking Nonsystem Passwords

Security for your computing environment doesn't stop at using a reasonably strong password for your login prompt. Other computers that yours interacts with, and systems that you and your computer's users use, are likely to require passwords as well. If you're like most people, there's a very high probability that you or your users have used the same password you've used for your system login on another, less secure system, with fewer safeguards to protect it from crackers. For example, in a moment of lax thinking, you might have chosen to use your login password to also password-protect a FileMaker Pro database, which you subsequently have given to other people. Now, they don't need to get into your system to get a copy of your encrypted password and crack it; with the appropriate software, they can directly attack the password in your FileMaker document, and from it, learn your system password. Table 5.3 lists a number of password-cracking programs for a range of nonsystem passwords, as well as some that can be used for system passwords. Be careful when using any of the applications that these programs can crack, and understand that almost any other application might be on this list in the next edition of this book. Disclosing your password by leaking it through reuse in a weak, crackable application would be embarrassing.

Table 5.3. Password-Cracking Programs for Nonsystem Passwords

Cracking Software

Description

55hb.sh

An SSH account brute-force auditing tool.

accp.exe

Recovers lost passwords on MS Access 97 mdb files.

aimpw.zip

AOL Instant Messenger decoder.

aimr2.zip

Aim Recover 2.0 decrypts AIM passwords when they are stored locally. Can also import Buddy Lists.

alpr.zip

Advanced Lotus Password Recovery recovers lost or forgotten passwords created in IBM/Lotus applications (all versions): Organizer, Word Pro, 1-2-3, and Approach. Passwords are recovered instantly; multilingual passwords are supported.

ao20pr_p.zip

Recovers lost passwords for Microsoft Word, Excel, Access, PowerPoint 97, Project, Money, Outlook, Backup, Schedule+, Mail, IE 3,4, and 5, Visio 4 and 5, and others.

apc.c

Another Password Cracker is designed to brute-force Unix passwords with a standard dictionary-based attack.

apoc-crack.c

Simple brute-force Unix password cracker. Tries all combinations of every printable 7-bit ASCII character.

apoc-crack.pl

Simple brute-force Unix password cracker. Tries all combinations of every printable 7-bit ASCII character.

archpr.zip

Advanced Archive Password Recovery can be used to recover lost or forgotten passwords to ZIP (PKZip, WinZip), ARJ/WinARJ, RAR/WinRAR, and ACE/WinACE archives.

asmcrk256.zip

ASMCrack is a Unix password security tool. It supports five cracking modes.

authforce-0.9.6.tar

Brute-force HTTP authentication cracker.

azpr244.zip

Advanced Zip Password Recovery supports PKZip 1.0 through modern WinZip, all compression methods . Can work with a single file; self-extracting archives are supported. Includes a number of brute-force options.

b4b0-cr4g.c

Password cracker.

bios

Various BIOS crackers.

brutesh.sh

Brute-force Linux-PAM password cracker.

Brutus-aet2.zip

Obtains the usernames/passwords through a simple dictionary attack.

brutus.pl

Tries to break in remotely using password brute-forcing for Telnet, FTP, and POP3 protocols.

cain10b.zip

A GUI multithreaded application that can be used to recover various passwords on Windows 95/98.

CLT_Beta.zip

Coherent Light Bruteforce Toolkit contains IRCrack, a tool that connects directly to an IRC server and uses a word list to brute-force a channel key, and Boomcrack, a brute-force FTP account cracker.

crack5.0.tar.gz

Unix password cracker.

CrackerNcftp.c

Decrypts the safe passwords of NcFtp.

crypto.zip

Text file that explains how to decrypt Windows 9x passwords that are stored in the Registry.

cssetup.zip

Cisco scanner for Windows, which scans a range of IP addresses for Cisco routers that haven't changed their password from the default value of Cisco .

cuteftp -012000.txt

Exploits the weak encryption scheme utilized in CuteFTP.

dad.txt

Default password list, last updated July 10, 2000. Contains more than 820 passwords, including default passwords for BIOSes, network devices, appliances, applications, Unix, VMS, HP2000/3000, OS/400, CMS, PBX systems, Windows NT, Novell, Oracle, and many more.

defaultpasswords.txt

List of default passwords for many network switches and devices. Last updated July 7, 2000.

dehash-sawmill.c

Exploit script for the Sawmill File Access and Weak Encryption vulnerability.

dhb.zip

Tool that tries to guess Lotus Domino HTTP passwords.

Dicgen.zip

Dictionary file creator (DOS).

Disengage

Tool for decrypting passwords.

dkbf-0.1.1b.tar.gz

Distributed, Keyboard, Brute-Force program, for Linux clusters. Attacks Windows NT Lanman and NT hashes by using the Message Passing Interface (MPI) to distribute the L0phtCrack program.

dumprazorpassword.c

Exploit script for the Visible Systems Razar Password File vulnerability.

ecrack-0.1.tgz

IRC (bot) brute-force password cracker.

eggh.tgz

Password cracker for eggdrop ( blowfish ) passwords; uses a word list.

enbabler.c

Attempts to find the enable password on a Cisco system via brute force.

entryle.zip

EliteSys Entry v2.05 is a remote brute-force security auditing utility, designed to crack passwords for FTP, HTTP, and POP3 protocols.

e-pwdcache.zip

Program that weeds out all the cahsed passwords, such as domain, mail, MAPI, Windows network, dial-ups, ie-passwords, and so on, on local Windows 95/98 machines.

fcrackzip-0.2.1.tar

Brute-force Zip cracker.

fhb-1.2.2.tar.gz

FTP brute-forcer.

force.exe

Brute-force Hotmail hints cracker. Requires FSProgressiveDL.ocx .

forcesql.zip

A SQL Server password auditing tool that runs brute force and dictionary attacks to guess passwords.

fpw.tgz

Password cracker similar to Crack.

ftp_crack.tar.gz

FTP_crack.pl brute-forces FTP servers.

gammalnk.zip

Front end for Gammaprog.

gammaprog-config.tgz

Config files for Gammaprog.

gammaprog.tgz

Gammaprog, a brute-force password cracker for Web-based email addresses (hotmail.com, usa.net, and yahoo.com) and regular POP3 email accounts. Requires JRE.

gh-plus.c

Script that exploits PowerScripts PlusMail password vulnerability.

hintcrack.zip

Tool to crack Hotmail hints through a dictionary attack.

HotmailHack.zip

Attempts to brute-force Hotmail accounts from a dictionary file.

hv-pop3crack.pl

Perl script that executes dictionary file-based brute-force attacks on POP3 account passwords.

hypno.zip

Hypnopaedia, a brute-force POP3 password cracker that uses a dictionary file. With GUI, for Windows.

icadecrypt.c.txt

Cracks the weak hash encryption on stored Citrix ICA passwords.

icqrinfo-1.1.zip

A Windows program that reads information, including the password, out of ICQ.DAT (versions 99a and 99b).

jcon.zip

JCon is a security and brute-force password breaking tool. It can scan ports, FTP daemons, and mailer daemons and check for CGI vulnerabilities.

john-1.6.32-dev.tar.gz

John the Ripper, a very fast password cracker that is available for Unix, DOS, Win32, and BeOS.

k2vl017.zip

Password cracker for Windows.

kaufcrk.pl

Perl script that decrypts passwords found in the Kaufman Mail Warrior accounts file (MW35_Accounts.ini).

lc3setup.exe

An NT password auditing tool that computes NT user passwords from the cryptographic hashes that are stored by the NT operating system.

LC4

Latest version of L0phtCrack. Password auditing and recovery application for Windows.

lcrack-1.0.1.tar.gz

Lepton crack, a password cracker that works on Cygwin and Linux and cracks MD4 hashes, MD5 hashes, NTLM, and HTTP password hashes from Domino R4.

LDAP_Brute.pl

An OpenLDAP brute-force auditing application that brute-forces Manager passwords.

libcodict-0.4.tar.gz

User-friendly dictionary C API that eases dictionary handling for the development of open source security audit tools.

lincrack.c

Flexible, easy-to-use password cracker for Linux/Unix that uses a dictionary file.

lodowep-src-1.2.1.zip

Tool for analyzing password strength of user accounts on a Lotus Domino Web server system by using dictionary attacks.

MacPork1.5b.sit

A CGI scanner for the Macintosh that scans for 130 vulnerabilities and can use 45 of them to retrieve a password file.

Malevolence2.0.sit

An exploit that allows users to view an unshadowed version of the password file on Mac OS X.

mdcrack-0.6.tar.gz

A brute-forcer for MD5 hashes, which is capable of breaking up to 6-character passwords within hours, and 8-character passwords within two days.

mio-star.gz

Distributed multihosted Unix password cracker that runs on all platforms where Perl is installed.

mincrack.zip

University of Minnesota POPMail password cracker.

MK3.sit.bin

A program that attempts to crack a user's account on an AppleTalk network.

msnmsgpasswd.zip

Windows ActivePerl source to a script that proves that the encryption being used by MSN Messenger 4.6 is weak. Does a Base64 decode of the Registry.

msnmsgpwd.exe.zip

Windows ActivePerl executable that proves that the encryption being used by MSN Messenger 4.6 is weak. Does a Base64 decode of the Registry.

mssqlpasswd.zip

MS SQL 6.5/7.0 brute-force password-cracking tool.

mysqlfuck.c

Script that exploits the MySQL Null Root Password & Bind-Address Configuration vulnerability.

mysqlpassword.c

MySQL brute-force password cracker that uses a dictionary attack.

nbrute.tar.gz

Program to brute-force valid Newspro logins/passwords.

nirvana.tgz

Perl-based brute-force attack on Telnet.

ntsweep.zip

NTSweep brute-forces NT passwords.

nutcrack.1.9.tar.gz

A simple, fast, and effective password cracker for Unix systems.

og-brute101.tgz

Og-Brute is a Perl package to brute-force POP3 and FTP account passwords and probe SMTP for valid logins with Wingate support.

passhack.mrc

Brute-force password cracker for mIRC.

passthief.exe

Password cracker.

passwd_rz.pl

Exploit script for the Sawmill File Access and Weak Encryption vulnerability.

pbrute.tar.gz

Simple password generator for generating uppercase and lowercase numbers and letters .

pc-1.1-dist.zip

PalmCrack, password-testing tool for the Palm computing platform. Can check Unix and NT passwords against a dictionary, and decrypt certain Cisco router passwords.

pcax.c

Exploit script for PCAnywhere Weak Password Encryption vulnerability.

pent.pl

Uses smbclient to brute-force NT shares and passwords.

pgppass.zip

PGPPass is a dictionary attack program for use against PGP secret key rings.

php-ssl-brute.zip

PHP script that uses curl to brute-force SSL-protected Web site login screens.

pop3hack.c

POP3 password cracker.

Pop_crack.tar.gz

Pop3 Crack is a POP3 account brute-forcer written in Perl.

pqwak2.zip

Exploits a flaw in the share-level password authentication of Windows 95/98/ME in its CIFS protocol to find the password of a given share on one of these machines.

pwd-gen.c

Password generator.

pwl9x-0.4-dev.tar.gz

A program that allows passwords contained in the Windows PWL database to be viewed under Unix.

qrack-1.0.tgz

Unix password brute-forcer written in Perl.

revelation.1.1.exe

Revelation password cracker.

RiPFTPServer.zip

RiP FTP Server, a Win32 program that extracts plaintext passwords from FTP server client software, such as .ini or Registry settings.

RLRPAconv1.0.tar.gz

Remote Password Assassin is a network password cracker using brute-force attacks.

rm-brutal.tar.gz

Brutal.pl, a Perl program that tries to get valid accounts on a remote server by using a POP3 brute-force method through wordlists.

saltine-cracker-1.0.5

TCP/IP distributed network password auditing tool for NTHASH (MD4) and POSIX LibDES Crypt(3) passwords.

scooplm003.zip

Searches out the password from LM/NTLM authentication information (LanManager and Windows NT challenge/response).

scp

Snap Cracks POP, a POP3 and FTP cracker written in Java.

scrack15.zip

TCP/IP distributed network password auditing tool for NTHASH (MD4) and POSIX LibDES Crypt(3) passwords. DOS version.

scx-sa-21.txt

Globalscape's CuteFTP, a popular FTP client, uses a weak encryption scheme, allowing plaintext login and password recovery from the address book. Includes cuteftpd.c, which calculates the plaintext.

shadow.c

Recontructs a password file from the shadow file.

ShadowScan.zip

Windows 95/98/NT/2000 program intended for the analysis of IP networks. Program includes attacks and password-guessing for POP3 and FTP.

smbbf-0.9.1.tar.gz

A password auditing tool for Windows and the SMB platform that makes it possible to exploit the timeout architecture vulnerability in Windows 2000/XP.

snmpbrute-fixedup.c

Fast SNMP brute-forcer.

spc001.zip

Share Password Cracker acquires the list of shared folders of a Windows 95/98/ME machine on the network and shows those folders' passwords. This tool acquires the list of the shared folders also for Windows NT/2000 machines, but it distinguishes only folders that have no password. Shared Password Cracker exploits the Share Level Password vulnerability.

spq.tar.gz

Unix Sequence Password Generator creates password files and allows on-the-fly cracking when used with other tools.

sqlbf-all-src.1.0.1

Source for auditing the strength of Microsoft SQL Server passwords offline. Can be used either in Brute Force mode or Dictionary Attack mode.

sqlbf.zip

MSSQL server brute-force tool.

ssh-brute.sh

A brute-forcer that guesses root's password without being logged.

STC3.zip

A multipurpose tool for Windows that does the work of 30 separate programs. Includes an .htaccess brute-forcer, anonymous FTP scanner, list of BIOS master passwords, country codes list, dictionary generator, FTP brute-force service scanner, cached ISP password retriever, and more.

strip-crack.c

Script that exploits the Strip Password Generator Limited Password-Space vulnerability.

SUPassConvert.tgz

Converts Unix-style passwords in a Serv-U.ini file to standard Unix password style for cracking.

Telnet_crack.tar.gz

Perl script that brute-forces Telnet.

thermoprog.zip

Brute-force password cracker for Angelfire password reminder. Requires JRE or JDK.

thetaprog.tgz

Brute-force password cracker for Hotmail password reminder. Requires JRE.

thomas.zip

Tool to crack the secret passwords on Cisco routers.

ultraprog.zip

Brute-force cracker for MailCity.com password reminder. Requires JRE.

umncrack.zip

University of Minnesota SLIP Password Cracker.

unfburninhell1.0.tar.gz

A burneye cryptographic layer 1 and 2 cracker that can work together with John the Ripper for password generation.

unsecurev1.2.zip

Unsecure is an HTTP auth brute-force cracker.

user14nd.v1.tar.gz

Brute-forces accounts via FTPD. Works best against Linux systems with traffic on a fair bandwidth.

vcrack.tar.gz

V-Crack Zero++ (Unix), a poly-alphabetic XOR cipher cracker.

vcrack.zip

V-Crack Zero++ (DOS), a poly-alphabetic XOR cipher cracker.

vcu10.exe

Velocity Cracking Utilities, a suite of utilities for cracking Unix password files.

viper13.tar.gz

Unix password cracker. It generates password combinations for the character sets and lengths you specify.

vnc-crack.patch

Patch to VNC that allows a brute-force dictionary attack.

vncdec.c

Decrypts the password for VNS, a PCAnywhere-like program.

vnx4.c

A VNC attack program ported to Windows. It features cracking of the password in the Registry, online brute force against a VNC server, or cracking a sniffed challenge/response handshake.

wbrute.tar.gz

HTML brute-force attacker.

wc30b2.zip

Password cracker designed to brute-force login/password combinations for Web sites that use HTTP-based password authentication.

wgdecode.c

Extracts WinGate administrator passwords from Windows 9x/NT machine Registries and decodes them.

wordex.exe

Windows program designed to generate wordlists recursively from all files in a directory.

wordmake0.1.pl

WordMake, a dictionary file creator.

wwwhack.zip

Automates the process of trying to crack logins/passwords for WWW sites that use basic HTTP authentication.

xcrack.pl

Unix/Linux password cracker coded in Perl.

xdeep.pl

Perl script that exploits the Xpede Password Exposure vulnerability.

xpass10.zip

Password cracker.

xpert.c

Decodes the passwords from FTP Expert, which are stored in sites.ini.

xyprog.tgz

Brute-force password cracker for ICQ. Requires JRE.

zipcracker-0.1.1.tar.gz

Cracks Linux password-protected Zip archives with brute force.

A large number of password cracking tools are available around the Internet, and can compromise your passwords in ways that you might not have thought. Use Sherlock to search for these by name and find the most recent source.

Maximum Mac OS X Security
ISBN: 0672323818
Year: 2003
Pages: 158