
L0phtCrack Documentation (docx)


DOCUMENT INFORMATION

Basic information

Title: L0phtCrack Documentation
Author: Eric Cole
School: SANS Institute
Field: Cybersecurity
Type: Thesis
Year published: 2001
City: Unknown
Format:
Pages: 34
Size: 644.32 KB


Contents

Page 1

Thank you, and welcome to SANS LevelOne. We will be covering L0phtCrack. Hello, my name is Eric Cole and I will be explaining L0phtCrack to you. If you have any questions or comments regarding L0phtCrack please contact me at eric7095@aol.com

Page 2

L0phtCrack – SANS GIAC LevelOne©2000, 2001 2

Password Cracker Details

• Name: L0pht Crack
• Operating System: Microsoft NT
• Methods: dictionary attack, brute force attack and hybrid attack.
• Brief Description: A password cracker that will take encrypted NT passwords and compute the plain text password.

L0phtCrack (zero, not the letter O) is an NT password auditing tool. It will compute NT user passwords from the cryptographic hashes that are stored by the NT operating system. The operating system does not store the user passwords in their original clear-text form for security reasons. The actual user passwords are encrypted because they are sensitive information that can be used to impersonate any user, including the Administrator of the operating system. L0phtCrack computes the password from a variety of sources using a variety of methods. The end result is a state-of-the-art tool for recovering the passwords that users use.

L0phtCrack operates in three attack modes to crack a user’s password. They are a dictionary attack, a brute force attack, and a hybrid attack. Each of these will be covered in detail in later slides.

Page 3

Checklist

• The following are the objectives for this course. After completion a user should understand the following:
– what password cracking is
– why it is important
– methods of password cracking
– weaknesses in Windows NT’s implementation of encryption
– what L0phtCrack is
– how to install and run L0phtCrack
– how L0phtCrack works
– how to protect against password cracking on Windows NT
– password security features in Windows NT
– features of a strong password

This page intentionally left blank

Page 4

How are passwords stored on

In most companies, passwords are the first and only line of defense protecting their information and servers. Since most user IDs consist of the first initial / last name of an employee or some combination, it is fairly easy to find out valid user IDs for individuals at a company. Based on this, the only other piece of information you need to gain access is a user password. Therefore, they need to be protected and very hard to guess.

The key things passwords need to be protected against are: unauthorized disclosure, unauthorized modification, and unauthorized removal. If users write down their passwords or share them with other people, then the user’s password is compromised and can be used as an entry point into the system. Being able to modify a password is just as risky because as long as an attacker knows what password is associated with a user ID, they can use it to gain access. It does not matter if the real user knows it or not. This is potentially dangerous [for the attacker] because if the user tries to get in and cannot, they might be suspicious of foul play.

In order to protect passwords, operating systems use encryption, which basically hides the original content so if someone gets the encrypted password they will not be able to determine what the original password was.

Page 5

Encryption 101

• Encryption is the process of converting plain text into cipher text.
• The goal is to make the original text unreadable.
• Three basic methods:
– symmetric - single key
– asymmetric - two keys (public and private)
– hash - one way algorithm, no key

This section will cover a brief overview of encryption so that you can understand why and how password cracking works. For additional details, there are several good cryptography books on the market. (Editor’s Note: Applied Cryptography by Bruce Schneier is generally considered one of the best references on cryptography - JEK)

In its most basic form, cryptography is the process of converting plaintext into ciphertext with the goal of making the original [plain] text unreadable. Basically, plaintext is the original, “human readable” message and ciphertext is the unreadable message in its encrypted form. Therefore, since the goal of passwords is to make them unreadable, they are stored in encrypted form.

There are three basic types of encryption. Symmetric encryption uses a single key to encrypt and decrypt the message. If two people wanted to communicate, they would both have to have the same key, and one person would use it to encrypt the message and the other person would use the same key to decrypt it. (Editor’s note: Symmetric encryption is also known as private key cryptography because a single, private key is used for encryption and decryption – JEK)

Asymmetric encryption uses two keys, a public and a private key. The public key is given to everyone and is used only to encrypt. The private key is known by only the owner and is used to decrypt messages. (Editor’s note: Asymmetric encryption is also known as public key cryptography because it uses both a private key and a public key to encrypt and decrypt information – JEK)

Hash functions are considered one-way functions because they perform a one-way transformation of information that is irreversible. Basically, given an input string, the hash function would produce a fixed-length output string, and from the output string there is no way to determine the original input string. NT uses hashing to store its passwords. Basically, it would take a user’s password, run it through a hash algorithm, and store the hash of the password. When someone tries to log on to the system, it takes the password the user enters, runs it through the hash, and if there is a match then it is the same password.

Page 6

What is password cracking?

• Guessing someone's plain text password when you only have the encrypted password.
• General method one:
• find valid user ID
• create list of possible passwords
• try typing in each password
• if system allows you in - success
• if not try again

Password cracking is the process of trying to guess or determine someone’s plaintext password when you only have their encrypted password.

The general method for this is the following:

• find a valid user ID
• create list of possible passwords
• try typing in each password
• if the system allows you in – success!!
• if not – try again

(Editor’s note: A distinction is sometimes drawn between password guessing, where the attacker actually tries to log in with various passwords; and password cracking (discussed in the next slide), where the attacker obtains a copy of the encrypted password file or database and attempts to derive passwords from their encrypted form (i.e., “crack” the encryption, generally by taking a group of passwords, generating the hash values, and comparing the generated hashes to those in the password database to see if there is a match) – JEK)

Page 7

What is password cracking? (cont)

• General method two:
• find valid user ID
• find encryption algorithm used
• obtain encrypted password
• create list of possible passwords
• encrypt each password
• see if there is a match
• Tips
• pre-compute dictionary
• pre-compute encrypted passwords
• automate

Another method is to:

• find a valid user ID
• find encryption algorithm used
• obtain encrypted password
• create a list of possible passwords
• encrypt each password
• see if there is a match

So, tips for speeding this process up include:

• pre-compute a password dictionary
• pre-compute a list of encrypted passwords
• automate the process

Page 8

Methods of Password Cracking

• Dictionary attack
• Hybrid attack
• Brute force attack

The fastest method for cracking passwords is a dictionary attack. This is done by testing all the words in a dictionary or word file against the password hashes. When it finds the correct password, it displays the result. There are lots of sites that have downloadable dictionaries you can use.

The second method to crack passwords is called a hybrid attack. This builds upon the dictionary method by adding numeric and symbol characters to dictionary words. Many users choose passwords such as “bogus11” or “he11o!!” (where the letter “l”s are replaced by numeric ones). These passwords are just dictionary words slightly modified with additional numbers and symbols. The hybrid crack rapidly computes these passwords. These are the types of passwords that will pass through many password filters and policies, yet still are easily crackable.

The final and most powerful cracking method is the brute force method. This method will always recover the password, no matter how complex. It is just a matter of time. Really complex passwords that use characters that are not directly available on the keyboard may take so much time that it is not feasible to crack them on a single machine using today's hardware. But most complex passwords can be cracked in a matter of days. This is usually much shorter than the time most administrators set their password policy expiration time to. Using a real-world cracking tool is the only good way to know what time one should set for password expirations.

Page 9

Why is password cracking useful?

• Audit strength of passwords
• Recover forgotten password
• Recover unknown password
• Migrate users
• Checks and balances

There are many uses for computing user passwords. First and foremost is for a system administrator to audit the strength of the passwords that their users are using. There are password filters for NT, but how do you know how well you have chosen a filter? Without testing the passwords generated by users against a real-world password cracker, you are guessing at the time it will take an external attacker or malicious insider to uncover the passwords. Other uses include recovering a forgotten password, retrieving the password of a user in order to impersonate them, or migrating NT users to another platform such as Unix.

Page 10

NT Password Cracking

• All passwords are crackable
• NT’s design just makes it easier
– passwords broken into two seven-character pieces
– no salt (or randomness): two identical passwords will be encrypted the same way

All passwords are crackable from a brute force perspective. The question is, how long does it take? The goal with encryption is to make the time needed to perform a brute force attack so long that it is unfeasible for someone to do – or make the time long enough that by the time they crack it the usefulness of the information has expired.

NT has two major design flaws in how they implement their encryption that allow someone to crack passwords quicker than it would normally take. The first thing is that since they make their operating systems downward-compatible with previous versions of Windows, they use the LAN Manager storage scheme, which breaks a password down into two seven-character words. This incredibly weakens the strength of a password. Now, instead of trying to crack someone's password that is 10 or 12 characters long, you only have to crack two seven-character [or less] passwords, which is much easier. Also, cracking passwords with just letters is much easier than cracking passwords with numbers and special symbols. Therefore, a single password with numbers and special characters is very hard to crack. But because NT breaks up the password and because most people put numbers or special characters at the end, it makes it easier to crack. For example, to crack password#7, you have to crack passwor (which is fairly easy) and you have to crack d#7 (which is harder, but since it is so short it is still easy to do).

The second issue is that when you encrypt a password there is something used called a salt, which is meant to make passwords a little harder to guess. A salt is a random string that is combined with a password before it is encrypted. This is meant to randomize the password. This way, if two people have the same password, they would have different salts and their passwords would be stored differently. Microsoft does not use a salt, so if two users have the same passwords they will be encrypted the same way. This is a tremendous cost savings because now you only have to encrypt each word once, and if a user has that password there will be a match. If salts were used, I would have to find out the salt for the user; and then encrypt all possible passwords with that salt to see if there was a match; and once there was, I would have to move on to the next user and do the same thing. As you can see, this would take a much longer time to perform.
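To make the two design flaws concrete, the following is an added example (not from the SANS slides and not L0phtCrack's own code) that models the LAN Manager storage structure and the "encrypt each candidate and compare" method from the password-cracking slides. It assumes SHA-256 as a stand-in for the DES step, so only the structure (uppercase, two independent seven-character halves, no salt) is faithful, and the word list, suffixes and character set are constructed sample inputs.

```python
import hashlib
import itertools
import os

# Toy model of the LAN Manager scheme from the slides: uppercase, pad to 14,
# split into two 7-character halves, hash each half on its own, no salt.
# ASSUMPTION: SHA-256 stands in for the DES step; only the structure is modelled.

def half_hash(half):
    """Hash one 7-character half. No salt, so equal halves always collide."""
    return hashlib.sha256(half.encode()).hexdigest()[:16]

def lm_style_hash(password):
    """Return the pair of half-hashes stored for a password."""
    padded = password.upper().ljust(14, "\0")[:14]
    return half_hash(padded[:7]), half_hash(padded[7:])

def salted_hash(password, salt=None):
    """Contrast case: with a per-user salt, equal passwords store differently."""
    salt = os.urandom(8) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()[:16]

def build_table(words, suffixes=("",)):
    """Pre-computed hash -> first-half table (dictionary plus hybrid suffixes).
    Without a salt it is computed once and reused against every user's hash."""
    table = {}
    for word, suffix in itertools.product(words, suffixes):
        head = (word + suffix).upper().ljust(14, "\0")[:7]
        table[half_hash(head)] = head
    return table

def crack_lm_style(target, table, charset, max_len=3):
    """Look up the first half in the table, then brute force the short tail on
    its own: 'password#7' costs only 'PASSWOR' plus 'D#7', never 10 characters."""
    first, second = target
    if first not in table:
        return None
    for n in range(max_len + 1):  # n == 0 covers passwords of 7 chars or fewer
        for combo in itertools.product(charset, repeat=n):
            tail = "".join(combo).ljust(7, "\0")
            if half_hash(tail) == second:
                return (table[first] + tail).rstrip("\0")
    return None

# Constructed sample inputs (not taken from the slides).
WORDS = ["hello", "bogus", "password", "letmein"]
SUFFIXES = ("", "1", "11", "!!")
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#!"

if __name__ == "__main__":
    table = build_table(WORDS, SUFFIXES)
    for pw in ("password#7", "Bogus11", "hello"):
        print(pw, "->", crack_lm_style(lm_style_hash(pw), table, CHARSET))
    print("no salt:", lm_style_hash("Secret") == lm_style_hash("SECRET"))
```

Because the scheme uppercases before hashing, the recovered value is the uppercase form of the password; the salted contrast function shows why the same table could not be reused across users if a per-user salt were present.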

Page 11

L0phtCrack

• Available from www.l0pht.com (number zero after the letter l)
• 15 day free trial - $100 full version
• Features
– Password cracking
– Dump passwords from Registry
– Sniff passwords off of the network

L0phtCrack (letter o is replaced by number zero) is one of the best NT password cracking programs on the market for several reasons. First, it is easy to use and has a nice GUI. Second, it takes advantage of the two design flaws in Microsoft and can crack passwords extremely quickly.

It has a 15 day trial version which lets you “try before you buy,” and then requires a registration fee of $100.

Some of the key features are:

• password cracking;
• capable of dumping passwords from the Registry;
• sniffs passwords off of the network.

Page 12

L0phtCrack 2.5 New Features

• Speed increase
• Hybrid cracking
• Added SMB packet capture
• SMB packet capture works on Windows 9x
• Custom character set
• Accurate cracking status

The latest version of L0phtCrack is version 2.5 and they have added some new features that make it run faster and make it easier to use. Some of the features are the following:

From the L0pht’s web site (http://www.l0pht.com/l0phtcrack/):

• Major speed increase. The DES routines have been highly optimized in assembler for Pentium, Pentium MMX, Pentium Pro, and Pentium II specific processors. This results in a 450% speed increase. All alphanumeric passwords can be found in under 24 hours on a Pentium II/450.
• A new hybrid cracking method combines the best qualities of dictionary cracking with that of brute force cracking. Passwords that are dictionary words which have numbers and symbols appended to them are found in minutes.
• SMB Packet Capture is built into the L0phtCrack graphical interface. Choose a menu item and start collecting LANMAN password hashes as they travel over the network.
• The SMB Packet Capture now works on Win95/98 machines.
• Custom character sets for brute forcing are supported with an easy UI to set them.
• More accurate cracking status is displayed. This includes the number and percentage of cracked passwords and the key rate of the crack attempts.

Page 13

• Most domain admin accounts cracked
• Password policy requires min of 8 characters with one numeric or special character.

The above results are from the L0pht’s web site, http://www.l0pht.com/l0phtcrack/

Page 14

The above results are from the L0pht’s web site.

Page 15

– pull password file
– load dictionary file

Page 16

– select location of install
– read instructions and follow the defaults
• Double-click on L0phtCrack icon to start the program

To install L0phtCrack, go to http://www.l0pht.com and download the zip file that contains the executable. Once you download the zip file, use pkunzip or any other compression program to uncompress the files into a directory. Once the files are uncompressed, run the setup program. The install program is very straightforward and will walk you through the installation. Once the installation is complete, you just double click the L0phtCrack program to run it.

The version you download is a 15-day trial version. In order to continue using L0phtCrack after 15 days and to get additional features, you should register the program. If you look at what you are getting for $100 it is an unbelievable deal.

L0phtCrack is licensed per machine. Each machine will have a unique L0phtCrack serial number. The L0pht offers online, telephone and fax registration. When you register you will receive the unique unlock code for your machine. You enter this code in the L0phtCrack Registration dialog to unlock the product. In the event you need to move your license to a new machine or OS, you need to contact l0phtcrack@l0pht.com and they will send a new unlock code. Therefore if you run L0phtCrack on multiple machines, you need to get multiple unlocking codes.

Page 17

Start L0phtCrack

When L0phtCrack starts, the main window appears. The menu bar contains five main menu options. The following slides will briefly cover each menu item. Since the Edit menu is not used, it will not be covered.

Posted: 21/12/2013, 05:17
