Using L0phtCrack 6

For security reasons, operating systems do not store passwords in their original clear-text form. The actual passwords are stored in hashed form, because they are sensitive information that could be used to impersonate users, including the operating system administrator. The original password cannot be derived directly from a hashed password, so L0phtCrack 6 operates much as an attacker would, discovering the password by automated guessing. L0phtCrack 6's automated guessing process illustrates the difficulty of password cracking.

L0phtCrack 6 obtains password hashes from the operating system, and then begins hashing possible password values. The password is discovered when a computed hash matches a target hash. L0phtCrack 6 must therefore first obtain the password hashes from the target system, and then use various cracking methods to retrieve the passwords.

Obtaining the Password Hashes

Approaches to obtaining password hashes differ, depending on where the password resides on the computer, and your ability to access them. L0phtCrack 6 can obtain password hashes directly from remote machines, from the local file system, from backup tapes and repair disks, from Active Directory, or by recovering them as they traverse the network. Obtaining passwords over the network requires network and administrator privileges, as detailed below.

  • Import From Local Machine
    To import passwords from a local machine, obtain administrator rights to the machine you intend to audit. From the Session menu, select Import and click the Local Machine option in the dialog box to retrieve the hashes. This approach works regardless of whether passwords are stored in a SAM file or in Active Directory.

NOTE: L0phtCrack 6 is limited to dumping and opening 65,000 users. Audits with more than 10,000 users require longer audit sessions.

  • Import from Remote Machine
    L0phtCrack 6 incorporates remote password retrieval into the product, simplifying the process of obtaining password hashes and reducing the need for a third-party retrieval tool to work around SYSKEY.

To import remote machines to the audit list, use the Import dialog box from the Session menu, and click on Remote Machine. Use the Add and Browse buttons to add the remote machines. Retrieving password files from remote machines requires administrative access.

To save the audited group of remote machines, click Save As in the Import dialog box. Click Open from within the Import dialog box to retrieve a stored group.

L0phtCrack 6 audits Unix password files from within the same interface. You are required to have an account on the remote Unix machine with access to the shadow file to perform this type of audit. L0phtCrack recommends creating an auditing account on the remote machine to be used only by L0phtCrack 6. The Unix system must have the SSH (secure shell) service running for L0phtCrack 6 to be able to retrieve the password hashes.

Passwords can be obtained remotely from both Windows and Unix machines and combined in a single session. If both are in a single session, the auditing order is as follows:

    • Windows Dictionary
    • Unix Dictionary
    • Windows Hybrid
    • Unix Hybrid
    • Windows Pre-computed
    • Unix Pre-computed
    • Windows Brute Force
    • Unix Brute Force

  • SAM File
    On systems that do not use Active Directory, or SYSKEY, you may obtain password hashes directly from a password database file stored on the system, the SAM file.

Note: This approach does not obtain password hashes from most Windows 2000 and Windows XP systems, as Windows 2000 and XP use SYSKEY by default. SYSKEY hashes cannot be found using a password cracker, due to the strong encryption Windows 2000 and XP use.

Windows NT Service Pack 3 introduced SYSKEY, which is turned off by default. SAM access works on Windows NT systems unless SYSKEY is explicitly turned on. SYSKEY provides an additional layer of encryption to stored password hashes; however, you cannot tell by looking at the SAM, or at the password hashes it contains, whether they have been encrypted with SYSKEY or not. L0phtCrack 6 cannot crack SYSKEY-encrypted password hashes. If you do not have access to at least one administrator account on a Windows 2000 machine, you cannot obtain the password hashes required to run L0phtCrack 6. In such cases, you may benefit from a password reset utility.

Password hashes cannot be read from the file system while the operating system is running, since the operating system holds a lock on the SAM file where the password hashes are stored. Copy the SAM file by booting another operating system such as DOS (running NTFSDOS) or Linux (with NTFS file system support) and retrieving it from the target system, where it is typically stored in C:\WinNT\system32\config. This is especially useful if you have physical access to the machine and it has a floppy drive.

You may also retrieve a SAM from a Windows NT Emergency Repair Disk, a repair directory on the system hard drive, or from a backup tape. Windows 2000 does not normally store a SAM file on the repair disks it generates.

Load the password hashes from a "SAM" or "SAM._" file into L0phtCrack 6 using the Import dialog. Select to Import from file, From SAM File and specify the filename. L0phtCrack 6 will automatically expand compressed "SAM._" files on NT.

  • Import LC4 Files
    L0phtCrack 6 can import previously saved sessions from LC4, allowing for a smooth upgrade to L0phtCrack 6, as all of your LC4 session files can be used. L0phtCrack 6 also has improved reporting capabilities to open previously completed sessions.
  • PWDUMP3
    L0phtCrack 6 dumps password hashes from the SAM database (and from Active Directory) of a system on which it has Administrator privileges, regardless of whether SYSKEY is enabled or disabled on the system.
  • From Unix shadow file
    L0phtCrack 6 can extract the Unix password hashes from a Unix shadow file usually found on a Unix system as the /etc/shadow file. The shadow file must be in the format that Linux and Solaris systems use.
  • Packet Capture via Sniffing
    Packet capture, or "Sniffing," is an advanced approach to obtaining password hashes that benefits from a good understanding of Ethernet networks. L0phtCrack 6 supports sniffing via WinPcap packet capture software built by the Microsoft-sponsored Politecnico di Torino.

L0phtCrack 6 can capture the encrypted hashes from the challenge/response exchanged when one machine authenticates to another over the network. Your machine must have one or more Ethernet devices to access the network. From the Session menu, select Import From Sniffer. If more than one network interface is detected, the Select Network Interface dialog box allows you to choose the interface to sniff on.

After choosing your interface, the SMB Packet Capture Output dialog box appears to capture any SMB authentication sessions that your network device can capture. Switched network connections only allow you to see sessions originating from your machine or connecting to your machine.

NOTE: If you have a previous version of LC installed on your machine, you must remove the NDIS packet driver from the Protocols tab in the Network Control Panel. Other low level packet drivers that are known to cause problems are the Asmodeus and ISS packet drivers. These need to be removed as well.

As SMB session authentications are captured, they are displayed in the SMB Packet Capture Output window. The display shows:

    • Source and Destination IP addresses
    • The user name
    • The challenge
    • The encrypted LANMAN hash
    • The encrypted NTLM hash

The capture can be imported at any time using the Import button. You can capture and crack other passwords at the same time; however, password hashes captured after initiating an audit are not attempted in the running audit.

Note: L0phtCrack 6's packet capture works on Ethernet adapters only, and may fail if a firewall is running on the same machine as L0phtCrack 6. It will not function reliably on a PPP connection.

Cracking the Password Hashes

The cracking process that generates password values provides several options that balance audit rigor against the time required to crack. Effective auditing therefore requires an understanding of the underlying business goals, and of the security thresholds necessary to meet them.

To configure the cracking methods for your session, choose Session Options under the Session menu or click the Session Options button on the toolbar to open the Auditing Options For This Session dialog box. The options for this dialog box are detailed below.

The UserName Crack

L0phtCrack 6 first checks to see if any accounts have used the username as a password. These are weak passwords that you need to know about right away. This crack is performed first in every audit, because it is very quick.

Dictionary Crack

The fastest method for retrieving simple passwords is a dictionary crack. L0phtCrack 6 tests all the words in a dictionary or word file against the password hashes. Once L0phtCrack 6 finds a correct password, the result is displayed. The dictionary crack tries words up to the 14 character length limit (set by Windows NT, but not Windows 2000).

L0phtCrack 6 uses the 25,000-word dictionary file, words-english.dic, which contains the most common English words. L0phtCrack 6 also ships a 250,000-word dictionary, words-english-big.dic, which can be used for more comprehensive dictionary audits. L0phtCrack 6 loads this file, or any other word file you select, based on settings in the Session Options dialog.

L0phtCrack 6 displays the result for passwords of any length located in the dictionary. For non-dictionary words, the cracking process analyzes the first seven characters and the characters from the eighth onward of a possible password independently. For example, if the first seven characters of a password match those of a word in the dictionary, L0phtCrack 6 reports them, even if the subsequent characters do not match those in the dictionary word. Likewise, if the eighth character through the end of the password matches the corresponding characters in any dictionary word, L0phtCrack 6 identifies those. When one half of a password is cracked but the other is not, question marks (i.e. ???????) fill the un-cracked half. If neither half is cracked, the result in L0phtCrack 6 is left blank.

The table below illustrates the partial results L0phtCrack 6 returns when one part of a password matches a dictionary word and the other does not. Consider the following passwords and their results in a Dictionary crack:

Password     | Dictionary Crack Result                                    | Comments
-------------|------------------------------------------------------------|---------
biochemistry | biochemistry                                               | Standard word, found in L0phtCrack 6's words-english dictionary, and cracked in full.
biochemist7y | biochem???????                                             | The first 7 characters match those in 'biochemistry.'
b#^chemistry | ???????istry                                               | The 8th character through the end of the password matches the corresponding characters in 'biochemistry,' but the first seven do not.
accomplistry | accomplistry                                               | The password is not a dictionary word. Because both the first seven characters and characters 8-12 happen to match dictionary words, L0phtCrack 6's Dictionary crack finds the whole password, even though different dictionary words matched each part.
severecrimp  | [L0phtCrack 6's Dictionary crack will not recover this password] | Although the password is formed from two dictionary words, neither the first 7 characters nor characters 8-11 match words in the dictionary, so the dictionary crack does not find this password. You must use the brute force crack to recover this type of password.
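The half-by-half behaviour in the table follows from how the LM hash is built: the password is uppercased, padded to 14 bytes and split into two 7-byte halves that are hashed with no input from each other, which is the "structural weakness" the Audit Method section refers to. The following model, added here and not part of L0phtCrack 6, reproduces the table's results on a constructed four-word dictionary; it uses a keyed SHA-256 as a stand-in for the DES step of the real LM hash (an assumption made so it runs without a DES library), which does not change the independence of the halves.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

HALF_LEN = 7
MAX_LM_LEN = 14
UNCRACKED = "?" * HALF_LEN   # an unrecovered half is shown as seven question marks


def lm_halves(password: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a password the way the LM hash does: uppercase it, NUL-pad it to
    14 bytes and cut it into two independent 7-byte halves.  Windows 2000 stores
    no LM hash for passwords longer than 14 characters, so those yield None."""
    if len(password) > MAX_LM_LEN:
        return None
    raw = password.upper().encode("latin-1", "replace").ljust(MAX_LM_LEN, b"\x00")
    return raw[:HALF_LEN], raw[HALF_LEN:]


def half_hash(half: bytes) -> str:
    """Hash one 7-byte half.  Stand-in (assumption): the real LM hash uses the
    half as a DES key to encrypt a fixed string; keyed SHA-256 is used here so
    the model runs anywhere.  Each half is still hashed on its own."""
    return hashlib.sha256(b"lm-half:" + half).hexdigest()


def build_half_tables(dictionary: Iterable[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """For every dictionary word, record the hash of its first half and of its
    second half in two separate tables.  Because the tables are independent, a
    password can be half-recovered from two different dictionary words."""
    first: Dict[str, str] = {}
    second: Dict[str, str] = {}
    for word in dictionary:
        halves = lm_halves(word)
        if halves is None:
            continue
        first.setdefault(half_hash(halves[0]), word[:HALF_LEN])
        second.setdefault(half_hash(halves[1]), word[HALF_LEN:])
    return first, second


def dictionary_crack(password: str, first: Dict[str, str], second: Dict[str, str]) -> Optional[str]:
    """Model of the dictionary crack's partial results: each half is looked up
    on its own; an unrecovered half becomes ???????; None means neither half
    matched (L0phtCrack leaves the result blank) or there is no LM hash."""
    halves = lm_halves(password)
    if halves is None:
        return None
    left = first.get(half_hash(halves[0]))
    right = second.get(half_hash(halves[1]))
    if left is None and right is None:
        return None
    return (UNCRACKED if left is None else left) + (UNCRACKED if right is None else right)


# Constructed four-word dictionary standing in for words-english.dic.
SAMPLE_DICTIONARY = ["biochemistry", "accomplish", "severe", "crimp"]
FIRST, SECOND = build_half_tables(SAMPLE_DICTIONARY)

if __name__ == "__main__":
    for pw in ["biochemistry", "biochemist7y", "b#^chemistry", "accomplistry", "severecrimp"]:
        print(f"{pw:14} -> {dictionary_crack(pw, FIRST, SECOND)}")
```

The "accomplistry" row is recovered from "accomplish" (first half) and "biochemistry" (second half), and a 15-character password returns None because there is no LM hash to attack, which is why the length limit matters for policy.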

Hybrid Crack

A Hybrid Crack builds upon the dictionary method (and its results display in the Dictionary Status area) by modifying existing dictionary words to generate additional password attempts. Many users choose passwords such as "bogus1!" or "1!bogus" in an attempt to create a memorable yet harder-to-crack password, based on dictionary words slightly modified with additional numbers and symbols. Another common password substitutes numbers and symbols for letters, such as 3 for E, or $ for S. These types of passwords pass through many password filters and policies, yet still leave the organization exposed because they can easily be cracked.

L0phtCrack 6 cracks these passwords in much less time than it takes for a brute force attack. L0phtCrack 6's Hybrid mode checks for number or symbol characters prepended/appended to each word in the dictionary file you have selected. The default setting is 0 prepend and 2 append. Character substitutions are also turned off by default.

Note: Selecting 3 or more characters for either setting lengthens the Hybrid audit. Using a dictionary larger than the one L0phtCrack 6 uses by default, or setting too many characters, may also make the audit take longer to complete. These features may require significantly longer audits; however, this may still be faster than a full brute force audit. If audit time is a priority, run the hybrid mode twice: once with append/prepend characters turned on and character substitutions turned off, and again with append/prepend turned off and character substitutions turned on. This does not check as many possibilities, but the audits are faster.
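The same mutations can be applied in reverse as a password-filter check: strip the prepended/appended digits and symbols, undo the letter substitutions, and see whether what remains is a dictionary word. The check below is added here as an illustration and is not L0phtCrack 6's code; its defaults mirror the page's settings (0 prepend, 2 append), the substitution table extends the page's two examples (3 for E, $ for S) with assumed common swaps, and the word list is constructed.

```python
import string
from typing import Iterable, Iterator, Optional, Set

# Letter-for-symbol swaps to reverse.  The page names 3 for E and $ for S; the
# remaining entries are assumed common substitutions.
SUBSTITUTIONS = {"3": "e", "$": "s", "0": "o", "1": "i", "@": "a", "5": "s", "7": "t"}
# Characters treated as prepended/appended decoration around a dictionary word.
DECORATION = set(string.digits + string.punctuation)


def hybrid_cores(candidate: str, max_prepend: int = 0, max_append: int = 2) -> Iterator[str]:
    """Yield every 'core' a Hybrid-style audit would derive from a candidate:
    remove 0..max_prepend leading and 0..max_append trailing digits/symbols,
    then try the core as typed and with letter substitutions undone."""
    lead = 0
    while lead < min(max_prepend, len(candidate)) and candidate[lead] in DECORATION:
        lead += 1
    trail = 0
    while trail < min(max_append, len(candidate)) and candidate[-1 - trail] in DECORATION:
        trail += 1
    seen: Set[str] = set()
    for p in range(lead + 1):
        for a in range(trail + 1):
            core = candidate[p:len(candidate) - a]
            if not core:
                continue
            plain = core.lower()
            unsubstituted = "".join(SUBSTITUTIONS.get(c, c) for c in plain)
            for form in (plain, unsubstituted):
                if form not in seen:
                    seen.add(form)
                    yield form


def hybrid_weakness(candidate: str, dictionary: Iterable[str],
                    max_prepend: int = 0, max_append: int = 2) -> Optional[str]:
    """Return the dictionary word a candidate password reduces to, or None.
    A non-None result means the password would fall to a Hybrid audit with
    these prepend/append settings, so a policy filter should reject it."""
    words = {w.lower() for w in dictionary}
    for core in hybrid_cores(candidate, max_prepend, max_append):
        if core in words:
            return core
    return None


# Constructed word list standing in for words-english.dic.
SAMPLE_WORDS = ["bogus", "password", "severe", "crimp"]

if __name__ == "__main__":
    for pw in ["bogus1!", "1!bogus", "p@$$w0rd", "bogus123", "severecrimp"]:
        print(f"{pw:12} default -> {str(hybrid_weakness(pw, SAMPLE_WORDS)):9}"
              f" prepend=2 -> {hybrid_weakness(pw, SAMPLE_WORDS, max_prepend=2)}")
```

With the defaults, "1!bogus" and "bogus123" are not reduced to "bogus" (nothing is prepended, and only two appended characters are stripped), which is exactly the gap the note above describes when it recommends raising the settings at the cost of a longer audit.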

Pre-Computed Password Audits

The use of pre-computed password hashes allows password audits to be completed within a few minutes, instead of hours or days. And because hashes only have to be computed once, this allows the use of more complex character sets. Versions of L0phtCrack 6 that include precomputed hashes come with a set of hash tables for the Alphanumeric character set.

Select the Precomputed Enabled checkbox to turn on pre-computed mode. Click the Hash File List button to select the desired precomputed files from the dialog box. Precomputed mode is now enabled, and will be used against all Windows user accounts.

When Should I Use A Pre-Computed Audit?

Pre-computed password tables include trillions of password hashes that have been computed in advance of the password auditing and recovery process. The key advantage of these tables is the reduction in time required to recover an individual password.

During audit and recovery, each account hash is looked up against the hashes in the pre-computed table. A matching hash means the password has been recovered. This process can reduce recovery time by a significant amount; a single account can take hours in a brute force attack, but only seconds using the pre-computed password tables. However, the time savings using pre-computed tables is reduced as the number of accounts audited or recovered increases. It is recommended that the pre-computed tables be used for recovery of fewer than 2,500 accounts. For larger numbers of accounts, brute force analysis is preferable.

Brute Force Crack

The most comprehensive cracking method is the brute force method, which recovers passwords up to 14 characters (Windows NT's password length limit).

The brute force crack attempts every combination of the characters it is configured to use. Your choice of character sets determines how long the brute force crack takes. Common passwords based on letters and numbers can typically be recovered in about a day using the default character set A-Z and 0-9. Complex passwords, on the other hand, that use characters such as #_}* could take up to hundreds of days to crack on the same machine.

NTLM, DES, and MD5 passwords are case-sensitive, and L0phtCrack 6 tries both upper and lower case characters.

The difference between the time needed to recover weak versus strong passwords demonstrates the value of strong passwords in protecting your organization or machine. Using a real-world password auditing tool helps discover the strength of passwords in your organization, and gauge policy decisions such as:

  • Whether users are following password policies,
  • The compliance rate or non-compliance instances with such policies,
  • The effectiveness of a password filter, or
  • Password expiration times.

Audit Method and Performance

L0phtCrack 6 can audit six different types of password hashes to recover a password:

  1. The LM hash
  2. The NTLM hash
  3. The LM challenge response
  4. The NTLM challenge response
  5. Unix MD5-encoded password files
  6. Unix DES-encoded password files

The auditing options available are determined by the hashes a user imports. Performance varies between these different approaches.

If you retrieve user account passwords from a registry, SAM, or Active Directory, you can audit either the LM or the NTLM password hashes. Audit performance in these cases degrades only slightly as the number of hashes increases.

Because of its structural weaknesses, the LM hash is the easiest and fastest to audit. L0phtCrack 6 defaults to auditing the LM hash unless the user accounts you import lack LM hashes or have LM hashes that correspond to an empty password. Since the LM audit only retrieves passwords in case-insensitive form, a very brief NTLM analysis is performed on any password found with the LM audit in order to determine the proper upper or lower case status of its characters. However, this is much less time consuming than the full NTLM audit described below.

The NTLM audit requires more time, because the NTLM hash is based on a stronger algorithm and is case sensitive, expanding the possibilities that must be attempted to recover a password.

Where do accounts with empty passwords come from? Machine accounts that cannot be used for login have dollar signs in their user names. User accounts that last had their password changed under MacOS, Novell, or WinFrame (which do not support NTLM hashes) will have empty NTLM passwords. Others are simply accounts that were created, but never assigned a password.

Note: Windows 2000 passwords longer than 14 characters have *empty* LM passwords, because the LM hash does not support passwords of this length.

Auditing the challenge/response pairs captured from network sniffing can take longer because each password hash is encrypted with a unique challenge. As a result, work performed cracking one password cannot be used again to crack another. In addition to the considerations mentioned above, the time-to-completion increases as you add sniffed password hashes to crack. Ten network challenge/response hashes take 10 times longer to crack than just one. Therefore, this type of cracking should be targeted toward particular passwords to be effective.

The DES operations that L0phtCrack 6 uses are CPU-intensive, not memory-intensive. Increasing the number and speed of processors has the greatest impact on improving L0phtCrack 6's performance. Extra memory has very little impact.

You can boost the performance of an L0phtCrack 6 audit by increasing the priority of the process if the local machine is not running other applications. To increase process priority:

  1. Launch L0phtCrack 6
  2. Open the Windows Task Manager by pressing Ctrl-Shift-Esc, or press Ctrl-Alt-Del and choose Task Manager.
  3. Go to the Processes tab and right-click the process labeled L0phtCrack 6.exe
  4. Choose Set Priority.

Raising the priority boosts L0phtCrack 6's performance at the expense of other running applications. Choosing the highest priority (Realtime) is not advised with L0phtCrack 6, as this can effectively lock up the operating system.

Beginning Your Audit

Once your audit is configured in the Session Options, L0phtCrack 6 is ready to perform the audit. Click the Begin Audit button on the toolbar to start your audit. During the audit, status information on the right-hand side of the L0phtCrack 6 interface shows the progress of the audit. During dictionary and hybrid audits, the number of dictionary words tried is displayed along with the percentage complete. During the brute force attack, the number of passwords attempted each second is shown as the keyrate.

Session Options

You can modify your Session Options for each audit by clicking Session Options under the Session menu. The following options are available:

  • Dictionary Crack
    Enable the Dictionary Crack method and locate the desired Dictionary List.

  • Dictionary/Brute Hybrid Crack
    Enable the Dictionary/Brute Hybrid Crack method, and choose the number of characters to prepend and append.

  • Precomputed
    Enable the Precomputed Crack, and choose the Hash File List.

  • Brute Force Crack
    Enable the Brute Force Crack, and choose the desired character sets.

Scheduling Password Audits

Administrators can schedule audit scans daily, weekly, monthly, or just once.

To schedule an audit, select Schedule Audit from the Schedule menu. A dialog box displays a number of options, including the location of hashes, and the frequency of the audits. Click OK when done. The scheduled audit uses the current session options. Double-check the options before scheduling audits.

Choose a descriptive Schedule Name, if there are multiple scheduled audits. The recommended naming scheme includes where the hashes come from, the audit type, and frequency. For example, an audit that pulls the password hashes from a local machine called ABC and performs a daily dictionary audit might be named:

ABC_Local_Daily_Dictionary

Select View Scheduled Tasks from the Schedule menu to view all of the scheduled events. To remove events from the scheduler, click them and press Delete.

Scheduled audits are only supported on Windows 2000 and later.

Remediating Poor Passwords

L0phtCrack 6 adds the ability to take action on audited accounts. User accounts can be disabled within L0phtCrack 6, or forced to change their password on the next login.

Click on the user account you wish to remediate. Select Disable Account(s) or Force Password Change from the Remediate menu to take the appropriate action. Multiple accounts can be selected by holding down the shift or control keys while clicking.

After an audit is completed, the following options are available in the Remediate menu:

  • Select All Expired Accounts
  • Select All Cracked Accounts
  • Select All Accounts with Weak Passwords

Use the Disable Account or Force Password Change options on the selected accounts to take the appropriate action.

Reporting

L0phtCrack 6 reports include:

  • Realtime audit snapshot
  • Export results

While the audit is taking place, the reporting tab offers a snapshot of the audit results in realtime. The reporting tab contains charts and graphs that help quickly identify the security profile of the user accounts. Reports include:

  • Audit Method. Shows the percentage of passwords cracked by dictionary, hybrid, pre-computed, and brute force auditing methods.
  • Risk Severity. Profiles the high risk, medium risk, and low risk passwords, as well as the number of empty passwords.
  • Password character sets. Shows the breakdown of audited passwords by alphanumeric, alphanumeric + special characters, and alphanumeric + special characters + international characters.
  • Audit Summary. Shows the number of accounts and domains audited.
  • Password Statistics. Shows the number of locked, disabled, expired, and old passwords.
  • Password Length Distribution. Shows the breakdown of passwords by length.

Upon completion of the audit, results can be exported by selecting Export->Session from the File menu. Results are exported in tab-delimited format for loading into a spreadsheet. L0phtCrack 6 exports the columns that are visible for the current session.
