The Zen of Password Cracking - The Cisco Learning Network
That whole secret stuff really appeals to me. Movies like National Treasure and Indy Jones (except Indy 4, that sucked), coupled with books like Da Vinci Code, By Way of Deception or a great book, A Matter of Risk, really hook me. Who out there today doesn’t daydream about having privileged access to some big secret that folks are chasing you down to get? Can I get a witness! If you really want to get someone’s attention, start your statement with: "Let me tell you a secret…" I used to start many secure presentations with the phrase: Let me tell you a secret... It's called the Birthday Paradox...
Cracking passwords is typically what most folks think of when they think about hacking. In reality, that is a last-ditch act of desperation. When security folks today conduct pen testing, they are looking to piggyback on someone else’s access level to get into a system. But I tell you what, I feel like Jimmy Ray Bond when I do have to crack a password and actually do it. It is euphoric! At many hacker shows, they have contests to see who can crack a WEP key the fastest. The fastest I have seen was 8 seconds. The fastest I have done was 18 seconds. That is with a ton of luck hitting the IVs just right and at the right time. I brag on that time more than my collection of limited edition Burger King Star Wars watches.
But when it comes to the rubber hittin’ the road, how do you actually crack a password on a system? There are really four solid methods to crack a password, not counting just plain ole dumb luck and password recovery methods designed by the vendor. Psst!...come here.. Let me tell you a secret...put on your secret Ovaltine decoder ring and let’s take a look at these four methods and the tools used to accomplish this. Keep in mind that other than the tool Hydra (http://freeworld.thc.org/thc-hydra/), another great tool from the twisted and demented minds at THC, these tools do not try to log in and crack a password. Your password file/hashes are grabbed and cracked offline. Understand that your hash file is the critical step one to password cracking. It must be loaded into the cracker, so it has something to crack.
Footprinting. This is the Ellery Queen part of password cracking. Time for a little bit of deductive reasoning (calabash pipe optional) to spot a place where someone actually wrote down that obnoxiously long password required by the Corporate IT security team. Under keyboards, monitor arms, under pencil trays, beneath picture frames, under telephones, etc. are great places to store passwords. Heck, one time I logged into a web cam at a user's desk and could actually see their FTP username/password on a yellow sticky! Many times the password is written on a piece of paper in a locked drawer and the key to that drawer is in an overhead cabinet or on a hook under the desk. Administrative Assistants are the best targets here. They tend to be very service minded, so they not only have their own passwords but the keys to the kingdom of other team members as well. As a member of an IT security team, sweeping cubicles after hours is critical to your physical security. If your password scheme is so complex that folks have to write it down, then listen to your users! If not, you have a bigger security issue. Consider some form of two-factor authentication. Biometrics will be a cool option one day, but for now the software sucks. Remember, ALL accounts are important, not just the root/administrator or power user. No self-respecting hacker is going to directly assault the root/administrator account; they are going to target a smaller user/service account and then escalate the privileges. For example: I was looking for a user account to compromise for a security audit. I searched a cubicle and came up dry. Then I noticed how the cubicle was decorated: Brett Favre posters, jersey, cheesehead hat, helmet, etc...hmmm... I knew the username from an email tacked on the wall congratulating the user on a job well done. Could it be this easy?
Nope… let's try:
Welcome to the Wide World of unrestricted data access. Bond, Jimmy Ray Bond….
Dictionary. Common use passwords and default passwords can bite you like a starving Pitbull on a steak bone. Many websites list all default passwords for gear. I like this one: www.defaultpassword.com
Dictionary attacks are ultra popular now and will be for a very long time to come. A dictionary attack is basically a program that uses a dictionary file to try and guess your password from a predefined list. The critical piece of this attack is the actual dictionary file. Folks trade these online all the time. The file is not restricted in what it can contain. I have seen some excellent dictionary files out there with number and letter combinations, Star Trek references, backwards words, etc. I use the dictionary files from http://coast.cs.purdue.edu/pub/dict as a base and then I just edit them to fit my needs. I like to use the dictionary cracker John the Ripper http://www.openwall.com/john/. It is very fast, free and cracks both Windows and Unix passwords. It works on the command line but out of the box it will only crack LANMAN passwords; however, a quick little security tip here: if you use Linux as your cracking machine, then you can add on an NTLM package to support that algorithm from the same site. To run John the Ripper in dictionary mode, I just edit the config file and change the WORDLIST= option to be the actual dictionary file I want to use for that crack. Then launch the program with the command:
which looks like this:
John has three modes to crack passwords. Dictionary is the default mode. Many brute force crackers by nature also support dictionary cracking, although I have found it a bit slower. If you like using a Windows machine for cracking, then I really like the GUI tool Cain from Oxid. This tool is packed with tons of features other than just plain ole password cracking. In the dictionary cracking alone you can also use your same dictionary file to run variants of each word. For example:
- Reverse: The reverse form of the password is tried (password, drowssap, etc…).
- Lowercase: The lowercase form of the password is tried (Password, password, etc...).
- Uppercase: The uppercase password is tried (Password, PASSWORD).
- Case Perms: All case permutations of the password are checked (password, Password, pAssword, PAssword, PASSWORD, etc…).
- Two numbers Hybrid-Brute: appends a maximum of two digits after each word (Password0, Password1,...Password9, Password00, Password01, .... Password99).
Just like Bass fishing on a low pressure day, I give this tool my absolute highest endorsement for any security professional.
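The variant rules listed above also tell a defender what a password filter has to reject. The following is an added example, not code from Cain or from the original post: it checks whether a proposed password is reachable from a wordlist through those rules. The function names and the wordlist are constructed for illustration, and the rules are assumed to be combinable, which is the conservative choice for a filter.

```python
def matched_rule(password, wordlist):
    """Return (word, rules) if the listed variant rules reach `password`, else None."""
    listed = {w.lower(): w for w in wordlist}
    for n in (0, 1, 2):                      # Two numbers Hybrid-Brute: 0-2 appended digits
        stem, tail = (password[:-n], password[-n:]) if n else (password, "")
        if n and not (len(tail) == n and tail.isascii() and tail.isdigit()):
            continue
        for reverse in (False, True):        # Reverse rule
            form = stem[::-1] if reverse else stem
            word = listed.get(form.lower())  # Lowercase / Uppercase / Case Perms collapse here
            if word is None:
                continue
            rules = ["reverse"] * reverse
            if form != word:
                rules.append("case")
            if n:
                rules.append(f"{n}-digit hybrid")
            return word, rules or ["exact"]
    return None


def max_guesses(word):
    """Upper bound on the candidates the combined rules generate from one word."""
    cased = sum(c.lower() != c.upper() for c in word)
    return 2 ** cased * 2 * (1 + 10 + 100)   # case perms x reverse x digit suffixes


# Constructed wordlist: a generic word plus terms visible in a user's surroundings.
WORDLIST = ["password", "Packers", "favre"]

if __name__ == "__main__":
    for candidate in ("drowssaP7", "PACKERS99", "favre", "Tr0ub4dor&3"):
        print(candidate, "->", matched_rule(candidate, WORDLIST))
    print("guesses needed for 'password':", max_guesses("password"))
```

A password that matches should be rejected at change time; the guess count shows how little the decorations add once the base word is in a dictionary.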
Brute Force. This is the method most folks think of when they think of true password cracking. Brute force cracking is simply trying every single letter, upper and lower case, with every number and character and every possible combination. This can take many years to crack. It will certainly work 100% of the time; the problem is that by the time it is cracked, they have most likely changed the password and here we go again… The tool that got all the press for accomplishing a fairly speedy brute attack was L0phtCrack. That tool was purchased by @stake. Overnight it went from free to 800 bucks! The product has been retired from service and is no longer available. There are many excellent replacements for a much better cost…like free! LCP from LCPsoft (http://www.lcpsoft.com/english/index.htm) is easy to use and truthfully supports more features than the fee-based L0phtCrack version 5. I like LCP; the only thing I noticed is that you can really speed up the password recovery process by using the output of pwdump3. However, to make pwdump3 work you have to replace the lsaext.dll file with the one that comes with LCP, and then it really cooks!
I absolutely love the tool Cain (http://www.oxid.it/cain.html). It is so flexible and truly approaching NMAP type of greatness. Cain is an excellent brute forcer for a ton more password hashes. It is also one of the best documented tools I have seen in a long time from the developer. Understand this critical step: to crack a password, you must FIRST grab the hashes with a tool like pwdump3 and redirect the output to a text file, like so:
Pwdump3 looks like this:
Pwdump3 192.168.1.99 passwd.pwd
Then feed the file created (passwd.pwd) into Cain or LCP so it can crack the hash.
Rainbow Tables. This is the best way to crack passwords today. It is based upon the work done by Philippe Oechslin (http://lasecwww.epfl.ch/philippe.shtml). This is a very cool method, sometimes referred to as a Time-Memory Trade-Off, that is a cross between a dictionary attack and a brute force attack. What if I could tell you that you could crack every single possible combination of letters, numbers and characters up to 18 characters long in less than 13 seconds? In walks the Rainbow Table. These tables are every possible precomputed password hash. As you can imagine, these tables are huge in size and not easily downloadable. The current size for all hashes is around 92GB and this changes monthly. Normally you either pay a monthly fee to use the tables online or just order the DVD sets. The cost is between 30-150 bucks on average. If you balk at the cost and would like to build your own tables, this can be easily accomplished with the program rtgen for Linux or Winrtgen for Windows. Use a powerful server, PIII or better, add some time and disk space, and there you go. I build my own tables, and when I leave for the weekend, I start up rtgen and keep building. Using the tables is a real piece of cake. When doing tables I always use Cain. I just load the hash file I captured with Pwdump3, select Rainbow tables instead of dictionary or brute force, and it is done super fast. The longest I have ever seen this process take was 12 minutes. If you do demos to "wow" folks, this is a super impressive demo to show the power of tables. Just invite anyone to enter any password they want and crack it before they sit down. Bond, Jimmy Ray Bond.
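To make the time-memory trade-off concrete, here is an added toy example (not from the original post and not how rtgen or Cain is implemented). It assumes a keyspace of 4-digit PINs and uses MD5 as a stand-in for an unsalted hash, stores only the start and end of each chain, and recomputes the middle on lookup. The final check goes one step beyond the text: a per-account salt, which LM and NT hashes do not have, makes the same table useless.

```python
import hashlib

T = 40           # hash/reduce steps per chain
SPACE = 10_000   # toy keyspace (4-digit PINs), an assumption so the demo runs in seconds

def h(pw, salt=""):
    # MD5 stands in for an unsalted password hash; the salt is used only in the last check.
    return hashlib.md5((salt + pw).encode()).hexdigest()

def reduce(digest, step):
    # Map a digest back into the keyspace; mixing in the step gives each column its own function.
    return f"{(int(digest[:8], 16) + step) % SPACE:04d}"

def chain_end(pw, first_step=0):
    for step in range(first_step, T):
        pw = reduce(h(pw), step)
    return pw

def build_table(n_chains):
    # Only endpoint -> start points is stored; the passwords in between are recomputed on demand.
    table = {}
    for i in range(n_chains):
        start = f"{i * (SPACE // n_chains):04d}"
        table.setdefault(chain_end(start), []).append(start)
    return table

def lookup(table, target):
    # Assume the target sits in column `step`, finish the chain from there, test the endpoint.
    for step in range(T - 1, -1, -1):
        end = chain_end(reduce(target, step), step + 1)
        for start in table.get(end, []):
            pw = start
            for s in range(T):          # replay the stored chain to filter false alarms
                if h(pw) == target:
                    return pw
                pw = reduce(h(pw), s)
    return None

def coverage(table, pins):
    pins = list(pins)
    return sum(lookup(table, h(p)) == p for p in pins) / len(pins)

if __name__ == "__main__":
    table = build_table(500)
    sample = [f"{p:04d}" for p in range(0, SPACE, 50)]
    print(f"500 chains stored for {SPACE} passwords, coverage {coverage(table, sample):.0%}")
    print("salted hash found:", lookup(table, h("0000", salt="k3")))  # constructed salt
```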
Password cracking is really a lot of fun and is something we as IT folks should do often as part of a security audit. The real weakness in passwords is Windows' continued support for LANMAN hashes, which is enabled by default. This can be disabled in XP and Server 2003 under Security Policy/Security Options/Network Security: Do Not Store LAN Manager Hash Value On Next Password Change. It is important to understand a couple of things. First, LM hashes are stored until the passwords are changed for every single account. Secondly, many application programs use the LANMAN subsystem for security because it is easier to code up. If you turn this off, check it out in your lab first before doing this on a production server.
It's about time for me to work on the Newcastle Paradox: out of 120 cable channels -> Star Trek will be on one of them -> Out of thousands of temperature ranges the Newcastle is just right at 52 degrees....
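Because LM hashes stay in place until each account's password is changed, an audit after flipping the policy needs to find the accounts that still carry one. The following added example (not from the original post) reads pwdump-style `user:RID:LM:NT:::` lines and flags them; the sample lines and hash values are constructed, and the status labels are names chosen here.

```python
import string

EMPTY_LM_HALF = "aad3b435b51404ee"   # LM result for an empty 7-character half

def classify_lm(lm_field):
    lm = lm_field.strip().lower()
    if len(lm) != 32 or any(c not in string.hexdigits for c in lm):
        return "no-lm"               # placeholder text instead of a hash
    if lm == EMPTY_LM_HALF * 2:
        return "no-lm"               # nothing usable stored
    if lm[16:] == EMPTY_LM_HALF:
        return "lm-short"            # second half empty: password is 7 characters or fewer
    return "lm-long"                 # both halves populated: 8 to 14 characters

def audit_pwdump(text):
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:         # user:RID:LM:NT:::
            report[fields[0]] = classify_lm(fields[2])
    return report

def needs_password_change(report):
    # Accounts whose LM hash is still stored and will stay until the password changes.
    return sorted(user for user, status in report.items() if status != "no-lm")

# Constructed sample in pwdump layout; the hash values are made up, not real hashes.
SAMPLE = """\
alice:1001:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
bob:1002:0123456789abcdeffedcba9876543210:ffeeddccbbaa99887766554433221100:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
svc_backup:1004:NO PASSWORD*********************:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::
"""

if __name__ == "__main__":
    report = audit_pwdump(SAMPLE)
    for user, status in report.items():
        print(f"{user:12} {status}")
    print("force a password change for:", needs_password_change(report))
```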
Jimmy Ray Purser
Trivia File Transfer Protocol
The definition of hope: "Weird" Al Yankovic received a Bachelor's degree in Architecture in 1981. He was also the high school valedictorian at the age of 16. Looks like my kids have a chance...