June 7th, 2005, 10:00 PM
Suggestions for a PW cracking toolkit
We have an opportunity to do some on-site password integrity testing for a few days at a medium sized client site. The service group who normally does this thinks it is too small of a job to bother with, so we're handling it through a consulting contract.
So, we don't have any licensed software or anything yet to work with. Just a laptop and access. What are your suggestions for tools to go about this?
I am planning on a dual-boot system so we can run tools under both Windows and *NIX. The bulk of the testing will be 500+ Active Directory accounts, but we'll have a handful of /etc/passwd and /etc/shadow files, plus some accounts from routers and other devices on the network.
What would *your* wishlist be, and why?
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
June 7th, 2005, 10:36 PM
pwdump (latest version) & johnTR would be obvious choices
as far as software goes I had some experience w/ SAMInside
It was at a fashion design company (about 100 accounts), and SI found passwords faster than pwdump. I don't remember whether I did dictionary or brute force, though.
But since you say "wishlist" ... a nice dual Opteron/Xeon with 4 GB of RAM would be nice.
June 7th, 2005, 11:53 PM
I'd put ophcrack with the bigger of the tables on the list -- http://ophcrack.sourceforge.net/
I'd also include RainbowCrack -- http://www.antsight.com/zsl/rainbowcrack/... solely because the only other software that I know for sure works with the Shmoo Rainbow Tables is LC5, and that's pay software. I'm not sure whether ophcrack will use the Shmoo tables or not; you may have to "binarize" them first with the software from ophcrack 1 (link on the ophcrack 2 page). And speaking of the Shmoo Rainbow Tables, they're nice to have -- http://rainbowtables.shmoo.com/
Since it's an AD implementation, if you can get access to any of their workstations, it might be fun to bring Cachedump -- http://www.cr0.net:8040/misc/cachedump.html -- and the patched version of JtR with you.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
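The pwdump/John suggestion and the Cachedump suggestion above both come down to the same primitive, MD4: an NT hash is the unsalted MD4 of the UTF-16LE password, and a domain cached credential (what Cachedump pulls off a workstation) is MD4 of that NT hash followed by the lower-cased UTF-16LE username. The following is an added example, not code from this thread or from any of the tools named in it. It carries its own MD4 because hashlib's md4 is frequently disabled under OpenSSL 3. The pwdump lines and the wordlist are constructed for the example (the Administrator and Guest entries carry the well-known NT hashes of "password" and of the empty string; the third account's hash is generated at runtime), and crack_dcc1 takes (username, hex) pairs rather than parsing Cachedump's own output format, which is not shown on this page.

```python
import struct

MASK = 0xFFFFFFFF

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

# (boolean function, message-word order, per-step shifts, additive constant) per MD4 round
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
    (lambda x, y, z: (x & y) | (x & z) | (y & z),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (lambda x, y, z: x ^ y ^ z,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)

def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (hashlib's md4 is often missing under OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(st)
        for f, order, shifts, k in _ROUNDS:
            for i in range(16):
                j = (-i) % 4                          # update a, d, c, b in turn
                x, y, z = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = _lrot((v[j] + f(x, y, z) + X[order[i]] + k) & MASK, shifts[i % 4])
        st = [(s + w) & MASK for s, w in zip(st, v)]
    return struct.pack("<4I", *st)

def nt_hash(password: str) -> bytes:
    """NT hash as stored in the SAM / ntds.dit and dumped by pwdump: unsalted MD4 of UTF-16LE."""
    return md4(password.encode("utf-16-le"))

def dcc1_hash(username: str, password: str) -> bytes:
    """Domain cached credential (MSCache v1, what Cachedump recovers): MD4(NT hash || lower(user))."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored

def parse_pwdump(text):
    """pwdump lines look like  user:rid:LM-hash:NT-hash:::"""
    rows = []
    for line in text.strip().splitlines():
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return rows

def crack_pwdump(text, wordlist):
    """Unsalted NT hashes: hash the wordlist once and look every account up in that table."""
    table = {nt_hash(w).hex(): w for w in wordlist}
    return {r["user"]: {"password": table.get(r["nt"]), "lm_stored": r["lm"] != EMPTY_LM}
            for r in parse_pwdump(text)}

def crack_dcc1(cached, wordlist):
    """cached: (username, dcc1-hex) pairs. The username acts as a salt, so no shared table here."""
    found = {}
    for user, h in cached:
        for w in wordlist:
            if dcc1_hash(user, w).hex() == h.lower():
                found[user] = w
                break
    return found

# Constructed sample. Administrator/Guest carry the well-known NT hashes of "password" and "";
# a non-empty LM field just means an LM form was stored. svc_backup's hash is generated here
# for a password that is not in the wordlist.
SAMPLE_PWDUMP = "\n".join([
    "Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    f"svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:{nt_hash('Th1s-1s-N0t-1n-4ny-L1st').hex()}:::",
])
WORDLIST = ["Password1", "password", "letmein", "", "summer2005", "Welcome1"]

if __name__ == "__main__":
    for user, res in crack_pwdump(SAMPLE_PWDUMP, WORDLIST).items():
        print(f"{user:14} {res['password']!r:14} LM stored: {res['lm_stored']}")
    print(crack_dcc1([("jsmith", dcc1_hash("JSmith", "summer2005").hex())], WORDLIST))
```

Two things worth noticing when running it: the NT lookup costs one hash per wordlist entry no matter how many accounts are dumped (which is exactly why rainbow tables work against NT and LM hashes), while the cached credentials have to be hashed per user because the username is mixed in, so the Cachedump results take wordlist-times-accounts work and no precomputed table helps. A Guest entry whose NT hash equals the hash of "" is an enabled account with no password at all, which belongs at the top of the report rather than in the cracking statistics.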
June 8th, 2005, 06:22 PM
If I were you, I would boot up the machines that are already on site with a live Linux cluster distro and attack the password list with cisillia. ClusterKnoppix or the new version of CHAOS would do the trick.
June 9th, 2005, 11:07 AM
Why does this sound so scary, yet so plausible?
... service group who normally does this thinks it is too small of a job to bother with, so we're handling it through a consulting contract.
I am no password security guru, nor Active Directory, but I have a few questions here.
The bulk of the testing will be 500+ Active Directory accounts, but we'll have a handful of /etc/passwd and /etc/shadow files, plus some accounts from routers and other devices on the network.
Were you informed of the current password policies and checking procedures?
If so, how are they implemented?
At work (again, at work I am a user and not in IT) I have numerous passwords. Some are required to be changed every 30 days, some every 3 months, some never. Some cannot contain any form of a previous password used within the last year; some don't care.
How is this relevant to the thread? Before you can begin to assess the password integrity of the site, you must first know the current policies and integrity checking that are in place. There is no sense in checking passwords with johnTR if those passwords are already checked using it (unless there is some cause to believe the server doing the checks has been hacked).
FWIW, why require complex, 12+ character passwords for a system that is accessed from a system with little or no security of its own? What I mean here is, why insist on a complex password for a system, from a system that is easily hacked? If someone can hack one system (like those connected to the Internet, or through the Internet), can they not then introduce a keylogger and obtain logon and password combinations?
Just thoughts, which are known but I believe are sometimes overlooked.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
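The policy questions above (what ages and rules the systems actually enforce, and whether the stored hashes are even worth cracking) can be answered from the /etc/shadow copies the OP mentions before any cracking starts. The following is an added example and is not from this thread: it parses shadow(5) fields, classifies the hash form by its prefix, and reports what a policy review wants first: accounts with no password, accounts still on traditional DES crypt (8-character limit, cheap to brute-force) or md5crypt, passwords that never expire, and passwords older than the site's maximum age. The sample file is constructed; the hash strings in it are placeholders of the right shape, not real hashes, and the 90-day maximum and the 2005-06-07 "today" are assumptions taken from the date of the thread (the sha256crypt/sha512crypt/bcrypt prefixes postdate it and are included only so the classifier is usable now).

```python
from datetime import date

EPOCH = date(1970, 1, 1)
TODAY = date(2005, 6, 7)      # thread date, assumed; pass date.today() for a live audit

def _day(d):
    """Days since the Unix epoch, the unit shadow(5) uses for its date fields."""
    return (d - EPOCH).days

# Constructed sample: the hash strings are placeholders of the right shape, not real hashes.
SAMPLE_SHADOW = "\n".join([
    f"root:$6$saltsalt$notarealhash:{_day(date(2005, 5, 20))}:0:90:7:::",
    f"oracle:$1$saltsalt$notarealhash:{_day(date(2004, 1, 15))}:0:99999:7:::",
    f"backup:abJnggxhB/yWI:{_day(date(2005, 3, 1))}:0:90:7:::",
    "guest::12000:0:90:7:::",
    "nobody:*:12000:0:99999:7:::",
    "jsmith:!$1$saltsalt$notarealhash:12000:0:90:7:::",
])

def parse_shadow(text):
    """name:hash:lastchg:min:max:warn:inactive:expire:reserved; short lines are padded."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = (line.split(":") + [""] * 9)[:9]
        rows.append({"user": f[0], "hash": f[1], "lastchg": f[2], "max": f[4]})
    return rows

def classify_hash(h):
    if h == "":
        return "empty"                       # no password at all: login succeeds with none
    if h[0] in "!*":
        return "locked"                      # '!' from passwd -l, '*' for no-login accounts
    if h.startswith("$1$"):
        return "md5crypt"
    if h.startswith("$5$"):
        return "sha256crypt"
    if h.startswith("$6$"):
        return "sha512crypt"
    if h.startswith("$2"):
        return "bcrypt"
    if len(h) == 13:
        return "descrypt"                    # traditional crypt(3): 2-char salt + 11 chars
    return "unknown"

def audit_shadow(text, today=TODAY, max_age_days=90):
    """Return (user, finding) pairs; locked accounts are skipped, empty ones reported first."""
    findings = []
    for r in parse_shadow(text):
        kind = classify_hash(r["hash"])
        if kind == "locked":
            continue
        if kind == "empty":
            findings.append((r["user"], "empty-password"))
            continue
        if kind == "descrypt":
            findings.append((r["user"], "des-crypt"))
        elif kind == "md5crypt":
            findings.append((r["user"], "md5-crypt"))
        # max field empty, non-numeric or 99999 means aging is effectively off for this account
        if not r["max"].isdigit() or int(r["max"]) >= 99999:
            findings.append((r["user"], "never-expires"))
        if r["lastchg"].isdigit():
            age = _day(today) - int(r["lastchg"])
            if age > max_age_days:
                findings.append((r["user"], "stale-password"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:10} {finding}")
```

The per-account max field and the site policy are compared separately on purpose: an account whose own max is 99999 is reported as never-expires even when the written policy says 90 days, because that is the gap between policy and enforcement the post above is asking about. Locked accounts are skipped rather than cracked; an "!" in front of an otherwise valid hash is still worth a note in the report if the account is supposed to be active.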
June 9th, 2005, 02:32 PM
Cain from www.oxid.it is one of the best pieces of software out there.
It supports rainbow tables. I don't think they even have to be sorted, but it's faster if they are anyway.
Best of all, it's **free**.
Geek isn't just a four-letter word; it's a six-figure income.