“ Hackers Beware “ New Riders Publishing 407 System: SunOS 5.6 Generic sun4u sparc SUNW,Ultra-2 Home: /home/ Invoked: Crack npasswd Stamp: sunos-5-sparc Crack: making utilities in run/bin/sunos-5-sparc find . -name "*~" -print | xargs -n50 rm -f ( cd src; for dir in * ; do ( cd $dir ; make clean ) ; done ) rm -f dawglib.o debug.o rules.o stringlib.o *~ /bin/rm -f *.o tags core rpw destest des speed libdes.a .nfs* .old \ *.bak destest rpw des speed rm -f *.o *~ ` / /run/bin/sunos-5-sparc/libc5.a' is up to date. all made in util Crack: The dictionaries seem up to date Crack: Sorting out and merging feedback, please be patient Crack: Merging password files Crack: Creating gecos-derived dictionaries mkgecosd: making non-permuted words dictionary mkgecosd: making permuted words dictionary Crack: launching: cracker -kill run/sun.16095 Done It is important to note that this is not the output showing which passwords were cracked, but the output of the program explaining what the system is doing. The key things you are looking for is that no error messages were generated and that the last line says Done. If both of these occur, you are in good shape. To make sure Crack is running properly, create an account named eric with a password of eric. Then, run the program and make sure it successfully cracks the password. I recommend always creating a test account, just to make sure the program is working properly. After you verify that Crack is working properly, make sure that you delete the account. I went to one company, and the administrators kept telling me how secure their users were and they were not sure why management wanted a security audit performed. In this case, management wanted me to keep the administrators involved, so I explained to them that I was going to extract and crack the passwords. They assured me that this was a waste of time, because they had already run Crack and did not find any weak passwords. I told them that I needed to run Crack even if it merely validated the results they already found. Sure enough, after running Crack for 30 minutes, it cracked over 90 percent of the passwords. The company was shocked and amazed. As it turned out, they had configured Crack with the wrong parameters and therefore it was unable to crack anyone’s password. Checking the Output of Crack—Reporter “ Hackers Beware “ New Riders Publishing 408 To check the results of the Crack program to see which passwords have been cracked, you need to run the Reporter script. This script outputs the results of which passwords were cracked. This can also be piped to a file. If you used an earlier version of Crack, it no longer generates human- readable output directly; instead, to see the results of a Crack run, the user should type the following command: ./Reporter [-quiet] [-html] Guesses are listed chronologically, so users who want to see incremental changes in the output as Crack continues to run over the course of days or weeks are encouraged to wrap invocations of Reporter in a script with diff. The -quiet option suppresses the reporting of errors in the password file (corrupt entries and so on), whereas -html produces output in a fairly basic HTML-readable format. In most cases, I do not recommend the HTML option because I personally would not want to post the results of cracked passwords to a web site, but that option is there. Some companies use it to create a program that parses the HTML and keeps a database of cracked passwords or sends management an email. The following example illustrates the reasoning behind my apprehension to post cracked passwords to a web site. I was performing an assessment for a client and noticed a vulnerability in their web site. I was able to view all of the files in the parent directory, one of which was called badusers.html. When I opened it up, it was an HTML file of the results of Crack. By posting weak passwords to a Web site where the entire company could view it, the administrators hoped to not only embarrass users with their weak passwords but also force them to change their passwords, because the entire company could see their passwords. Unfortunately, this creative idea for enforcing strong passwords failed because 10 of the 15 passwords were not changed. The users were so furious with IT for creating the page that they refused to change their passwords; however, the administrators decided to make their point by refusing to remove the page. In the long run, anyone, through access to those ten active accounts could have gained access to the network. Embarrassing and threatening users does no good—in most cases, it makes matters worse. Remember that having users as your allies goes a long way toward securing a system. I have found that by combining user awareness with strict enforcement helps maintain a high number of users as allies, while increasing the overall security of your network. Not all users will listen, but if you clearly explain and help them understand security, most users will adhere to the guidelines. Even though programs have all sorts of options, use some common sense when utilizing their features. The preceding example might seem fictitious, “ Hackers Beware “ New Riders Publishing 409 but actually happened. I included it to show you how easy it is for a company to lose sight of what is important when securing its systems. Crack Options Crack has several options that can be used. The following are the most popular ones: • debug. Lets you see what the Crack script is doing. After you get comfortable with Crack, you can turn this off, but I highly recommend that you turn this option on the first several times you run it. • recover. Used when restarting an abnormally terminated session. For whatever reason, sometimes programs do not always run properly or finish execution. In this case, you can try to gracefully recover. • fgnd. Runs the password cracker in the foreground while stdin, stdout, and stderr are sent to the display so that users can better monitor what is occurring. • fmt. Allows the user to specify the input file format that should be used. • n. Allows the user to jump to a specific spot in the rule base and start password cracking from a specific rule number “n.” • keep. Prevents deletion of the temporary file used to store the password cracker’s input. This is helpful for determining what the user did or troubleshooting problems. • mail. Emails a warning message to anyone whose password is cracked. Be cautious of using this because often the people in an organization who have weak passwords are the ones who sign the checks. • network. Runs the password cracker in network mode. • nice. Runs the password cracker at a reduced priority for other jobs to take priority over the CPU. I recommend using this option. Normally when Crack is run, it uses whatever resources are available. By running it in nice mode, you enable other people to still use the system. Crack Accuracy To see how well Crack performs, I ran the program with an out-of-the-box install against a password file with various types of passwords. Following is the sample file that was used: User Eric password eric User John password john1234 User Mike password 5369421 “ Hackers Beware “ New Riders Publishing 410 User Mary password #57adm7# User Sue password sue User Lucy password 12345 User Pat no password User Tim password password User Cathy password 55555 User Frank abcde User Tom password mnopqr User Karen password bbbbbbbb Crack was run against this file on a 500Mhz Pentium with 128MB of RAM with the default options. It ran for approximately 150 seconds and cracked the following passwords: passwords cracked as of Tue Aug 17 10:41:00 EDT 1999 0:Guessed pat [<no-ciphertext>] [npasswd /bin/sh] 934899050:Guessed eric [eric] [npasswd /bin/sh] 934899050:Guessed lucy [12345] [npasswd /bin/sh] 934899050:Guessed sue [sue] [npasswd /bin/sh] 934899259:Guessed tim [password] [npasswd /bin/sh] 934899274:Guessed frank [abcde] [npasswd /bin/sh] 934899304:Guessed karen [bbbbbbbb] [npasswd /bin/sh] 934899342:Guessed cathy [55555] [npasswd /bin/sh] done To see how well Crack performed, here is a summary listing of which passwords it found and which ones it did not: User Eric password eric - CRACKED User John password john1234 User Mike password 5369421 User Mary password #57adm7# User Sue password sue - CRACKED User Lucy password 12345 - CRACKED User Pat no password - CRACKED User Tim password password - CRACKED User Cathy password 55555 - CRACKED User Frank abcde - CRACKED User Tom password mnopqr User Karen password bbbbbbbb – CRACKED As you can see, Crack guessed eight of the passwords. All of the passwords that were guessed were simple words, repetitive characters, or strings of characters or numbers. It is interesting that abcde was cracked but mnopqr was not. Both are strings, but one started in the beginning of the alphabet and the other started in the middle. Also, john1234 was not cracked, which is a simple combination of two strings. “ Hackers Beware “ New Riders Publishing 411 This is not a negative aspect of Crack, however it is important to understand the limitations of a program whenever you use it. Just because Crack didn’t guess a password does not mean that an attacker might not or that a given password is strong. Also, it is important to note that these results are based on the standard configuration of Crack. Crack can be configured to guess additional passwords. One key characteristic of password crackers that use dictionary attacks is the quality of the dictionary they use. The old saying, “Garbage in, garbage out,” holds true, and a dictionary cracker is only as good as the dictionary that it uses. There are several sites on the Internet that contain dictionaries and you also can create your own. Also, depending on where your company is located, there are dictionaries that contain foreign words. John the Ripper (John) John the Ripper (John) is a UNIX password cracker, but can be run from either a UNIX or a Windows platform. It is available from http://www.openwall.com/john/. There are different versions that can be downloaded for each operating system. Both versions come with the source code, which is a nice feature. On the UNIX machine, the source code has to be compiled; but on Windows systems, John gives both the source files and the compiled binary. John is powerful and fast and has a lot of built-in features that are easy to use. These include dictionary and brute force attacks, which were covered in detail in Chapter 8, “Password Security.” Latest Version of John According to the documentation that came with John, the following are some of the new features included in the latest version, 1.6: • Everything is re-coded to be more extendable, more portable (no GNU C extensions used, unless __GNUC__ is defined), and more readable. • Support for running two hashes simultaneously. • Bit slice DES routines: Up to three times faster on RISC. • Initial attempt at vectorization support for bit slicing. • BSDI’s extended DES-based ciphertext format support. • OpenBSD’s Blowfish-based ciphertext format support. • Special assembly DES routines for x86 with MMX: more than 30 percent on a Pentium II. • Improved MD5 routines (both C and x86 assembly), 10 to 50 percent faster. • Smarter length switching in incremental mode. • Wordlist rules are now expanded while cracking, not at startup. “ Hackers Beware “ New Riders Publishing 412 • New options -session and -groups. • Simplified the syntax of -users, -shells, and -salts. • Replaced -noname and -nohash with -savemem. • Replaced -des and -md5 with -format. • Removed some obsolete options to keep the thing simple. • Added continue, break, return to the built-in compiler. • Allows C comments in external mode definitions. • Better default rule sets: variable length limit, less redundancy. • System support for BSD and Linux distributions. • Tested and make files for more versions of UNIX like Linux/PowerPC, FreeBSD/Alpha, and SCO. • Many internal algorithm improvements. • Fixed most of the bugs and portability issues. John Requirements John has versions that can run on either a UNIX or Windows platform, so each will be covered separately. Using John with UNIX The latest version has been tested on the following versions of UNIX: • Linux x86/Alpha/Sparc • FreeBSD x86 • OpenBSD x86 • Solaris 2.x Sparc/x86 • Digital UNIX With UNIX, you only download the source code, so the following are the requirements that are needed to get it up and running: • UNIX-like operating system. • C compiler. • Moderate amount of disk space (10MB). • Lots of CPU time. • Permission from the system administrator. You should always get permission and authorization before running these programs. • Root privileges (if using shadow files). • Uncompression program like gzip and tar. John is not as large and computation intensive as Crack, but because it is cracking passwords, it can still use up a considerable amount of resources, depending on the size and difficulty of the passwords and the options that are used when running the program. Therefore, before you install John, make sure you have enough resources to compile and run it. If other departments are using the UNIX machine, please check with them prior to “ Hackers Beware “ New Riders Publishing 413 running it. Otherwise, it could cause unnecessary issues if they are running critical applications. Always get permission from the administrator and your supervisor before running this tool or any similar tool. I know I am repeating myself, but this point cannot be overemphasized. Especially if you do not own the machine, always make sure you check with the appropriate people prior to running it. With UNIX, you download a compressed tar file. To do so, follow these steps: 1. Download the John file. 2. Unzip the file using gzip: 3. gunzip john-1_5_tar.gz 4. Untar the file: 5. tar -xvf john-1_5_tar 6. Read the README and INSTALL documents. 7. If necessary, edit the source code. 8. Compile the program: 9. 10. cd src make SYSTEM (where SYSTEM is the system type you will be compiling it on) If everything works, the executable version will appear in the run directory. Windows The latest version of John can run on Windows NT/95/98 and DOS. With the Windows version, you download a zip file that contains the source code and the precompiled binaries. Based on this, the only system requirements are an uncompression program and enough disk space. Also, because this program is used to crack UNIX passwords, there must be some way that you can acquire the UNIX password file and transfer it to the Windows machine. With Windows, after the program is downloaded and uncompressed, you cd to the run directory and you are ready to go, because the Windows version comes with a precompiled binary. If the user chooses to recompile or make any changes, the source code is in the src directory. To do this, the user needs a C compiler for the operating system he is working on. “ Hackers Beware “ New Riders Publishing 414 Running John Running John is straightforward. You just type john, followed by any options, followed by the password file. The following are some of the options that can be used with John: • single. Cracks a single password file. This is the simplest and most straightforward method. • wordlist:file. Enables John to use a dictionary file to crack the passwords. • rules. Enables rules to be used that allow John to make changes in the dictionary words it uses to crack the passwords. • incremental. Enables the incremental or brute force mode based on the parameters that are specified in the john.ini file. • restore:file. Continues an interrupted session. • session:file. Allows you to specify a filename where the session information is saved to. • show. Shows the cracked passwords for the last session that was run. • test. Performs some benchmark tests to make sure the system is working properly. • users:[-]LOGIN|UID[, ]. Loads only a specific group of users or accounts. This allows you to filter out and only crack a few accounts. This is helpful if you have a couple of very sensitive accounts that you want to check more frequently. • groups:[-]GID[, ]. Loads only specified groups into the system. • salts:[-] count. Allows you to set a password per salt limit, which will achieve better performance. John also comes with the following two utilities that are useful in some environments: • unshadow PASSWORD-FILE SHADOW-FILE >output file. Used to combine the passwd and shadow files together for systems that use the shadow file. These files must be combined prior to running John. • Mailer password-file. A script that sends email to all users who have weak passwords. I recommend running John in the following order. First, run the following to see what passwords you crack: john –single password-file john –show Next, run a dictionary attack: “ Hackers Beware “ New Riders Publishing 415 john –w:wordfile password-file john –show If the passwords have still not been cracked, run a brute force attack: edit john.ini file john –i password-file john –show There are several other parameters you can use, but these are the most basic. Results from Running John When you run John, the results are displayed on the screen, but you can also type john –show to see the results again or save them to a file. To compare the accuracy of the results, let’s use the same password file we used for Crack. These results are based on running on a 500Mhz Pentium with 128MB of RAM. After running john –single passfile, it completed in 10 seconds and cracked 2 passwords. The following is the output: John the Ripper Version 1.5 Copyright (c) 1996-98 by Solar Designer eric:eric:1001:10::/usr/eric:/bin/sh sue:sue:1005:10::/usr/sue:/bin/sh 2 passwords cracked, 10 left When running John with a dictionary file, by issuing the command john w:wordlist passfile, it ran in 120 seconds and cracked 5 passwords. The following is the output: John the Ripper Version 1.5 Copyright (c) 1996-98 by Solar Designer eric:eric:1001:10::/usr/eric:/bin/sh sue:sue:1005:10::/usr/sue:/bin/sh lucy:12345:1006:10::/usr/lucy:/bin/sh tim:password:1009:10::/usr/tim:/bin/sh frank:abcde:1011:10::/usr/frank:/bin/sh 5 passwords cracked, 7 left “ Hackers Beware “ New Riders Publishing 416 With the -i option, which causes John to perform a brute force attack, John ran for several weeks and of course cracked all of the passwords, because that is what a brute force attack does. XIT XIT is a password cracker for UNIX that performs a dictionary attack and is available from http://neworder.box.sk/. It is a small but fast program. It does have limited functionality because it only can perform a dictionary attack, but in some environments you need a quick program that can check passwords. It runs in a DOS window on most Window platforms. It comes with the C source code, so if you want a better understanding of how cracking works or if you want to build your own password-cracking tool, this might be a good start. The source code is very well commented and fairly easy to port and recompile. I was able to get it compiled in a short period of time. Latest Version of XIT In this version, there are a couple of new enhancements: • New SPACEBAR option to display status line. When the program is running, you can press the spacebar and it displays status information of how far along the program is. • Can optimize the code for better performance. • Full C documented source code of the main executable file. As I stated earlier, this is not meant as a replacement for Crack, but I know in some environments, where a company wants to periodically check to make sure users are not using certain words as their passwords, this program is a good solution. If that is the case, this might be the right tool because it has less features and therefore is easier to use and uses less resources to run. XIT Requirements The requirements to run this program are very simple—all you need is a Windows machine and enough hard drive space to run the program. When the program runs, it expands some files, so it could have some difficulty running on a floppy, but if you have at least 5MB of disk space you should be fine. The only requirements you need are a dictionary file and a UNIX password file (with the encrypted passwords if you are using a shadow file). It does not have a utility to merge the passwd and shadow files together, so you either have to write one or use the one from John the Ripper or Crack. Configuring XIT [...]... if there is a problem, you can restore the settings at a later time To save the values of a subtree, select Save Subtree as from the Registry menu To restore the values, you select Restore from the Registry menu In either case, you get a dialog box similar to the one shown in Figure 11.7, which allows you to select either the filename you want to save the Registry data to or the file you want to restore... Computer from the Registry menu Figure 11 .6 shows a connection to a remote machine called NTServer1 Figure 11 .6 Connecting to a remote machine and accessing the Registry Now the Registry can be accessed on the remote machine Pay attention to the titles in the window to tell whether you are accessing the Registry “ Hackers Beware “ New Riders Publishing 440 values on the local or remote machine To allow... using these tools is that they can be used to protect your site and should be embraced if they are used properly If an administrator runs cracking programs on a consistent basis and uses them to increase the security on his site, the usefulness of these tools to an attacker decreases tremendously Therefore, it is imperative that you not only understand what tools are available, but also use them, especially... programmers use to allow them to make calls to the subsystem, which in turn makes calls to the Kernel Because these APIs were well thought out and carefully tested, they give the programmer the access he needs, while limiting the potential damage they can cause Now let’s briefly look at each piece of the kernel mode The hardware abstraction layer (HAL) is the piece that directly interacts with the hardware... the files together To merge the files, if you are very careful and good with a text editor, you can do it manually Or for the less insane, Crack comes with a shadmrg.sv script that enables the user to combine the two files The shadmrg script does not use arguments and must be edited for it to work properly For example, you would go into the file and find the first non-commented lines that contain the. .. basic measures, an administrator can assure that unwanted users do not have access to the console of the servers Remember, if an attacker can get access to the physical server, he can always boot into another operating system (like Linux) off of a floppy and have full control of the system The Registry The Registry is basically the brains of NT and therefore is critical to the security of an NT system... company’s security, because now authentication is based on something you have and something that you know Instead of time, some devices use what is known as a challenge response The user presents his user ID to the system and the system responds with a challenge The user then types the challenge into the device and the device displays a response, which the user then types as the password Another form,... across the computers and have the power of a quad processor machine To do this, you set up a daemon on each of the machines and tell the main Slurpie program what machines they are on It then connects to those machines and distributes the work between all of the machines to crack the passwords Slurpie can also run on just one machine, but then you lose some of the benefits of the program Running the daemon... code, whenever data is passed into a program, it should be validated to make sure it adheres to what the program is expecting If you were writing a program that prompts the user for two numbers and adds the numbers together, you would want to check the input and make sure it is two numbers If the user enters a letter, the program should discard the data and print a message to the user saying, Please enter... attacker has to download the code, install a compiler on the system, customize the code for the target system, make sure the proper libraries are installed, and compile the code Some programs come with make files, which makes this easier to do, but the bottom line is it requires more work and expertise Let’s take a look at the source code versus executable problem The following is the source code for the WinNuke . page that they refused to change their passwords; however, the administrators decided to make their point by refusing to remove the page. In the long run, anyone, through access to those ten. shadow files together, so you either have to write one or use the one from John the Ripper or Crack. Configuring XIT “ Hackers Beware “ New Riders Publishing 417 To configure the program,. are going to run this program on, you have to go to each machine and start the slurp daemon, which causes the program to listen on the port you specified. To start up the daemon, type the command./slurp