What Is a Password Cracker?
A password cracker is any program that can decrypt passwords or otherwise disable password protection. A password cracker need not decrypt anything; in fact, most of them don't, because real encrypted passwords cannot be reverse-decrypted. A more precise way to put this is as follows: encrypted passwords cannot be decrypted. Most modern encryption processes are one-way (that is, there is no process that can be run in reverse to reveal the password in plain text). Instead, simulation tools are used that apply the same algorithm as the original password program. Through a comparative analysis, these tools try to match encrypted versions of candidate words against the stored password. Many so-called password crackers are nothing but brute-force engines, programs that try word after word, often at high speed, relying on the theory that they will eventually hit the right word or phrase.
To understand how password crackers work, we need only understand how password generators work. Most password generators use some form of cryptography, the practice of writing in some form of code. Cryptography can be defined as "the science and study of secret writing"; it concerns the ways in which communications and data can be encoded, using codes and other methods, to prevent disclosure of their contents through message interception, so that only certain people can read the real message.
Most passwords are subjected to some form of cryptography; that is, passwords are encrypted. To illustrate this process, let us reduce it to its most fundamental form. Imagine that you created your own code in which each letter of the alphabet corresponds to a number, as in the table below.
| A | B | C | D | E | F | G | H | I | J  | K  | L  | M  | N  | O  | P  | Q  | R  | S  | T  | U  | V  | W  | X  | Y  | Z  |
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 |
In the table, or legend, above, a corresponding number appears below each letter. Thus, A = 1, B = 2, and so forth. This is a code of sorts: instead of letters, it depicts the letters as numbers. Unfortunately, such a code can easily be broken. Even if the numbers are shuffled, there are programs that can decrypt the code very easily.
Many different operating systems are on the Internet. The majority of servers, however, run some form of UNIX. On the UNIX platform, all user login IDs and passwords are stored in a central location. For many years, that location was the file passwd in the directory /etc (/etc/passwd). The file contains various fields; of those, we are concerned with two: the login ID and the password.
The login ID is stored in plain text, or perfectly readable English. (This is used as a key for encryption.) The password is stored in an encrypted form. The encryption is performed using crypt(3), a routine based on the Data Encryption Standard (DES). IBM developed the earliest version of DES; today, it is used on all UNIX platforms for password encryption. DES is endorsed jointly by the National Bureau of Standards and the National Security Agency. In fact, since 1977, DES has been the generally accepted method for safeguarding sensitive data.
Certain implementations of crypt work differently. In general, however, the process is as follows:
1. Your password is taken in plain text (or, in cryptographic jargon, clear text).
2. Your password is then used as a key to encrypt a series of zeros (64 in all). The resulting encoded text is thereafter referred to as cipher text, the unreadable material that results after plain text has been encrypted.
Certain versions of crypt, notably crypt(3), take additional steps. For example, after going through this process, it encrypts the already encrypted text again, using your password as the key. This is a fairly strong method of encryption; it is extremely difficult to break.
In brief, DES takes submitted data and encodes it using a one-way operation sometimes referred to as a hash. This operation is special from a mathematical point of view for one reason: while it is relatively simple to encode data this way, decoding it is computationally complex and resource intensive. It is estimated, for example, that the same password can be encoded in 4,096 different ways. The average user, without any knowledge of the system, could probably spend his or her entire life attempting to crack DES and never succeed. To put that in proper perspective, examine an estimate from the National Institute of Standards and Technology:
The cryptographic algorithm [DES] transforms a 64-bit binary value into a unique 64-bit binary value based on a 56-bit variable. If the complete 64-bit input is used (i.e., none of the input bits should be predetermined from block to block) and if the 56-bit variable is randomly chosen, no technique other than trying all possible keys using known input and output for the DES will guarantee finding the chosen key. As there are over 70,000,000,000,000,000 (seventy quadrillion) possible keys of 56 bits, the feasibility of deriving a particular key in this way is extremely unlikely in typical threat environments.
One would think that DES is entirely infallible. It isn't. Although the information cannot be reverse-encoded, passwords encrypted via DES can be revealed through a comparative process. The process works as follows:
1. You obtain a dictionary file, which is really no more than a flat-file (plain-text) list of words (these are commonly referred to as wordlists).
2. These words are fed through any number of programs that encrypt each word. Such encryption conforms to the DES standard.
3. Each resulting encrypted word is compared with the target password. If a match occurs, there is better than a 90 percent chance that the password was cracked.
This in itself is amazing; nevertheless, password-cracking programs made for this purpose are even more amazing than they initially appear.
The emergence of such programs has greatly altered the security of the Internet. The reasons can be easily understood by anyone. One reason is that such tools are effective:
Crypt uses the resistance of DES to known plain text attack and makes it computationally unfeasible to determine the original password that produced a given encrypted password by exhaustive search. The only publicly known technique that may reveal certain passwords is password guessing: passing large wordlists through the crypt function to see if any match the encrypted password entries in an /etc/passwd file. Our experience is that this type of attack is successful unless explicit steps are taken to thwart it. Generally we find 30 percent of the passwords on previously unsecured systems.
Another reason is that the passwords on many systems remain available. In other words, for many years, the task of the cracker was nearly over once he or she had obtained the /etc/passwd file. In possession of the encrypted passwords, a suitably powerful machine, and a cracking program, the cracker was ready to crack (provided, of course, that he or she had good wordlists).
Wordlists are generally constructed with one word per line, in plain text, using no carriage returns. They average about 1MB each (although one could feasibly create a wordlist some 20MB in size). Many wordlists are available on the Internet, in a wide variety of languages (thus, an Indian cracker can crack a Pakistani machine and vice versa).
The wordlist is sent through the encryption process, generally one word at a time. Rules are applied to the word and, after each such application, the word is again compared to the target password (which is also encrypted). If no match occurs, the next word is sent through the process.
Some password crackers perform this task differently. Some take the entire list of words, apply a rule, and from this derive their next list. This list is then encrypted and matched against the target password. The difference is not academic: the second technique is probably much faster.
In the final stage, if a match occurs, the password is deemed cracked. The plain-text word is then piped to a file (that is, recorded in a plain-text file for later examination).
CrackerJack
CrackerJack is a renowned UNIX password cracker designed expressly for the DOS platform. Contrary to popular notion, CrackerJack is not a straight port of Crack (not even close). Nevertheless, CrackerJack is an extremely fast and easy-to-use cracking utility. For several years, CrackerJack has been the choice for DOS users; although many other cracking utilities have cropped up, CrackerJack remains quite popular (it's a cult thing). Later versions were reportedly compiled using GNU C and C++. CrackerJack's author reports that through this recompilation, the program gained noticeable speed.
There are some noticeable drawbacks to CrackerJack, including:
- Users can specify only one dictionary at a time.
- Memory allocation conventions prevent CrackerJack from running under Windows.
Despite these snags, CrackerJack is reliable and, for moderate tasks, requires only limited resources. It takes sparse processor power, doesn't require a windowed environment, and can run from a floppy.
PaceCrack95
PaceCrack95 is designed to work on the Windows platform in console mode, in a shell window. Its author reports that PaceCrack95 was prompted by deficiencies in other DOS-based crackers.
Qcrack
Qcrack was originally designed for use on the Linux platform and has recently been ported to the MS-DOS/Windows platform. Qcrack is therefore among the newest wave of password crackers that cropped up in 1996, which has increased the number of choices available. This utility is extremely fast, but it has some major drawbacks.
John the Ripper
John the Ripper is a relatively new UNIX password cracker that runs on the DOS/Windows platform. The binary distribution suggests that the coding was finished in December 1996. Early distributions of this program were buggy.
Hades
Hades is yet another cracking utility that reveals UNIX /etc/passwd passwords. Or is it? Hades is very fast, faster than CrackerJack. The distribution comes with some source code and manual pages, as well as an advisory, which says:
We created the Hades Password Cracker to show that world-readable encrypted passwords in /etc/passwd are a major vulnerability of the UNIX operating system and its derivatives. This program can be used by system operators to discover weak passwords and disable them, in order to make the system more secure.
Star Cracker
Star Cracker was designed to work under the DOS4GW environment. Okay...this particular utility is a bit of a curiosity. The author was extremely thorough, and although the features he or she added are of great value and interest, one wonders when the author takes time out to have fun. In any event, here are some of the more curious features:
- Fail-safe power outage provision: if the computer goes down, the work is not lost. Upon reboot, Star Cracker recovers all the work previously done (up until the point of the power outage) and keeps right on going.
- Time-release operation: we can establish time windows when the program is to do its work. That means we could specify, "Crack this file for 11 hours. When the 11 hours are up, wait 3 hours more. After the 3 hours more, start again."
Killer Cracker
Killer Cracker is another fairly famous cracking engine. It is distributed almost always as source code. The package compiles without event on a number of different operating systems, although it works best under UNIX.
Killer Cracker has many command-line options. This program is quite complete; perhaps that is why it remains so popular. It has been ported to the Macintosh operating system, it works on a DOS system, and it was designed under UNIX. It is portable and easily compiled.
Hellfire Cracker
Hellfire Cracker is a utility for cracking UNIX password files on the DOS platform. It was developed using the GNU compiler. This utility is quite fast, although not by virtue of its encryption engine. Its major drawback is that user-friendly functions are practically nonexistent. Nevertheless, it makes up for this in speed and efficiency.
Golden Eye
Golden Eye is a brute-force hacking program written for webmasters to test their own sites.
Password NT
The Password NT utility recovers, or cracks, administrator password files on the Microsoft Windows NT platform. In this respect, it is the NT equivalent of any program that cracks the root account in UNIX. Note that some hacking is required to use this utility: if the original drive on which the target password is located is NTFS (and therefore access-control options are enabled), we need to move the password to a drive that is not access-control protected. To do this, you must move the password to a drive also running Workstation or Server. Therefore, this isn't really an instant solution. Nevertheless, after everything is properly set up, it will take no time at all.
L0phtCrack
L0phtCrack is an NT password-auditing tool. It will compute NT user passwords from the cryptographic hashes that are stored by the NT operating system. The operating system does not store the user passwords in their original clear-text form for security reasons. The actual user passwords are encrypted into hashes because they are sensitive information that can be used to impersonate any user, including the administrator of the operating system. L0phtCrack computes the password from a variety of sources using a variety of methods.
Password security, when implemented correctly, is fairly reliable. The problem is that people pick weak passwords. Unfortunately, because UNIX, Linux, and Windows NT are multi-user systems, every user with a weak password represents a risk to the remaining users. This is a problem that must be addressed.
It is of utmost importance that all users on a system choose a password that is not easy to guess. The security of each individual user is important to the security of the whole system. Users often have no idea how a multi-user system works and don't realize that, by choosing an easy-to-remember password, they indirectly make it possible for an outsider to manipulate the entire system.
What are weak passwords? Characteristically, they are anything that might occur in a dictionary. Moreover, proper names are poor choices for passwords. However, there is no need to theorize on what passwords are easily cracked. It is safe to say that if the password appears in a password-cracking wordlist available on the Internet, the password is no good. So it is better to get some of the wordlists from the Net and check whether the password given by the user exists in the wordlist. If it exists, then it is really a poor password.
By regularly checking the strength of the passwords on the network, the system administrator can ensure that crackers cannot penetrate it (at least not by exploiting bad password choices). Such a routine can greatly improve system security. In fact, many ISPs and other sites now employ tools that check a user's password when it is first created.
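As an added example (not code from the original page or from any of the tools it describes), the following Python audit applies the wordlist-plus-rules comparison described earlier to stored password hashes, and reuses the same rule set to reject a weak password at creation time, which is the check this paragraph recommends. It assumes salted SHA-256 as a stand-in for crypt(3)/DES, since DES crypt is not in the Python standard library; the account records, their "login:salt$hash" layout, and the wordlist are all constructed for the example.

```python
import hashlib


def hash_password(salt: str, password: str) -> str:
    """Stand-in for crypt(3): salted SHA-256 instead of DES (an assumption,
    since DES crypt is not in the standard library). The audit logic is the
    same either way: encode the candidate with the stored salt, then compare."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def mangle(word: str):
    """Yield the variants a cracker's rules derive from one wordlist entry:
    case changes, reversal, and appended digits (a deliberately small rule set)."""
    for base in (word, word.capitalize(), word.upper(), word[::-1]):
        yield base
        for suffix in [str(n) for n in range(10)] + ["123"]:
            yield base + suffix


def audit(account_lines, wordlist):
    """Return {login: plaintext} for every account whose stored hash matches a
    mangled wordlist entry. Records are 'login:salt$hash' (a constructed
    format for this example, not the real /etc/passwd layout)."""
    cracked = {}
    for line in account_lines:
        login, stored = line.strip().split(":", 1)
        salt, digest = stored.split("$", 1)
        for word in wordlist:
            match = next((c for c in mangle(word)
                          if hash_password(salt, c) == digest), None)
            if match is not None:
                cracked[login] = match
                break          # one hit per account is enough for an audit
    return cracked


def is_weak(password: str, wordlist) -> bool:
    """Creation-time check: reject any password a rule variant would produce."""
    return any(password == c for w in wordlist for c in mangle(w))


# Constructed sample data: two weak passwords, one that survives the audit.
WORDLIST = ["password", "secret", "dragon", "letmein"]
ACCOUNTS = [
    "alice:ab$" + hash_password("ab", "Secret1"),
    "bob:cd$" + hash_password("cd", "dragon"),
    "carol:ef$" + hash_password("ef", "Tq9#vL2!pW"),
]
```

Calling audit(ACCOUNTS, WORDLIST) reports alice and bob as weak; carol's password is not derivable from the wordlist by these rules, so it is not reported.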
One point can be made clear: password crackers are growing in number. Because these tools often take significant processing power, it is not unusual for crackers to crack a large and powerful site just so they can use the processor power available there, distributing the workload across different machines.
Many people argue that there is no reason persuasive enough to warrant the creation of such tools. That view is untenable. Password crackers provide a valuable service to system administrators by alerting them to weak passwords on the network. The problem is not that password crackers exist; the problem is that they aren't used frequently enough by the good guys.