Although it may not seem very intuitive at first glance, this password-cracking section was consciously placed in this chapter because an administrator should be able to evaluate the security of its user's passwords, and what better method than using a hacker's techniques and cracking them?
Simply known as john, this program is the reference in password cracking. Contrary to other tools, the crypto routines are assembly optimized for a number of processors (Intel Pentium, x86 with MMX, generic x86, Alpha EV4, Sparc V8) and the hashes implemented cover a large spectrum of algorithms. It works in one of four modes:
Uses a flat text file with one word per line to try as passwords on a target list of hashes. A mangle option has john mangle words from the list to produce additional likely passwords.
Uses the clear text fields of the password file to generate password candidates (Gecos and full name). It applies a large set of mangling rules and is usually much faster than other modes.
Single crack mode may guess more passwords when run simultaneously on multiple password files (if those files are somewhat related) than when it is run on each file separately.
Also known as brute force. It tries all character combinations from a set defined in the configuration file. This mode can be extremely expensive both in CPU and overall time to achieve. It will find the shortest password first. For long passwords, read the upcoming section "Rainbow Cracking."
Extends john to new and proprietary hash algorithms. In other words, you can come up with your own hash function and still use john to try breaking it.
In general, I like to do a first pass in single mode, as it usually finds the low-hanging fruit in a really short time. Second best is the wordlist mode, but you will have to add your own password dictionary because the default john installation does not provide any dictionary file. You can buy such files directly from the john home page at http://www.openwall.com/wordlists.
The first step to start using john is to obtain a dump of the password file containing the hashes to be cracked. Unix users can use the unshadow utility provided with john, and Windows users should use utilities dumping the same information out from the registry in Jeremy Allison's PWDUMP format.
[emoret@fc6 ˜]$umask 077[emoret@fc6 ˜]$sudo unshadow /etc/passwd /etc/shadow > ˜/tmp/passwd
The next step is to obtain a decent wordlist. You can get one from the official john home page at http://www.openwall.com/wordlists.
And now to start the cracker. By default, john will run all three cracking modes in the following order:
Single crack
Wordlist
Incremental
[emoret@simca-1000 ˜]$ john ˜/tmp/passwd
Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/32])
abc123 (test)
guesses: 1 time: 0:00:11:01 (3) c/s: 4550 trying: 32466097If you stop the program and start it again later, it will continue searching where it left off. To list all discovered passwords, issue the following:
[emoret@simca-1000 ˜]$ john —show ˜/tmp/passwd
test:abc123:501:501::/home/test:/bin/bash
1 password hash cracked, 2 leftBrute-force password cracking can be extremely time-consuming and CPU-intensive; on the other hand, it does not waste memory. Since you need to run the same tool again to brute force every new password you are trying to crack, it would be faster to precompute hashes of all possible passwords and store the results (hash and corresponding passwords) once and for all. This way we would just have to look up a hash to obtain its matching password. The issue with this approach is the huge amount of memory necessary to store all passwords. The idea behind rainbow cracking is to find the right balance between memory and CPU consumption—also known as time–memory trade–off. This is achieved by organizing the hashes in chains such as to minimize the required storage space while maintaining a decent cracking time. The order of magnitude we are talking about with rainbow cracking is 1 hash stored for every 10,000 computed. For each hash chain, the first and last hashes are kept only.
Cracking a password using rainbow tables is a two-step process in which you first have to identify the chain your hash is part of. Do this by computing a hash chain starting from the hash to be cracked and stopping when a locally stored "end of chain hash" matches. The second step is to recreate that chain starting from the locally stored "start of chain hash" until you find the matching password.
The only kind of passwords that cannot be cracked with rainbow tables are those including salt:
hash = MD5(password . salt)
Most *nix-based systems implement salt. Fortunately, Microsoft LanManager hashes do not, making rainbow cracking successful in recovering Windows passwords.
The trick with rainbow cracking is to generate the huge tables. The process is as CPU-intensive as a regular brute-force. I recommend that you not waste CPU cycles in generating rainbow tables but instead download freely accessible tables from the Shmoo group's web site (http://rainbowtables.shmoo.com/)—they are 38 GB compressed and 65 GB uncompressed for the most complete sets.
The following paragraphs describe the steps involved in cracking an entire collection of windows passwords.
The first step is to obtain a dump of the SAM database. I use the excellent fgdump tool for that task. The Windows sources contain an executable binary located in the Release subdirectory.
$ ./fgdump.exe -h peugeot-104z -u emoret -p abc123
fgDump 1.4.0 - fizzgig and the mighty group at foofus.net
Written to make j0m0kun's life just a bit easier
Copyright(C) 2006 fizzgig and foofus.net
fgdump comes with ABSOLUTELY NO WARRANTY!
This is free software, and you are welcome to redistribute it
under certain conditions; see the COPYING and README files for
more information.
Could not connect to service manager: this may be a Win95, 98,
SNAP or other non-NT-based system.
[...]
** Beginning dump on server peugeot-104z **
OS (peugeot-104z): Microsoft Windows XP Professional Service Pack 2
(Build 2600)
Passwords dumped successfully
-----Summary-----
Failed servers:
NONE
Successful servers:
peugeot-104z
Total failed: 0
Total successful: 1This should result in a file containing the hash of your system's passwords:
$ cat peugeot-104z.pwdump
ASPNET:1003:0FAEC89078A7D363CC35441493006CE5:
9CE8138670C9F70813C198F2E0A78FC7:::
HelpAssistant:1000:975DECEE246A76CCFCFB988E7F0E0891:
F743D3DA3D11A32BC9C1408A6C2D8EB8:::Using the rcrack tool provided by the Rainbow Crack project, you can now crack the Windows passwords from the above file in a matter of seconds, but first you have to add the charset configuration matching the tables downloaded from the Shmoo group's web site:
[emoret@renault-5 ˜]$cd /tmp/rainbowcrack-1.2-src/src[emoret@renault-5 src]$cat >> charset.txtalpha-numeric-symbol32-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*( )-_+=˜'[]{}|\:;"'<>,.?/ ]
Then to launch the actual cracker:
[emoret@renault-5 src]$./rcrack/usr/share/shmoogroup-rainbowcrack/alpha_num_sym32_space/*.rt -f/tmp/peugeot-104z.pwdump[...] searching for 4 hashes... plaintext of 975decee246a76cc is NB^2SOO cryptanalysis time: 3.85 s [...] searching for 3 hashes... plaintext of fcfb988e7f0e0891 is UJ1BKKQ cryptanalysis time: 1.62 s [...] searching for 2 hashes... plaintext of 0faec89078a7d363 is G3$˜YTB cryptanalysis time: 1.41 s [...] searching for 1 hash... plaintext of cc35441493006ce5 is HA464,A cryptanalysis time: 0.64 s statistics ------------------------------------------------------- plaintext found: 4 of 4 (100.00%) total disk access time: 11.73 s total cryptanalysis time: 694.63 s total chain walk step: 461988804 total false alarm: 24063 total chain walk step due to false alarm: 122445301 result ------------------------------------------------------- ASPNET G3$˜ytbHa464,a hex:4733247e79746248613436342c61 HelpAssistant nB^2SoOUJ1bKKq hex:6e425e32536f4f554a31624b4b71