Dear Reader,
A few years ago, when I started to work at a new company, I asked for a certain password I needed to access some systems I had to work with. One of my new colleagues told me it was "enirstuda4711" and that it was apparently the best password ever! The reason it was so incredibly good was that the letters it contained were statistically distributed in some kind of perfect way.
“So we have a very hard to crack password here”, I said, “why not put it online and suggest that everyone use it?”
Yesterday I decided to set up a user on my Windows machine and see if I could crack this password. I called the user Jabberwocky. From my laptop, my second computer on the local network, I first looked up the default gateway to find out which subnet I was using:
ipconfig
My subnet is 192.168.1.*, as can be seen in the picture. The next step is to find out which machines live on the internal network. I ran the Nmap port scanner with the ping scan option to search all IPs between 192.168.1.1 and 192.168.1.255:
nmap -sP 192.168.1.1-255
So there are three machines on my network: the one at address .1 is my router, the one at .101 is the laptop I was working from, and the third, at .102, is the machine I needed to grab the password file from.
On Linux machines there is the passwd file in the /etc directory. It contains information about all the users that have an account on the machine. Usually it also contains the hashed passwords. These password hashes are computed from the plain-text passwords by a one-way function. Each time a user logs in, the provided password is put through the hash function and the result is compared to the stored hash. If they match, the original passwords must match as well.
The hashed password could look like this:
02196B74B249B1C7B3CA94183F9EEE53
On Linux systems, the password hashes are sometimes not stored in the passwd file itself but in a file called shadow. This file has more restrictive read permissions, 640 instead of the 644 on the passwd file.
On Windows NT, 2000 and XP systems, these hashes are stored in the Registry and/or the SAM file. The SAM file is located under C:\WINDOWS\system32\config. If rdisk has ever been run, an old copy will also be located under C:\WINDOWS\repair. The problem is that you cannot access the SAM file on a running system: the operating system keeps it locked and will not let you read it.
So how can you access the hashes from Windows? There is no neat way.
- Boot the system with Knoppix and simply copy the SAM file away. This however requires physical access to the machine, which quite often is not an option.
- Run PwDump. This handy little program does a DLL injection and copies the hashes to a file. The first problem is that it will not succeed if a program like ProcessGuard is installed on the system. Second, and more of a problem, you need administrator access to the machine you want to get the SAM file from.
- Sniff the hashes from the network as they fly by. Probably the best choice.
Because all these methods are a bit awkward, the normal hacker would probably try to find out more about the system, for example by running another Nmap command, like this one:
nmap -sS -sV 192.168.1.102
This command does a port scan on the specified machine. We can see that some ports are open, along with which programs are listening on them and a “best guess” at their versions. From this information, an attacker can try to find vulnerabilities in one of those programs and eventually get root access to the system and retrieve the password hashes. This however is the “art” that makes a good hacker, and I am not one of them.
Therefore I used PwDump to log in to the machine and get the SAM file out:
PwDump.exe 192.168.1.102 encryptedpasswords.txt raoul
This did the trick and, after removing accounts of no interest, the retrieved SAM file looked like this:
Jabberwocky:1011:02196B74B249B1C7B3CA94183F9EEE53:1BE5C84F89A07C0F6BF47E37127ABDDC:::
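As an added example (not code from the original post), here is a small Python audit of pwdump-style output such as the line above, whose fields are user:RID:LM hash:NT hash:::. It flags accounts that still store the legacy LM hash (the upper-cased, 14-character-max hash that brute-force tools get through quickly) and accounts with an empty password; the two "empty" hash constants are the standard values Windows stores in those cases, and the svc_backup and Guest lines in the sample are made up.

```python
# Well-known constants: the LM field holds this value when no LM hash is stored,
# and the NT field holds this value for an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX = set("0123456789abcdef")

def parse_pwdump_line(line):
    """Parse one 'user:RID:LM:NT:::' line into a dict; blank/'#' lines give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed pwdump line: {line!r}")
    lm, nt = parts[2].lower(), parts[3].lower()
    for h in (lm, nt):
        if len(h) != 32 or set(h) - HEX:
            raise ValueError(f"bad hash field for {parts[0]}: {h!r}")
    return {"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt}

def findings(entry):
    """Audit observations on how this account's password is stored."""
    out = []
    if entry["lm"] != EMPTY_LM:
        # LM: password upper-cased, cut to 14 chars, hashed as two independent 7-char halves
        out.append("LM hash stored (legacy, case-folded, max 14 chars)")
        if entry["lm"][16:] == EMPTY_LM[16:]:
            out.append("LM second half empty: password is 7 chars or fewer")
    if entry["nt"] == EMPTY_NT:
        out.append("empty password")
    return out

def audit(dump_text):
    """Return {user: [findings]} for every account that has at least one."""
    report = {}
    for line in dump_text.splitlines():
        entry = parse_pwdump_line(line)
        if entry is not None and findings(entry):
            report[entry["user"]] = findings(entry)
    return report

# Constructed sample: the Jabberwocky line from the post plus two made-up accounts.
SAMPLE = """\
Jabberwocky:1011:02196B74B249B1C7B3CA94183F9EEE53:1BE5C84F89A07C0F6BF47E37127ABDDC:::
svc_backup:1012:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
if __name__ == "__main__":
    for user, notes in audit(SAMPLE).items():
        print(user, "->", "; ".join(notes))
```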
Now I am finally ready to crack the “best password ever” with John the Ripper or L0phtcrack (L0phtcrack has been bought from @stake by Symantec and it looks as if the product is no longer available through the usual channels. Another way to do “security by obscurity”).
John the Ripper is a dictionary tool, trying out different words and their combinations, whereas L0phtcrack does a brute force attack, basically trying out every possibility.
Both cracking tools eventually cracked the password enirstuda4711. However it took a few hours. Here are the results:
John:
L0phtcrack:
(Note: Both programs were actually run from the local machine, not the laptop, for performance reasons)
The only way to prevent L0phtcrack from eventually, in the far future, cracking your super-duper password is to use non-printable characters as part of your password. They are entered on the numeric keypad: with NUM LOCK on, hold ALT and type a-b-c, where a, b and c each stand for a digit of the character's code in the ASCII table, as in ALT-2-5-5.
So this is it. And by the way, the “best password ever”, enirstuda4711, is no longer in use.
Thank you.