
To see whether Crack has correctly guessed any of your passwords, use the Reporter tool in c50a, like this:

$ ./Reporter

Here’s the output from the sample cracking session:

Guessed marty [marty] Marty Rush [passwords.txt /bin/bash]
Guessed Nicole [alexalex] Caldera OpenLinux User [passwords.txt /bin/bash]
Guessed manny [willow] Caldera OpenLinux User [passwords.txt /bin/bash]
Guessed moe [solace] Caldera OpenLinux User [passwords.txt /bin/bash]

As you can see from the output, Crack got four passwords. This took only about two minutes, and you can probably deduce why: the passwords were poorly chosen (one is the login name itself, one is a first name typed twice, and the other two are single dictionary words). Later in this chapter, we'll discuss password choices.
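Reporter prints one line per cracked account in the fixed form shown above: Guessed, the login name, the guessed password in square brackets, the GECOS field, and finally the source file and login shell in a second pair of brackets. The following parser is an added example (it is not part of the book or of Crack); it turns that output into records and applies a few constructed heuristics to explain why each guess was cheap. The sample report is modelled on the session above, and COMMON_WORDS stands in for a real wordlist.

```python
import re
from dataclasses import dataclass

# Constructed sample of Reporter output, modelled on the session above.
SAMPLE_REPORT = """\
Guessed marty [marty] Marty Rush [passwords.txt /bin/bash]
Guessed Nicole [alexalex] Caldera OpenLinux User [passwords.txt /bin/bash]
Guessed manny [willow] Caldera OpenLinux User [passwords.txt /bin/bash]
Guessed moe [solace] Caldera OpenLinux User [passwords.txt /bin/bash]
"""

# One Reporter line: "Guessed <user> [<password>] <gecos> [<file> <shell>]"
LINE_RE = re.compile(
    r"^Guessed\s+(?P<user>\S+)\s+\[(?P<password>[^\]]*)\]\s+"
    r"(?P<gecos>.*?)\s+\[(?P<file>\S+)\s+(?P<shell>\S+)\]\s*$"
)


@dataclass
class Guess:
    user: str
    password: str
    gecos: str
    source: str   # the password file Crack was run against
    shell: str    # the account's login shell


def parse_report(text):
    """Parse Reporter output; lines that do not match are ignored."""
    guesses = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            guesses.append(Guess(m["user"], m["password"], m["gecos"],
                                 m["file"], m["shell"]))
    return guesses


# A handful of constructed common words standing in for a real wordlist.
COMMON_WORDS = {"willow", "solace", "summer", "secret", "password", "alex"}


def why_weak(g):
    """Return the reasons (if any) a guessed password was easy to find."""
    reasons = []
    p = g.password
    half = len(p) // 2
    if p.lower() == g.user.lower():
        reasons.append("password equals login name")
    if p.lower() in COMMON_WORDS:
        reasons.append("single dictionary word")
    if len(p) >= 4 and len(p) % 2 == 0 and p[:half] == p[half:]:
        reasons.append("doubled word")
    if p.isalpha() and p.islower():
        reasons.append("lowercase letters only")
    return reasons


def summarize(text):
    """Map each cracked login name to the list of weaknesses found."""
    return {g.user: why_weak(g) for g in parse_report(text)}


if __name__ == "__main__":
    for user, reasons in summarize(SAMPLE_REPORT).items():
        print(f"{user}: {', '.join(reasons) or 'no obvious pattern'}")
```

Feeding real Reporter output through summarize() gives you a per-account reason you can quote back to the user instead of just "your password was cracked".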

Crack Command-Line Options

Crack supports several command-line options. The more commonly used options are summarized in Table 5.2.

TABLE 5.2 Common Crack Command-Line Options

Option     Purpose

-debug     The -debug option provides statistical information and real-time progress reports.

-fgnd      Use the -fgnd option to run Crack in the foreground so that you can watch the process as it happens. (Be prepared for some hectic STDOUT.)

-from N    Use the -from option to start Crack from a particular rule number, represented by number N.

-mail      Use -mail to force Crack to e-mail users whose passwords are cracked. That way, they're immediately notified when their password is found to be weak. You can customize the warning message by editing c50a/scripts/nastygram. Note that there are reasonable arguments against mailing a user when his password fails muster: the message itself announces which accounts have weak passwords, so if your mail gets exposed or intercepted, an attacker learns exactly where to start.

-network   Use the -network option to run Crack in network mode, where you can audit passwords using several machines at once. To customize network operation, see the network configuration file (c50a/conf/network.conf).


-nice      Use the -nice option to designate Crack as a low-priority process. This will allow higher-priority processes to consume CPU power whenever needed. (This is a good choice when you're auditing a large password database on a single machine.)

-recover   Use the -recover option when you're restarting a failed or abnormally terminated Crack process. This preserves library builds that are already available.

NOTE

To examine Crack's basic ruleset, check the file c50a/conf/rules.basic.

Accessories for Crack: Wordlists

Finally, your Crack toolbox wouldn't be complete without a copious collection of wordlists (or dictionaries). Wordlists are simply lists of words, typically one word per line, in ASCII format. You can incorporate these wordlists into Crack's dictionary system to expand your dictionary attack's scope. Note that the larger the wordlist, the longer Crack will take to complete a full pass. However, a larger wordlist also increases your chances of matching a password. Crack comes with prefabricated wordlists suitable for most lightweight password auditing. However, if you intend to do industrial-strength password auditing, visit these sites:

• You can find dictionaries and other extensive English wordlists at http://wordlist.sourceforge.net. This is a good starting point if you're looking for generalized lists that can be used for testing average user accounts.

• If you're doing extensive password auditing, try the Wordlist Archive at Phreak. The Phreak archive has lists covering sports, actors, names, literature, several English dictionaries, and a variety of different languages including Russian, Australian, Swedish, and German. Even your astronomer and biologist users won't be safe; wordlists are available on science topics ranging from asteroids to microalgae. Find it at http://www.phreak.org/html/wordlists.html.


To add dictionaries, see the c50a/conf/dictgrps.conf file, which contains pointers to all currently used dictionaries. You can add your own entry. Entry format is priority:directory, like this: 1:/usr/dict/*words*. Here, the directory is given a high priority (1), and the wordlists are any files in /usr/dict whose names contain the string words. The priority indicates which lists (or dictionary groups) should be used first, or which ones are most likely to contain passwords. For example, you might start with common words and proper names and then progress to less likely lists, like those that contain scientific terms. For more information, see the Crack manual and the conf/dictgrps.conf file for examples.

NOTE

Some quick notes on performance: Crack is quite fast, but much depends on your hardware. Certainly, the ideal configuration is a 1GHz box with 512MB of RAM. Unfortunately, not everyone has this kind of horsepower. However, on systems in which users choose their passwords poorly, you'll probably see most user passwords cracked within an hour. (When you're testing many passwords in an enterprise environment, consider erecting a box specifically for this purpose. You'll reap better performance and avoid worries about CPU usage and priority.)

Alternatives to Crack

Crack is well established and quite effective, but it’s not your only choice. Table 5.3 lists a few other UNIX/Linux-based DES password auditing tools.

TABLE 5.3 Other Linux-Compatible Password Auditing Tools

Tool            Description and Location

Apoc-Crack      When dictionary-based cracking utilities fail, there's still a possibility that you can find the password using a brute-force approach. Apoc-Crack tries every printable character to test every possible password. Be warned: The release notes clearly state, "This program may take thousands of years to finish one run." Download Apoc-Crack at http://www.evilhackr.com/files/cracking/apoc-crack.c.

John the Ripper An all-purpose password-auditing tool for DOS, Windows, and UNIX. Although John handles DES-style (crypt(3)) password hashes, it does not call the system crypt(3) routine; it uses its own optimized implementations of the hash algorithms. John is fast, it supports many rules and options, and it's well documented. Get it at http://www.openwall.com/john/.

Killer Cracker  A lightweight password-auditing tool from Doctor Dissector, written in C++. Although Killer Cracker lacks some of the extended functionality available with Crack, it's still fast. Get it at http://www.univweb.com/passcrack/kc95.zip.

Lard            A password-auditing tool for Linux and other UNIX versions. Lard is small enough to fit on a floppy diskette, which is good for auditing on non-networked boxes in different departments and such. Get it at http://www.univweb.com/passcrack/lard20.zip.

Xcrack          A Perl script for cracking Linux passwords. It does not exercise complex rules. Instead, it performs straight-ahead encryption of words in your dictionary file. Good for environments where you expect that users have made exceptionally bad password choices. Get it at http://www.evilhackr.com/files/scripts/xcrack.perl.

L0phtCrack      Last, but not least is L0phtCrack. This package actually has nothing to do with cracking Linux password files. Instead, it will help you demonstrate to your NT friends (wink, wink) how insecure their passwords are! Download the application from http://www.securitysoftwaretech.com/l0phtcrack/.


Such tools are becoming more common now and offer widely varied attack options. For example, some tools offer not simply dictionary attacks but brute force attacks that try every possible combination. This is a seemingly indiscriminate process, and in some cases it truly is. However, good brute force routines are designed to try the most likely combinations first (short passwords before long ones, lowercase letters before the full printable set). The major difference between the two approaches is that a brute force attack will always eventually prevail, because the set of possible passwords is finite. ("Eventually" here could mean months or years; as you might expect, brute force attacks take a while, and the time grows exponentially with password length.) Conversely, a dictionary attack is only as good as your wordlist and your rules.
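The contrast in that paragraph is easy to show in code. The following added example (mine, not from any of the tools in Table 5.3) runs a plain dictionary attack and a likelihood-ordered brute force against the same target: the brute force walks shortest-first through nested character classes (lowercase, then lowercase plus digits, then mixed case, then every printable ASCII character, which is the Apoc-Crack approach), skipping strings already produced by a smaller class, and a small helper puts numbers on "eventually". Assumptions: the class ordering, the constructed wordlist, the guessing rate passed to years_to_exhaust, and a salted SHA-256 stand-in for crypt(3) (Python's crypt module is gone as of 3.13).

```python
import hashlib
import itertools
import string


def hash_pw(salt, password):
    # Assumption: salted SHA-256 stands in for crypt(3).
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Character classes in assumed order of likelihood.  Each is a superset of
# the previous one, so "already tried" can be decided by class membership.
CLASSES = [
    string.ascii_lowercase,
    string.ascii_lowercase + string.digits,
    string.ascii_letters + string.digits,
    "".join(chr(c) for c in range(32, 127)),   # every printable ASCII char
]


def candidates(max_len):
    """Yield guesses shortest-first, likeliest-class-first, without repeats."""
    for length in range(1, max_len + 1):
        for i, cls in enumerate(CLASSES):
            prev = set(CLASSES[i - 1]) if i else set()
            for tup in itertools.product(cls, repeat=length):
                if prev and all(c in prev for c in tup):
                    continue                  # produced under a smaller class
                yield "".join(tup)


def brute_force(salt, target, max_len=3):
    """Return (password, guesses) or (None, guesses) if max_len is exhausted."""
    n = 0
    for n, cand in enumerate(candidates(max_len), 1):
        if hash_pw(salt, cand) == target:
            return cand, n
    return None, n


WORDLIST = {"willow", "solace", "summer", "alex", "marty"}   # constructed


def dictionary_attack(salt, target, words=WORDLIST):
    """Plain word-for-word check: succeeds only if the password is listed."""
    for n, w in enumerate(sorted(words), 1):
        if hash_pw(salt, w) == target:
            return w, n
    return None, len(words)


def years_to_exhaust(alphabet_size, length, hashes_per_second):
    """Worst-case time to try every string of the given length and alphabet."""
    return alphabet_size ** length / hashes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    salt, target = "ab", hash_pw("ab", "q7z")   # not in any wordlist
    print("dictionary:", dictionary_attack(salt, target))
    print("brute force:", brute_force(salt, target))
    # Assumed rate of one million guesses per second:
    print("years for 8 printable chars:", years_to_exhaust(95, 8, 1_000_000))
```

The dictionary attack returns nothing for "q7z" because no rule or list produces it, while the brute force finds it a few tens of thousands of guesses in, well after the all-lowercase space but long before the full printable space. Change the last call to length 8 over 95 characters and the "eventually" in the text becomes centuries at a million guesses per second, which is why brute force is the fallback rather than the first choice.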
