
Hackers Beware
Crack is also beneficial in that you download the source code and not an executable. The benefits of downloading source code and the differences between NT and UNIX will be explained in the following sidebar.
Source Code versus Executable
I must mention a trend in how programs for different operating systems are distributed across the Internet. This trend concerns the shareware and freeware security scripts that can be downloaded to test and run exploits.
In most cases, when it comes to Microsoft Windows programs, a user downloads an executable program, which might be compressed. Either way, the underlying program is an executable that you run directly, or a setup program that you run to install it on your system. The good news is that the executable is fairly easy to run with minimal effort. The bad news is that because you only get the executable, you do not have the source code, which makes it difficult to understand what is going on or to make changes to the code.
On the other hand, for UNIX programs, a user can download the source code, which then has to be compiled on the version of UNIX that he is running. The main reason for this is that there are so many versions of UNIX that it is easier to distribute the source code than the binary code for every single version. The advantage is that the user has total control of the program. He can go through the source code and make sure there are no backdoors and even make changes or enhancements to the program, giving him maximum flexibility. The disadvantage is that, because the user has to compile the program, it is more work; and if the program does not compile properly, the user must be able to modify the code so that it works properly. In other words, UNIX gives the user more flexibility but usually requires a higher level of expertise to run the associated programs. Also, because Microsoft code is distributed by default as an executable, the operating system does not include a compiler, as with most versions of UNIX where a compiler is installed by default. Having a compiler increases administrators’ flexibility, but it can also increase the risk. If an attacker breaks into a machine and has a compiler available, it gives him more flexibility to create new executables.
Latest Version of Crack
“Hackers Beware “ New Riders Publishing |
400 |
The latest version of Crack has new features that make it more flexible and easier to use. According to Alec Muffett’s web site, the following are some of this version’s features:
•Uses less memory, which makes it more user friendly. Previous versions used up a lot of system resources. In some cases, this was beneficial, because if an unauthorized person was running Crack, an administrator would discover it fairly quickly because all of the system resources would be exhausted.
•Uses API for easy integration. Not only is Crack a useful tool in and of itself, but it can easily be integrated into other systems or used as a building block for other applications.
•Uses more powerful rule sets. If you have passwords that are not trivial to guess but are still fairly weak, Crack has more powerful rule sets integrated into the engine to help crack these passwords.
•Is easy to control. The new interface gives the user more control and flexibility in running the program. For example, the program can be put to sleep during busy times and only run in the evenings or when there are few people using the system.
•Has been tested on various UNIX operating systems. I have compiled it on various versions of Solaris and Linux with minimal configuration issues or changes.
•Is bundled with a minimalist password cracker and a brute force password cracker.
Crack Requirements
The following is a high-level overview of the requirements needed to run Crack:
•UNIX-like operating system.
•C compiler.
•Moderate amount of disk space (10MB).
•Lots of CPU time.
•Permission from the system administrator. You should always get permission and authorization before running these programs.
•Root-privileges (if using shadow files).
•Uncompression program like gzip or tar.
First, to run Crack, you need to be running a UNIX operating system. I highly recommend that you use a more common version such as Solaris or Linux, because Crack and most of the scripts have been tested on these operating systems. Currently, Crack has been tested on the following operating systems:
•Solaris
•Linux
•FreeBSD
•NetBSD
•OSF
•Ultrix
Using an untested version of UNIX requires more configuration and expertise to get Crack running. Newer versions of operating systems, like RedHat Linux 6.x, might require some additional configuration to get Crack compiled and running correctly. There is an important distinction between running and functioning properly. You can have it compiled and running, but if you selected the wrong options, Crack will not work properly. For example, if you choose the wrong encryption scheme, it will run properly but it will not guess the passwords, because the encryption scheme that Crack uses to guess the passwords is different from the encryption scheme that the operating system used to secure them. If the schemes are different, your chances of success are slim.
Another requirement for the operating system is that there must be a way to get the Crack program onto your system. The simplest way to do this is to FTP or download it from the web. This might seem obvious, but I have seen examples where administrators have set up secure systems with limited access to crack passwords, but forgot to download a copy of Crack.
Crack is a fairly large and computationally intensive program by the nature of what it does. Therefore, before you install and run Crack, make sure you have enough resources to compile and run it. If other departments are using the UNIX machine, check with them prior to running Crack. Otherwise, it could cause unnecessary issues if they are running critical applications.
Legal Considerations
There is a good chance that if you are running Crack on a system and you do not have permission, you could be breaking the law. These tools might seem like fun and worth trying, but you can get yourself in a lot of trouble very quickly if you are not careful. I have known really smart people that have done something stupid that caused them to get fired. Make sure you know the legal implications, and if you are not sure, get written permission from someone authorized to make this decision prior to running any of these tools. An employee might have the company’s best intentions in mind when running password crackers, but without permission, this could easily be perceived in a different fashion by senior management, and that employee could be in a lot of trouble.
Another important item to remember is that, depending on how your system is configured, you might need root access to configure Crack, run it, and get the encrypted passwords. In most cases, you can download, configure, and compile Crack without root access; you would only need root access if you were using shadow files. Because most systems should be using shadow files, having root access is probably a requirement. If your systems are not using shadow files, you have much bigger concerns than someone trying to crack your passwords.
Because Crack is distributed compressed, make sure you have an uncompression program, such as gzip, on your system to uncompress the Crack source code. You also have to untar it before you compile it. You can also let tar do the uncompression, using either the -Z option to uncompress the tar archive or the -z option to call gunzip. Most systems have these programs, but it is always good to check prior to starting.
Configuring Crack
Now that Crack has been downloaded and all of the necessary requirements verified, you can start configuring and compiling Crack on the system. The following is a high-level breakdown of the necessary steps that need to be performed to configure Crack:
1. Download the Crack file.
2. Unzip the file using gzip:
gunzip crack5.0.tar.Z
3. Untar the file:
tar -xvf crack5.0.tar
4. Read manual.txt.
5. Edit the script file.
6. Compile the program:
Crack -makeonly
Crack -makedict
If you are using a tested version of UNIX, these are the basic steps that need to be performed. In certain environments, additional configuration steps might need to be performed.
After you download Crack, there are several steps that must be performed prior to running it. This is because you do not download an executable like you do in NT; you download the source files, which need to be compiled and configured to run the program. This might seem like a headache if you cannot get Crack to compile; however, in my opinion, the benefits of having the source code outweigh the negative aspects. It also helps guarantee that you have some knowledge of UNIX before running these programs, which can help minimize the chances of an accident.
After you successfully download Crack, first unzip the file crack5.0.tar.Z by typing the following:
gunzip crack5.0.tar.Z
This process creates a file called crack5.0.tar. Now you need to untar the file by typing the following:
tar -xvf crack5.0.tar
Tar
For those not familiar with tar, it is a program that archives and extracts files to and from a single file. The following explains the options used in the preceding command:
• x. Extracts or restores files. This option extracts the files and writes them to the directories specified in the tar file.
• f. Specifies that the argument following the options is the name of the tar file.
• v. Puts the program in verbose mode, which means it outputs to the screen what is being done and which files are being extracted where.
For additional information, please see the man pages for tar. Man is a help facility that comes with UNIX. If you are having problems or need the syntax of a command, you type man followed by the command and UNIX brings up a help file on that topic.
After the tar file is extracted, a directory called c50a is generated with subdirectories holding configuration files, documents, scripts, source code, and so on. Some of these files are script files that can be read either to configure the system or to better understand what is going on. Some of the key files are Makefile, Reporter, and Crack. A manual.txt file is also created that is the same as the readme file. I highly recommend that you read through the file to make sure you understand what is going on and to increase your chance of success. Most people will try the steps listed and, if they work, move on; if they do not, most people will read the file. Either way is fine, as long as you know the file is there if you get stuck. The file is meant to give you an overview and more detailed information on how to use the program. Next, we will cover the basic information you need to run the program. This will help you get started on cracking passwords on your UNIX systems.
You need to edit the Crack script file and reconfigure the values of CRACK_PATH, C5FLAGS, CC, CFLAGS, and LIBS to suit the operating system. You do this by editing the file named Crack, using your favorite text editor. My personal favorite is vi, but you can use whatever text editor you want. (Just remember: real geeks use vi!) If you are running a supported operating system like Solaris, you should not have to make any changes to the script files. You only need to make changes if you are running Crack on a version of UNIX that has not been tested, or if you are using a different encryption algorithm. I recommend that you look at these files, but you could also try compiling with the standard scripts just to see what happens. Last, issue the commands Crack -makeonly and then Crack -makedict. After these two steps, a binary executable Crack file is created if no errors are generated during the compilation process. You should view the output of these commands to make sure no errors are generated. If errors are generated, you have to go back and configure the Crack script files for your specific environment. If no errors are generated, you are ready to start using Crack. Remember, just because Crack compiled successfully does not mean that it will run correctly. If you picked the wrong options, Crack might not crack any passwords.
Running Crack
After Crack is compiled and installed on your system, run the program by typing ./Crack. The following is the format for running Crack:
./Crack [options] [-fmt format] [file ...]
For example, in most cases, you type Crack /etc/passwd to crack the password file on the system you are running. You can also run Crack against any password file. I usually have one machine that is running Crack, and once a week, I extract a copy of the passwd file from each UNIX machine and copy it to the Crack machine. I then run Crack locally against each file. Actually, I have a script that systematically goes through each file. It is very important to note that, if you do this, the machine that contains the unencrypted passwords must be kept very secure, because if an attacker can compromise the machine, he can get full access to your network. I disconnect the machine from the network and only connect it when I need to gather the passwords.
Because a weak password represents an avenue that an attacker could use to get into your company’s system, it is critical that system administrators find these holes before attackers do. From a password standpoint, the best way to do this is with password cracker programs. What many fail to realize is that hacker tools are not just for the bad guys; they can also be used by the good guys to strengthen their systems. My philosophy is, if the bad guys use these tools to break into systems, shouldn’t the good guys use them to protect their systems?
While the Crack program is running, it continues to display messages on the screen, indicating the status of the program. This information can be captured by redirecting the output of Crack to a file—for example, >output. Sometimes users overlook this ability, but it is important to verify that Crack is working properly. The following is sample output from a successful crack:
Crack 5.0a: The Password Cracker.
(c) Alec Muffett, 1991, 1992, 1993, 1994, 1995, 1996
System: SunOS 5.6 Generic sun4u sparc SUNW,Ultra-2
Home: /home/
Invoked: Crack npasswd
Stamp: sunos-5-sparc
Crack: making utilities in run/bin/sunos-5-sparc
find . -name "*~" -print | xargs -n50 rm -f
( cd src; for dir in * ; do ( cd $dir ; make clean ) ; done )
rm -f dawglib.o debug.o rules.o stringlib.o *~
/bin/rm -f *.o tags core rpw destest des speed libdes.a .nfs* .old \
*.bak destest rpw des speed
rm -f *.o *~
`../../run/bin/sunos-5-sparc/libc5.a' is up to date.
all made in util
Crack: The dictionaries seem up to date...
Crack: Sorting out and merging feedback, please be patient...
Crack: Merging password files...
Crack: Creating gecos-derived dictionaries
mkgecosd: making non-permuted words dictionary
mkgecosd: making permuted words dictionary
Crack: launching: cracker -kill run/sun.16095
Done
It is important to note that this is not the output showing which passwords were cracked, but the output of the program explaining what the system is doing. The key things you are looking for are that no error messages were generated and that the last line says Done. If both of these occur, you are in good shape. To make sure Crack is running properly, create an account named eric with a password of eric. Then, run the program and make sure it successfully cracks the password. I recommend always creating a test account, just to make sure the program is working properly. After you verify that Crack is working properly, make sure that you delete the account.
I went to one company, and the administrators kept telling me how secure their users were and they were not sure why management wanted a security audit performed. In this case, management wanted me to keep the administrators involved, so I explained to them that I was going to extract and crack the passwords. They assured me that this was a waste of time, because they had already run Crack and did not find any weak passwords. I told them that I needed to run Crack even if it merely validated the results they already found. Sure enough, after running Crack for 30 minutes, it cracked over 90 percent of the passwords. The company was shocked and amazed. As it turned out, they had configured Crack with the wrong parameters and therefore it was unable to crack anyone’s password.
Checking the Output of Crack—Reporter
To check the results of the Crack program and see which passwords have been cracked, you need to run the Reporter script. This script outputs which passwords were cracked, and its output can also be redirected to a file. If you have used an earlier version of Crack, note that this version no longer generates human-readable output directly; instead, to see the results of a Crack run, the user should type the following command:
./Reporter [-quiet] [-html]
Guesses are listed chronologically, so users who want to see incremental changes in the output as Crack continues to run over the course of days or weeks are encouraged to wrap invocations of Reporter in a script with diff. The -quiet option suppresses the reporting of errors in the password file (corrupt entries and so on), whereas -html produces output in a fairly basic HTML-readable format. In most cases, I do not recommend the HTML option because I personally would not want to post the results of cracked passwords to a web site, but that option is there. Some companies use it to create a program that parses the HTML and keeps a database of cracked passwords or sends management an email.
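The weekly batch described above (collect passwd copies, run Crack over them, confirm the launch was clean, then diff successive Reporter runs) as an added example; this script is not from the book or from the Crack distribution. It assumes the built c50a tree holds ./Crack and ./Reporter, that passwd copies are passed as absolute paths, and that Reporter prints one line per guess as in the constructed sample in the test; it uses the OS nice command in place of Crack's own -nice option.

```shell
#!/bin/sh
# Weekly Crack batch helper (added example, not from the book or from the
# Crack distribution). Assumes the built c50a tree holds ./Crack and
# ./Reporter and that passwd copies are passed as absolute paths.

# Return 0 when a captured Crack launch log ends with "Done" and has no
# error lines, which is the check the text above describes for a clean run.
crack_log_ok() {
    log="$1"
    [ -s "$log" ] || return 1
    [ "$(tail -n 1 "$log")" = "Done" ] || return 1
    ! grep -Eiq '(^|[^[:alpha:]])error' "$log"
}

# Print the Reporter lines that are new since the previous snapshot (the
# "wrap Reporter in a script with diff" advice above). With no previous
# snapshot, every line is new. Reporter's exact line format is assumed.
new_guesses() {
    prev="$1"; cur="$2"
    if [ ! -f "$prev" ]; then
        cat "$cur"
    else
        diff "$prev" "$cur" | sed -n 's/^> //p'
    fi
}

# Launch one Crack run over all collected passwd copies. Crack merges the
# files itself and hands off to the background cracker, so this log only
# confirms a clean launch; results are read later with report_changes.
# The OS nice command is used here in place of Crack's own -nice option.
launch_crack() {
    crackdir="$1"; shift
    log="$crackdir/launch.log"
    ( cd "$crackdir" && nice -n 10 ./Crack "$@" ) > "$log" 2>&1 || true
    crack_log_ok "$log" && return 0
    echo "Crack did not launch cleanly; inspect $log" >&2
    return 1
}

# Run Reporter, print what changed since the last call, keep the snapshot.
report_changes() {
    crackdir="$1"
    ( cd "$crackdir" && ./Reporter -quiet ) > "$crackdir/report.new"
    new_guesses "$crackdir/report.prev" "$crackdir/report.new"
    mv "$crackdir/report.new" "$crackdir/report.prev"
}

# Usage: weekly.sh launch /path/to/c50a /secure/copies/*.passwd
#        weekly.sh report /path/to/c50a      (run later, once or daily)
case "${1:-}" in
    launch) shift; launch_crack "$@" ;;
    report) report_changes "$2" ;;
esac
```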
The following example illustrates the reasoning behind my apprehension about posting cracked passwords to a web site. I was performing an assessment for a client and noticed a vulnerability in their web site. I was able to view all of the files in the parent directory, one of which was called badusers.html. When I opened it up, it was an HTML file of the results of Crack. By posting weak passwords to a web site where the entire company could view it, the administrators hoped not only to embarrass users with weak passwords but also to force them to change their passwords, because the entire company could see them. Unfortunately, this creative idea for enforcing strong passwords failed, because 10 of the 15 passwords were not changed. The users were so furious with IT for creating the page that they refused to change their passwords; the administrators, in turn, decided to make their point by refusing to remove the page. In the long run, anyone with access to those ten active accounts could have gained access to the network.
Embarrassing and threatening users does no good; in most cases, it makes matters worse. Remember that having users as your allies goes a long way toward securing a system. I have found that combining user awareness with strict enforcement helps keep a high number of users as allies while increasing the overall security of your network. Not all users will listen, but if you clearly explain security and help them understand it, most users will adhere to the guidelines.
Even though programs have all sorts of options, use some common sense when utilizing their features. The preceding example might seem fictitious, but it actually happened. I included it to show you how easy it is for a company to lose sight of what is important when securing its systems.
Crack Options
Crack has several options that can be used. The following are the most popular ones:
•debug. Lets you see what the Crack script is doing. After you get comfortable with Crack, you can turn this off, but I highly recommend that you turn this option on the first several times you run it.
•recover. Used when restarting an abnormally terminated session. For whatever reason, programs do not always run properly or finish execution. In this case, you can try to recover gracefully.
•fgnd. Runs the password cracker in the foreground while stdin, stdout, and stderr are sent to the display so that users can better monitor what is occurring.
•fmt. Allows the user to specify the input file format that should be used.
•n. Allows the user to jump to a specific spot in the rule base and start password cracking from a specific rule number “n.”
•keep. Prevents deletion of the temporary file used to store the password cracker’s input. This is helpful for determining what the user did or troubleshooting problems.
•mail. Emails a warning message to anyone whose password is cracked. Be cautious of using this because often the people in an organization who have weak passwords are the ones who sign the checks.
•network. Runs the password cracker in network mode.
•nice. Runs the password cracker at a reduced priority so that other jobs take priority for the CPU. I recommend using this option. Normally when Crack is run, it uses whatever resources are available. By running it in nice mode, you enable other people to still use the system.
Crack Accuracy
To see how well Crack performs, I ran the program with an out-of-the-box install against a password file with various types of passwords. Following is the sample file that was used:
User Eric password eric
User John password john1234
User Mike password 5369421