Use LC3 auditing to back up your password policy

I'm preaching to the converted when I say that one of the best ways to secure your network is through strong user passwords. However, getting users to create strong passwords is easier said than done. Improving the quality of passwords in your organization requires a multipronged approach. You need to publish a written policy that defines what strong passwords are and requires users to select and implement them. You also need to educate users about proven methods for remembering strong passwords (e.g., a pass phrase—usually a sentence from which you use the first letter of each word to construct your password). Then, you need to follow up regularly and verify that users have created high-quality passwords that someone else can't easily guess.

You simply can't get a full password report because Windows XP, Windows 2000, and Windows NT use hash algorithms to protect passwords stored in the SAM or Active Directory (AD). Therefore, you need a password-cracking tool such as @stake's L0phtCrack. The latest incarnation of the famous L0phtCrack tool, LC3, lets you import the password hashes from AD on a Win2K domain controller (DC) or from an NT DC's SAM. (To learn more about password hashing, see "Cracking User Passwords in Windows 2000," http://www.secadministrator.com, InstantDoc ID 9186.) You can then subject those hashed passwords to a variety of cracking techniques to reveal weaknesses.

Keep in mind, however, that the purpose of requiring strong passwords isn't to defeat LC3—you can't defeat a properly designed password cracker. To defeat LC3, you must prevent intruders from getting a copy of your password hashes in the first place. (To learn more about such measures, see my article "Protect Your Passwords," http://www.winnetmag.com, InstantDoc ID 3844.) Strong passwords will help you defeat other users and attackers who try to guess the password by attempting to log on to your computers. With LC3, you can simulate the same tactics attackers use when they try to guess a password—only millions of times faster. I show you how to use LC3 to effectively audit your passwords. (You can download a 15-day evaluation copy of LC3 at http://www.atstake.com/research/lc3/download.html.)

Obtain Password Hashes
The first step in auditing your domain's password strength is to obtain a copy of your password hashes. To obtain the hashes, you'll need to install LC3 on one of your Win2K DCs (AD replicates the account database to every DC, so any one DC holds a complete copy). Win2K automatically uses the Syskey command to encrypt password hashes, which defeats remote or file-based methods for importing password hashes. If you've enabled Syskey on your NT DCs, you'll also need to install LC3 on one of your NT DCs.

On Syskey-protected computers, you can install LC3 on one DC and use the Import from local machine command to get a copy of your domain's password hashes. This method requires administrator authority and uses sophisticated Win32 programming techniques to extract password hashes from OS memory, where they have already been decrypted. (Note: Even with Syskey enabled, the password hashes themselves are held unencrypted in memory; Syskey protects only the stored copy.)

Run LC3 on a Test Machine
Because LC3 uses undocumented APIs and DLL injection, which can be unstable, you might not want to install LC3 on a production DC. In that case, you'll need to install Win2K or NT (whichever is appropriate) on a test machine. Make the computer a DC in your domain, which will create a copy of the domain's SAM or AD database on the scratch computer. Download LC3 and unplug the computer from the network. Run l0phtcracksetup02.exe, accept all the defaults, and cancel the Password Crack Wizard. Now, in the unlikely case that LC3 crashes or corrupts your computer, you won't affect your network.

On the Import menu, select the Import from local machine option. You'll see a list of your domain's users, as Figure 1 shows. As you can see, LC3 creates separate columns for the LAN Manager (LM) and NT LAN Manager (NTLM) passwords. Win2K and NT actually maintain two hashes for each password—an LM hash for backward compatibility with older LAN Manager clients and an NTLM hash to support NT clients. Because LM hashing is significantly weaker than NTLM hashing, LC3 concentrates on LM hashing first.

After LC3 starts cracking, the only difference between the two columns is that the LM password is simply an all-uppercase version of the usual mixed-case NTLM password. Because of a weakness in LM hashing, LC3 can immediately identify passwords that are fewer than eight characters long and display them in the <8 column. Before you proceed further, decide whether you want to see your users' passwords as they're cracked. If you simply want to know whether a password was cracked but want to avoid seeing the sensitive passwords themselves, clear the View Audited Passwords setting in the Auditing Options For This Session dialog box, which causes LC3 to hide both the LM and NTLM password columns.

Select a Cracking Scheme
After you have your password hashes, you can configure the cracking methods LC3 will use against your domain. To view your choices, select Session, Session Options in the LC3 interface. Figure 2 shows the default session options settings. You can use four kinds of cracks in your password audit.

The first crack LC3 attempts is simply the username for those users who've used their names as their password. (Because this crack is so fast, Figure 2 doesn't show it as an option.) The second option is the Dictionary Crack, in which LC3 hashes each word in a specified word-list file and compares it with the hashes you obtained. (To import a custom word-list file for a dictionary attack, select Session, Options, then choose a different word-list file.) LC3 can process even a large word-list file in a matter of minutes, so the dictionary attack quickly identifies any users who are using a simple word as their password. The third option is the Brute Hybrid Crack. During the hybrid crack, LC3 processes the word-list file again, but adds one to three numbers or symbols to the end of the word. The hybrid attack gleans passwords such as password! or Clemens22. Finally, LC3 subjects any remaining passwords to a Brute Force Crack that uses every possible combination of characters.

To run your first crack, click OK in the Auditing Options For This Session dialog box, then select Session, Begin Audit. LC3 proceeds through the different types of cracks, as Web Figure 1 shows. (To view this figure, go to http://www.secadministrator.com and enter InstantDoc ID 24052.) During the dictionary and hybrid attacks, you can see how far along LC3 is by looking under Dictionary Status in the interface's right pane. During brute-force cracks, LC3 displays its progress statistics under Brute Force in the right pane. As LC3 completes each password-cracking approach, LC3 checks off that type with a red check mark in the interface's bottom right corner. Whenever LC3 cracks a password, it displays the amount of time it took in the Audit Time column and displays the password in the LM Password and NTLM Password columns.

Occasionally, you'll see the last portion of a password preceded by seven question marks, such as the SavvyUser's password, which Web Figure 1 shows. Passwords can be up to 14 characters long. Because of vulnerabilities in the LM hash algorithm, LC3 can work on the first and second sets of seven characters independently. LC3 often cracks the last seven characters of a password before the first seven, which is important because those characters might offer a clue to the beginning portion of the password.
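The three LM behaviours described above (the all-uppercase LM column, the <8 indicator, and the two independently cracked seven-character halves) all fall out of how the LM hash is constructed. The following Go program is an added example written for this article, not code from the article or from @stake's LC3: it computes LM hashes with the standard-library DES package so you can see why an audit tool gets these properties for free. It assumes ASCII passwords of at most 14 characters; the "KGS!@#$%" magic value and the empty-half constant are the public LM algorithm, not assumptions.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that LM hashing encrypts once per key half.
const lmMagic = "KGS!@#$%"

// emptyHalf is lmMagic encrypted under an all-zero key: the value every LM hash carries in
// its second half when the password has seven characters or fewer (the basis of the <8 column).
const emptyHalf = "AAD3B435B51404EE"

// desKeyFrom7 spreads 56 password bits across 8 key bytes, one 7-bit group per byte,
// shifted left so that the parity bit DES ignores sits in each byte's low bit.
func desKeyFrom7(s []byte) []byte {
	k := []byte{
		s[0] >> 1,
		(s[0]&0x01)<<6 | s[1]>>2,
		(s[1]&0x03)<<5 | s[2]>>3,
		(s[2]&0x07)<<4 | s[3]>>4,
		(s[3]&0x0f)<<3 | s[4]>>5,
		(s[4]&0x1f)<<2 | s[5]>>6,
		(s[5]&0x3f)<<1 | s[6]>>7,
		s[6] & 0x7f,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHalf DES-encrypts lmMagic under the key derived from one 7-byte half of the password.
func lmHalf(half []byte) string {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // the key is always 8 bytes, so this cannot happen
	}
	out := make([]byte, 8)
	block.Encrypt(out, []byte(lmMagic))
	return strings.ToUpper(hex.EncodeToString(out))
}

// LMHash returns the 32-hex-digit LM hash of an ASCII password of at most 14 characters.
// Uppercasing and null padding happen before the split into two halves, which is why the
// LM column is all uppercase and why each half can be attacked on its own.
func LMHash(password string) string {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // copy drops anything past 14 bytes
	return lmHalf(buf[:7]) + lmHalf(buf[7:])
}

// LooksShort is the logic behind LC3's <8 column: a second half equal to the
// empty-half constant means the password has seven characters or fewer.
func LooksShort(lmHash string) bool {
	return len(lmHash) == 32 && lmHash[16:] == emptyHalf
}

func main() {
	for _, pw := range []string{"", "password", "PASSWORD", "Secret1", "Clemens22Sprin"} {
		h := LMHash(pw)
		fmt.Printf("%-16q first=%s second=%s short=%v\n", pw, h[:16], h[16:], LooksShort(h))
	}
	// The halves are independent: each depends only on its own seven characters,
	// so the last seven can be recovered before the first seven.
	fmt.Println(LMHash("Clemens22Sprin")[:16] == LMHash("Clemens")[:16])
	fmt.Println(LMHash("Clemens22Sprin")[16:] == LMHash("22Sprin")[:16])
}
```

Run it and compare the rows for password and PASSWORD (identical) and the rows for the empty password and Secret1 (identical second halves). The last two lines print true, which is the property the question marks in Web Figure 1 reflect: once the second half is known, only the first seven characters remain.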

Fine-Tune the Audit
LC3 comes with two word lists: words-english and words-english-big. Words-english contains 29,157 words. Words-english-big has 235,007 words. You can add words (e.g., sports teams for your area) to these dictionaries or substitute foreign-language word lists if appropriate. LC3 can use any text file formatted with one word per line. You don't need to sort the words.

You should know about some important caveats with the hybrid attack. The hybrid attack appends only numbers and symbols to the end of passwords, not letters. Therefore, you miss passwords such as jets even though "jet" is in the word list. The hybrid attack tries only combinations of the full length specified. As Figure 2 shows, the default length is 2, which means that a default crack will miss passwords composed of a word followed by just one letter or symbol (e.g., John1). Therefore, change the Characters to vary (more is slower) setting to 1 in the Auditing Options For This Session dialog box, then run LC3 again.

The brute-force attack takes anywhere from hours to days depending on the character set you use. You can select from letters; letters and numbers; letters, numbers, and the symbols on the top row of your keyboard; or letters, numbers, and all symbols on a typical keyboard. Even the largest character set doesn't guarantee that LC3 will crack every password, because users can use the Alt key and the numeric keypad to enter the ASCII code of other characters. LC3's default character sets don't include these extended characters. (For more information about making your password-cracking sessions as efficient as possible, see the Web-exclusive sidebar "LC3's Power Features," http://www.secadministrator.com, InstantDoc ID 23945.)

To create a custom character set, open the Auditing Options For This Session dialog box, select Custom from the Character Set drop-down list, then enter all the characters you want to use in the drop-down list in order from lowest to highest (in terms of their ASCII numbers). Custom character sets also let you implement a more limited character set than those LC3 provides. The smaller the character set is, the less time a complete session will take. If you need to reboot your computer before LC3 finishes a cracking session, you can pause the audit by selecting Session, Pause Audit in the interface, then save the data to a disk. The session file will have an .lcs extension. To restart LC3, open the session file and select Session, Begin Audit in the interface.

Get Useful Results
When you use LC3, remember that you're performing an audit of password strength; you aren't cracking passwords to see whether it can be done. Given enough time, LC3 will crack any password. Therefore, when you choose which auditing options to include in your formal audit, it would be unfair to your users to use a crack method that's stronger than your published password policy.

Here's one way you might structure your password-strength audit. Always run a dictionary attack with the supplied words-english file. (You might also use another language word list if appropriate.) Next, I recommend running a hybrid crack with Characters to vary set to 1 and possibly another hybrid crack that involves two characters. Decide whether to include a brute-force crack. If your organization has specific password requirements that call for a certain variety of characters, such as letters and numbers, you can select a weaker character set such as just A through Z to find noncompliant passwords. (If passwords are supposed to include at least one letter and one number, any passwords cracked with A through Z are obviously out of compliance.)

Use the Results
After you finish your audit, you need to determine what to do with the results. An attacker is happy just to get a list of passwords, but you're auditing your passwords to strengthen security. You might decide to simply inform management what percentage of audited passwords was substandard. Make sure managers realize that you might not have identified all the substandard passwords because of gaps between your available crack methods and your password policy. Don't emphasize how little time it took to crack these passwords—that isn't the point. You aren't trying to defeat L0phtCrack but to defeat human attackers inside and outside the organization.

Depending on your management support, as your password auditing initiative matures, you might begin to provide individualized feedback to users (and perhaps to their supervisors) if they repeatedly fail to create a strong password. One company I know about resorts to assigning mandatory passwords and selecting the user account property User may not change password option in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in because users have been uncooperative. If you need to give individualized feedback, you can export the results of your audit to a tab-delimited text file that can be easily imported into Microsoft Excel or Microsoft Access for further manipulation into a report.
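Turning the exported results into the management figure and the individualized feedback described above is mostly a matter of measuring each cracked password against the written policy rather than against LC3's raw success rate. The Go program below is an added example for this article, not code from the article or from LC3: it parses a constructed tab-delimited export (the column names and order are an assumption; read them from your own file's header), applies a policy of eight or more characters with at least one letter and one digit, flags passwords built on a word from a tiny stand-in for words-english (including a word followed by one to three trailing characters, so John1, password! and jets are all caught), and reports counts and reasons per user without echoing any password.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
	"unicode"
)

// sampleExport is a constructed stand-in for an LC3 tab-delimited export. The column
// names and order are assumptions for this example; check the header of your own file.
const sampleExport = "User Name\tLM Password\t<8\tNTLM Password\tAudit Time\n" +
	"Administrator\t\t\t\t\n" + // never cracked
	"jsmith\tPASSWORD\t\tpassword\t0d 0h 0m 1s\n" +
	"mjones\tJOHN1\tx\tJohn1\t0d 0h 0m 3s\n" +
	"SavvyUser\t\t\t\t\n" +
	"rlee\tCLEMENS22\t\tClemens22\t0d 0h 2m 10s\n" +
	"tnguyen\tJETS\tx\tjets\t0d 0h 5m 0s\n" +
	"kpatel\tTRUSTNOONE\t\tTrustNoOne\t0d 1h 4m 0s\n" +
	"dwu\tBLUE4SKY\t\tBlue4Sky\t0d 2h 30m 0s\n" +
	"pgarcia\t\tx\t\t\n" // not cracked, but the <8 indicator already proves it is short

// Policy mirrors the written password policy the audit is measured against.
type Policy struct {
	MinLength     int
	RequireLetter bool
	RequireDigit  bool
	WordList      map[string]bool // lowercase words from the dictionary used in the audit
	MaxSuffix     int             // word plus up to this many trailing characters still counts as dictionary-based
}

// DefaultPolicy is a constructed policy with a six-word stand-in for words-english.
func DefaultPolicy() Policy {
	words := map[string]bool{}
	for _, w := range []string{"password", "john", "jet", "clemens", "secret", "trust"} {
		words[w] = true
	}
	return Policy{MinLength: 8, RequireLetter: true, RequireDigit: true, WordList: words, MaxSuffix: 3}
}

// dictionaryStem returns the word a password is built on, or "" if none. It strips
// 0..MaxSuffix trailing characters of any kind, so it also catches word+letter (jets),
// which the article notes the hybrid crack itself misses.
func dictionaryStem(pw string, p Policy) string {
	lower := strings.ToLower(pw)
	for n := 0; n <= p.MaxSuffix && n < len(lower); n++ {
		if stem := lower[:len(lower)-n]; p.WordList[stem] {
			return stem
		}
	}
	return ""
}

// Violations lists every rule in p that a cracked password breaks; nil means compliant.
func Violations(pw string, p Policy) []string {
	var v []string
	if len([]rune(pw)) < p.MinLength {
		v = append(v, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	hasLetter, hasDigit := false, false
	for _, r := range pw {
		hasLetter = hasLetter || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
	}
	if p.RequireLetter && !hasLetter {
		v = append(v, "contains no letter")
	}
	if p.RequireDigit && !hasDigit {
		v = append(v, "contains no digit")
	}
	if stem := dictionaryStem(pw, p); stem != "" {
		v = append(v, "based on dictionary word "+stem)
	}
	return v
}

// Summary is what goes to management: counts plus per-user reasons, never the passwords.
type Summary struct {
	Total, Cracked, Substandard int
	Reasons                     map[string][]string
}

// PercentSubstandard is the headline figure for the report.
func (s Summary) PercentSubstandard() float64 {
	if s.Total == 0 {
		return 0
	}
	return 100 * float64(s.Substandard) / float64(s.Total)
}

// Summarize parses the export and measures each account against the policy. A cracked
// password that still satisfies the policy is not held against the user, since the audit
// should be no stricter than the published policy.
func Summarize(export string, p Policy) (Summary, error) {
	r := csv.NewReader(strings.NewReader(export))
	r.Comma = '\t'
	rows, err := r.ReadAll()
	if err != nil {
		return Summary{}, err
	}
	s := Summary{Reasons: map[string][]string{}}
	if len(rows) == 0 {
		return s, nil
	}
	col := map[string]int{}
	for i, name := range rows[0] {
		col[name] = i
	}
	for _, row := range rows[1:] {
		s.Total++
		user, pw, short := row[col["User Name"]], row[col["NTLM Password"]], row[col["<8"]] != ""
		if pw == "" {
			if short { // uncracked, but LC3 already knows it is under eight characters
				s.Substandard++
				s.Reasons[user] = []string{"shorter than 8 characters (<8 indicator)"}
			}
			continue
		}
		s.Cracked++
		if v := Violations(pw, p); len(v) > 0 {
			s.Substandard++
			s.Reasons[user] = v
		}
	}
	return s, nil
}

func main() {
	s, err := Summarize(sampleExport, DefaultPolicy())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d accounts audited, %d cracked, %d substandard (%.1f%%)\n",
		s.Total, s.Cracked, s.Substandard, s.PercentSubstandard())
	for user, reasons := range s.Reasons {
		fmt.Printf("  %-14s %s\n", user, strings.Join(reasons, "; "))
	}
}
```

On the constructed sample, dwu's Blue4Sky is cracked but meets every rule and so is not reported, while pgarcia is reported even though the password was never recovered, because the <8 indicator alone shows it violates the length rule. Swap in your real export and word list to produce the same two figures the article recommends giving management: how many accounts were audited and what share failed the published policy.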

Protect Against L0phtCrack
LC3 is an effective password-auditing tool, but like a chef's knife, LC3 can be used for malicious purposes. To prevent LC3 from being used against you, you can take several steps. First, use Syskey to protect the SAM files on all NT computers. Win2K computers already have this protection. Next, implement NTLMv2, which effectively defeats the L0phtCrack sniffer. Implementing NTLMv2 involves making a registry change on all NT and Windows 9x computers and loading NT Service Pack 4 (SP4) on NT machines and the Directory Service (DS) client on Win9x machines. You don't need to worry about the LC3 sniffer in a pure Windows XP/Win2K environment if you use only AD domain accounts (no NT domain accounts or local users). In such an environment, Kerberos replaces NTLM on the network. If you don't have a pure environment, you can enable NTLMv2 on XP and Win2K computers with the LAN Manager Authentication Level policy in Group Policy Objects (GPOs).

For example, to enable NTLMv2 on every computer in your domain, open the MMC Domain Security Policy snap-in and maneuver to Windows Settings, Security Settings, Local Policies, Security Options. Double-click LAN Manager Authentication Level, select the Define this policy option, then select the Send LM & NTLM—Use NTLMv2 session security if negotiated check box.

You know that LC3 can be used against your system. Now, you can use LC3 to perform an audit of password strength to enforce your password policy and strengthen system security.