“ Hackers Beware “ New Riders Publishing
407
System: SunOS 5.6 Generic sun4u sparc SUNW,Ultra-2
Home: /home/
Invoked: Crack npasswd
Stamp: sunos-5-sparc
Crack: making utilities in run/bin/sunos-5-sparc
find . -name "*~" -print | xargs -n50 rm -f
( cd src; for dir in * ; do ( cd $dir ; make clean ) ; done )
rm -f dawglib.o debug.o rules.o stringlib.o *~
/bin/rm -f *.o tags core rpw destest des speed libdes.a .nfs*
.old \
*.bak destest rpw des speed
rm -f *.o *~
` / /run/bin/sunos-5-sparc/libc5.a' is up to date.
all made in util
Crack: The dictionaries seem up to date
Crack: Sorting out and merging feedback, please be patient
Crack: Merging password files
Crack: Creating gecos-derived dictionaries
mkgecosd: making non-permuted words dictionary
mkgecosd: making permuted words dictionary
Crack: launching: cracker -kill run/sun.16095
Done
It is important to note that this is not the output showing which passwords
were cracked, but the output of the program explaining what the system
is doing. The key things you are looking for is that no error messages
were generated and that the last line says Done. If both of these occur,
you are in good shape. To make sure Crack is running properly, create an

account named eric with a password of eric. Then, run the program and
make sure it successfully cracks the password. I recommend always
creating a test account, just to make sure the program is working
properly. After you verify that Crack is working properly, make sure that
you delete the account.
I went to one company, and the administrators kept telling me how secure
their users were and they were not sure why management wanted a
security audit performed. In this case, management wanted me to keep
the administrators involved, so I explained to them that I was going to
extract and crack the passwords. They assured me that this was a waste
of time, because they had already run Crack and did not find any weak
passwords. I told them that I needed to run Crack even if it merely
validated the results they already found. Sure enough, after running Crack
for 30 minutes, it cracked over 90 percent of the passwords. The company
was shocked and amazed. As it turned out, they had configured Crack
with the wrong parameters and therefore it was unable to crack anyone’s
password.
Checking the Output of Crack—Reporter


“ Hackers Beware “ New Riders Publishing
408
To check the results of the Crack program to see which passwords have
been cracked, you need to run the Reporter script. This script outputs the
results of which passwords were cracked. This can also be piped to a file.
If you used an earlier version of Crack, it no longer generates human-
readable output directly; instead, to see the results of a Crack run, the
user should type the following command:

./Reporter [-quiet] [-html]

Guesses are listed chronologically, so users who want to see incremental
changes in the output as Crack continues to run over the course of days
or weeks are encouraged to wrap invocations of Reporter in a script with
diff. The -quiet option suppresses the reporting of errors in the
password file (corrupt entries and so on), whereas -html produces output
in a fairly basic HTML-readable format. In most cases, I do not
recommend the HTML option because I personally would not want to post
the results of cracked passwords to a web site, but that option is there.
Some companies use it to create a program that parses the HTML and
keeps a database of cracked passwords or sends management an email.
The following example illustrates the reasoning behind my apprehension
to post cracked passwords to a web site. I was performing an assessment
for a client and noticed a vulnerability in their web site. I was able to view
all of the files in the parent directory, one of which was called
badusers.html. When I opened it up, it was an HTML file of the results of
Crack. By posting weak passwords to a Web site where the entire
company could view it, the administrators hoped to not only embarrass
users with their weak passwords but also force them to change their
passwords, because the entire company could see their passwords.
Unfortunately, this creative idea for enforcing strong passwords failed
because 10 of the 15 passwords were not changed. The users were so
furious with IT for creating the page that they refused to change their
passwords; however, the administrators decided to make their point by
refusing to remove the page. In the long run, anyone, through access to
those ten active accounts could have gained access to the network.
Embarrassing and threatening users does no good—in most cases, it
makes matters worse. Remember that having users as your allies goes a
long way toward securing a system. I have found that by combining user
awareness with strict enforcement helps maintain a high number of users
as allies, while increasing the overall security of your network. Not all

users will listen, but if you clearly explain and help them understand
security, most users will adhere to the guidelines.
Even though programs have all sorts of options, use some common sense
when utilizing their features. The preceding example might seem fictitious,


“ Hackers Beware “ New Riders Publishing
409
but actually happened. I included it to show you how easy it is for a
company to lose sight of what is important when securing its systems.
Crack Options
Crack has several options that can be used. The following are the most
popular ones:
• debug. Lets you see what the Crack script is doing. After you get
comfortable with Crack, you can turn this off, but I highly
recommend that you turn this option on the first several times you
run it.
• recover. Used when restarting an abnormally terminated session.
For whatever reason, sometimes programs do not always run
properly or finish execution. In this case, you can try to gracefully
recover.
• fgnd. Runs the password cracker in the foreground while stdin,
stdout, and stderr are sent to the display so that users can better
monitor what is occurring.
• fmt. Allows the user to specify the input file format that should be
used.
• n. Allows the user to jump to a specific spot in the rule base and
start password cracking from a specific rule number “n.”
• keep. Prevents deletion of the temporary file used to store the
password cracker’s input. This is helpful for determining what the

user did or troubleshooting problems.
• mail. Emails a warning message to anyone whose password is
cracked. Be cautious of using this because often the people in an
organization who have weak passwords are the ones who sign the
checks.
• network. Runs the password cracker in network mode.
• nice. Runs the password cracker at a reduced priority for other
jobs to take priority over the CPU. I recommend using this option.
Normally when Crack is run, it uses whatever resources are
available. By running it in nice mode, you enable other people to still
use the system.
Crack Accuracy
To see how well Crack performs, I ran the program with an out-of-the-box
install against a password file with various types of passwords. Following
is the sample file that was used:

User Eric password eric
User John password john1234
User Mike password 5369421


“ Hackers Beware “ New Riders Publishing
410
User Mary password #57adm7#
User Sue password sue
User Lucy password 12345
User Pat no password
User Tim password password
User Cathy password 55555
User Frank abcde

User Tom password mnopqr
User Karen password bbbbbbbb
Crack was run against this file on a 500Mhz Pentium with 128MB of RAM
with the default options. It ran for approximately 150 seconds and
cracked the following passwords:

passwords cracked as of Tue Aug 17 10:41:00 EDT 1999
0:Guessed pat [<no-ciphertext>] [npasswd /bin/sh]
934899050:Guessed eric [eric] [npasswd /bin/sh]
934899050:Guessed lucy [12345] [npasswd /bin/sh]
934899050:Guessed sue [sue] [npasswd /bin/sh]
934899259:Guessed tim [password] [npasswd /bin/sh]
934899274:Guessed frank [abcde] [npasswd /bin/sh]
934899304:Guessed karen [bbbbbbbb] [npasswd /bin/sh]
934899342:Guessed cathy [55555] [npasswd /bin/sh]
done
To see how well Crack performed, here is a summary listing of which
passwords it found and which ones it did not:

User Eric password eric - CRACKED
User John password john1234
User Mike password 5369421
User Mary password #57adm7#
User Sue password sue - CRACKED
User Lucy password 12345 - CRACKED
User Pat no password - CRACKED
User Tim password password - CRACKED
User Cathy password 55555 - CRACKED
User Frank abcde - CRACKED
User Tom password mnopqr

User Karen password bbbbbbbb – CRACKED
As you can see, Crack guessed eight of the passwords. All of the
passwords that were guessed were simple words, repetitive characters, or
strings of characters or numbers. It is interesting that abcde was cracked
but mnopqr was not. Both are strings, but one started in the beginning of
the alphabet and the other started in the middle. Also, john1234 was not
cracked, which is a simple combination of two strings.


“ Hackers Beware “ New Riders Publishing
411
This is not a negative aspect of Crack, however it is important to
understand the limitations of a program whenever you use it. Just
because Crack didn’t guess a password does not mean that an attacker
might not or that a given password is strong.
Also, it is important to note that these results are based on the standard
configuration of Crack. Crack can be configured to guess additional
passwords. One key characteristic of password crackers that use
dictionary attacks is the quality of the dictionary they use. The old saying,
“Garbage in, garbage out,” holds true, and a dictionary cracker is only as
good as the dictionary that it uses. There are several sites on the Internet
that contain dictionaries and you also can create your own. Also,
depending on where your company is located, there are dictionaries that
contain foreign words.
John the Ripper (John)
John the Ripper (John) is a UNIX password cracker, but can be run from
either a UNIX or a Windows platform. It is available from
There are different versions that can be
downloaded for each operating system. Both versions come with the
source code, which is a nice feature. On the UNIX machine, the source

code has to be compiled; but on Windows systems, John gives both the
source files and the compiled binary. John is powerful and fast and has a
lot of built-in features that are easy to use. These include dictionary and
brute force attacks, which were covered in detail in Chapter 8, “Password
Security.”
Latest Version of John
According to the documentation that came with John, the following are
some of the new features included in the latest version, 1.6:
• Everything is re-coded to be more extendable, more portable (no
GNU C extensions used, unless __GNUC__ is defined), and more
readable.
• Support for running two hashes simultaneously.
• Bit slice DES routines: Up to three times faster on RISC.
• Initial attempt at vectorization support for bit slicing.
• BSDI’s extended DES-based ciphertext format support.
• OpenBSD’s Blowfish-based ciphertext format support.
• Special assembly DES routines for x86 with MMX: more than 30
percent on a Pentium II.
• Improved MD5 routines (both C and x86 assembly), 10 to 50
percent faster.
• Smarter length switching in incremental mode.
• Wordlist rules are now expanded while cracking, not at startup.


“ Hackers Beware “ New Riders Publishing
412
• New options -session and -groups.
• Simplified the syntax of -users, -shells, and -salts.
• Replaced -noname and -nohash with -savemem.
• Replaced -des and -md5 with -format.

• Removed some obsolete options to keep the thing simple.
• Added continue, break, return to the built-in compiler.
• Allows C comments in external mode definitions.
• Better default rule sets: variable length limit, less redundancy.
• System support for BSD and Linux distributions.
• Tested and make files for more versions of UNIX like Linux/PowerPC,
FreeBSD/Alpha, and SCO.
• Many internal algorithm improvements.
• Fixed most of the bugs and portability issues.
John Requirements
John has versions that can run on either a UNIX or Windows platform, so
each will be covered separately.
Using John with UNIX
The latest version has been tested on the following versions of UNIX:
• Linux x86/Alpha/Sparc
• FreeBSD x86
• OpenBSD x86
• Solaris 2.x Sparc/x86
• Digital UNIX
With UNIX, you only download the source code, so the following are the
requirements that are needed to get it up and running:
• UNIX-like operating system.
• C compiler.
• Moderate amount of disk space (10MB).
• Lots of CPU time.
• Permission from the system administrator. You should always get
permission and authorization before running these programs.
• Root privileges (if using shadow files).
• Uncompression program like gzip and tar.
John is not as large and computation intensive as Crack, but because it is

cracking passwords, it can still use up a considerable amount of resources,
depending on the size and difficulty of the passwords and the options that
are used when running the program. Therefore, before you install John,
make sure you have enough resources to compile and run it. If other
departments are using the UNIX machine, please check with them prior to


“ Hackers Beware “ New Riders Publishing
413
running it. Otherwise, it could cause unnecessary issues if they are
running critical applications.
Always get permission from the administrator and your supervisor before
running this tool or any similar tool. I know I am repeating myself, but
this point cannot be overemphasized. Especially if you do not own the
machine, always make sure you check with the appropriate people prior to
running it. With UNIX, you download a compressed tar file. To do so,
follow these steps:
1. Download the John file.
2. Unzip the file using gzip:
3.
gunzip john-1_5_tar.gz
4. Untar the file:
5.
tar -xvf john-1_5_tar
6. Read the README and INSTALL documents.
7. If necessary, edit the source code.
8. Compile the program:
9.
10. cd src
make

SYSTEM (where SYSTEM is the system type you will be compiling it
on)
If everything works, the executable version will appear in the run
directory.
Windows
The latest version of John can run on Windows NT/95/98 and DOS. With
the Windows version, you download a zip file that contains the source
code and the precompiled binaries. Based on this, the only system
requirements are an uncompression program and enough disk space.
Also, because this program is used to crack UNIX passwords, there must
be some way that you can acquire the UNIX password file and transfer it
to the Windows machine.
With Windows, after the program is downloaded and uncompressed, you
cd to the run directory and you are ready to go, because the Windows
version comes with a precompiled binary. If the user chooses to recompile
or make any changes, the source code is in the src directory. To do this,
the user needs a C compiler for the operating system he is working on.


“ Hackers Beware “ New Riders Publishing
414
Running John
Running John is straightforward. You just type john, followed by any
options, followed by the password file. The following are some of the
options that can be used with John:
• single. Cracks a single password file. This is the simplest and
most straightforward method.
• wordlist:file. Enables John to use a dictionary file to crack the
passwords.
• rules. Enables rules to be used that allow John to make changes

in the dictionary words it uses to crack the passwords.
• incremental. Enables the incremental or brute force mode based
on the parameters that are specified in the john.ini file.
• restore:file. Continues an interrupted session.
• session:file. Allows you to specify a filename where the session
information is saved to.
• show. Shows the cracked passwords for the last session that was
run.
• test. Performs some benchmark tests to make sure the system is
working properly.
• users:[-]LOGIN|UID[, ]. Loads only a specific group of users or
accounts. This allows you to filter out and only crack a few accounts.
This is helpful if you have a couple of very sensitive accounts that
you want to check more frequently.
• groups:[-]GID[, ]. Loads only specified groups into the system.
• salts:[-] count. Allows you to set a password per salt limit,
which will achieve better performance.
John also comes with the following two utilities that are useful in some
environments:
• unshadow PASSWORD-FILE SHADOW-FILE >output file. Used to
combine the passwd and shadow files together for systems that use
the shadow file. These files must be combined prior to running John.
• Mailer password-file. A script that sends email to all users who
have weak passwords.
I recommend running John in the following order. First, run the following
to see what passwords you crack:

john –single password-file
john –show
Next, run a dictionary attack:



“ Hackers Beware “ New Riders Publishing
415

john –w:wordfile password-file
john –show
If the passwords have still not been cracked, run a brute force attack:

edit john.ini file
john –i password-file
john –show
There are several other parameters you can use, but these are the most
basic.
Results from Running John
When you run John, the results are displayed on the screen, but you can
also type john –show to see the results again or save them to a file. To
compare the accuracy of the results, let’s use the same password file we
used for Crack. These results are based on running on a 500Mhz Pentium
with 128MB of RAM.
After running john –single passfile, it completed in 10 seconds and
cracked 2 passwords. The following is the output:

John the Ripper Version 1.5 Copyright (c) 1996-98 by Solar
Designer
eric:eric:1001:10::/usr/eric:/bin/sh
sue:sue:1005:10::/usr/sue:/bin/sh

2 passwords cracked, 10 left
When running John with a dictionary file, by issuing the command john

w:wordlist passfile, it ran in 120 seconds and cracked 5 passwords.
The following is the output:

John the Ripper Version 1.5 Copyright (c) 1996-98 by Solar
Designer

eric:eric:1001:10::/usr/eric:/bin/sh
sue:sue:1005:10::/usr/sue:/bin/sh
lucy:12345:1006:10::/usr/lucy:/bin/sh
tim:password:1009:10::/usr/tim:/bin/sh
frank:abcde:1011:10::/usr/frank:/bin/sh

5 passwords cracked, 7 left


“ Hackers Beware “ New Riders Publishing
416
With the -i option, which causes John to perform a brute force attack,
John ran for several weeks and of course cracked all of the passwords,
because that is what a brute force attack does.
XIT
XIT is a password cracker for UNIX that performs a dictionary attack and
is available from It is a small but fast program.
It does have limited functionality because it only can perform a dictionary
attack, but in some environments you need a quick program that can
check passwords. It runs in a DOS window on most Window platforms. It
comes with the C source code, so if you want a better understanding of
how cracking works or if you want to build your own password-cracking
tool, this might be a good start. The source code is very well commented
and fairly easy to port and recompile. I was able to get it compiled in a

short period of time.
Latest Version of XIT
In this version, there are a couple of new enhancements:
• New SPACEBAR option to display status line. When the program is
running, you can press the spacebar and it displays status
information of how far along the program is.
• Can optimize the code for better performance.
• Full C documented source code of the main executable file.
As I stated earlier, this is not meant as a replacement for Crack, but I
know in some environments, where a company wants to periodically check
to make sure users are not using certain words as their passwords, this
program is a good solution. If that is the case, this might be the right tool
because it has less features and therefore is easier to use and uses less
resources to run.
XIT Requirements
The requirements to run this program are very simple—all you need is a
Windows machine and enough hard drive space to run the program. When
the program runs, it expands some files, so it could have some difficulty
running on a floppy, but if you have at least 5MB of disk space you should
be fine. The only requirements you need are a dictionary file and a UNIX
password file (with the encrypted passwords if you are using a shadow
file). It does not have a utility to merge the passwd and shadow files
together, so you either have to write one or use the one from John the
Ripper or Crack.
Configuring XIT


“ Hackers Beware “ New Riders Publishing
417
To configure the program, you download the file xit2.zip and uncompress

the 11 files into a directory. The following are the files that are contained
in the zip file:
• XIT.BAT. Main batch file used to run the program.
• CRYPT.C. Module containing the crypt() and related functions.
• XIT.C. Main C module.
• PWD.H. Include file needed to compile the source.
• XIT.TXT. File containing general information on how the program
works.
• X-PWD.EXE. Extracts encrypted passwords from passwd file.
• X-SORT.EXE. Sorts file generated by X-PWD.
• X-REP.EXE. Reports results generated by XIT*.EXE.
• XIT2.EXE. Main executable. All the encryption takes place in this
module.
• XIT3.EXE. 386 version.
• FILES.TXT. A listing of the 11 files contained in the zip file.
Running XIT
To run the program, you call xit.bat, which is a bat file that calls the
necessary files. The format is as follows:

xit passwordfile dictionary file
Remember that the password file has to contain the account information
and the encrypted passwords. If your system uses a shadow file, it must
be merged with the passwd file prior to running this system. The
dictionary file is a text file that contains dictionary words. There are
hundreds of dictionary files that can be downloaded off of the Internet.
The batch file performs the following steps:
1. Extracts all of the encrypted passwords from the input password
files and saves them in a temporary file.
2. The temporary file is sorted to increase the cracking process. XIT
does this by putting passwords that use the same salt next to each

other.
3. Runs the cracker program xit.exe.
4. Creates a file called status that contains the statistics on the
password cracking session. It also creates a file called report that
shows which passwords were cracked and the plain text password.
Results from Running XIT
When you run XIT, the results are displayed on the screen, but they are
also saved to two separate files: status and reports. To compare the


“ Hackers Beware “ New Riders Publishing
418
accuracy of the results, let’s use the same password file we used for
Crack. These results are based on running XIT on a 500Mhz Pentium with
128MB of RAM.
When I ran XIT on this password file, it ran in 136 seconds and cracked 6
passwords. The following is the status file:

'CFWow5IYPyEHU' deCrypts as '12345'
'bY5CQKumRmv2g' deCrypts as 'abcde'
'T9ZsVMlmal6eA' deCrypts as 'eric'
'sXu5NbSPLNEAI' deCrypts as 'password'
'sXu5NbSPLNEAI' deCrypts as 'password'
'T9ZsVMlmal6eA' deCrypts as 'eric'
'XEsB/Eo9JCf6.' deCrypts as 'sue'


Total number of words processed in this session: 37069
Total number of accounts : 13
Total number of ecryptions made in this session : 481897

Total time elapsed : 136 seconds
Encryptions/second : 3543
Total number of passwords found: 7
The following are the results from the report file:

USERNAME PASSWORD REAL NAME USER ID HOME
DIRECTORY


lucy 1234 /usr/lucy 1006:10 /usr/lucy
frank abcde /usr/frank 1011:10
/usr/frank
eric eric /usr/eric 1001:10
/usr/eric
tim password /usr/tim 1009:10
/usr/tim
tim password /usr/tim 1009:10
/usr/tim
eric eric /usr/eric 1001:10
/usr/eric
sue sue /usr/sue 1005:10
/usr/sue
When looking at the results, XIT only cracked five of the passwords. For
some reason, it listed the Tim and Eric password twice. As you can see,
XIT cracked dictionary words and strings of numbers. Anything that was in
the dictionary file I gave it, XIT would have found. To make these results
reproducible, I used the dictionary words-english that comes with the


“ Hackers Beware “ New Riders Publishing

419
L0phtcrack program. L0phtcrack is a password-cracking program for NT
and words-english is just a listing of dictionary words.
Slurpie
Slurpie is a password cracker for UNIX that runs on a UNIX machine and
can be downloaded from It can perform a
dictionary attack and a customized brute force attack. With a customized
brute force attack, you stipulate the number of characters and the type of
characters you want it to use. For example, you can have Slurpie launch
an attack that attempts to conduct a brute force attack on words that are
between seven and eight characters in length and only uses lowercase
letters.
The big advantage Slurpie has over John and Crack is that it can run in
distributed mode. This means that if you have several machines that you
want to use to crack passwords, Slurpie can coordinate between all of the
machines to crack the passwords in less time than if one machine was
used. It lets you use several computers to create a distributed virtual
machine that can accomplish the tasks of cracking passwords in a much
shorter period of time. For example, if you have four high-end computers,
you could run Slurpie in distributed mode across the computers and have
the power of a quad processor machine.
To do this, you set up a daemon on each of the machines and tell the
main Slurpie program what machines they are on. It then connects to
those machines and distributes the work between all of the machines to
crack the passwords. Slurpie can also run on just one machine, but then
you lose some of the benefits of the program. Running the daemon and
the main program on the same machine is useful if you have want to use
Slurpie, but you are not taking advantage of the distributed power of the
program.
Latest Version of Slurpie

As of the writing of this book, the current version of Slurpie is version
2.0b, and in terms of functionality, it fits somewhere between XIT and
John the Ripper. In terms of the distributed nature of how it works, it
stands alone, because none of the other programs have this feature by
default when the program is installed. In most environments, you have
several machines that are idle or have minimal usage at night. Slurpie
gives you an easy way to tap into these machines to get additional
processing power.
Crack, the first program that we covered in this section, also can run in
distributed mode, but it is not as easy or straightforward to configure as
Slurpie. Crack uses a master system to remotely start clients, and


“ Hackers Beware “ New Riders Publishing
420
typically the data is shared between the systems by using NFS. Because
NFS has a large number of vulnerabilities, this can create other security
problems.
Slurpie Requirements
The following requirements for Slurpie are similar to the other programs
covered in this chapter:
• UNIX-like operating system
• C compiler
• Moderate amount of disk space (10 MB)
• Permission from the system administrator
• A copy of passwd that contains the encrypted passwords
• A dictionary file
• Uncompression program like gunzip and tar
Slurpie assumes that you have a passwd file that contains the encrypted
passwords. If you are using shadow files, you either have to write your

own utility to merge them together or use the utility that comes with John
the Ripper or Crack. Also, because the main benefit of using Slurpie is its
distributed functionality, having a network connection with other UNIX
boxes available is a plus.
Configuring Slurpie
Installation and configuration are very straightforward. After you
uncompress and untar the files, you cd to the directory and issue the make
all command. The following are the main steps:
1. Uncompress the file using gunzip slurpie.tar.gz
2. Extract the tar archive by typing tar –xvf slurpie.tar
3. Change to the correct directory by issuing the command cd slurpie
4. Compile the program by typing make all
5. If there is a problem and Slurpie doesn’t compile the file, cd to src
and modify the source code.
6. Run ./slurpie –h to get a listing of the features.
Running Slurpie
Before you run Slurpie, you have to tell the program where the distributed
hosts are located. You do this by editing the hosts.dat file. The file
contains one line for each entry, and each entry contains the IP address of
the machine followed by the port number that Slurpie is going to connect
on. To run this on a single machine, you just use the loopback address as
the IP address. The following is the contents of the hosts.dat file:



“ Hackers Beware “ New Riders Publishing
421
127.0.0.1 15001
After you know which machines you are going to run this program on, you
have to go to each machine and start the slurp daemon, which causes the

program to listen on the port you specified. To start up the daemon, type
the command./slurp 15001, where 15001 is the same port number that
is specified in your hosts.dat file.
Now that this is set up, you are ready to start Slurpie. Remember that to
run this program, you need a copy of the passwd file, and if you are using
shadow files, you should have already merged the two files together.
Slurpie does not have a utility to do this. You also need a dictionary file.
There are two main modes that Slurpie can run in, as follows:
• -p . Uses a dictionary to try and crack the passwords.
• -g . Uses a brute force attack where you can specify the parameters
that it uses. For example, –g a? 5 8 tries every possible word
ranging in length from five to eight characters and contains
lowercase letters and punctuation.
Because brute force attacks can take several weeks to run, we will
concentrate on a dictionary attack. After the daemons have been started,
you type the following command to start Slurpie:

./slurpie –p words.txt passwd.txt
Slurpie runs and the results appear in a file that is the same as the
password filename with .log appended to the end. In this case, the results
appear in passwd.txt.log.
Results from Running Slurpie
After Slurpie runs, no results are displayed on the screen. All of the results
are saved to a file. To compare the accuracy of the results, let’s use the
same password file we used for Crack. These results are based on running
Slurpie on a 500Mhz Pentium with 128MB of RAM.
When I ran Slurpie on this password file, it ran in 50 seconds and cracked
5 passwords. The following is the status file:

connecting to: 127.0.0.1 15001: successful.

1 nodes connected.
cracking: root 6T1E6qZ2Q3QQ2
cracking: daemon NP
cracking: bin NP
cracking: sys NP


“ Hackers Beware “ New Riders Publishing
422
cracking: adm NP
cracking: lp NP
cracking: uucp NP
cracking: nuucp NP
cracking: nobody NP
cracking: noaccess NP
cracking: nobody4 NP
cracking: eric T9ZsVMlmal6eA
password found for eric: eric
cracking: John .D532YrN12G8c
cracking: mike WD.ADWz99Cjjc
cracking: mary DEvGEswDCVOtI
cracking: sue XEsB/Eo9JCf6.
password found for sue: sue
cracking: lucy CFWow5IYPyEHU
password found for lucy: 12345
cracking: pat x
cracking: doug NP
cracking: tim sXu5NbSPLNEAI
password found for tim: password
cracking: cathy BYQpdSZZv3gOo

cracking: frank bY5CQKumRmv2g
password found for frank: abcde
cracking: tom zYrxJGVGJzQL.
cracking: karen OZFGkH258h8yg
done.
closing connection: 127.0.0.1 15001.
elapsed time: 0:0:0:16
Slurpie found five passwords. These start with the words password found
for.


“ Hackers Beware “ New Riders Publishing
423
Dictionary Attacks
I am sure you have noticed that all of the pro
g
rams are findin
g
the

same passwords when they perform a dictionary attack. This is
because they are using the same dictionary. When you run a
dictionary attack, remember that the results are only as good as
the dictionary being used. If you run a password-crackin
g
pro
g
ram
with a dictionary of one word, the only password it can crack is
that one word. In most cases, the larger the dictionary that is

used, the higher the chances that a particular password will be
cracked. Therefore, if each of the programs is run with a different
dictionary, some pro
g
rams mi
g
ht find more words than others, not
because the program is better but because the third-party
dictionary that is used is more thorough. I ran all of these
programs with the same dictionary so you could compare the
programs and see how well they performed.
Comparison
As we have covered in this chapter, there are several different tools that
can be used to crack UNIX passwords. Table 10.1 is a summary chart to
help you pick the one that is right for your environment.
Table 10.1. Comparison of the Effectiveness of UNIX Password Cracking Tools
Features Crack John the Ripper XIT Slurpie
Platforms they run on UNIX UNIX/Windows

Windows UNIX
Passwords they crack UNIX UNIX/NT UNIX UNIX
Dictionary attack Yes Yes Yes Yes
Brute force attack Yes Yes No Yes
Hybrid attack Yes Yes No No
Distributed Yes, with additional
configuration.
No No Yes
Utility to merge passwd and
shadow files
Yes Yes No No

Time to perform dictionary
attack
150 seconds 120 seconds 136
seconds
50
seconds
Ease of install (1 easiest, 4
most difficult)
4 3 1 2
Ease of use (1 easiest, 4 most
difficult)
4 2 1 3
Most features (1 having the
most features and 4 the least)
1 2 4 3
As you can see, there is a direct relationship between ease of use and
functionality. The easier a program is to use, the less features it has. If
you are going to work in the UNIX environment, you should invest the


“ Hackers Beware “ New Riders Publishing
424
time to learn a password-cracking tool extremely well so that you can
properly use it to secure your system.
Table 10.2 shows a comparison of which passwords each program cracked
and the accuracy.
Table 10.2. Comparison of Passwords Cracked Using a Dictionary Attack
User Original password Crack John the Ripper XIT Slurpie
Eric Eric X X X X
John John1234

Mike 5639421
Mary #57adm7#
Sue Sue X X X X
Lucy 12345 X X X X
Pat No password X
Tim Password X X X X
Cathy 55555 X
Frank Abcde X X X X
Tom Mnopqr
Karen Bbbbbbbb X
Total cracked 8 5 5 5
Accuracy 66% 42% 42% 42%
This table points out that the password-cracking programs that do a
straight dictionary attack only crack passwords that are in the dictionary.
So, the cracking is only as good as the dictionary that is used. Note that
because the dictionary I used does not have a blank line, three of the four
programs did not crack the account that had no password. This also shows
that just because a password cracker does not crack a password does not
mean that it is secure. In my opinion, all of the passwords except
5639421 and #57adm7# are trivial, which means 83 percent of the
passwords are extremely weak, yet three of the four programs cracked
less than 50 percent of them.
This is why it is so important to familiarize yourself with a tool and learn
how to customize it, because the default install does not do the best job.
Protecting Against UNIX Password Crackers
Just as was stated in Chapter 9, “Microsoft NT Password Crackers,” there
is no silver bullet for protecting against password cracking, although there
are ways to minimize the chances of a successful crack. The following are
some key aspects to strong password protection:
• Have a strong password policy

• Use shadow files
• Use one-time passwords


“ Hackers Beware “ New Riders Publishing
425
• Use biometric authentication
• Use Passwd+ to enforce strong passwords
• Audit access to key files
• Scan for cracking tools
• Keep inventory of active accounts
• Limit who has access to root
Have a Strong Password Policy
Because password policies have already been covered in Chapter 9, they
will only be briefly covered here. Password policies, or any security policy
for that matter, play a key role in the strength of a company’s security
program. If users do not know what is expected of them, there is no way
that they can be held responsible for having weak passwords.
Also, a password policy helps get management buy-in, ensuring that it is
behind you and supports security. Some key things to strive for in a
password policy are the policy should be uniformly enforced across the
company, and reasonable so that most users will read and follow it. A
one- to two-page password policy that clearly outlines what is expected of
users is a good start.
The following is my recommendation for a password policy:
• Passwords change every 45 days.
• After three failed logon attempts in five hours, accounts are locked
for three hours.
• All passwords must contain at least one alpha, one number, and one
special character.

• Users cannot reuse their previous five passwords.
• Passwords should not contain birthdays, childrens’ names, sports
teams, or other personal information.
• Passwords should not be dictionary words.
The following is a tip for picking good password:
• Use a phrase, not a word, and then use the first letter of each word
in the phrase.
• Example—When I stub my toe I say !@#$% 5 times
• Password—WismtIS !@#$%5t.
The key to remember is that a password policy is company and
environment dependent. There are some cases where I would tighten it,
but the preceding policy is a good starting point. You just have to assess
the security at your company to make sure you pick an appropriate policy.


“ Hackers Beware “ New Riders Publishing
426
Use Shadow Files
As discussed in the beginning of this chapter, shadow files make it difficult
for users to gain access to the encrypted passwords. If your UNIX system
is not using shadow files, you should either upgrade the operating system
or use a program that will convert your passwd file to a shadow file. After
shadow files are used in most cases, an attacker needs root access to
extract the encrypted passwords. In other words, shadow files do not
eliminate the threat, they just reduce the threat by increasing the chances
that only legitimate users can access the passwords and run Crack. If an
attacker has root access on your system, the fact that he can run Crack is
the least of your worries. Why would an unauthorized user with root
access worry about running Crack, when he can create whatever accounts
he wants?

It is important to note that Crack can still be used on a system with
shadow files; it just requires an extra step and extra access for the user.
To run Crack on such a system, an attacker must have root access to read
the shadow file or some way to acquire a copy of the file.
After you have a copy of the shadow file, you must merge it with the
passwd file. Crack cannot be run directly against the shadow file; you
must merge the files together. To merge the files, if you are very careful
and good with a text editor, you can do it manually. Or for the less insane,
Crack comes with a shadmrg.sv script that enables the user to combine
the two files. The shadmrg script does not use arguments and must be
edited for it to work properly. For example, you would go into the file and
find the first non-commented lines that contain the words SHADOW = and
PASSWD =, edit the file, and put the path of the location of the two files.
The output file that is produced can then be run through Crack.
USE One-Time Passwords
One-time passwords are very effective against password guessing because
the passwords change each time the user logs on. In other words, there
are really no passwords to guess. If you want to overcome the password-
guessing problem, the ideal way is to use one-time passwords. The
drawbacks are implementation costs, complexities, and ongoing operating
costs. The most common form of one-time passwords is smart cards. This
is a device that the user must carry around with her whenever she wants
to log on to the system. The device is triggered by time, so the password
changes every minute. When the user wants to log on, she reads the
current password off of the display and types it in as the password.
A huge liability with smart cards is replacement of the cards when they
are lost or stolen. Think of how often employees lose or forget their badge
or the keys to their office. Because smart cards are a lot more expensive,



“ Hackers Beware “ New Riders Publishing
427
a company can have considerable, increased costs based on the number
of cards it has to replace. I know several companies that implemented
smart cards and stopped using them because they forgot to account for
lost cards, and based on that they severely ran over their budget.
Many companies implement one-time passwords in addition to regular
passwords. For example, while an employee is at a company facility, she
would use her regular password to authenticate. Only when she is out of
the office and dialing in remotely does she use the one-time password.
This helps keep initial costs down and lets you dole out one-time
passwords in an incremental manner. Also, using regular passwords in
conjunction with one-time passwords helps increase a company’s security,
because now authentication is based on something you have and
something that you know.
Instead of time, some devices use what is known as a challenge response.
The user presents his user ID to the system and the system responds with
a challenge. The user then types the challenge into the device and the
device displays a response, which the user then types as the password.
Another form, which is less expensive, is software-based, one-time
passwords. A common implementation of this is called SKEY. SKEY uses
one-time passwords that are pre-computed when the system is set up.
Each user gets a pre-computed list of passwords and uses a different
password each time they log on.
The weakness of software-based, one-time passwords is that the
password list resides on the user’s computer, so it is easier for an attacker
to access. Also, if the computer’s hard drive gets damaged, the keys are
also lost. On the other hand, because the passwords are on the computer,
they are harder for the user to lose, as compared to smart cards or other
devices the user carries around. The following web site provides additional

information on SKEY: />.
Use Biometrics
Passwords are getting easier to crack because machines are getting so
fast. As a result, more companies are turning to biometrics as the
solution. Biometrics authenticates a user based on human factors such as
fingerprint, handprint, retinal scan, and voice scan. These methods are
highly reliable and are with a user at all times, so you do not need to
worry about someone losing or misplacing a token like you do with one-
time passwords. Because they are very difficult for the user to lose and
there is nothing for an attacker to steal, biometrics are much more
reliable.


“ Hackers Beware “ New Riders Publishing
428
There are several biometric solutions that are available for computers
today. Some of the issues are cost, because every machine that a user
could possibly log on to must have an authentication device. Even though
they have been proven to be safe, some users are concerned about
having their eyes scanned with a retinal scanner. Lastly, many people feel
uncomfortable having “big brother” taking their personal information and
being able to track them wherever they go.
The following site is a great reference for additional information on
biometrics: It contains links to more
than 100 vendors that provide biometric solutions. It also contains
detailed information on the following types of biometrics: finger, facial,
iris, retina, hand, voice and signature.
Use Passwd+
Passwd+ is a program that runs checks against the user’s password
whenever he changes it, to make sure it follows some basic rules. There

are other variations such as anlpasswd and npasswd that have similar
features. Following are some of the checks that Passwd+ performs:
• The user must enter the password twice.
• Verifies the password is a minimum length.
• Verifies passwords must be a mixture of letters, numbers, and
special characters.
• Verifies the password is not the user’s name.
• Verifies that the new password differs from a previous password.
Again, it is not a silver bullet; however, it is a good start. There are
various versions of Passwd+ available on the Internet. The following are
the URLs where you can find additional information:
• Passwd+:
• Anlpasswd:

• Npasswd:
Audit Access to Key Files
Because in most cases password cracking is performed offline, the only
way you can detect that someone is performing such an attack is to catch
him when he is accessing the passwd or shadow file. Even if you do not
check the audit logs on a regular basis, you must have scripts that scan
the audit log looking for someone accessing key files. If you detect that
someone has accessed these files, you might have to take action, because
it probably means that an attacker has compromised or is compromising
your passwords. Programs like tripwire are a good start and should be


“ Hackers Beware “ New Riders Publishing
429
part of your security plan. The problem is that these programs only catch
files that have been modified. With password cracking, an attacker only

has to access or read the file; he does not have to make any changes.
Scan for Cracking Tools
In some cases, you might get lucky and an employee or attacker might
actually run the program on your system. This is not nearly as covert as
downloading the password file and cracking it offline, but attackers might
do it to use the computing power of the system. In these cases, running a
periodic scan for known hacker tools such as Crack is fairly easy to do,
and it can have a huge payoff if an attacker is using the program against
your company. When performing security assessments, you cannot
imagine how many times I find large numbers of hacker tools that the
administrator did not know about because he never looked for them. To
secure your systems, you have to know what is running on them. Do your
homework and check for these tools before they do a lot of damage.
Keep Inventory of Active Accounts
Active accounts that belong to people that are on leave or are no longer at
a company present a huge vulnerability. These accounts are easy for an
attacker to compromise. Because no one is using the account, there is no
way an unauthorized person can be detected. Therefore, there is no one
to verify that the last logon date is incorrect, which would indicate that
someone other than the user has been accessing the account.
A company must have a policy for checking active accounts and removing
accounts that no longer should be active. If you do not periodically check
your accounts, an attacker can create a backdoor account on your system
and give it root access, and you would never know about it. Only by
checking the system and being able to detect new or suspicious accounts
can you prevent this type of behavior.
Limit Who Has Root Access
Only a small percentage of users should have root access. I have found
that having root access tends to be an ego thing in many companies
where everyone has to have root access. (“Well, I am certified.” Or, “I am

a senior administrator.”) Therefore, the individual feels he must have root
access. This type of thinking is a huge security risk and must be changed.
If a large number of people have root access and log on as root, it is very
hard to tell what is authorized and what is not authorized activity.
Also, the potential for damage increases because, by a slip of the hand, a
user can accidentally delete the entire system if she is logged on as root.


“ Hackers Beware “ New Riders Publishing
430
On the other hand, if only a few people have root access, an administrator
can quickly scan and detect unauthorized root access
Summary
As you can see, password security is critical, no matter what operating
system you are running. It is important to remember that the tools
discussed in this section for password cracking are not just for attackers
to use. Many administrators are afraid or get upset when they run across
these tools, only seeing the negative aspect.
The positive side of using these tools is that they can be used to protect
your site and should be embraced if they are used properly. If an
administrator runs cracking programs on a consistent basis and uses them
to increase the security on his site, the usefulness of these tools to an
attacker decreases tremendously. Therefore, it is imperative that you not
only understand what tools are available, but also use them, especially
when it comes to password security
Chapter 11. Fundamentals of Microsoft NT

Before you go to the next chapter, where we cover a detailed discussion of
specific NT exploits, how to detect them on your network, and how to
protect against them, it is important to lay the groundwork for how NT

works. This chapter starts with an overview of NT exploits highlighting
some similarities between the exploits and emphasizing some issues,
which lead to the fairly high number of vulnerabilities. It is important that
you understand the general concepts of why there are vulnerabilities and
how they work, so you can better protect your system.
No single book could list every vulnerability and every step you need to
take to protect your system. This book tries to give you enough details so
that when you are protecting your systems, you can address the problem
areas. This way, when a new exploit comes out, your potential damage is
minimized. This chapter gives you a basic understanding of NT, so that
not only the exploits in the next chapter make sense, but also you
understand what can be done to secure NT.


“ Hackers Beware “ New Riders Publishing
431
After an overview, we will then look at some fundamental concepts that
are needed to understand NT exploits, which will be covered in Chapter
12, “Specific Exploits for NT.” NT has so many features that even the most
proficient users still discover features or tools that they did not realize
existed. This chapter will look at these features from a security standpoint
and make sure you understand and concentrate on the right aspects
needed to protect your systems. So many think they understand NT, but
do not understand NT security, because NT from a server standpoint and
NT from a security standpoint are two different things.
There are entire books written on NT and NT security, and this chapter is
not meant to replace those books. Its purpose is to give you enough
understanding of how the exploits work, and the right features and tools
that are needed to secure your systems
Overview of NT Security

There is a great deal of criticism for NT, highlighting its high number of
security vulnerabilities. Yes, NT has made some mistakes that lead to the
high number of vulnerabilities, but you also have to put them in
perspective considering the functionality and the length of time NT has
been around.
NT has been around a shorter time period than UNIX, so it is natural that
UNIX is a more mature operating system. The other benefit UNIX has is it
matured over a longer period of time, when networking and the Internet
were not as popular as they are today, so issues could be resolved before
they turned into major problems.
Today, with such a large install base of NT and the type of mission-critical
systems it is running, even minor problems can have a major impact from
a security standpoint. Keep in mind that NT is a fairly new operating
system and will continue to have security vulnerabilities. If you run NT,
you have to make sure you understand it from a security perspective and
stay on top of the issues so that your company can be secure.
Another security issue with NT is the size and features of the operating
system. For those of us who write code, we know that there is a direct
correlation between the features of a piece of software and the number of
lines of code. The more features you add, the more code is needed to
support these features. There is also a correlation between the amount of
code and the number of bugs that are in the code. As the size of the code
increases, the chance for unforeseen issues to appear in the code also
increases.
When you have a program that is as feature rich as NT, which leads to a
large amount of code, it is only natural that there are inherent bugs and