Friday, July 9, 2010

Cracking Windows Passwords withJohn The Ripper(JTR) & prevention

We always hear that small passwords are vulnerable and long passwords possibly containing numbers should be used.What can be the reason? If you are sniffing it does not really make a difference even if a password of 100 characters is used, if the channel is not secure it is going to be visible. What about 'login' passwords we use to login to our favourite OS (of course I am talking about Windows). Let us make a few things clear.
First of all , the password has to stored in hard drive so that when Windows boots and a user enters a password it can be matched to authorize.

Secondly the password has to be placed in a directory inaccessible to a user.  Lastly, in an extreme situation where someone is able to access that 'password' file should be unreadable. Microsoft addresses the issues by storing passwords in a  "SAM" file in C:\Windows\System32\config\ folder. Also the files cannot be viewed by a user even if it has admin privileges. The contents of the files are stored in a hashed form. Hashing loosely means that the contents are passed through a function which changes the contents  to an unreadable form, many online sites provide hashing of a string to based on different functions, one such hash-generator site's link is provided at the bottom. The main difference which concerns us is that while encryption is a reversible process , hashing is irreversible and hashed data cannot be retrieved back.
When an user creates an account the password is hashed and stored by the OS. Subsequently whenever the user will enter a password it will be hashed and compared with the correct password which has been saved by the OS.

Microsoft before launching NT used to store passwords using LM (Lan Manager) hashing algorithm. Later it introduced NTLM (NT Lan Manager) which was a stronger hashing algorithm. To ensure backward compatibility an LM hash was also computed and stored. This was the default behaviour before Vista was launched. Therefore XP ,even though uses NTLM , keeps the passwords in LM hash as well.

The LM hashing is so weak that certain researchers and enthusiasts developed tools such as Ophcrack and John The Ripper( famously known as JTR) which can crack alphanumeric passwords within a few hours. John The Ripper uses two methods -dictionary attack and bruteforce attack, both have their advantages and disadvantages. Dictionary attack uses a user defined file which contains all the words in a dictionary while bruteforce uses all the permutation and combination of the defined keyspace (user can define whether only alphabets should be considered or numbers etc). A dictionary attack is obviously faster since there are less words but you have to be sure that the user has used a dictionary word as his/her password. Bruteforce attack on the other hand is slower but gives more assurance of the password being cracked!

John The Ripper -Introduction ,Installation and Usage

You can download John the ripper (free version) ,link is at the bottom. JTR is available for both Windows and Linux. Here both will be used. First let us explore the Windows version. Here are the basic commands to use JTR

--single :use predefined parameters such as login names,user's home directory as username and password to compare with the hash
--incremental:basically bruteforce mode modes include 'All', 'Alpha' ,'Alnum','Digits' and 'LanMan'
--wordlist : use this keyword to use the dictionary method, words in a defined file be used only. A sorted wordlist can make JTR faster.
--show passwd :show the cracked password
--restore :Press control C once to save the session, use this command to restore the saved session. Remember pressing control C twice immediately aborts the session

Usage :
jtr-386.exe [OPTIONS] password file

password file contains the password hashes.

Retrieve Password Hashes.

To get cracking password hashes are required, and this is where ophcrack comes into play. It is a free ware and allows you to extract the hashes and export it to a file. You can find the appropriate links at the end.
Or you can use a linux distro ,boot it live and copy the SAM file . Running it in ophcrack will reveal the username and their corresponding hashes. Delete the entries that you do not want to crack (eg helpandsupport etc) and let JTR do the rest.

I ran JTR on a SAM file containing "yellowz" as the password  with the command
john-386.exe --incremental:Alpha [filename]

It took 28 minutes to crack the password. All the passwords are saved in john.pot file by default.

Linux users

Linux users need to download the tar-ball and run the following commands:
Go to the src folder 
 make clean generic
cd ../run
./john password file

Please read the INSTALL file for complete instructions

You can also crack the Linux hashes by running the UNSHADOW utility in run folder


./unshadow /etc/passwd  /etc/shadow > dest password file
This will store the password hashes in the specified destination file.Root privileges are required to run this command.This file can now be used as a password file for JTR.

Ophcrack is available in Linux as well. Ubuntu users need to simply go to
Applications->Add/Remove -> search for ophcrack and install it.Once installed, it can be found in Applications->System Tools.


Bruteforce is very effective with today's modern CPU but if the password is longer than 7 then it takes a very long time to crack the password even if it comprises alphabets only. But hold on folks! If you thought that this is where it ends then you are completely wrong as I found out a few weeks ago. Yes you can crack passwords a hell lot faster with the use of tables also known as rainbow tables.

Rainbow tables

As earlier mentioned, software such as JTR take a string, convert it to the hash and compare it with the hash in the supplied password file. Why not compute all these hashes and store it in a table? This is a rough definition of a rainbow table. More about it in a future article.


Since XP is still the most widely used OS , it is very vulnerable to this attack. Anyone with physical access to the machine can find login passwords within minutes. You can disable LM authentication by following these steps:
Start -> Settings -> Control Panel -> Administrative Tools -> Local Security Policy
Expand the “Local Policies” folder and select “Security Options” beneath it.
Double click “Network security: LAN Manager authentication level”.
Change the setting to “Send NTLMv2 response only\refuse LM & NTLM”.

To disable storage of LM hashes in future:
Still in the “Security Options” folder, double click “Network security: Do not store LAN Manager
hash value on next password change”, and choose ‘Enabled”.
Restart your computer and change the password for all accounts on the computer.

Windows Server 2003 users and NT users,if any, can check out google on how to disable LM authentication.

Important links:

Online hash generator
Ophcrack homepage
John The Ripper
Disable LM authentication
Secure Practices