Editor's Choice: Security
Winner: @stake LC4
Honorable Mention: Microsoft Corp. MSDN Universal
$350 per license
@stake; 617-621-3500; www.atstake.com
- By Roberta Bragg
- December 01, 2002
Why would a security evangelist tap a password-cracking program as her
favorite security tool? Think about it: How can I get the attention of
users and techies? How can I best attack the most problematic issue in
information system security? I can convince them that using strong passwords
and changing them frequently are actions they can take to improve security
(and that not doing so is the No. 1 reason much of their other security
efforts are futile). With this tool, I can do just that—and so can you.
But before you hyperlink over to www.atstake.com,
shell out the cash and proudly present the CEO with his password, download
a little common sense and get permission to crack the passwords on your
network domains, servers and desktops. Get it in writing. Sure, listing
passwords for executives will get their attention; but, without appropriate
authority, it may get you fired. Instead, learn what LC4 can do, make
it part of a rational password-auditing policy for your organization and
use it to strengthen security. You’ll probably never get to show the CEO
this, but at least he or she won’t be showing you the door.
Figure caption (fragment): ...session options for the type of cracks you want to perform.
You use LC4 to extract the password hashes from a SAM database or Active
Directory. Alternatively, you can capture LM and NTLM challenge/response
data from a network authentication session, use a SAM file from a backup
tape, or use one extracted from AD with pwdump3 (a shareware tool).
Next, set session options, then start the crack. By default, LC4 also
checks whether each password is simply the account's user ID. The cracked password, which
type of crack actually got the password, and the time it took to crack
each password are displayed on the screen. Alternatively, you can turn
off the “display the password” part of the program. Cracked passwords
aren’t displayed, but the time it took to crack them is. This is an excellent
feature if you don’t want to expose everyone’s password but want to show
the results of your audit to the widest audience.
So why bother writing strong passwords? As an LC4 audit teaches: The
stronger take longer, and bigger is better. Maybe the attacker will go
elsewhere or maybe you’ll have changed the password by the time they crack
it. It’s a definite “must” tool in your arsenal of audit tools, and it
makes a darn good teaching tool, as well.
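To put "the stronger take longer, and bigger is better" into numbers, here is an added example (not from the article or from @stake) that estimates the worst-case guessing work for the LM and NTLM hashes LC4 audits. The charset sizes and guess rate are constructed assumptions, and the LM two-half behaviour it models is a known property of that hash that the article itself does not describe.

```python
"""Worst-case guessing work for LM versus NTLM hashes (added example).

Illustrates "the stronger take longer, and bigger is better", plus a property
the article leaves implicit: LM uppercases the password and hashes it as two
independent 7-character halves, so past 7 characters LM gains far less than NTLM.
"""

# Constructed assumptions, not figures from the article:
LM_CHARSET = 69          # case-insensitive: 26 letters + 10 digits + 33 symbols
NTLM_CHARSET = 95        # case-sensitive: all printable ASCII
GUESS_RATE = 10_000_000  # hypothetical guesses per second on the auditing host


def keyspace(charset_size: int, max_len: int) -> int:
    """Candidates of length 1..max_len over a charset (exhaustive search)."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def lm_candidates(length: int) -> int:
    """LM keeps at most 14 chars as two separately hashed 7-char halves,
    so the halves cost keyspace(69, 7) each and add rather than multiply."""
    if length <= 0:
        return 0
    length = min(length, 14)
    first_half = min(length, 7)
    second_half = length - first_half
    total = keyspace(LM_CHARSET, first_half)
    if second_half > 0:  # an empty second half is a known constant, costs nothing
        total += keyspace(LM_CHARSET, second_half)
    return total


def ntlm_candidates(length: int) -> int:
    """NTLM hashes the whole password, case preserved: no halves, no uppercasing."""
    return keyspace(NTLM_CHARSET, length) if length > 0 else 0


def days_to_exhaust(candidates: int, rate: int = GUESS_RATE) -> float:
    """Wall-clock days to try every candidate at the assumed rate."""
    return candidates / rate / 86_400


def compare(length: int) -> dict:
    """One row of an audit report: effort for each hash type at this length."""
    lm, nt = lm_candidates(length), ntlm_candidates(length)
    return {"length": length, "lm_days": days_to_exhaust(lm),
            "ntlm_days": days_to_exhaust(nt), "ntlm_over_lm": nt / lm if lm else 0.0}


if __name__ == "__main__":
    for n in (6, 7, 8, 10, 14):
        r = compare(n)
        print(f"{n:2d} chars: LM {r['lm_days']:12.1f} days, NTLM {r['ntlm_days']:16.1f} days")
```

Run it and note that a 14-character LM password costs only twice a 7-character one, which is why an LC4 audit that finds LM hashes still present is worth reporting even when passwords are long.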
Sometimes, the leader is so far out ahead of the pack that coming in
second doesn’t matter. This time, however, it does. My runner-up security
tool is my MSDN Universal subscription. What? “That’s not a security tool,”
you say! I beg to differ. This little tool provides me with a copy of
Visual Studio .NET and copies, for educational and testing purposes, of
Windows 2000, Windows XP and Windows .NET, SQL Server, Exchange Server,
ISA Server, BizTalk Server, Commerce Server, Application Center Server,
SharePoint Portal Server, Visio and more. This—along with the SDK, MSDN
Library, access to special newsgroups and other special offers—is something
no serious Windows security researcher can afford to do without. As an
added benefit, my production machines remain production machines. I can
set up the test network of my dreams for one small software cost.
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.