A new Windows password cracker
A group that made waves last spring with hacker code that can gain access passwords for Microsoft's Windows-based OS software is back with a revised tool.
Lopht Heavy Industries bills the latest version of its "lOphtcrack" code as a "password cracker" intended for use by systems administrators and security professionals concerned about potential points of access in their local networks. But the software could also be used with evil intent by corporate hackers.
New functions now allow passwords to be intercepted across a local network from NT or 95 machines that use the older LAN Manager authentication system. With updated NT authentication, passwords cannot be intercepted. Users of Windows 95, however, remain a potential target. In large organizations with a variety of employees whose motives may be in question, use of this tool could wreak havoc.
A previous version of lOphtcrack allowed a hacker to retrieve "hashed" or encrypted passwords from an NT machine after administrative access had been gained. Those passwords could then be victims of a "dictionary attack" in which a software program runs through potential passwords until it guesses them correctly.
The latest version allows a user to do the same thing, only a hacker can pick off passwords as they are being sent across the network to the machine to which the user wishes to gain access. Microsoft executives said this capability was part of a previous version, but representatives of the group now are promoting it as a method to gain entry without administrative rights. In a sense, this capability is OS-independent, Microsoft executives point out, since a password from any OS could be sent over a network.
News of the latest version of the tool underscores the stakes involved in Microsoft's push into enterprise corporate networks with Windows NT. Years of hacking into Unix systems have taught administrators a few tricks of the trade, and some of those have trickled into NT development.
But hackers are sure to be lured to NT, according to analysts, due to the rapid development of new services for the operating system (OS). And for networks using Windows 95, the new tool highlights the limited security mechanisms found in the consumer-oriented OS and hints at the picture Microsoft will paint for corporate customers: an NT-based world.
"I think the methods we are using to access passwords are well-known and publicly available so I think the criminal element and the espionage community are already using them," a member of lOpht Heavy Industries who called himself "Weld Pond" wrote in an email to CNET's NEWS.COM. "L0phtCrack allows administrators, tiger teams, and security auditors to quickly exploit these vulnerabilities."
"From our experience in the computer security world, the only way to get people to shore up vulnerabilities is to prove they exist and are a threat to the people who have to pay for the fixes," he noted.
Information on the group's Web site promises: "It's big. It's bad. It cuts through NT passwords like a diamond-tipped steel blade. It ferrets them out from the registry, from repair disks, and by sniffing the Net like an anteater on dexadrene."
Members of the lOpht team did note that appropriate measures can guard against attack.
"Microsoft has released the SYSKEY utility with Service Pack 3 [for NT] which allows an administrator to add another layer of encryption so that this method of accessing the password hashes is foiled. At least for l0phtcrack 2.0," the lOpht representative wrote.
The email message also pointed out that a tool available on the Net called "PWDUMP2" can access hashed passwords even with the patch. But Microsoft executives said a user would still need access rights to the password database to gain entry. That database can be encrypted using the SYSKEY software addition.
Karan Khanna, a product manager for Windows NT Server, said the latest version of the code is similar to previous versions. He said the same fix posted on the company's support Web site over the past few months, which does not allow hackers using lOphtcrack to get passwords, should suffice for Windows NT-based machines.
Khanna said the new version of lOphtcrack is basically the same as the previous version except the new version has a better interface and speedier execution. He stressed that customers should continue a policy of maintaining strong passwords, using a variety of numbers and letters.
However, Windows 95 machines retain an authentication mechanism left over from an older LAN Manager product. In instances where Windows 95 is being used in a networked environment, Microsoft is advising customers to move to NT, which has stronger authentication, Khanna said.
The executive said the company has not received any word of break-ins from customers. The 2.0 version of the tool was just posted on the Web earlier this week.
The next version of NT--dubbed 5.0--will include a Kerberos security system. The company also promotes the C2 certification gained for NT-based systems, a designation that allows NT-based systems to be used in government settings. However, that certification currently only applies to non-networked NT boxes, offering limited relief for administrators who govern network-based applications and systems.
Khanna noted that NT 3.51 has gained network certification in the United Kingdom.
As part of a previous advisory on lOphtcrack, Microsoft had this advice: "Every computer operating system is susceptible to security issues if basic security guidelines are not followed. Security is achieved through a combination of technology and policy."
The lOphtcrack tool is available for free on the company's Web site but includes a time-out mechanism which renders the software useless after 15 days. In order to keep the latest version, users must pay a $50 fee.