# Let John the Ripper Audit Your Passwords

by Corey Nachreiner, Network Security Analyst

Recently, I watched a Discovery™ channel documentary about a group of teenagers progressing through U.S. Army boot camp. One day during basic training, the loud (and seemingly psychotic) drill sergeants forced the miserable group of teens into a bunker, which was then filled with noxious gas. Once the room was good and toxic, the stern sergeants forced the cadets to remove their gas masks and breathe the obnoxious fumes. My first reaction was, "That's cruel and unusual punishment!" What was the point of making those poor kids so miserable? However, as I pondered the fact that those "kids" were training to react and respond to extremely dangerous combat situations, the tear gas drill made some sense. Sometimes the only thing that will open your eyes to the true risks associated with certain actions is to experience their consequences first-hand, but in a safe environment.

This concept extends to the network security arena as well. Sometimes it's good to experience the results of an ethical hack first-hand in order to appreciate why network security is vital. So with me as your drill sergeant, let's experience the true importance of strong passwords by submitting your network to a beating from John the Ripper.

## What's John the Ripper?

John the Ripper (JtR) is a free password-cracking program popular amongst hackers and security experts alike. Provide John with a file of password hashes, and it will rip the file apart until it knows the password for every user on your network. JtR doesn't "decrypt" anything: a hash is one-way, so John guesses a candidate password, hashes it the same way the operating system did, and checks whether the result matches. It generates its guesses with methods such as dictionary attacks, where it tries thousands of words from a wordlist in hopes of finding a match, or brute force, where it systematically works through millions of character combinations until it stumbles upon the password. If you think your users' passwords are safe, 24 hours with John the Ripper might show you otherwise.
## Let's Keep It Ethical Out There!

Remember, cracking passwords is obviously very sensitive. If you are not the network administrator of your organization, you must get prior consent from him or her, as well as from your CIO if you have one, and from anyone else specified in your company's security policy. The purpose of this experiment is to discover the strength of your users' passwords and whether or not you need to implement a new password policy. You should discard any passwords you discover through this process, and warn any users whose passwords were trivial to crack. If you prefer, you can perform this test on a group of fake users, as I do in my example. However, you'll gain a better understanding of your network's password security if you use your actual password file. Nothing motivates a new commitment to security quite like seeing your authentication measures fall apart in the first ten minutes of Ripper's attack.

## "Into the Bunker, Soldiers!"

You'll need to do the following to perform this test:

- Create a directory called "jtr" on a machine from which you can log in to the domain as a Domain Administrator, and put John the Ripper in it.
- Put the pwdump2 utility in the same "jtr" directory.
- Download a word list (this article uses one called "English.txt") into the "jtr" directory.
- Get the consent described above before you extract a single hash.
Okay, soldier, let's do it. First, extract the list of password hashes from your Windows Domain Controller. Windows keeps its password hashes in the SAM (Security Account Manager) database. As a security measure, Windows locks this file so it can't be read or copied while Windows is running. The pwdump2 application gets around that with a sneaky technique called DLL injection: it injects its own code into the system process that already has the hashes loaded, and asks that process to hand them over. To use pwdump2, you must log in using an account that has Domain Administrator access. Then go to a command prompt, change to the "jtr" directory you created before, and type:

```
pwdump2 > passwords.txt
```

This command creates a text file called "passwords.txt" which, when opened, looks something like this (hashes trimmed):

```
Administrator:500:B29DF722DCA82C00AAD3B435B51404EE:
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0
AliceB:1010:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7
Bobs:1011:DE2E5041A77AA6078D1DD5E7B0A360AA:CADC8509
...
```

Each line is the user name, the user's numeric ID, the LM hash, and the NT hash. The LM hash is the older of the two formats and the weaker: Windows upper-cases the password, pads it to 14 characters, and hashes each 7-character half on its own, so John can crack the halves independently. You can already read a few things off this file without cracking anything. The value AAD3B435B51404EE is the LM hash of an empty half. Guest's LM hash is that value twice, and its NT hash begins 31D6CFE0, which is the NT hash of the empty password, so Guest has no password at all. The Administrator's LM hash ends in AAD3B435B51404EE, which means the second half is empty and the Administrator's password is seven characters or shorter.

Pwdump2 might return an error rather than a file. Unfortunately, the authors of the application don't offer many troubleshooting tips. If pwdump2 doesn't work for you, see the alternative methods for extracting the SAM in the References section below.

Now that you have a list of password hashes, you're ready to get cracking (pun intended). But first you need to configure JtR to use the word list you downloaded previously. In the "jtr" directory, you'll find a file called "john.ini". Open "john.ini" in a text editor and find the line that says:

```
Wordfile = ~/password.lst
```

Change it to:

```
Wordfile = ~/English.txt
```

JtR has many modes and options that help advanced crackers increase their chances of success. However, for this experiment, JtR's basic settings will work just fine. To start cracking your passwords, just type:

```
john passwords.txt
```

That's it. Now you wait. I recommend running JtR right before going home for the day. When you come back in the morning, you should have significant results.
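The procedure above can be mirrored in a few dozen lines of code, which makes it clear what John is actually doing with that file. The following is an added example written for this article, not code from the article itself or from John the Ripper: it parses pwdump2-format lines, applies the structural checks described above (empty NT hash, LM hash present, empty second LM half), and then runs a word-list attack against the NT hashes the way JtR's wordlist mode does, by hashing each candidate and comparing. The account names, the pwdump lines and the word list are constructed for the example. The NT hash is MD4 over the UTF-16LE password, and a pure-Python MD4 is included because hashlib frequently has MD4 disabled; LM hashes are not computed (that needs DES), so only AliceB's row, which carries the genuine LM and NT hashes of "password", exercises the LM checks.

```python
"""Triage a pwdump2-style dump and run a word-list attack on its NT hashes."""
import struct

# Well-known constants: the LM hash of an empty 7-character half, and the NT hash
# of the empty password. Both appear verbatim in real pwdump2 output.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

def _lrot(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (hashlib's md4 is often disabled)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"          # pad: 0x80, zeros, 64-bit bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                   # round 1
            a = _lrot(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                   # round 2
            a = _lrot(a + G(b, c, d) + X[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                   # round 3
            a = _lrot(a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex().upper()

def parse_pwdump(text: str):
    """Parse 'user:rid:LMhash:NThash[:::]' lines into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()})
    return rows

def triage(row) -> list:
    """Findings readable straight off the hashes, before any cracking."""
    notes = []
    if row["nt"] == EMPTY_NT:
        notes.append("blank password")
    if row["lm"] != EMPTY_LM_HALF * 2:
        notes.append("LM hash stored: case-insensitive, cracked as two 7-char halves")
        if row["lm"][16:] == EMPTY_LM_HALF:
            notes.append("second LM half empty: password is 7 characters or shorter")
    return notes

def wordlist_attack(rows, words) -> dict:
    """What JtR's wordlist mode does: hash each candidate once and look it up
    against every account at once, which works because NT hashes are unsalted."""
    by_hash = {}
    for r in rows:
        by_hash.setdefault(r["nt"], []).append(r["user"])
    cracked = {}
    for w in words:
        for user in by_hash.get(nt_hash(w), []):
            cracked[user] = w
    return cracked

# Constructed sample, not real accounts. AliceB's hashes are the genuine LM and NT
# hashes of "password"; the other rows carry the empty LM value because LM (DES)
# hashing is not implemented here, so only their NT hashes are meaningful.
SAMPLE_DUMP = "\n".join([
    "Guest:501:%s:%s:::" % (EMPTY_LM_HALF * 2, EMPTY_NT),
    "AliceB:1010:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::",
    "JerryB:1012:%s:%s:::" % (EMPTY_LM_HALF * 2, nt_hash("See spot run!")),
])
WORDLIST = ["123456", "letmein", "password", "qwerty", "secret"]  # constructed

def audit(dump_text: str = SAMPLE_DUMP, words=WORDLIST) -> dict:
    rows = parse_pwdump(dump_text)
    found = wordlist_attack(rows, words)
    return {r["user"]: {"notes": triage(r), "cracked": found.get(r["user"])} for r in rows}

if __name__ == "__main__":
    for user, res in audit().items():
        print("%-8s cracked=%r  %s" % (user, res["cracked"], "; ".join(res["notes"])))
```

Running it shows the shape of John's first few seconds: Guest is flagged as having no password before any guessing, AliceB falls to the third word in the list, and "See spot run!" survives because it is in no word list; only brute force or a rules-based mutation of a phrase would reach it, which is the whole point of the results that follow.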
## My Surprising Results

To test JtR myself, I created a small group of "users" with passwords representing those you might find in the real world. Below is the list of my users and their passwords:
You probably recognize that some of those passwords, including the Administrator's, are very insecure. Others seem pretty good. But the real question is what JtR thinks of them. The results might surprise you.

JtR cracked AliceB's password of "password" in seconds. This was expected, since "password" is one of the most common passwords. JtR, like many commercial cracking applications, checks for these commonly used passwords first. More worrisome: within 30 minutes or so, JtR had found six of my nine passwords. Only JanH's 179Secure!, JerryB's See spot run!, and SamP's S#4?p remained safe. But I hadn't yet given JtR a full 24 hours. Would any of my passwords withstand the Ripper's assault?

In the end, JtR cracked every password within 24 hours except JerryB's sentence-based password, "See spot run!" Although I had expected JtR to learn most of my sample passwords, I was surprised at how easily it found a few of them. For instance, I had considered JanH's password, "179Secure!", a fairly secure password. It's more than eight characters long, combines lowercase and capital letters, and even uses numbers and symbols. However, JtR showed me the light.

It's worth understanding why. With pwdump2 output, JtR goes after the LM hash, the first hash column in the file, and the LM hash never sees "179Secure!" as a whole. Windows upper-cases it and hashes "179SECU" and "RE!" separately, so John recovers the three-character half almost instantly and only has to brute-force seven case-insensitive characters for the rest. Mixing character classes buys far less than it appears to when the hash throws case away and splits the password in two.

## Okay, You've Scared Me. Now What?

As with the cadets choking on the gas, sometimes the best-learned lessons come with some pain. Now that I know even a ten-character password that includes letters, numbers and symbols can be cracked in less than a day, I've had to completely rethink my password policy. Now I believe passwords should contain at least twelve characters. Length is the property that actually hurts the attacker here: a long password means a full second LM half to brute-force rather than a fragment, and at fifteen characters or more Windows stores no LM hash at all, leaving only the far stronger NT hash to attack. After hearing that, you might groan, "Twelve characters! Are you crazy? I already have enough trouble remembering all my passwords." However, there is a silver lining to JtR's results. JtR also demonstrated that even simple, sentence-based passwords like "See spot run!" are hard to crack.
By using sentence-based passwords, starting with the first letter capitalized and ending with normal punctuation, your users will have very secure, yet easy-to-remember passwords that will keep your network safer. Testing John the Ripper on your network may initially present you with some bad news, but if your passwords are weak, you want to know it before an attacker does. Like an educational dose of tear gas, John the Ripper might make you cry, but at least its assault is not fatal. This time.

## References

Alternate Methods of Extracting the SAM: