INLS 187 Software Evaluation

Kristy Irvin

Assignment #3

INLS 187

March 19, 2003

Software Evaluation

Introduction

I chose to evaluate LC4 by @stake (http://www.atstake.com/research/lc/). This is version 4 of what used to be known as L0phtcrack.  I have recently become very interested in the importance of password security.  Once upon a time, I was naïve enough to think that my password choices really did not matter because I did not believe people would try to crack them.  I have become enlightened since then and am now very concerned with creating strong passwords that are not easy to crack.  I have also taken on some new responsibilities at work and have been creating passwords for database accounts.  Because several people need access to these accounts, I want them to be easy to remember, but I also do not want them to be easy enough for other people to guess.  Therefore, I thought it would be interesting to test out LC4 to see how it works.

Getting the Software to Work

Installing LC4 is extremely easy.  It is as simple as downloading the setup file from their website (http://www.atstake.com/research/lc/download.html) and running it.  The setup file launches an installation wizard with a few simple screens to complete the installation.  LC4 is installed into Program Files, and a program icon is even created in the Windows Start menu.  All that is needed to run the program is to click on that icon.

The first time LC4 is executed, it displays the LC4 wizard, which guides the user through the steps needed to set up a session.  For each step, the different options are displayed with an explanation of what choosing each option means.  The steps are:

  1. Get the Encrypted Passwords – The user selects where the passwords should come from, such as the local machine, a remote machine, network sniffing, or an NT 4.0 emergency repair disk.
  2. Choose Auditing Method – There are a number of levels for how complicated the password cracking algorithms can be. These include dictionary words, modifications of dictionary words, and a strong password audit, which includes a brute force attack.
  3. Pick Reporting Style – This allows the user to choose what information will be displayed when the audit is complete. These options include the cracked passwords, the encrypted password hash, the amount of time it took to crack the password, the auditing method that cracked it, and a notification when the auditing is completed.

That is all a user needs to do to run his/her first session of LC4.  It is amazingly easy.

Software Description

LC4 is a password cracking program for Windows machines.  It works with Windows NT, Windows 2000, and Windows XP.  It allows network administrators to audit the passwords of their users which enables administrators to be aware of any weaknesses or vulnerabilities in the users’ passwords.  LC4 also includes a password recovery utility.

LC4 is available in a 15-day trial version for free.  The only feature not available with the trial mode is the brute force attack.  A license for LC4 is available for $350. Educational/Non-Profit licenses are also available at a 20% discount.

The software can extract passwords from the local machine, a remote machine identified by network name or IP address, network traffic from an Ethernet device, or an NT emergency repair disk.  It also audits passwords that are contained in SAM files or extracted into pwdump files.  (Pwdump, http://www.polivec.com/pwdump3.html, is a utility that extracts the encrypted passwords from the Windows registry.)  For Windows 2000 machines with SYSKEY enabled, LC4 cannot access the encrypted passwords.  Pwdump3 can extract these passwords, and it works remotely.

Software Analysis

To analyze the software, I ran a session on my own laptop.  I also tried a network sniffing session on my home network, but we are using firewalls on our machines, so I did not have much luck.  Also, three of the machines on our network are Windows 2000 machines.  This means I could not access them using the remote machine option, but I could export the encrypted passwords using pwdump3 and then analyze them with LC4.  The other two machines on our network run Windows 98, which the software does not support, so I could not analyze those either.

My criteria for software analysis are as follows:

  1. Ease of Use

One of the criteria I am interested in for this utility is its ease of use.  Since the system only audits passwords and does not have rich functionality, I think the tool should be quick to install and use.  Ease of use will be rated on the steps for installation as well as the difficulty of running a session and interpreting the results.

  2. Password Cracking

LC4 claims to find basic dictionary words, combinations of dictionary words where the first word is less than 7 characters, and passwords that are the same as the username, and to crack portions of words when possible.  Therefore, I will test the following questions:

Does the program crack common dictionary words? 

Can it crack combined dictionary words?

Can it crack variations on dictionary words? 

Does it find passwords that are the same as the username?

  3. Speed

I think it is also important for the tool to work quickly and efficiently.  Network administrators using this tool may have thousands or even tens of thousands of passwords to audit.  Therefore, for the small set of passwords that my tests contain, the tool should be very fast.

  4. Help

Another important aspect of software is the help documentation provided with the tool.  The help documentation should provide adequate assistance for using the tool as well as an understanding of how the tool works so that the user can understand its limitations.  This is particularly important for a password cracking tool.

To test the software, I created several users on my local machine with a variety of passwords including:

Turtle – to test the dictionary word

Pierogi – a Polish food

Ch0c0late – to test a variation of a dictionary word

ChocolateDrink – to test a combination of two dictionary words with the first word > 7 characters

Drink45Y – to test a variation of a dictionary word with random numbers

I also extracted the encrypted passwords from a remote Windows 2000 machine using pwdump3 to test the import utility for the pwdump files.

Test Results

The analysis of the tests is based on using 3 of the 4 available cracking methods for LC4. These are the user info check, dictionary, and hybrid methods.  As the brute force method is not available in the trial version, it was not tested. It should be noted that this tool may be considerably more effective if the brute force attack is enabled.

  1. Ease of Use

I found the program extremely easy to use.  The installation could not have been easier.  The wizard included with the program makes setting up sessions a very simple task.  Additionally, the user interface itself is very intuitive, especially after using the wizard once or twice.  It is also quite easy to understand the results.

  2. Password Cracking

The results of the tests are shown in this screen capture:

[Screen capture of the LC4 audit results]

Does the program crack common dictionary words? 

Yes, it easily cracked turtle.  It only took 1 second to crack the password.

Can it crack combined dictionary words?

It did not do well with cracking combined dictionary words.  Both the administrator password and the Test2 password are combined dictionary passwords.  The administrator password was set to JumpJump.  The tool was only able to crack the last letter, P.  The Test2 password was set to ChocolateDrink, which the tool did not crack; it is also not expected to, since chocolate is more than 7 letters.  It was able to crack the first 7 letters.

Can it crack variations on dictionary words? 

There were two variations on dictionary words: ch0c0late and drink45Y.  It was able to crack drink45Y, but not ch0c0late.  I find this disappointing, since a common algorithm people use for setting up passwords is to replace the letter I with 1 and the letter O with 0.

Does it find passwords that are the same as the username?

Yes.  It was able to determine the username password in less than 1 second.

In general, the tool seems to do very well with dictionary words and somewhat well with hybrid words.  I think that it could be better at cracking hybrid passwords.  It seemed too easy to create a password that the tool could not crack.  It was not even able to guess at any portion of the pierogi password. 
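To make the split behind these results visible, here is an added model (not LC4's code and not part of the original report) of why each 7-character half of a password is cracked on its own: LM hashing uppercases the password, pads it to 14 characters and hashes each 7-byte half separately. The word list, the account names and the hybrid rule (a word plus up to two appended digits or symbols) are constructed assumptions, and DES is not implemented, so halves are compared as uppercase text rather than as hashes.

```python
from itertools import product
from string import ascii_uppercase, digits

# Constructed stand-ins for LC4's dictionary file and hybrid alphabet
# (assumption: the hybrid rule appends up to two digits or symbols).
WORDLIST = ["turtle", "drink", "jump", "chocolate"]
SUFFIX_CHARS = digits + "!@#$%^&*"
# A one-character half has only a few dozen possibilities, so it is
# enumerated outright here (modeling shortcut, not LC4's logic).
SINGLE_CHARS = set(ascii_uppercase + SUFFIX_CHARS)


def lm_halves(password):
    """Split a password the way LM hashing does: uppercase, truncate to 14
    characters, then two 7-character halves ('' stands for NUL padding)."""
    p = password.upper()[:14]
    return p[:7], p[7:14]


def candidate_halves(usernames, max_suffix=2):
    """Every half produced by the user-info, dictionary and hybrid guesses.
    LM encrypts the same constant with each half as the DES key, so a
    guess's first half can also match a target's second half."""
    guesses = set(usernames) | set(WORDLIST)
    for word in WORDLIST:
        for n in range(1, max_suffix + 1):
            for suffix in product(SUFFIX_CHARS, repeat=n):
                guesses.add(word + "".join(suffix))
    halves = set(SINGLE_CHARS)
    for guess in guesses:
        halves.update(lm_halves(guess))
    return halves


def audit(password, username, halves=None):
    """Crack each half independently: None = not recovered by the modeled
    methods, '' = the half is all padding (password is 7 chars or shorter)."""
    if halves is None:
        halves = candidate_halves([username])
    return tuple(h if h in halves else None for h in lm_halves(password))


if __name__ == "__main__":
    # Constructed accounts mirroring the report's test passwords.
    accounts = {"Administrator": "JumpJump", "Test2": "ChocolateDrink",
                "Test3": "Ch0c0late", "Test4": "Drink45Y", "Test5": "Pierogi"}
    halves = candidate_halves(accounts)
    for user, pw in accounts.items():
        print(f"{user:14} {pw:15} -> {audit(pw, user, halves)}")
```

The defender's reading is that a 14-character password built from two 7-character pieces is only as strong as its weaker piece, which is why JumpJump gives up its last letter and ChocolateDrink its first seven.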

 

 

  3. Speed

The user info check and dictionary check are completed almost instantaneously.  It takes 0–1 seconds to crack the dictionary words.  The hybrid check takes a little longer.  When it was successful, it took 20 seconds to crack the password.  The overall audit session took less than 1 minute, which I consider to be fairly fast for 9 passwords when only 3 of them were dictionary words or user names.

  4. Help

The Help available with this software is actually quite useful.  It very explicitly explains what this tool is capable of and what it is not capable of.  The documentation clearly explains how to use the tool, including detailed definitions of the different options.  It even explains that pwdump can be used for Windows 2000 machines.

Recommendation

While the tool is easy to use and provides some insight into what passwords are vulnerable to attack, I did not feel that it was particularly useful.  I had to import all of the encrypted passwords from the Windows 2000 machines on my network in order to try cracking the passwords.  It was unable to do this by sniffing the network.  Perhaps if I had a domain controller and a Windows 2000 Server, the testing of the network might have been different.

I also feel that testing the brute force attack would be important before I could make any strong recommendations one way or the other about this software.  It is hard to say how effective it is without that functionality included in the trial version.  If a hacker is able to import the encrypted passwords from your network onto their machine, they will certainly run a brute force attack. Without the brute force attack, I was not impressed with the software’s ability to crack passwords.