A new Windows password cracker
By Ben Heskett
Staff Writer, CNET NEWS.COM

February 13, 1998, 12:15 p.m. PT
URL: http://www.news.com/News/Item/0,4,19141,00.html

A group that made waves last spring with hacker code that can gain access to passwords for Microsoft's Windows-based operating system software is back with a revised tool.

Lopht Heavy Industries bills the latest version of its "lOphtcrack" code as a "password cracker" intended for use by systems administrators and security professionals concerned about potential points of access in their local networks. But the software could also be used with evil intent by corporate hackers.

New functions now allow passwords to be intercepted across a local network from NT or 95 machines that use the older LAN Manager authentication system. With updated NT authentication, passwords cannot be intercepted. Users of Windows 95, however, remain a potential target. In large organizations with a variety of employees whose motives may be in question, use of this tool could wreak havoc.

A previous version of lOphtcrack allowed a hacker to retrieve "hashed" or encrypted passwords from an NT machine after administrative access had been gained. Those passwords could then be victims of a "dictionary attack" in which a software program runs through potential passwords until it guesses them correctly.

The latest version allows a user to do the same thing, only a hacker can pick off passwords as they are being sent across the network to the machine to which the user wishes to gain access. Microsoft executives said this capability was part of a previous version, but representatives of the group now are promoting it as a method to gain entry without administrative rights. In a sense, this capability is OS-independent, Microsoft executives point out, since a password from any OS could be sent over a network.

News of the latest version of the tool underscores the stakes involved in Microsoft's push into enterprise corporate networks with Windows NT. Years of hacking into Unix systems have taught administrators a few tricks of the trade, and some of those have trickled into NT development.

But hackers are sure to be lured to NT, according to analysts, due to the rapid development of new services for the operating system (OS). And for networks using Windows 95, the new tool highlights the limited security mechanisms found in the consumer-oriented OS and hints at the picture Microsoft will paint for corporate customers: an NT-based world.

"I think the methods we are using to access passwords are well-known and publicly available so I think the criminal element and the espionage community are already using them," a member of lOpht Heavy Industries who called himself "Weld Pond" wrote in an email to CNET's NEWS.COM. "L0phtCrack allows administrators, tiger teams, and security auditors to quickly exploit these vulnerabilities."

"From our experience in the computer security world, the only way to get people to shore up vulnerabilities is to prove they exist and are a threat to the people who have to pay for the fixes," he noted.

Information on the group's Web site promises: "It's big. It's bad. It cuts through NT passwords like a diamond-tipped steel blade. It ferrets them out from the registry, from repair disks, and by sniffing the Net like an anteater on dexadrene."

Members of the lOpht team did note that appropriate measures can guard against attack.

"Microsoft has released the SYSKEY utility with Service Pack 3 [for NT] which allows an administrator to add another layer of encryption so that this method of accessing the password hashes is foiled. At least for l0phtcrack 2.0," the lOpht representative wrote.

The email message also pointed out that a tool available on the Net called "PWDUMP2" can access hashed passwords even with the patch. But Microsoft executives said a user would still need access rights to the password database to gain entry. That database can be encrypted using the SYSKEY software addition.

Karan Khanna, a product manager for Windows NT Server, said the latest version of the code is similar to previous versions. He said the same fix posted on the company's support Web site over the past few months, which does not allow hackers using lOphtcrack to get passwords, should suffice for Windows NT-based machines.

Khanna said the new version of lOphtcrack is basically the same as the previous version except the new version has a better interface and speedier execution. He stressed that customers should continue a policy of maintaining strong passwords, using a variety of numbers and letters.

However, Windows 95 machines retain an authentication mechanism left over from an older LAN Manager product. In instances where Windows 95 is being used in a networked environment, Microsoft is advising customers to move to NT, which has stronger authentication, Khanna said.

The executive said the company has not received any word of break-ins from customers. The 2.0 version of the tool was just posted on the Web earlier this week.

The next version of NT--dubbed 5.0--will include a Kerberos security system. The company also promotes the C2 certification gained for NT-based systems, a designation that allows NT-based systems to be used in government settings. However, that certification currently only applies to non-networked NT boxes, offering limited relief for administrators who govern network-based applications and systems.

Khanna noted that NT 3.51 has gained network certification in the United Kingdom.

As part of a previous advisory on lOphtcrack, Microsoft had this advice: "Every computer operating system is susceptible to security issues if basic security guidelines are not followed. Security is achieved through a combination of technology and policy."

The lOphtcrack tool is available for free on the company's Web site but includes a time-out mechanism which renders the software useless after 15 days. In order to keep the latest version, users must pay a $50 fee.