Password cracking software

These tools require physical access to the tested computer:
• John the Ripper (www.openwall.com/john)
• pwdump2 (razor.bindview.com/tools/desc/pwdump2_readme.html)
• Crack (coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack)
• Brutus (www.hoobie.net/brutus)
• Pandora (www.nmrc.org/project/pandora)
• NTFSDOS Professional (www.winternals.com)

Windows usually stores passwords in these locations:
• Security Accounts Manager (SAM) database (c:\winnt\system32\config)

Password dictionary download
• ftp://ftp.cerias.purdue.edu/pub/dict
• ftp://ftp.ox.ac.uk/pub/wordlists
• packetstormsecurity.nl/Crackers/wordlists
• www.outpost9.com/files/WordLists.html

88 Part II: Putting Ethical Hacking in Motion

Cracking passwords with pwdump2 and John the Ripper

The following steps use two of my favorite utilities to test the security of current passwords on Windows systems:
• pwdump2 (to extract password hashes from the Windows SAM database)
• John the Ripper (to crack the hashes of Windows and UNIX passwords)

This test requires administrative access to either your Windows NT/2000 stand-alone workstation or server:
1. Create a new directory called passwords from the root of your Windows C: drive.
2. Download and install a decompression tool, if you don’t have one. FreeZip (members.ozemail.com.au/~nulifetv/freezip) and IZArc (www.webattack.com/get/izarc.shtml) are free Windows decompression tools. Windows XP includes built-in decompression.
3. Download, extract, and install the following software, if you don’t already have it on your system:
   • pwdump2: download the file from razor.bindview.com/tools/desc/pwdump2_readme.html
   • John the Ripper: download the file from www.openwall.com/john

The network administrator remembers some great password-cracking utilities from ElcomSoft (www.elcomsoft.com) that can help him out. He may see something like Figures 7-5 and 7-6.
Keystroke logging

One of the best techniques for cracking passwords is remote keystroke logging — the use of software or hardware to record keystrokes as they’re being typed into the computer.

Be careful with keystroke logging. Even with good intentions, monitoring employees can raise some legal issues. Discuss what you’ll be doing with your legal counsel, and get approval from upper management.

Logging tools

With keystroke-logging tools, you can later assess the log files of your application to see what passwords people are using:
• Keystroke-logging applications can be installed on the monitored computer. I recommend that you check out eBlaster and Spector Pro by SpectorSoft (www.spectorsoft.com). Another popular tool that you can use is Invisible KeyLogger Stealth, at www.amecisco.com/iks.htm, as well as the hardware-based KeyGhost (www.keyghost.com). Dozens of other such tools are available on the Internet.
• Hardware-based tools fit between the keyboard and the computer or replace the keyboard altogether.

Awareness and Training
• Greenidea, Inc. Visible Statement (www.greenidea.com)
• Interpact, Inc. Awareness Resources (www.interpactinc.com)
• SANS Security Awareness Program (store.sans.org)
• Security Awareness, Inc. Awareness Resources (www.securityawareness.com)

Dictionary Files and Word Lists
• ftp://ftp.cerias.purdue.edu/pub/dict
• ftp://ftp.ox.ac.uk/pub/wordlists
• packetstormsecurity.nl/Crackers/wordlists
• www.outpost9.com/files/WordLists.html

Default vendor passwords
• www.cirt.net/cgi-bin/passwd.pl

General Research Tools
• CERT/CC Vulnerability Notes Database (www.kb.cert.org/vuls)
• ChoicePoint (www.choicepoint.com)
• Common Vulnerabilities and Exposures (cve.mitre.org/cve)
• Google (www.google.com)
• Hoover’s business information (www.hoovers.com)
• NIST ICAT Metabase (icat.nist.gov/icat.cfm)
• Sam Spade (www.samspade.org)
• U.S. Securities and Exchange Commission (www.sec.gov/edgar.shtml)
• Switchboard.com (www.switchboard.com)
• U.S. Patent and Trademark Office (www.uspto.gov)
• US Search.com (www.ussearch.com)
• Yahoo! Finance site (finance.yahoo.com)

Hacker Stuff
• 2600 — The Hacker Quarterly magazine (www.2600.com)
• Computer Underground Digest (www.soci.niu.edu/~cudigest)
• Hackers: Heroes of the Computer Revolution, book by Steven Levy
• Hacker t-shirts, equipment, and other trinkets (www.thinkgeek.com)
• Honeypots: Tracking Hackers (www.tracking-hackers.com)
• The Online Hacker Jargon File (www.jargon.8hz.com)
• PHRACK (www.phrack.org)

330 Part VIII: Appendixes

Linux
• Bastille Linux hardening utility (www.bastille-linux.org)
• Debian Linux Security Alerts (www.debian.org/security)
• Linux Administrator’s Security Guide (www.seifried.org/lasg)
• Linux Kernel Updates (www.linuxhq.com)
• Linux Security Auditing Tool (LSAT) (usat.sourceforge.net)
• Red Hat Linux Security Alerts (www.redhat.com/support/alerts)
• Slackware Linux Security Advisories (www.slackware.com/security)
• Suse Linux Security Alerts (www.suse.com/us/business/security.html)
• Tiger (ftp.debian.org/debian/pool/main/t/tiger)
• VLAD the Scanner (razor.bindview.com/tools/vlad)

Log Analysis
• LogAnalysis.org system logging resources (www.loganalysis.org)

Malware
• chkrootkit (www.chkrootkit.org)
• EICAR testing string (www.eicar.org/anti_virus_test_file.htm)
• McAfee AVERT Stinger (vil.nai.com/vil/stinger)
• PestPatrol’s database of pests (research.pestpatrol.com/PestInfo/pestdatabase.asp)
• Rkdet (vancouver-webpages.com/rkdet)
• The File Extension Source (filext.com)
• Wotsit’s Format (www.wotsit.org)

Appendix A: Tools and Resources 331

Messaging
• GFI e-mail security test (www.gfi.com/emailsecuritytest)
• smtpscan (www.greyhats.org/outils/smtpscan)
• How to disable SMTP relay on various e-mail servers (www.mailabuse.org/tsi/ar-fix.html)
• mailsnarf (www.monkey.org/~dugsong/dsniff, or ww.datanerds.net/~mike/dsniff.html for the Windows version)
• Rogue Aware by Akonix (www.akonix.com)

NetWare
• chknull (www.phreak.org/archives/exploits/novell)
• Craig Johnson’s BorderManager resources (nscsysop.hypermart.net)
• NCPQuery (razor.bindview.com/tools/index.shtml)
• Novell Product Updates (support.novell.com/filefinder)
• Remote (packetstormsecurity.nl/Netware/penetration)
• Rcon program (packetstormsecurity.nl/Netware/penetration/rcon.zip)
• Userdump (www.roy.spang.org/freeware/userdump.html)

Networks
• dsniff (www.monkey.org/~dugsong/dsniff)
• Ethereal network analyzer (www.ethereal.com)
• ettercap (ettercap.sourceforge.net)
• Firewalk (www.packetfactory.net/firewalk)
• Firewall Informer (www.blade-software.com)
• Foundstone FoundScan (www.foundstone.com)
• GFI LANguard Network Scanner (www.gfi.com)
• MAC address vendor lookup (coffer.com/mac_find)
• Nessus vulnerability assessment tool (www.nessus.org)
• Netcat (www.atstake.com/research/tools/network_utilities)
• NetScanTools Pro all-in-one network testing tool (www.netscantools.com)
• Nmap port scanner (www.insecure.org/nmap)
• Port number listing (www.iana.org/assignments/port-numbers)
• Qualys QualysGuard vulnerability assessment tool (www.qualys.com)
• SuperScan port scanner (www.foundstone.com)
• WildPackets EtherPeek (www.wildpackets.com)

Password Cracking
• LC4 (www.atstake.com/research/lc)
• John the Ripper (www.openwall.com/john)
• pwdump2 (razor.bindview.com/tools/desc/pwdump2_readme.html)
• NetBIOS Auditing Tool (www.securityfocus.com/tools/543)
• Crack (ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack)
• Brutus (www.hoobie.net/brutus)
• Pandora (www.nmrc.org/project/Pandora)
• NTFSDOS Professional (www.winternals.com)
• NTAccess (www.mirider.com/ntaccess.html)
• TSCRACK (softlabs.spacebitch.com/tscrack/index.html)
• TSGrinder (www.hammerofgod.com/download/tsgrinder-2.03.zip)

War Dialing
• Palm ToneLoc Viewer (chroot.ath.cx/fade/projects/palm/pTLV.html)
• PhoneSweep (www.sandstorm.net/products/phonesweep)
• THC-Scan (www.thc.org/releases.php)
• ToneLoc (www.securityfocus.com/data/tools/auditing/pstn/tl110.zip)
• ToneLoc Utilities Phun-Pak (www.hackcanada.com/ice3/phreak)

Web Applications
• 2600’s Hacked Pages (www.2600.com/hacked_pages)
• Archive of Hacked Websites (www.onething.com/archive)
• BlackWidow (www.softbytelabs.com/BlackWidow)
• Flawfinder (www.dwheeler.com/flawfinder)
• ITS4 (www.cigital.com/its4)
• Netcraft (www.netcraft.com)
• Nikto (www.cirt.net/code/nikto.shtml)
• RATS (www.securesoftware.com/auditing_tools_download.htm)
• Sanctum AppScan (www.sanctuminc.com)
• Shadow Database Scanner (www.safety-lab.com/en/products/6.htm)
• SPI Dynamics WebInspect (www.spidynamics.com)

Windows
• Amap (www.thc.org/releases.php)
• DumpSec (www.somarsoft.com)
• Legion (packetstormsecurity.nl/groups/rhino9/legionv21.zip)
• Microsoft Office Patches (office.microsoft.com/officeupdate)
• Microsoft Security Resources (www.microsoft.com/technet/security/Default.asp)
• Network Users (www.optimumx.com/download/netusers.zip)
• Rpcdump (razor.bindview.com/tools/files/rpctools-1.0.zip)
• SMAC MAC address changer (www.klcconsulting.net/smac)
• Vision (www.foundstone.com)
• Windows Update Utility for Patching (windowsupdate.microsoft.com)
• Winfo (www.ntsecurity.nu/toolbox/winfo)

Wireless Networks
• AirJack (802.11ninja.net/airjack)
• AirMagnet (www.airmagnet.com)
• AirSnort (airsnort.schmoo.com)
• Cantenna war-driving kit (mywebpages.comcast.net/hughpep)
• Fluke WaveRunner (www.flukenetworks.com)
• Kismet (www.kismetwireless.net)
• Lucent Orinoco Registry Encryption/Decryption program (www.cqure.net/tools.jsp?id=3)
• Making a wireless antenna from a Pringles can (www.oreillynet.com/cs/weblog/view/wlg/448)
• NetStumbler (www.netstumbler.com)
• Pong wireless firmware vulnerability testing program (www.mobileaccess.de/wlan/dl.php/pong_v1.1.zip)
• Security of the WEP Algorithm (www.isaac.cs.berkeley.edu/isaac/wep-faq.html)
• The Unofficial 802.11 Security Web Page (www.drizzle.com/~aboba/IEEE)
• Wellenreiter (www.wellenreiter.net)
• WiGLE database of wireless networks (www.wigle.net)
• WildPackets AiroPeek (www.wildpackets.com)