Use LC3 auditing to back up your password policy
I'm preaching to the converted when I say that one of the best ways to secure your network is through strong user passwords. However, getting users to create strong passwords is easier said than done. Improving the quality of passwords in your organization requires a multipronged approach. You need to publish a written policy that defines what strong passwords are and requires users to select and implement them. You also need to educate users about proven methods for remembering strong passwords (e.g., a pass phrase, usually a sentence from which you use the first letter of each word to construct your password). Then, you need to follow up regularly and verify that users have created high-quality passwords that someone else can't easily guess.
You simply can't get a full password report because Windows XP, Windows 2000, and Windows NT use hash algorithms to protect passwords stored in the SAM or Active Directory (AD). Therefore, you need a password-cracking tool such as @stake's L0phtCrack. The latest incarnation of the famous L0phtCrack tool, LC3, lets you import the password hashes from AD on a Win2K domain controller (DC) or from an NT DC's SAM. (To learn more about password hashing, see "Cracking User Passwords in Windows 2000," http://www.secadministrator.com, InstantDoc ID 9186.) You can then subject those hashed passwords to a variety of cracking techniques to reveal weaknesses.
Keep in mind, however, that the purpose of requiring strong passwords isn't to defeat LC3; you can't defeat a properly designed password cracker. To defeat LC3, you must prevent intruders from getting a copy of your password hashes in the first place. (To learn more about such measures, see my article "Protect Your Passwords," http://www.winnetmag.com, InstantDoc ID 3844.) Strong passwords will help you defeat other users and attackers who try to guess the password by attempting to log on to your computers. With LC3, you can simulate the same tactics attackers use when they try to guess a password, only millions of times faster. I show you how to use LC3 to effectively audit your passwords. (You can download a 15-day evaluation copy of LC3 at http://www.atstake.com/research/lc3/download.html.)
Obtain Password Hashes
The first step in auditing your domain's password strength is to obtain a copy of your password hashes. To obtain the hashes, you'll need to install LC3 on one of your Win2K DCs (from which it's duplicated to the other DCs). Win2K automatically uses the Syskey command to encrypt password hashes, which defeats remote or file-based methods for importing password hashes. If you've enabled Syskey on your NT DCs, you'll also need to install LC3 on one of your NT DCs.
On Syskey-protected computers, you can install LC3 on one DC and use the Import from local machine command to get a copy of your domain's password hashes. This method requires administrator authority and uses sophisticated Win32 programming techniques to extract password hashes from OS memory, where they have already been decrypted. (Note: Although you use Syskey, password hashes are still stored in the clear (that is, in plaintext) in memory.)
Run LC3 on a Test Machine
Because LC3 uses undocumented APIs and DLL injection, which can be unstable, you might not want to install LC3 on a production DC. In that case, you'll need to install Win2K or NT (whichever is appropriate) on a test machine. Make the computer a DC in your domain, which will create a copy of the domain's SAM or AD database on the scratch computer. Download LC3 and unplug the computer from the network. Run l0phtcracksetup02.exe, accept all the defaults, and cancel the Password Crack Wizard. Now, in the unlikely case that LC3 crashes or corrupts your computer, you won't affect your network.
On the Import menu, select the Import from local machine option. You'll see a list of your domain's users, as Figure 1 shows. As you can see, LC3 creates separate columns for the LAN Manager (LM) and NT LAN Manager (NTLM) passwords. Win2K and NT actually maintain two hashes for each password: an LM hash for backward compatibility with NTLM clients and an NTLM hash to support NT clients. Because LM hashing is significantly weaker than NTLM hashing, LC3 concentrates on LM hashing first.
After LC3 starts cracking, the only difference between the two columns is that the LM password is simply an all-uppercase version of the usual mixed-case NTLM password. Because of one vulnerability in NTLM hashing, LC3 can immediately identify passwords that are fewer than eight characters long and display them in the <8 column. Before you proceed further, decide whether you want to see your users' passwords as they're cracked. If you simply want to know whether the password was cracked but avoid seeing sensitive passwords, clear the View Audited Passwords setting in the Auditing Options For This Session dialog box, which causes LC3 to hide both the LM and NTLM password columns.
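The <8 column rests on a property of the LM hash that is worth seeing in the raw hash data rather than only in the LC3 grid: the password is upper-cased, null-padded to 14 bytes, split into two 7-byte halves, and each half is hashed independently, so any password shorter than eight characters has an all-null second half whose hash is a fixed constant. The following script is an added example for this article, not LC3 code. It assumes the hashes have been exported to the pwdump text format (user:RID:LM-hash:NTLM-hash:::), which LC3 and other tools of the period read, and it flags accounts with an empty password, accounts whose LM hash is stored at all, and accounts the LM hash proves to be shorter than eight characters, without cracking anything. The sample listing is constructed; apart from the two well-known empty-password constants, its hex values are placeholders.

```python
"""Triage of an exported hash listing, one account per line in the pwdump text format
(user:RID:LM-hash:NTLM-hash:::). Added example for this article; not LC3 code."""
from dataclasses import dataclass, field

# Well-known constants. The LM hash is DES("KGS!@#$%") computed separately under each
# 7-character half of the upper-cased, null-padded password; an all-null half always
# yields this 8-byte value. NTLM is MD4 of the UTF-16LE password; this is MD4("").
LM_EMPTY_HALF = "aad3b435b51404ee"
NTLM_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass
class Finding:
    user: str
    rid: int
    flags: list = field(default_factory=list)


def parse_pwdump_line(line: str):
    """Return (user, rid, lm_hex, ntlm_hex) or raise ValueError for a malformed line."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, ntlm = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    for h in (lm, ntlm):
        if len(h) != 32 or any(ch not in "0123456789abcdef" for ch in h):
            raise ValueError(f"bad hash field for {user}: {h!r}")
    return user, rid, lm, ntlm


def triage_account(user, rid, lm, ntlm) -> Finding:
    f = Finding(user, rid)
    if ntlm == NTLM_EMPTY:
        f.flags.append("empty-password")
    if lm == LM_EMPTY_HALF * 2:
        # LM storage disabled, empty password, or a password longer than 14 characters
        f.flags.append("no-lm-hash")
    else:
        f.flags.append("lm-hash-stored")        # crackable as two case-insensitive 7-char halves
        if lm[16:] == LM_EMPTY_HALF:
            f.flags.append("shorter-than-8")   # second half is all padding: LC3's "<8" column
    return f


def triage(text: str):
    """Triage every non-blank line of a pwdump listing."""
    return [triage_account(*parse_pwdump_line(l)) for l in text.splitlines() if l.strip()]


# Constructed sample. Only the two empty-password constants are real values;
# the other hex strings are placeholders standing in for exported hashes.
SAMPLE_PWDUMP = """\
admin:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:fedcba9876543210aad3b435b51404ee:fedcba9876543210fedcba9876543210:::
carol:1003:0011223344556677aabbccddeeff0011:aabbccddeeff00112233445566778899:::
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PWDUMP):
        print(f"{f.user:8s} RID {f.rid:<5d} {', '.join(f.flags) or 'ok'}")
```

Run against a real export, the "no-lm-hash" accounts are the ones that have already escaped the weak LM scheme; every "lm-hash-stored" account is one a cracker can attack case-insensitively in two seven-character pieces, and "shorter-than-8" accounts are exactly what LC3 puts in the <8 column before it has cracked anything.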
Select a Cracking Scheme
After you have your password hashes, you can configure the cracking methods LC3 will use against your domain. To view your choices, select Session, Session Options in the LC3 interface. Figure 2 shows the default session options settings. You can use four kinds of cracks in your password audit.
The first crack LC3 attempts is simply the username for those users who've used their names as their password. (Because this crack is so fast, Figure 2 doesn't show it as an option.) The second option is the Dictionary Crack, in which LC3 hashes each word in a specified word-list file and compares it with the hashes you obtained. (To import a custom word-list file for a dictionary attack, select Session, Options, then choose a different word-list file.) LC3 can process even a large word-list file in a matter of minutes, so the dictionary attack quickly identifies any users who are using a simple word as their password. The third option is the Brute Hybrid Crack. During the hybrid crack, LC3 processes the word-list file again, but adds one to three numbers or symbols to the end of the word. The hybrid attack gleans passwords such as password! or Clemens22. Finally, LC3 subjects any remaining passwords to a Brute Force Crack that uses every possible combination of characters.
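To make the four stages concrete, here is an added example (my code, not part of LC3) that runs the same sequence against NTLM hashes: the account name, then a word list, then the word list with one to three digits or symbols appended, then an exhaustive search over a character set. MD4 is implemented inline because many modern OpenSSL builds no longer expose it through hashlib, and the NTLM hash is simply MD4 over the UTF-16LE password. The word list, the suffix character set, the digits-only brute-force alphabet and the sample accounts are all constructed for the demonstration and deliberately small so the script finishes in seconds. Like LC3 with View Audited Passwords cleared, the report names only which stage cracked each account, never the password itself.

```python
"""Four-stage NTLM audit in the order LC3 uses: username, dictionary, hybrid, brute force.
Added example for this article; not LC3 code. MD4 is implemented inline (RFC 1320)."""
import itertools
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                aa = _rotl((aa + fn(bb, cc, dd) + x[idx] + k) & MASK32, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc   # rotate roles: next step updates d, then c, then b
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:
    """NTLM hash: MD4 over the UTF-16LE encoding of the password, as lowercase hex."""
    return md4(password.encode("utf-16le")).hex()


WORDLIST = ["password", "letmein", "welcome", "summer", "qwerty"]  # constructed stand-in for a word-list file
SUFFIX_CHARS = "0123456789!?"  # constructed: characters the hybrid stage appends (small, to keep the demo fast)


def hybrid_candidates(words, max_suffix=3):
    """Each word followed by one to max_suffix digits/symbols, e.g. password! or Clemens22."""
    for w in words:
        for n in range(1, max_suffix + 1):
            for tail in itertools.product(SUFFIX_CHARS, repeat=n):
                yield w + "".join(tail)


def brute_candidates(charset, max_len):
    """Every string over charset of one to max_len characters."""
    for n in range(1, max_len + 1):
        for t in itertools.product(charset, repeat=n):
            yield "".join(t)


def audit(accounts, wordlist=WORDLIST, brute_charset="0123456789", brute_max_len=4):
    """accounts: {username: ntlm_hex}. Returns ({user: stage that cracked it}, [uncracked users]).
    Only the stage is reported, mirroring LC3 with View Audited Passwords cleared."""
    pending = {}  # hash -> users still uncracked; identical hashes are tested with one guess
    for user, h in accounts.items():
        pending.setdefault(h.lower(), []).append(user)
    cracked = {}

    def run_stage(name, guesses):
        for g in guesses:
            if not pending:
                return
            for user in pending.pop(ntlm(g), []):
                cracked[user] = name

    run_stage("username", list(accounts))   # every account name tried against every hash
    run_stage("dictionary", wordlist)
    run_stage("hybrid", hybrid_candidates(wordlist))
    run_stage("brute-force", brute_candidates(brute_charset, brute_max_len))
    uncracked = sorted(u for users in pending.values() for u in users)
    return cracked, uncracked


# Constructed sample accounts; the hashes are computed here from example passwords.
SAMPLE_ACCOUNTS = {
    "jsmith": ntlm("jsmith"),
    "asharma": ntlm("letmein"),
    "clemens": ntlm("password!"),
    "pin": ntlm("2468"),
    "ckeeper": ntlm("Tr0ub4dor&3"),
}

if __name__ == "__main__":
    cracked, uncracked = audit(SAMPLE_ACCOUNTS)
    for user, stage in cracked.items():
        print(f"{user:10s} cracked by {stage}")
    print("uncracked:", ", ".join(uncracked))
```

The stage order is what makes the audit cheap: each guess is hashed once and checked against every remaining account, and the expensive brute-force stage only ever sees the accounts the three quick stages failed to clear. The single account that survives all four stages is the only one whose password is doing its job.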