February 21, 2002 12:00 AM

Audit Your Organization’s Password Strength with L0phtCrack

Windows IT Pro
InstantDoc ID #24052

To run your first crack, click OK in the Auditing Options For This Session dialog box, then select Session, Begin Audit. LC3 proceeds through the different types of cracks, as Web Figure 1 shows. (To view this figure, go to http://www.secadministrator.com and enter InstantDoc ID 24052.) During the dictionary and hybrid attacks, you can see how far along LC3 is by looking under Dictionary Status in the interface's right pane. During brute-force cracks, LC3 displays its progress statistics under Brute Force in the right pane. As LC3 completes each password-cracking approach, LC3 checks off that type with a red check mark in the interface's bottom right corner. Whenever LC3 cracks a password, it displays the amount of time it took in the Audit Time column and displays the password in the LM Password and NTLM Password columns.

Occasionally, you'll see the last portion of a password preceded by seven question marks, such as the password for SavvyUser, which Web Figure 1 shows. LM-hashed passwords can be up to 14 characters long. Because of weaknesses in the LM hash algorithm, LC3 can work on the first and second sets of seven characters independently. LC3 often cracks the last seven characters of a password before the first seven, which matters because those characters might offer a clue to the beginning portion of the password.
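The split that LC3 exploits is visible in the LM algorithm itself. The following Go program is an added example, not code from the article or from L0phtCrack: it computes an LM hash with the standard library's DES, shows that the two 7-character halves are hashed independently and case-insensitively, and offers a policy check (a hypothetical helper named SevenOrFewer) that flags any hash whose second half is the well-known constant for an empty half, meaning the password has seven characters or fewer, without cracking anything.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmKey spreads the 7 bytes of one password half over an 8-byte DES key,
// leaving the low bit of every byte for the (ignored) DES parity bit.
func lmKey(half []byte) []byte {
	k := []byte{
		half[0] >> 1,
		(half[0]&0x01)<<6 | half[1]>>2,
		(half[1]&0x03)<<5 | half[2]>>3,
		(half[2]&0x07)<<4 | half[3]>>4,
		(half[3]&0x0F)<<3 | half[4]>>5,
		(half[4]&0x1F)<<2 | half[5]>>6,
		(half[5]&0x3F)<<1 | half[6]>>7,
		half[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// LMHash uppercases the password, pads or truncates it to 14 bytes, splits it
// into two 7-byte halves and DES-encrypts the constant "KGS!@#$%" with each.
// Each 8-byte output block depends on only one half, which is why a cracker
// can attack the halves separately.
func LMHash(password string) string {
	padded := make([]byte, 14)
	copy(padded, strings.ToUpper(password))
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		c, err := des.NewCipher(lmKey(padded[7*i : 7*i+7]))
		if err != nil {
			panic(err)
		}
		c.Encrypt(out[8*i:8*i+8], []byte("KGS!@#$%"))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// emptyHalf is the LM hash of seven zero bytes, i.e. an empty second half.
const emptyHalf = "AAD3B435B51404EE"

// SevenOrFewer reports whether an LM hash reveals a password of at most
// seven characters (hypothetical audit helper, not part of LC3).
func SevenOrFewer(lmhash string) bool {
	return len(lmhash) == 32 && strings.EqualFold(lmhash[16:], emptyHalf)
}

func main() {
	fmt.Println(LMHash("password"), SevenOrFewer(LMHash("password")))
	fmt.Println(LMHash("secret1"), SevenOrFewer(LMHash("secret1")))
}
```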

Fine-Tune the Audit
LC3 comes with two word lists: words-english and words-english-big. Words-english contains 29,157 words. Words-english-big has 235,007 words. You can add words (e.g., sports teams for your area) to these dictionaries or substitute foreign-language word lists if appropriate. LC3 can use any text file formatted with one word per line. You don't need to sort the words.

You should know about some important caveats with the hybrid attack. The hybrid attack appends only numbers and symbols to the end of words, not letters. Therefore, you miss passwords such as "jets" even though "jet" is in the word list. The hybrid attack also tries only combinations of the full length specified. As Figure 2 shows, the default length is 2, which means that a default crack will miss passwords composed of a word followed by just one number or symbol (e.g., John1). Therefore, change the Characters to vary (more is slower) setting to 1 in the Auditing Options For This Session dialog box, then run LC3 again.

The brute-force attack takes anywhere from hours to days depending on the character set you use. You can select from letters; letters and numbers; letters, numbers, and the symbols on the top row of your keyboard; or letters, numbers, and all symbols on a typical keyboard. Even the largest character set doesn't guarantee that LC3 will crack every password, because users can use the Alt key and the numeric keypad to enter the ASCII code of other characters. LC3's default character sets don't include these extended characters. (For more information about making your password-cracking sessions as efficient as possible, see the Web-exclusive sidebar "LC3's Power Features," http://www.secadministrator.com, InstantDoc ID 23945.)

To create a custom character set, open the Auditing Options For This Session dialog box, select Custom from the Character Set drop-down list, then enter all the characters you want to use in the drop-down list in order from lowest to highest (in terms of their ASCII numbers). Custom character sets also let you implement a more limited character set than those LC3 provides. The smaller the character set is, the less time a complete session will take. If you need to reboot your computer before LC3 finishes a cracking session, you can pause the audit by selecting Session, Pause Audit in the interface, then save the data to a disk. The session file will have an .lcs extension. To restart LC3, open the session file and select Session, Begin Audit in the interface.

Get Useful Results
When you use LC3, remember that you're performing an audit of password strength; you aren't cracking passwords to see whether it can be done. Given enough time, LC3 will crack any password. Therefore, when you choose which auditing options to include in your formal audit, it would be unfair to your users to use a crack method that's stronger than your published password policy.

Here's one way you might structure your password-strength audit. Always run a dictionary attack with the supplied words-english file. (You might also use another language's word list if appropriate.) Next, I recommend running a hybrid crack with Characters to vary set to 1 and possibly another hybrid crack with the setting at 2. Decide whether to include a brute-force crack. If your organization has specific password requirements that call for a certain variety of characters, such as letters and numbers, you can select a weaker character set such as just A through Z to find noncompliant passwords. (If passwords are supposed to include at least one letter and one number, any passwords cracked with A through Z alone are obviously out of compliance.)

Use the Results
After you finish your audit, you need to determine what to do with the results. An attacker is happy just to get a list of passwords, but you're auditing your passwords to strengthen security. You might decide to simply inform management what percentage of audited passwords was substandard. Make sure managers realize that you might not have identified all the substandard passwords because of gaps between your available crack methods and your password policy. Don't emphasize how little time it took to crack these passwords—that isn't the point. You aren't trying to defeat L0phtCrack but to defeat human attackers inside and outside the organization.

Depending on your management support, as your password auditing initiative matures, you might begin to provide individualized feedback to users (and perhaps to their supervisors) if they repeatedly fail to create a strong password. One company I know about resorts to assigning mandatory passwords and selecting the user account property User may not change password option in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in because users have been uncooperative. If you need to give individualized feedback, you can export the results of your audit to a tab-delimited text file that can be easily imported into Microsoft Excel or Microsoft Access for further manipulation into a report.

Protect Against L0phtCrack
LC3 is an effective password-auditing tool, but like a chef's knife, LC3 can be used for malicious purposes. To prevent LC3 from being used against you, you can take several steps. First, use Syskey to protect the SAM files on all NT computers. Win2K computers already have this protection. Next, implement NTLMv2, which effectively defeats the L0phtCrack sniffer. Implementing NTLMv2 involves making a registry change on all NT and Windows 9x computers and loading NT Service Pack 4 (SP4) on NT machines and the Directory Service (DS) client on Win9x machines. You don't need to worry about the LC3 sniffer in a pure Windows XP/Win2K environment if you use only AD domain accounts (no NT domain accounts or local users). In such an environment, Kerberos replaces NTLM on the network. If you don't have a pure environment, you can enable NTLMv2 on XP and Win2K computers with the LAN Manager Authentication Level policy in Group Policy Objects (GPOs).

For example, to enable NTLMv2 on every computer in your domain, open the MMC Domain Security Policy snap-in and maneuver to Windows Settings, Security Settings, Local Policies, Security Options. Double-click LAN Manager Authentication Level, select the Define this policy option, then select the Send LM & NTLM—Use NTLMv2 session security if negotiated check box.

You know that LC3 can be used against your system. Now, you can use LC3 to perform an audit of password strength to enforce your password policy and strengthen system security.

Comments
  • Janice
    Mar 31, 2008

    I'd like to read the entire article
