In-Depth

Editor's Choice: Security

<b>Winner: </b>@stake LC4<br> <br> <b>Honorable Mention:</b> <a href="#msdn">Microsoft Corp. MSDN Universal Subscription</a>

• By Roberta Bragg
• 12/01/2002

LC4 $350 per license @stake; 617-621-3500; www.atstake.com

Why would a security evangelist tap a password-cracking program as her favorite security tool? Think about it: How can I get the attention of users and techies? How can I best attack the most problematic issue in information system security? I can convince them that using strong passwords and changing them frequently are actions they can take to improve security (and that not doing so is the No. 1 reason much of their other security efforts are futile). With this tool, I can do just that—and so can you.

But before you hyperlink over to www.atstake.com, shell out the cash and proudly present the CEO with his password, download a little common sense and get permission to crack the passwords on your network domains, servers and desktops. Get it in writing. Sure, listing passwords for executives will get their attention; but, without appropriate authority, it may get you fired. Instead, learn what LC4 can do, make it part of a rational password-auditing policy for your organization and use it to strengthen security. You’ll probably never get to show the CEO this, but at least he or she won’t be showing you the door.

@stake's LC4 provides session options for the type of cracks you want to perform.

You use LC4 to extract the password hashes from a SAM database or Active Directory. Alternatively, you can capture LM and NTLM challenge/response data from a network authentication session, use a SAM file from a backup tape, or use one extracted from AD with pwdump3 (a shareware tool).

Next, set session options, then start the crack. By default, passwords are checked for usage of the user ID as well. The cracked password, which type of crack actually got the password, and the time it took to crack each password are displayed on the screen. Alternatively you can turn off the “display the password” part of the program. Cracked passwords aren’t displayed, but the time it took to crack them is. This is an excellent feature if you don’t want to expose everyone’s password but want to show the results of your audit to the widest audience.

So why bother writing strong passwords? As an LC4 audit teaches: The stronger take longer, and bigger is better. Maybe the attacker will go elsewhere or maybe you’ll have changed the password by the time they crack it. It’s a definite “must” tool in your arsenal of audit tools, and it makes a darn good teaching tool, as well.

Sometimes, the leader is so far out ahead of the pack that coming in second doesn’t matter. This time, however, it does. My runner-up security tool is my MSDN Universal subscription. What? “That’s not a security tool,” you say! I beg to differ. This little tool provides me with a copy of Visual Studio .NET and copies, for educational and testing purposes, of Windows 2000, Windows XP and Windows .NET, SQL Server, Exchange Server, ISA Server, BizTalk Server, Commerce Server, Application Center Server, SharePoint Portal Server, Visio and more. This—along with the SDK, MSDN Library, access to special newsgroups and other special offers—is something no serious Windows security researcher can afford to do without. As an added benefit, my production machines remain production machines. I can set up the test network of my dreams for one small software cost.