In part one of this series, we looked at the installation and configuration of Crack. We also looked at running Crack on a single Linux system. In this Daily Drill Down, we will cover the following topics:
- Running Crack over networks
- Establishing Crack rules
- The Crack7 brute-force password-guesser
- Using Crack to prevent password cracking by hackers
- Establishing a password policy for your network
Running Crack across the networks
Crack is easily run over networks. Crack runs may be performed on either NFS or locally mounted filesystems. When Crack runs across a network, the /usr/src/c50a/conf/network.file is used to control how Crack will operate on the various filesystems. This file enables Crack to share the workload based on the computing power (relative strength) of each system on the network, and to spawn, or create, other instances of Crack runs on individual systems.
Performing Crack via NFS, or any other shared filesystem, is preferable to running Crack locally on each system for two reasons:
- Using a shared filesystem ensures that each system will be using the same dictionaries.
- The output from the reporter will be centralized. Running Crack independently on each system means that a manual merge must be performed.
The conf/network.conf file is used to control how Crack is run across networks. The network.conf file uses the format shown in Example 1.
Example 1. Format used in conf/network.confhostname:relative power:nfs [y/n]:rsh username [options]:
Table 1 lists the function of each field.
|Hostname||The hostname of the remote system (e.g., admin-training). The same hostname may be used more than once on the same file relative power. A weighting used to assess both the CPU capability and the availability of a specific host. The higher this value, the more work Crack will send to this host. For example, a Pentium III 700-MHz system will be assigned more work than a Pentium II 300 workstation. The values for the relative power of various CPUs are listed in c50a/src//libdes.orig/times.|
|nfs||Used for Crack directories on NFS filesystems or other shared file systems. Use yes (y) if a shared filesystem is in use on this specific host, otherwise use no (n).|
|rsh username||Specifies the username to use for remote shell (rsh) purposes, if this user is not the same user running Crack locally.|
|crack directory||This is the path to the directory where Crack is stored on the remote host. Example 2 shows a typical conf/network.conf file set up to run via NFS over three hosts. In this example, NFS is used on all hosts, and Crack is run from a local directory.|
Example 2. Sample network.conf file#Format
#hostname:relative power:nfs [y/n]:rsh username [options]: crack directory
#finance - PII 200
#admin-HR Dec Alpha 3000/500
#IT Intel PII 200
Crack rules are used to set the way in which Crack modifies, or mangles, the words contained in the various Crack dictionaries. The dict/dictrun.conf file is used to establish Crack rules. When Crack executes the cracker program, cracker reads the rules in the dictrun.conf file in the order in which they occur. These rules may use any of the following three formats:
The dictionary-tag:rulefile format allows the specified dictionary to be varied according to the rules in the specified rulefile. In Example 3, all words in the dictionary identified by the dictionary tag 1 will be modified according to the rule found in the rulefile c50a/conf/rules.fast. The words in this dictionary will then be modified according to the rules in rules.basic, rules.prefix, and rules.suffix, in that order.
Example 3. An example of the dictionary-tag:rulefile format1:conf/rules.fast
The dictionary-tag:command format is shown in Example 4. In this example, Crack accounts for the value two, or 2, in all wordlists identified by dictionary 1.
Example 4. An example of the dictionary-tag:command format# use 'sed' to select and hack "two" into "2" from dict '1'
1:| sed -ne 's/two/2/gp'
Example 5 shows an example of the :command format. In this example, the perl command is used to print a comprehensive dictionary.
Example 5. An example of the : command format# Generate an exhaustive dictionary 'a' -> 'zzzzzzzz' - SLOW !
#:| perl -e '$s="a"; print $s++,"\n" while (length($s) < 9);'
The Crack distribution includes 21 rules files. These files are stored in the c50a/conf subdirectory. A rules file is not complicated. Just as every dictionary contains one word on each file, each line in a rules file represents an action to be performed on each word in the dictionary with which the rules file is associated. The default c50a/conf/rules.basic is shown below:
In the example above, the first line, !?Alp, tells the cracker program that, if a word contains no alphabetical characters, to convert all characters to lowercase, and convert the word to plural.
The syntax used for creating Crack rules is very extensive. The first set of arguments to learn is the File Class Definitions. These arguments provide a simple set of categories in which password characters may be classified. Table 2 lists the Crack File Class Definitions.
|?a or ?A||Alphabetic characters||?s or ?S||Symbols|
|?c or ?C||Consonants||?u or ?U||Uppercase|
|?d or ?D||Digits||?v or ?V||Vowels|
|?l or ?L||Lowercase||?p or ?P||Punctuation marks|
|?x or ?X||Alphanumeric characters||?w or ?w||White space|
Crack rules also use their own syntax. It isn't difficult to use this syntax, but this list is very extensive. This syntax allows administrators to create Crack rules that account for any conceivable combination of characters. Table 3 lists the syntax used with Crack rules.
|: or space||The no-operation flag. The word "space" means to use the spacebar, not the word.|
|?c||Used to specify a class.|
|^x||Character x is prefixed to the word (added to the beginning).|
|^Y||Converts password to Ypasswords.|
|$x||Character x is appended to the word.|
|$S||Converts passwords to passwordS.|
|c||Capitalize the first character in the word and convert all other characters to lowercase. pASSWORD would become Password.|
|C||Converts the first character in the word to lowercase and converts all other characters to uppercase. Password would become pASSWORD.|
|d||A copy of the word is appended to itself. password becomes passwordpassword.|
|f||The word is reversed and appended to itself. password becomes passworddrowssap.|
|l||All alphabetic characters are converted to lowercase. PaSSword becomes password.|
|r||The word is reversed. password becomes drowssap.|
|u||All alphabetic characters are converted to uppercase. PaSSword becomes PASSWORD.|
|onx||The character x is replaced with the nth character in the word. o38 would change password to pa8sword.|
|inx||The character x is inserted in the nth position in the word. i38 would change password to pa8ssword.|
|xnm||A string of m length is extracted from the word, beginning at character n.xe6 would extract ord from password.|
|=nx or n?c||The word is rejected, unless the nth character is x, or the word belongs to class c. =3h would cause password to be rejected. n?d would reject any words containing digits.|
|<n||Only words less than n characters long are accepted. <9 would reject all words 9 characters long or longer.|
|>n||Only words more than n characters long are accepted. >3 rejects words 3 or fewer characters long.|
|sxy||Every instance of character x is replaced with character y. ss8 would convert password to pa88word. s?cy substitutes every character in class c found in the word with the character y. s?Dp would cause all digits to be replaced with the character p.|
|/x or /?c||The word is rejected unless character x appears in the word, or if any of the characters in class c appear in the word.|
|/P||Rejects all words not containing uppercase P. /?d would reject words containing digits.|
|@x or @?c||All instances of character x or characters in class c are removed. @s converts password to paword. @?v converts password to psswrd.|
|!x or !?c||Words containing character x or one or more characters in class c are rejected. !p rejects the word password. !?d rejects all words containing digits.|
|[||The first character in the word is deleted. computer becomes omputer.|
|]||The last character in the word is deleted. password becomes passwor.|
|(x or (?c||The word is rejected unless the character is the first character, or if a member of class c is the first character. (p rejects the word password. (?d rejects any word beginning with a digit.)|
|)x or )?c||The word is rejected if the last character is not x, or if the last character belongs to class c. )s rejects password. )?v rejects any word not ending with a vowel.|
|*||The word is converted to its original (unmangled) state.|
|`n||The word is truncated to n characters. `5 truncates password to passw.|
|%nx or %n?c||The word is rejected if it does not contain n instances of character x or of characters in class c. %3s rejects any word not containing three lowercase s. %3?d would reject any word not containing 3 digits.|
Crack rules also use their own syntax to express numerical arguments. These arguments are listed in Table 4.
|0,1,2,3,4||The numbers from 0 to 9.|
|A, B, C,?.||The numbers from 10 to 36.|
|*||Represents the value of the largest cleartext password. This is determined by the PLAINTEXTSIZE value, which is established in c50a/src/util/elcid.c.|
|+||Represents *+1. This value is 17 for MD5 hashing, 17 for bigcrypt, and 9 for DES.|
|-||Resolves to * - 1. This value is 15 for MD5, 15 for bigcrypt, and 7 for DES.|
Before you create any new rules, check the existing rules file to see if these rules are already in place. Any new rule should always be tested. Follow these steps to test new rules:
- Build a Crack dictionary with only a few words that are relevant to your new rules.
- Configure dictgrps.conf to read only the new dictionary.
- Configure dictrun.conf to use only the new rules against the new dictionary.
- Create some accounts on the system with passwords that should be guessed by the dictionary using the new rules.
There is one more rule file to discuss—the globrule.conf file. This is a special file in that it contains only two rules. The first is the no-operation (no-op) character, represented by a colon (:). This rule ensures that every word is processed in its original state.
The second rule is applied after the current rule has been applied to each. The second rule is:
Remember, the ` character implies truncation, so this rule applies to passwords of any length. If you are sure that no users are using short passwords, you may insert a rule like the following:
This means all words are truncated to six or more characters.
Dealing with cracked passwords
The Crack script may be run with the -mail option to inform users when their passwords have been cracked. Running the command:
./Crack -mail /root/passwords
results in the message contained in c50a/scripts/nastygram being sent to the user. The nastygram message should be edited to reflect the policy in place on your network.
Crack7 is a brute-force password-guessing program. This means it will try every possible arrangement of alphanumeric characters up to eight characters in length.
Crack7 is just a Bourne-shell script, and it is easily edited to check for passwords of any length. The default script packaged with Crack has the options to guess 6, 7, and 8-character passwords commented out. Crack7 uses the libdes hashing engine. To use libdes with Crack7, you will first need to compile libdes, as described in part one of this series. If you don't want to use libdes, cd to the c50a/extra subdirectory and comment out any reference to libdes. Next, uncomment any references to crypt. Once the Makefile is edited, run the command:
This builds the program. Crack7 is then run using the command:
where <cipher-text> represents a hashed value for a password. Crack7 is best run against one hashed value, instead of a complete file of hashed passwords. The number of combinations Crack7 will attempt when running makes it impractical to use against a large number of passwords.
Preventing password cracking
To ensure password security, the administrator first needs to ensure that a password policy is in place on the network. The next step is to perform regularly scheduled Crack runs to enforce the password policy. Here are some tips to keep in mind when you create your own password policy:
- Don't allow users to use personal information in their passwords. License plate numbers, telephone numbers, and birthdays are too easy to guess.
- Don't use any common words. If the password is in any English or foreign language dictionary, it is also in a Crack dictionary.
- Use characters with mixed-case characters.
- Use passwords with nonalphabetic characters.
- If your users have good passwords, don't force them to change. Changing passwords too often will make users switch to passwords they can easily remember or write the password down.
This Daily Drill Down concludes a two-part series on the Crack password-guessing utility. Crack is a powerful and flexible tool that every administrator should be comfortable using.
In part one of this series, we covered the installation, configuration, and running of Crack. In part two, we have covered the procedures required to run Crack over a network. We also discussed the syntax used when creating rules for controlling how Crack guesses passwords and had an example of that syntax in use. Next, we looked at the Crack7 brute-force password-guesser. Finally, we covered some advice for implementing a password policy on your system.
Crack is found in every hacker's arsenal. The best way to prevent intruders from using Crack to guess passwords on your system is to know how to use Crack yourself.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.