Forums: L0phtcrack.v5.00 Using Tables? - Forums


L0phtcrack.v5.00 Using Tables? First Cross-Platform Auditing Solution

#1 User is offline   rush 

  • Private First Class
  • Group: Members
  • Posts: 117
  • Joined: 30-December 03

Posted 19 May 2004 - 02:11 AM

Hey guys,
I just checked the site on atstake and saw there's a new version out of this wonderful md5 cracker. See this Press Release. For the lazy ones in here:
Pre-Computed Password Tables - Audits in Minutes, Not Hours

Traditional password auditing tools use one or more of three basic techniques for password auditing and recovery: dictionary, hybrid and brute force. Dictionary tools scan for words while hybrid tools scan combinations of both words and numbers. The brute force method, which can take days to run, scans an almost inconceivable number of letters, numbers and character combinations to root out passwords.

"One of the unique differentiators of this release of LC 5 Administrator Edition is the inclusion of pre-computed passwords," said Charles Kolodgy, research director for security products at IDC. "Normally brute force audits to discover weak passwords can take days, with only a small portion of the total number of passwords being checked. Now with @stake providing an immense library of pre-computed passwords, it is possible to emulate brute force password audit techniques, but conduct them in a fraction of the time. LC 5 can conduct traditional brute force scans as well, and includes foreign language dictionaries and character sets, allowing companies to scan for password vulnerabilities across the global enterprise."

I think this means there's a possibility to generate tables first, or there are tables included. Who knows but this is a good development.
Any comments?
Btw Unix is now supported!
0

#2 Guest_F34R_*

  • Group: Guests

Posted 19 May 2004 - 03:14 AM

It sounds like a great release... I knew it was released but didn't get into the details or changes. ;)
0

#3 User is offline   kevin007 

  • Private First Class
  • Group: Members
  • Posts: 51
  • Joined: 04-October 03

Posted 19 May 2004 - 03:58 AM

to quickly say:

you can either use rainbowcrack tables

or generate your own using l0pht

the basic summary is that l0pht5 is a lot better and more powerful, far better than the cmdline rainbowcrack :)
0

#4 User is offline   LKM 

  • Private First Class
  • Group: Members
  • Posts: 66
  • Joined: 04-March 04

Posted 19 May 2004 - 07:19 AM

I'm getting it atm, I will review it a bit later :D
0

#5 User is offline   Nick W 

  • Master Sergeant
  • Group: Members
  • Posts: 1,250
  • Joined: 12-August 03

Posted 19 May 2004 - 08:32 AM

They'll require username/password (which you have to pay for) in order to run a query/crack. They'll enforce this policy through a similar method that Half-Life uses for HL key and WONids.

Basically, you're not going to get access to it. Unless it actually lets you generate the tables on your own. Which will take weeks to do. Months if done for some of the harder passwords.
0

#6 User is offline   seppel18 

  • Private First Class
  • Group: Members
  • Posts: 95
  • Joined: 07-October 03

Posted 19 May 2004 - 08:44 AM

There is a crack (keygen) for LC5 already... :ph34r:

LC5 uses good old RainbowTables (rtgen.exe and rtsort.exe) for Hash Generation, nothing new...

But there is a GUI, so it's more comfortable :P

And you can Crack UNIX-Passwords now...
0

#7 User is offline   kevin007 

  • Private First Class
  • Group: Members
  • Posts: 51
  • Joined: 04-October 03

Posted 19 May 2004 - 09:03 AM

Ok, less of a rush now, I'll write a bit more:

The trial version of l0pht comes with just dictionary and hybrid options allowed.

There are several different versions of l0pht now, from simple one (can crack passwords) to more complex ones which will allow you to act upon the passwords that are weak in your domain (disable them etc).

The new tables option is indeed just like rainbowcrack, but it does offer a nice GUI and the ease of use that Rainbow crack doesn't have perhaps.

If you think about it, with a good dictionary and Rainbow tables enabled your cracks can be performed much better. However, a small warning: with large numbers of passwords it's actually slower to use tables than brute force (this is mentioned on the @stake site). I discovered this myself; trying to rainbow crack 20'000 passwords was VERY slow.

Overall it's a very impressive improvement, adds what needs to be added.

As to whether its faster... well, it does appear to run slightly faster (removed about 16hours off a limited symbol/alphanumeric crack - from about 9.5days to just under 9 on my machine). I also noticed nice things that were new:
<> A result of the cracks, saying how weak passwords were, how they were cracked and so forth
<> The ability to delete accounts from the list you put in (Like I removed my admin account, it's pointless checking that against each new hash it generates when I know it won't be broken by that crack, I'm sure others have similar problems, small things like this help it speed up/more convenient)
<>Pretty? Newer GUI
<>Better options

Regarding cracks, who knows... buy it if you want to use it legally... however I don't believe it uses a Half-life like system. It has a unique ID for each machine, however it does not authenticate with the l0pht homepage (no outbound network connections detected by my firewall) so I guess a simple keygen or stolen key would work.

Final note is that it supposedly has the ability to remotely run itself on other clients, I didn't get a chance to test this, interested to know if it works (It crashed on my machine when I tried to run it and I wasn't too bothered - I might not have the licence to be fair)
0

#8 User is offline   twistedps 

  • Staff Sergeant
  • Group: Members
  • Posts: 271
  • Joined: 20-March 04

Posted 19 May 2004 - 09:13 AM

i suggest checking out rainbow tables, it's pretty cool.. blows l0phtcrack away if you have the entire table

Quote

In short, the RainbowCrack tool is a hash cracker. While a traditional brute force cracker try all possible plaintexts one by one in cracking time, RainbowCrack works in another way. It precompute all possible plaintext - ciphertext pairs in advance and store them in the file so called "rainbow table". It may take a long time to precompute the tables, but once the one time precomputation is finished, you will always be able to  crack the ciphertext covered by the rainbow tables in seconds.


supposedly only one person has compiled the entire rainbow table [ie. they can crack windows passwords in seconds no matter HOW COMPLICATED it may be]...
I'm also working with another company who is about 90% completed with the rainbow table, the final result of the table is expected around 120gb, which is a big ass table, but it will be a great tool to bring into corporations during security audits..

http://www.antsight....l/rainbowcrack/
0
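An added example, not part of the thread and not code from RainbowCrack or LC5: a toy version of the precomputed-table idea quoted above, storing only chain start and end points and recomputing the chain interior at lookup time. The 3-digit keyspace, the SHA-256 stand-in hash, the chain length and the salt value are assumptions chosen so it runs instantly; the last line shows the same table returning nothing once a salt is mixed into the hash.

```python
import hashlib

# Constructed toy parameters: 3-digit numeric keyspace, SHA-256 as a stand-in hash.
LENGTH, SPACE, CHAIN_LEN = 3, 1000, 20

def h(plaintext, salt=""):
    """Fast hash; unsalted by default, which is what makes precomputation reusable."""
    return hashlib.sha256((salt + plaintext).encode()).digest()

def reduce(digest, column):
    """Map a digest back into the keyspace; mixing in the column limits chain merges."""
    return f"{(int.from_bytes(digest[:8], 'big') + column) % SPACE:0{LENGTH}d}"

def chain(start):
    """Plaintexts p0..p(CHAIN_LEN-1) covered by one chain, plus its end point."""
    covered, p = [], start
    for col in range(CHAIN_LEN):
        covered.append(p)
        p = reduce(h(p), col)
    return covered, p

def build_table(starts):
    """Keep only end point -> start points; chain interiors are recomputed on demand."""
    table = {}
    for s in starts:
        table.setdefault(chain(s)[1], []).append(s)
    return table

def lookup(table, target):
    """Return the plaintext whose unsalted hash is `target`, or None if not covered."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        p = reduce(target, col)              # guess: target sits in column `col`
        for c in range(col + 1, CHAIN_LEN):
            p = reduce(h(p), c)              # walk forward to the chain's end point
        for s in table.get(p, []):           # end point hit: replay chain to confirm
            for q in chain(s)[0]:
                if h(q) == target:
                    return q
    return None

if __name__ == "__main__":
    starts = [f"{n:03d}" for n in range(0, 1000, 10)]   # 100 constructed start points
    table = build_table(starts)
    covered = {p for s in starts for p in chain(s)[0]}
    print(f"{len(starts)} stored chains cover {len(covered)} of {SPACE} plaintexts")
    pw = sorted(covered)[-1]
    print("unsalted:", lookup(table, h(pw)))             # recovered from the table
    print("salted:  ", lookup(table, h(pw, salt="k3")))  # None: table does not apply
```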

#9 User is offline   rush 

  • Private First Class
  • Group: Members
  • Posts: 117
  • Joined: 30-December 03

Posted 19 May 2004 - 10:04 AM

kevin007, on May 19 2004, 05:03 PM, said:

Final note is that it supposedly has the ability to remotely run itself on other clients, I didn't get a chance to test this, interested to know if it works (It crashed on my machine when I tried to run it and I wasn't too bothered - I might not have the licence to be fair)

I think you mean the option to retrieve pwdumps of remote machines with this tool.
If you install it, it will deliver the md5 hash to the l0phtcrack5 program, I think.
Good review though!
0

#10 User is offline   hottzo 

  • Private First Class
  • Group: Members
  • Posts: 78
  • Joined: 26-January 04

Posted 19 May 2004 - 10:14 AM

do u know where lc5 can be found?
0

#11 User is offline   rush 

  • Private First Class
  • Group: Members
  • Posts: 117
  • Joined: 30-December 03

Posted 19 May 2004 - 10:24 AM

You even read my post?
Just visit the website!
0

#12 User is offline   kevin007 

  • Private First Class
  • Group: Members
  • Posts: 51
  • Joined: 04-October 03

Posted 19 May 2004 - 10:29 AM

twistedps, on May 19 2004, 05:13 PM, said:

i suggest checking out rainbow tables, it's pretty cool.. blows l0phtcrack away if you have the entire table

perhaps you don't understand - l0phtcrack uses the rainbow tables (Or can make its own) and so just adds a GUI to the rainbow tables you've already made (Or are about to make)

Then:

Quote

I think you mean the option to retrieve pwdumps of remote machines with this tool.
If you install it, it will deliver the md5 hash to the l0phtcrack5 program, I think.
Good review though!


There is an option in the file menu "Create remote agent", which, I am guessing will do a similar task to the distributed programming before, ie create a .exe file which can be run on a remote computer to crack tables. I'd have to RTFM more before I could say that for certain tho :P
0

#13 User is offline   buzzons 

  • i wish i was admin
  • Group: Second Lieutenant
  • Posts: 1,817
  • Joined: 25-August 03

Posted 19 May 2004 - 02:51 PM

seein as there are many ppl here wanting the rainbow tables.. it would be easy for us all to band together to make small parts each and then send them to one central server for the others to get.

If the hosting is a problem I can host on my web server (100mbit US) or on a few smaller servers in Sweden (10mbit BBB).

Buz
0

#14 User is offline   whiskah 

  • Sergeant First Class
  • Group: Specialist
  • Posts: 393
  • Joined: 13-February 04

Posted 19 May 2004 - 04:14 PM

buzzons, on May 20 2004, 06:51 AM, said:

seein as there are many ppl here wanting the rainbow tables.. it would be easy for us all to band together to make small parts each and then send them to one central server for the others to get.

I like the idea...maybe others can join us..
0

#15 User is offline   popo0421 

  • Private First Class
  • Group: Members
  • Posts: 24
  • Joined: 01-January 04

Posted 19 May 2004 - 04:24 PM

Everyone have LC5 crack files (crack 15-day trial) ?

====
LC 5 offers many new features, including:

Automated and Schedulable Password Scanning
Windows and Unix Support
Remote System Scans from multiple domains
Multiple Assessment Methods
Rapid Processing with Pre-computed Password Tables
Multiple Dictionaries and International Characters
Password Quality Scoring
Enhanced Reporting
Remediation Options
0
