Password auditing and recovery is often lumped under a very unfortunate catchall term: cracking. The problem with that label is that it does not come close to describing what is an absolutely necessary and invaluable practice for network administrators.
Like most practices related to security, this coin is a double-sided one. This reality is demonstrated in the kinds of tools used by security professionals; you'll often see tools developed for malicious hacking used in legitimate security audits just as you'll often see legitimate security tools used for dubious purposes.
But like it or not, businesses can't afford to assume their passwords are secure. In fact, many businesses are now legally obligated to find out for sure.
Words of warning
First and foremost, any tool you might use for password auditing and recovery may be illegal. No matter how useful and commonplace these tools are, they may not be legal as a result of how they were developed. This is largely because such tools couldn't have been created without performing reverse engineering that possibly violated a license agreement.
Secondly, the circumstances that surround the use of these techniques may be illegal. Even in a professional setting, state and federal laws may override the desires of a client or employer. I can tell you from experience that you will occasionally stumble onto things you didn't anticipate. Besides that, once you know someone else's password, you will necessarily become a suspect when something naughty is traced back to that person's account.
Third, some of the tools used for these acts will come from questionable sources. Most require administrative rights and/or physical access to the systems involved (and if they don't, you may have a huge problem), so accidental damage to those systems, or the opening of new security risks, is a distinct possibility. So check your sources and verify them.
To sum these warnings up, I simply advise you to tread lightly. Cover your ass by documenting and verifying beyond what you think you could ever possibly need. I'm telling you this now so that I don't have to qualify every other sentence in this article. Consider yourself warned.
Why would anyone ever need to do this?
Auditing
You might be surprised to learn that cracking passwords is sometimes not just a need but a requirement. HIPAA and similar legislation requires passwords to be audited by health care providers, for example.
By auditing, we mean testing just how weak the passwords are. Having uncrackable passwords is arguably not practical in certain cases. On the other hand, having easily crackable passwords is usually a no-no. Where the passwords you or your business use should fall on that continuum is a policy issue rather than a demonstrable fact.
Auditing doesn't tell you what should be done. Rather, it lets you or your business know what is being done and how secure it is by demonstrating whether a password can be cracked in seconds, hours, weeks, or years. This is important for management to understand because any password – given enough time, processing power, and access – can be cracked.
Recovery
In addition to auditing, there are times when password recovery is the optimal solution. One case may be when a new network administrator takes over and there is no password list to be found; after all, there shouldn't be that many floating around anyway.
Having an administrator leave is a good time to change everyone's passwords, of course. That said, it probably isn't the most practical thing to do on your first day on the job. It's also not something anyone would want to do at the start or end of the month, or at those other times when businesses are at their most hectic.
Most of the time, merely resetting a user's password is the easiest thing to do. But when you are fixing a workstation at midnight, everyone is gone, and there is no reasonable and confidential way to alert the proper people to a new password, recovery may be the cleanest solution.
Tools you will need
There are plenty of programs out there that will perform these audits and recoveries for you. Personally, I look for software that is free and has as little overhead as possible.
I also like using tools that don't look too suspicious. For example, if a client happens to look over my shoulder and see what I'm doing, I'd rather be running something that doesn't look like something a script kiddie or criminal would use. But that's just me.
Here are a few of the tools I have used. All are free.
Pwdump – There is a whole family of "Pwdump" programs. My favorite is Pwdump2, but some administrators prefer others since this one requires physical access (sort of). These programs make Windows dump a list of password hashes that can later be cracked.
Cain & Abel – This is a "password recovery" tool. Actually, it's a large collection of tools that use a variety of methods to discover passwords ranging from brute force to packet sniffing. It has more bloat than I like, but it works quickly out of the box.
John the Ripper – This is probably the gold standard of password cracking tools. It runs from the command line and will run on not only Windows but Unix-based operating systems. While it looks very plain at first, those who are adept at its use swear by it.
There are plenty of other options if you don't like any of these. What you use naturally depends on personal preference, cost, and of course your preferred operating system.
The procedure
My preferred way to recover and audit passwords is using the combination of Pwdump2 and Cain & Abel. Using this procedure involves two parts: generating password hashes and cracking them.
Generating password hashes
Pwdump2 can be used to dump password hashes from any NT-based system. This includes not only standalone systems but Active Directory servers. Essentially, wherever passwords are stored by a modern Windows operating system, you can use this.
The process is pretty simple. Put a copy of pwdump2.exe somewhere on the drive of the computer you are using. Then drop to the command line and execute the following:
C:\pwdump2>pwdump2.exe
This will (quickly) spit out a list of usernames and password hashes.
Guest:501:a0e150c75a17008eaad3b435b51404ee:823893adfad2cda6e1a414f3ebdf58f7:::
joesmith:1001:56ab046a034464b5aad3b435b51404ee:362cb8dbaf3029bf08503f644a533eed:::
To store these password hashes, all we need to do is redirect the output to a file.
C:\pwdump2>pwdump2.exe > hashes.txt
Now the hashes are stored in a file called hashes.txt.

Incidentally, pwdump2 won't work over Microsoft's Terminal Services, so you can't use Remote Desktop to do this. There are some tricks you can use to perform this remotely, but if that's what you need, consider using pwdump3 or something else instead.
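Before anything is loaded into a cracker, the dump itself already tells an auditor a good deal. An LM hash is computed over two independent 7-byte halves, so a second half of aad3b435b51404ee (the value the LM hash ends with in both sample lines above) means the password is seven characters or fewer; the all-empty LM hash means either a blank password or no LM hash stored at all; and identical NT hashes mean identical passwords, because NT hashes are unsalted. The following Python script, added here as an example and not part of the article or of pwdump2, parses pwdump-format lines and reports those findings. The svc_backup line is constructed for the example, and the EMPTY_* constants are the well-known hashes of the empty password.

```python
"""Parse pwdump-style output and report what the LM/NT hashes reveal
before any cracking is attempted (added example, not from the article)."""
import re
from dataclasses import dataclass

# DES of the LM magic constant keyed with an all-zero 7-byte block: every
# LM hash for a password of 7 characters or fewer has this as its second half.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2                    # LM hash of the empty password
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash (MD4) of the empty password

# user:RID:LM hash:NT hash::: as written by pwdump2
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

# The two lines quoted in the article plus one constructed line
# (svc_backup is made up for this example; its NT hash repeats joesmith's).
SAMPLE_DUMP = """\
Guest:501:a0e150c75a17008eaad3b435b51404ee:823893adfad2cda6e1a414f3ebdf58f7:::
joesmith:1001:56ab046a034464b5aad3b435b51404ee:362cb8dbaf3029bf08503f644a533eed:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:362cb8dbaf3029bf08503f644a533eed:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text):
    """Return one Account per non-empty line; reject anything not in pwdump format."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = PWDUMP_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not pwdump format: {line!r}")
        user, rid, lm, nt = m.groups()
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts


def audit(accounts):
    """Map user -> list of findings derived from the hashes alone."""
    findings = {a.user: [] for a in accounts}
    by_nt = {}
    for a in accounts:
        if a.lm == EMPTY_LM_HASH and a.nt == EMPTY_NT_HASH:
            findings[a.user].append("blank password")
        elif a.lm == EMPTY_LM_HASH:
            findings[a.user].append(
                "no LM hash stored (password longer than 14 characters, or LM storage disabled)")
        elif a.lm[16:] == EMPTY_LM_HALF:
            findings[a.user].append("LM hash present, password is 7 characters or fewer")
        else:
            findings[a.user].append("LM hash present, password is 8 to 14 characters")
        by_nt.setdefault(a.nt, []).append(a.user)
    # Unsalted NT hashes: equal hashes mean equal passwords across accounts.
    for users in by_nt.values():
        if len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append(f"same password as: {others}")
    return findings


if __name__ == "__main__":
    for user, notes in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{user}: " + "; ".join(notes))
```

Run against hashes.txt instead of the embedded sample, this gives management the first cut of the report (how many accounts still have LM hashes, how many are under eight characters, how many share a password) without a single hash having been cracked.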
Cracking the hashes
An impressive Windows-based solution for cracking password hashes is Cain & Abel, as I mentioned above. It's actually very easy to use but the interface is a bit cluttered. With that in mind, I'll guide you through this one closely.
Once we have opened up Cain, we'll need to locate the tabs near the top of the screen. We'll then find the one labeled "Cracker" and click it.
From there, we will right-click on the grid to the right and select "Add to list." We'll then choose "Add Hashes from a text file" to open hashes.txt, which holds our dumped hashes.

Once we have the hashes loaded, we can start cracking using various techniques. Two common "attacks" for password cracking are brute force (guessing every possible combination) and dictionary (using a combination of dictionary words and trailing numbers).

We'll try cracking joesmith's password first by right-clicking and choosing "Brute Force Attack" and "LM Hashes."

Using the default character set and a maximum password length of seven, we'll usually have guessed everything in that keyspace within a few hours. This naturally will vary with processor speed (splitting the load among multiple computers can help). If the password is a member of the keyspace we define, we'll be sure to find it.
Keep in mind that this is one of the most processor-intensive activities your computer is capable of. If you need to do something else while brute forcing, you may want to pause Cain for a while.
Once the password hash is cracked, the brute force attack will stop and the results will be displayed.

Next we'll go after the Guest account, except this time we'll use a dictionary attack instead. We do this by right-clicking on Guest and choosing "Dictionary attack" and "LM Hashes."

Normally, any password cracking tool will allow users to select their own dictionary file. There are many resources on the Web where you can find these. For this demonstration we'll simply use the one that comes with Cain.
There are more settings to choose with a dictionary attack such as adding digits to all the words, going through all case permutations, and trying words both forwards and backwards. These settings will drastically increase the total time the attack might take.
We'll then click Start and let Cain get to work.
Once again, when Cain guesses the correct password for our hash it will notify us of the results.

Once we exit the dictionary attack screen, Cain will list all the passwords we've cracked thus far.
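How long either attack takes comes down to how many candidates the chosen settings generate. The Python below, added here as an example and not part of the article or of Cain, does that arithmetic for both of the sections above: the brute-force keyspace for lengths one to seven (one LM half, which is why the brute-force run stops at seven) and the multiplication each dictionary option applies to a word. The digit rule (none, one or two trailing digits), the hash rate and the sample word list are assumptions of this example, not Cain's actual options. One caveat the counts make visible: LM hashes are computed over the uppercased password, so case permutations add nothing against an LM hash, and the lm_target flag folds them back together.

```python
"""Estimate how many candidates each cracking setting generates
(added example; the digit rule and rates are assumptions, not Cain's)."""
from itertools import product

# Assumed suffix rule for the "add digits" option: none, one digit, or two digits.
DIGIT_SUFFIXES = [""] + [str(d) for d in range(10)] + [f"{d:02d}" for d in range(100)]


def brute_force_keyspace(charset_size, max_len=7):
    """Candidates for all lengths 1..max_len over a charset of the given size.
    max_len=7 is one LM half; the two halves are attacked independently."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def brute_force_hours(charset_size, hashes_per_second, max_len=7):
    """Worst-case wall-clock hours to exhaust that keyspace at a given rate."""
    return brute_force_keyspace(charset_size, max_len) / hashes_per_second / 3600


def case_variants(word):
    """Every upper/lower spelling of word (2 ** number_of_letters of them)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return {"".join(p) for p in product(*choices)}


def mutate(word, digits=False, cases=False, reverse=False, lm_target=False):
    """Candidates produced from one dictionary word under the chosen settings.
    lm_target collapses the set the way LM sees it: uppercased, at most 14 chars."""
    bases = case_variants(word) if cases else {word}
    if reverse:
        bases |= {b[::-1] for b in bases}
    suffixes = DIGIT_SUFFIXES if digits else [""]
    candidates = {b + s for b in bases for s in suffixes}
    if lm_target:
        candidates = {c.upper() for c in candidates if len(c) <= 14}
    return candidates


def candidate_count(words, **settings):
    """Total candidates a word list produces under the given settings."""
    return sum(len(mutate(w, **settings)) for w in words)


WORDLIST = ["password", "guest", "summer"]  # constructed sample, not Cain's list

if __name__ == "__main__":
    # 36 = A-Z plus 0-9, the smallest set that matters for LM (which uppercases).
    print("LM half, 36-char set:", brute_force_keyspace(36), "candidates")
    print("  at 1M hashes/s:", round(brute_force_hours(36, 1_000_000), 1), "hours")
    for settings in ({}, {"digits": True}, {"digits": True, "cases": True},
                     {"digits": True, "cases": True, "reverse": True},
                     {"digits": True, "cases": True, "reverse": True, "lm_target": True}):
        print(f"{settings or 'plain words'}: {candidate_count(WORDLIST, **settings)} candidates")
```

The last two lines of output are the practical point: turning on case permutations against LM hashes multiplies the run time by 2 to the power of the word length while finding nothing new, so for an LM audit leave that option off and spend the time on digits and reversal instead.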


This list of results isn't really print-friendly and won't let you copy and paste. If you need to print a list of these passwords, it's handy to open LMNT.LST (located in the Cain program folder) with a standard text editor.
To make an even more readable list for printing, I like to import LMNT.LST into a spreadsheet program. By choosing ";" as the delimiter, the cells containing the hashes and any other information I no longer need can be cleared.
Conclusion
In closing this article, I'll spare you the obligatory warnings since I already made you (hopefully) aware of them. This is normally the kind of article that I don't publish since the last thing I want to do is encourage illegal behavior. But living in a world where privacy is not only a concern but a guarantee for so many businesses, it's important not only to know what they are supposed to be auditing but why those passwords may need to be better than they are currently.

Rollie Hawk is a consultant, web publisher, online personality, magazine writer, web developer, network administrator, teacher, husband and father residing in southern Illinois. He graduated in 2002 from Southern Illinois University, earning his BS majoring in math with a minor in chemistry.