The Internet Encyclopedia (Volume 3)
WL040C-01 WL040/Bidgoli-Vol III-Ch-01 June 24, 2003 10:39 Char Count= 0


6 PASSWORDS

the tool saves the session and then works on the captured file.

Recovering Windows NT Passwords
Or, why physical security is still important. Norwegian software developer Petter Nordahl-Hagen has built a resource (“The Offline NT Password Editor”) for recovering Windows passwords on workstations. His approach bypasses the NTFS file permissions of Windows NT, 2000, and XP by using a Linux boot disk that allows one to reset the Administrator password on a system by replacing the hash stored in the SAM with a user-selected hash. His program has even been shown to work on Windows 2000 systems with SYSKEY enabled. An MS-DOS version also exists, as does a version that boots from CD-ROM instead of floppy disk.
Thus, physical access to the workstation can mean instant compromise, unless, perhaps, the system BIOS settings are also password-protected and do not allow a user to boot from floppy or CD-ROM (however, several attacks against BIOS settings have also been published).

Types of Password-Cracking Tools
Password-cracking tools can be divided into two categories: those that attempt to retrieve system-level login passwords and those that attack the password-protection mechanisms of specific applications. The first type includes programs such as L0phtcrack, Cain & Abel, and John the Ripper. Some sites for obtaining password-cracking tools for various platforms, operating systems, and applications are included in the Further Reading section at the end of this chapter.
The Russian company ElcomSoft has developed a range of programs that can crack passwords on Microsoft Office encrypted files, WinZip or PKZip archived files, or Adobe Acrobat (PDF) files. The U.S. federal government charged ElcomSoft with violating the Digital Millennium Copyright Act of 1998 for selling a program that allowed people to disable encryption software from Adobe Systems that is used to protect electronic books. The case drew attention after ElcomSoft programmer Dmitry Sklyarov was arrested at the DefCon 2001 convention in July 2001 (US v. ElcomSoft & Sklyarov FAQ, n.d.).

PASSWORD SECURITY ISSUES AND EFFECTIVE MANAGEMENT
Enforcing Password Guidelines
The FBI and the Systems Administration and Networking Security (SANS) Institute released a document summarizing the “Twenty Most Critical Internet Security Vulnerabilities.” The majority of successful attacks on computer systems via the Internet can be traced to exploitation of security flaws on this list. One of the items on this list is “accounts with no passwords or weak passwords.” In general, these accounts should be removed or assigned stronger passwords. In addition, accounts with built-in or default passwords that have never been reconfigured create a vulnerability because they usually have the same password across installations of the software. Attackers will look for these accounts, having found the commonly known passwords published on hacking Web sites or some other public forum. Therefore, any default or built-in accounts also need to be identified and removed from the system or else reconfigured with stronger passwords.
The list of common vulnerabilities and exposures (CVE) maintained by the MITRE Corporation (http://www.cve.mitre.org) provides a taxonomy for more than 2000 well-known attacker exploits. Among these, nearly 100 have to do with password insecurities, and another 250 having to do with passwords are “candidates” currently under review for inclusion in the list. The following provides a few samples:

Some Sample Password Vulnerabilities in the CVE List
CVE-1999-0366: “In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value.”
CVE-2001-0465: “TurboTax saves passwords in a temporary file when a user imports investment tax information from a financial institution, which could allow local users to obtain sensitive information.”
CVE-2000-1187: “Buffer overflow in the HTML parser for Netscape 4.75 and earlier allows remote attackers to execute arbitrary commands via a long password value in a form field.”
CVE-1999-1104: “Windows 95 uses weak encryption for the password list (.pwl) file used when password caching is enabled, which allows local users to gain privileges by decrypting the passwords.”
CVE-2000-0981: “MySQL Database Engine uses a weak authentication method which leaks information that could be used by a remote attacker to recover the password.”
CVE-2000-0267: “Cisco Catalyst 5.4.x allows a user to gain access to the ‘enable’ mode without a password.”
CVE-1999-1298: “Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources.”
CVE-1999-1316: “Passfilt.dll in Windows NT SP2 allows users to create a password that contains the user’s name, which could make it easier for an attacker to guess” (Common Vulnerabilities, n.d.).

SANS suggests that to determine whether one’s system is vulnerable to such attacks, one needs to be cognizant of all the user accounts on the system. First, the system security administrator must inventory the accounts on the system and create a master list. This list should include even intermediate systems, such as routers and gateways, as well as any Internet-connected printers and print controllers. Second, the administrator should develop procedures for adding authorized accounts to the list and for removing accounts when they are no longer in use. The master list should be validated on a regular basis. In addition, the administrator should run a password strength-checking tool against the accounts to look for weak or nonexistent passwords. A sample of these tools is noted in the Further Reading section at the end of this chapter.
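As an added illustration of the SANS inventory-and-audit procedure above (example code written for this page, not from SANS or any tool the chapter names), the following Python audits a constructed shadow-style account export against a constructed master list, flagging passwordless accounts and active accounts missing from the inventory, and applies a simple strength rule that rejects vendor defaults and passwords containing the user name (the gap behind CVE-1999-1316). The export layout, master list and default-password list are all assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample export in a shadow-like "name:hash:uid:shell" layout
# (hypothetical data, not taken from any real system).
ACCOUNT_EXPORT = """\
root:$6$saltsalt$hashofroot:0:/bin/bash
ftp::14:/bin/date
guest:!:1001:/bin/false
alice:$6$saltxyz$hashofalice:1000:/bin/bash
printer-admin:$1$old$hashofprinter:1002:/bin/sh
"""

# Constructed master list of authorized accounts (the inventory SANS recommends keeping).
MASTER_LIST: Set[str] = {"root", "alice"}

# Small constructed list of vendor-default passwords that must be rejected.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "guest"}

# Hash-field values that mean the account is locked rather than passwordless.
LOCKED_HASHES = {"!", "*", "!!"}


def parse_export(text: str) -> List[Dict[str, str]]:
    """Split the colon-separated export into one dict per account; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw_hash, uid, shell = line.split(":", 3)
        records.append({"name": name, "hash": pw_hash, "uid": uid, "shell": shell})
    return records


def audit_accounts(text: str, master: Set[str]) -> List[Tuple[str, str]]:
    """Flag accounts with an empty password field and active accounts absent from the master list."""
    findings = []
    for acct in parse_export(text):
        if acct["hash"] == "":
            findings.append((acct["name"], "no password"))
        if acct["name"] not in master and acct["hash"] not in LOCKED_HASHES:
            findings.append((acct["name"], "active account not on master list"))
    return findings


def check_password(username: str, password: str, min_len: int = 8) -> bool:
    """Policy check: minimum length, not a vendor default, and not containing the
    user name (the case Passfilt.dll missed in CVE-1999-1316)."""
    if len(password) < min_len or password.lower() in DEFAULT_PASSWORDS:
        return False
    return username.lower() not in password.lower()
```

Running `audit_accounts(ACCOUNT_EXPORT, MASTER_LIST)` on the constructed data reports the passwordless ftp account and the two active accounts (ftp, printer-admin) that the master list never authorized.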