policy-based password cracker

Date December 4, 2005

Hi all,

I am looking for a brute-force password cracker that
can be configured based on password policies. For
example, I am trying to audit a system that I know the
security policy on (min/max pw length, complexity
rules, etc.). What I want is to only brute-force
passwords that fit that policy. Obviously, min and
max is not the issue, but I cannot seem to find
anything that will only test passwords that meet
complexity requirements (lowercase alpha, uppercase
alpha, number). Something that generates this into a
rainbow table would be even better…

Anyone aware of such a tool?

Thanks in advance,
Chris

- hydra from THC…
It even provides a tool called pw-inspector to modify your wordlists.
In the TODO is an entry that bf was added in the 5.x release (not
confirmed by me).

There are bugs in Hydra, but it’s working.

Kind regards

- John the Ripper might have all you want, if you have a closer look at
the rules in john.conf and use bruteforce-mode only.
Be warned – fiddling around with John’s ruleset might lead to anything
from sleepless nights to insanity.

cheers,

tom

- Dear Chris Costantino,

The answer is (among others): John the Ripper.
Get used to writing rules for it, though.

- Hi Chris,

You can give Lepton’s Crack a try, depending on the algorithm you need
you’ll need either the main branch from http://usuarios.lycos.es/reinob/
or Piero Brunati’s version from http://www.nestonline.com/lcrack/. Both
versions support defining min/max pw length and charset, and they also
have a very powerful REGEX mode.
Lepton’s Crack currently doesn’t generate or support rainbow tables,
but it comes with a small utility to produce precomputed “tables” that
are a slightly similar concept…
Cheers,

Miguel

- Rainbowcrack supports customized charsets, so you can easily create
your own character set and place it in the charset.txt file.

custom = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

(It’s useful to note that if you’re cracking LANMAN hashes, the
charset only needs to include uppercase alpha and not lowercase due to
how LM hashes are stored…)

Cain (http://www.oxid.it) can be configured to use a customized
character set for brute-force attacks and might even be a little bit
easier to use than John the Ripper…

- Depending upon the specific policies, you may not save a significant amount
of time by limiting the brute-force attack. For instance, consider a policy
that required at least one upper, one lower and one number in all passwords.
Let’s first assume that the possible character set for passwords is
upper/lower/number. For four character passwords, 19% of the possible
password checks can be eliminated due to the policy. For five character
passwords, only 9% would be eliminated and the percentage would continue to
drop as the length increases. If the possible character set included
upper/lower/number/special characters, the policy would only eliminate 3% of
the possible 4 character passwords and 1% of the possible 5 character
passwords. Since the vast majority of the time for a brute-force attack is
spent on the largest length checked and since the number of tests that can
be eliminated due to the policy declines with length, I suspect that
limiting the brute-force attack due to policy might only be worthwhile for
some highly specific policies.

Also, most brute-force attacks are very fast. One would need to test the
speed of eliminating a password vs. the speed of testing a password. If you
needed code to determine whether a password passed the policy, the overhead
of this code on all passwords might eliminate any savings vs. just testing
all of the passwords. This would have to be benchmarked on a case-by-case
and policy-by-policy basis. Obviously, if the password testing is against a
remote server/resource and the testing is slow, then the savings of not
testing even a small number of passwords would more than make up for the
overhead in the code. However, brute-force attacks against remote and slow
servers are not very practical to begin with.

Bob Weiss
Password Crackers, Inc.
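
How much of a keyspace an "at least one upper, one lower and one number" policy excludes at each length can be counted exactly with inclusion-exclusion. The following is an added example, not part of the original thread; the class sizes (26 upper, 26 lower, 10 digits, 33 specials) and the function names are assumptions.

```python
from itertools import combinations

# Assumed character-class sizes for printable ASCII (not given in the thread).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}


def compliant_count(length, allowed, required):
    """Count strings of `length` over the `allowed` classes that contain
    at least one character from every class in `required`."""
    charset = sum(CLASSES[c] for c in allowed)
    count = 0
    # Inclusion-exclusion over which required classes are entirely absent.
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = charset - sum(CLASSES[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def excluded_fraction(length, allowed, required):
    """Fraction of the full keyspace at `length` that the policy rules out."""
    total = sum(CLASSES[c] for c in allowed) ** length
    return 1 - compliant_count(length, allowed, required) / total


def report(allowed, required, lengths=range(4, 11)):
    """Return (length, total, compliant, excluded fraction) rows."""
    rows = []
    for n in lengths:
        total = sum(CLASSES[c] for c in allowed) ** n
        ok = compliant_count(n, allowed, required)
        rows.append((n, total, ok, 1 - ok / total))
    return rows


if __name__ == "__main__":
    policy = ("upper", "lower", "digit")
    for allowed in (policy, policy + ("special",)):
        print("allowed classes:", "/".join(allowed))
        for n, total, ok, frac in report(allowed, policy):
            print(f"  len {n:2d}: keyspace {total:.3e}, "
                  f"compliant {ok:.3e}, excluded {frac:6.1%}")
```
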
