nt-part2_86
Analysis of the Security of Windows NT
1 March 1999
86
D Utility Programs
In this appendix, we will present some utilities that we believe could be useful for an
NT administrator. Some of them were used during our study. We categories them
according to the structure presented in section 6.
D.1 Security Analysis Programs
D.1.1 L0phtcrack
L0phtcrack (pronounced loftcrack), is as far as we know, the most popular password
cracking program for NT, which can be used to recover both the Lan Manager pass-
word and the NT password, stored in the SAM database. Version 1.x of this program
takes as input a file with user information, including both the username and the pass-
word. Such a file can be created by the PWDump utility, see appendix D.2.3.
L0phtCrack can optionally take a dictionary file as input. This type of attack is often
referred to as a dictionary attack. Alternatively, L0phtCrack gives the attacker the
capability to apply a brute force attack on the entire key space. The utility is distributed
with both a graphic and a character user interface.
Recently, a new version, 2.x, of this program has been announced. The creators have
tuned version 1.x as well as added new functionality. First, L0phtCrack takes advan-
tage of multiprocessor machines. Second, version 2 is able to retrieve password hashes
from the network. Third, the new version even accepts the SAM database as input.
Forth, it has become a commercial product.
D.1.2 Crack for NT
The very popular UNIX password cracking program, called Crack, is nowadays ported
to, and freely available for, NT. However, we have not used it in our experiments,
because we have been fully satisfied with the functionality offered by L0phtCrack.
D.1.3 C2CONFIG
The C2 configuration tool can be used to compare the current configuration of an NT
system with the C2 level security requirements, see [65]. C2CONFIG is shipped on
Microsoft's Windows NT Resource Kit, which is available in bookstores.
D.1.4 DumpACL
The DumpACL utility reports various security information about a particular NT
installation. A trail version of this program is available at Somarsofts Web site, see
appendix E.
DumpACL offers a number of features, including:
Dumps permissions for file systems, shares, Registry and printers.
Dumps policies, rights and trusts.
Dumps users and groups.