Backtrack contains several flexible and powerful password-cracking tools, including Rainbowcrack, Hydra, Medusa, and John the Ripper. Hydra and Medusa guess credentials against live login services, while Rainbowcrack and John the Ripper work offline on hashes you have already captured.
John the Ripper (jtr) is very easy to use, but first we need some hashes to crack.
There are several ways of getting the hashes; here are some methods I have used successfully in pentests.
- Pwn a system with Metasploit and, from the Meterpreter session, run "use priv" followed by "hashdump" to obtain the local password hashes (hashdump needs SYSTEM privileges, so run "getsystem" first if you only have a user-level shell)
- Use pwdump.exe to dump the local password hashes of a system
- Use fgdump.exe to dump all domain password hashes remotely from a domain controller (this needs domain administrator credentials you have already obtained):
c:\ fgdump.exe -h hostname -p password -u username
This is a very flexible tool, and more advanced options for fgdump.exe are available here http://www.foofus.net/~fizzgig/fgdump/fgdump-usage.htm
Whichever of these methods is used, you end up with a hash-dump file in pwdump format: one line per account, with colon-separated fields for the username, the RID, the LM hash and the NT hash, followed by three empty fields. It will typically look something like this:
As you can see, we have two types of hashes for each account: an LM hash (starting E52C) and an NTLM hash (starting A4F4). If the LM field reads aad3b435b51404eeaad3b435b51404ee, no LM hash is stored for that account (LM storage is disabled, or the password is longer than 14 characters) and only the NTLM hash can be attacked.
Defensive measures against this kind of attack:
- Many antivirus products block tools such as fgdump.exe and pwdump.exe as "hacking tools", which stops basic users from running them on their systems
- Strong password policies and regular audits prevent easy dictionary words from being used as passwords and enforce regular password changes
- Disabling LM hashes makes hash cracking far more time-consuming from the attacker's perspective, since the LM hash is case-insensitive and split into two independently crackable 7-character halves
- Long NTLM passwords are very time-consuming to attack with brute force