Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to History of L0phtCrack
Similar to History of L0phtCrack (20)
Recently uploaded
Recently uploaded (20)
History of L0phtCrack
- 1. THE STORY OF FROM 1997 TO 2015 Yes, L0phtCrack can drink legally now.
- 3. HOBBIT'S CIFS RESEARCH PAPER JANUARY 1997
- 4. Jeremy Allison released pwdump on 3/24/1997 Inspired to reverse engineer for Linux to NT interoperability for SAMBA Can dump password hashes from Windows NT registry but not crack Jonathan Wilkins released NTCrack on 3/28/1997 Can crack LANMAN hashes only Mudge released L0phtCrack on 4/11/1997 Cracks both LANMAN and NTLM hashes Origins of L0phtCrack
- 5. For each user, LANMAN hashes stored alongside NTLM for backwards compatibility. LANMAN Passwords uppercased and split into two 7 character passwords for hashing. This scheme persisted until Windows Vista shipped Jan 2007! Windows NT Password Hash Refresher
- 6. L0PHTCRACK 1.0 4/11/1997 • Core engine written by Mudge • GUI version written by Weld Pond • Imports hashes from Jeremy Allison's PWDUMP • Microsoft responds with SYSKEY on 5/15/1997 in NT4 SP3
- 7. • Windows administrators need a GUI • Put the tools for password cracking in one program L0phtCrack 1.5 Pivots from POC to Administrator/Pen Tester Tool
- 8. L0PHTCRACK 1.5 7/12/1997 • GUI update to fix Brute Forcing bugs • Challenge/Response hash cracking added • Built-in hash dumping • Shareware license • U.S. Government Accounting Office becomes first paying customer
- 9. L0PHTCRACK 2.0 2/16/1998 • Built-in sniffing for challenge/response • Ability to import SAM registry hive added • First commercial version with 14-day trial license
- 10. L0PHTCRACK 2.5 1/13/1999 • DilDog joins L0pht as to work on L0phtCrack full- time. • DES core rewritten with optimized assembly algorithm. • Hybrid dictionary/brute attack added
- 11. January 2000
- 12. L0PHTCRACK 3.0 (PRE) 1/24/2000 • Never Released • Last Version with L0pht branding • Added session-based interface • Added L0phtCrack Wizard • Added import from remote registry
- 13. LC3 (SST) 4/6/2001 • Released by "Security Software Technologies" • Added 'distributed' cracking • SST not allowed to use L0pht name on L0phtCrack, 'LC' used instead.
- 14. LC3 (@stake) 5/18/2001 • Three versions: Professional, Admin, and Consultant
- 15. LC4 (@stake) 5/14/2002 • Rob Cheyne added to team • GUI improvements: sorting, exporting, SCBS code pages • Hybrid mode improved to use more combinations • Multiple dictionary support
- 16. LC5 (@stake) 9/2/2004 • Ian Melven added to team, uncredited • Windows 2003 update, better packet sniffer • Rainbow Tables added • Audit Scheduling • Windows Domain Remediation • Support Options
- 20. L0phtCrack 6 3/11/2009 • Original development team, DilDog, Weld Pond, Mudge, purchase LC back from Symantec. • UI Modernization • 21 Service releases and updates through to 2015 • Support for 64-bit, Windows Vista, and Windows 7, and Windows Server up to 2012r2 • Basic Unix Hash Support
- 21. Goals Of L0phtCrack Today • Put all the tools for password auditing in one program • Make it easy for the enterprise to adopt with remediation and reports • Support modern hardware, operating systems, and hash formats • Support more than just Windows • Include more of the security community!
- 22. Challenges • Better ways to extract hashes. • Remote extraction is more difficult these days, remote UAC, firewalls • Sniffer out of date • GPU challenges: Keeping the GPU fully busy. Not all GPUs are that fast, CPU can be faster!
- 24. L0phtCrack 7 Early 2016 • Complete code overhaul by DilDog. 100% new codebase. • Converted from MFC to Qt for eventual portability • New cracking engine based on John The Ripper • Multi-GPU OpenCL, CUDA and CPU multi-core • SSSE3, SSE4.1, AVX, XOP, AVX2 optimizations,
- 25. L0phtCrack 7 Early 2016 • JtR complex wordlist rules • Full Unicode and character set support • Queue-based operation • Completely overhauled scheduler • Full Unix support for Linux, Solaris, BSD and AIX hashes w/ssh remote extraction. • Automatic update notification
- 26. L0phtCrack 7 Early 2016 Calibration selects which hardware and algorithms fastest
- 27. Completely Pluggable API • Open Source API allows third-party plugins to work with L0phtCrack. Beginning of a software ecosystem • All features in L0phtCrack are implemented as plugins using the API. • API is beta, will be released shortly after launch, available on GitHub. • Non-core features to be moved to plugins Pluggable Units of IBM 604 calculator from 1948. Ran at 50 kHz.
- 28. Future Directions • Mac OS X support. • Port GUI to OS X and Linux • Support for other cracking engines. • Hint: hashcat and oclHashcat now open source • Enterprise reporting/analytics • More import modules, such as creddump, mimikatz, volume shadow copy, etc. • Wireshark plugin for sniffing • Database hashes • More than just password cracking! • Add support for Nmap • Network inventory
Editor's Notes
- Personal intro Its been a bit of a cat and mouse game with Microsoft over many years. Surprisingly L0phtCrack has been owned by 5 organizations over the years.
- I saw this sign on my way home from the pub last night in Cambridge so of course I had to use it.
- Many think windows password crackers started with Jeremy Allison but Hobbits research was a precursor. Dan Farmer’s pwc which was part of COPS in 1990 and Alec Muffet’s crack (1993) were the first password crackers for Unix.
- NTLM is easy once you have the LANMAN as you can just cycle through all the casing posibilities.
- Microsoft had originally claimed it would take years to crack. Even though they used no salt. Reverse engineering and attack tools are a requirement for assessing security. Making the theoretical practical.
- SYSKEY of course was just security theater. It took 10 years for microsoft to remove lanman hash by default
- Creating a GUI enabled another class of users. Windows administrators.
- Samdump functionality. Of course the licensing was cracked right away.
- Revenue from selling L0phtCrack now allows some of the L0pht members to become full time employees.
- Didn’t sell any tools or technology. Just the people and brand.
- Not allowed to use the l0pht brand.
- You can see from the look and feel it is losing its underground edge. And frankly it was falling a bit behind the state of the art. John the ripper had better wordlist rules.
- This almost doomed L0phtCrack. A funny thing happened along the way. McAfee started flagging lc5 as a malicious tool!
- Symantec End of Lifes LC5. We approach Symantec and purchase the technology and name.
- L0phtCrack gets its name back! In the transaction we also got the l0pht name back.
- So I am happy to say L0phtCrack is alive and well today and we are still developing it.
- So you can tell from the investment we are making in L0phtCrack 7 that we think passwords in Windows and Unix will be around for a long time. It was 10 years before Microsoft felt safe removing LM hash.