L0phtCrack was one of the original and greatest hacking and auditing tools of the 90’s, essentially creating the modern LM/NTLM password auditing landscape. L0pht Heavy Industries – the creators of the tool – were instrumental in raising awareness of both the ease of cracking passwords as well the obviousness of how poorly people choose passwords.
It was easily the most visible password cracking and auditing tool of its time, and was responsible for many administrators and hackers alike raising awareness of password issues to management-types. It ranked high on Fyodors Top 100 Network Security Tools list multiple times.
It was a very sad day when Symantec bought out atstake.com in 2004, who owned the rights to the venerable cracker and shortly thereafter killed it.
But L0phtcrack is now back in the capable hands of the original creators, after an extended absence and presumably much pain wrangling it back from the monolithic Symantec corporation.
Version 6.0 came out last year, and the new updated 6.0.10a dropped last week.
Security Admins, Penetration Testers, Script Kiddies and CISSP types now have a sweet new tool in their arsenal.
This is what it looks like
Thing’s I like:
- Nice friendly wizard helps n00bs
- 64 bit target support
- Rainbow Tables support
- GPU acceleration
A few gripes I’ve got about it:
- Could use more reporting. I’d like to be able to create custom reports detailing passwords under a certain length, passwords meeting complexity requirements or not, and other issues I’m concerned about.
- Can’t export reports.
- It’s Windows only 🙁
Overall this is a great tool if you’re a sysadmin or security geek at a large corporation and have some bucks to spend. Weak passwords continue to be one of the easiest ways an attacker or unauthorized user gains access to critical systems. With a decent password cracking tool at your disposal it is much easier to bring this very real risk to your boss or internal security groups attention.
For the Linux and and Open Source fans, Ophcrack has a fair amount of the same functionality without the price tag. It does have some shortcomings but most can be overcome with some creative scripting and post-processing of the actual crack.