KBTAG: kben10000041
URL: http://www.securityportal.com/lskb/10000000/kben10000041.html
Date created: 03/07/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Programs for brute forcing passwords in Linux
Keywords: System/Passwords, Users/Passwords
In Linux, passwords are stored in a hashed format. This does not make them irretrievable: chances are you cannot reverse engineer the password from the resulting hash, but you can hash a list of words and compare the results against the stored hash. If the results match, you have found the password. This is why good passwords are critical and dictionary words are a terrible idea. Even with a shadow password file, the passwords are still accessible to the root user, and if you have improperly written scripts or programs that run as root (say, a WWW-based CGI script), the password file may be retrieved by attackers. The majority of current password cracking software can also run on multiple hosts in parallel to speed things up.
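The comparison described above, written as an audit an administrator could run over their own account records to find passwords that need resetting (an added example, not part of the original entry). PBKDF2 from Python's hashlib stands in for the system's crypt(3) hash, and the record layout, word list and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # assumption: kept low so the example runs quickly


def hash_password(password, salt):
    """Stand-in for the system's crypt(3) hash: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(user, password):
    """Build a constructed account record with a fresh random salt."""
    salt = os.urandom(8)
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


def weak_accounts(records, wordlist):
    """Return the users whose stored hash matches a word from the wordlist.

    Each word is hashed with the account's own salt and compared with the
    stored hash; only the user name is reported, not the password.
    """
    flagged = []
    for rec in records:
        for word in wordlist:
            candidate = hash_password(word, rec["salt"])
            if hmac.compare_digest(candidate, rec["hash"]):
                flagged.append(rec["user"])
                break
    return sorted(flagged)


# Constructed sample data: two accounts share a dictionary word, one does not.
WORDLIST = ["password", "letmein", "dragon", "sunshine"]
RECORDS = [
    make_record("alice", "sunshine"),
    make_record("bob", "q7#Lw2!vRx9z"),
    make_record("carol", "sunshine"),
]

if __name__ == "__main__":
    # The salt makes alice's and carol's hashes differ, yet both are flagged.
    print(RECORDS[0]["hash"] != RECORDS[2]["hash"])
    print(weak_accounts(RECORDS, WORDLIST))
```

The salt only forces each word to be re-hashed per account; it does not protect a password that appears in the word list.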
http://www.securityparadigm.com/defaultpw.htm - List of default passwords for various systems
John the ripper
An efficient password cracker available from: http://www.openwall.com/john/
Crack
The original widespread password cracker (as far as I know); you can get it at: http://www.users.dircon.co.uk/~crypto/.
VCU
VCU (Velocity Cracking Utilities) is a Windows-based program to aid in cracking passwords. VCU attempts to make the cracking of passwords a simple task for computer users of any experience level. You can download it from: http://www.wilter.com/~wf/releases.htm.