[Dshield] Password Cracking Software

Darren Spruell phatbuckett at gmail.com
Sat Feb 24 00:14:41 GMT 2007

On 2/23/07, David Taylor <ltr at isc.upenn.edu> wrote:
> To add a bit more information to this so folks get an understanding of what
> I am trying to get at.  A while back we were looking at having IT folks here
> at Penn use password cracking software against various systems as part of a
> security assessment.  L0phtCrack was a legitimate application (legit in this
> case means Symantec didn't detect it as evil). We were planning on talking
> to @Stake about a site license. If we are going to make recommendations of
> specific software to use in reality it can't be one that would be detected
> by AV software by default.
> Since Rainbow Tables is the big thing now I downloaded Ophcrack and as soon
> as I began the install pwdump was detected by Symantec. So, if we
> recommend software to our Penn IT Community we really can't tell them they
> need to stop the AV software from detecting it.  If that makes sense.

It kind of makes sense, but it's a shallow kind of sense. Not using
great tools like these because some security vendor classifies them as
"potentially unwanted" is dumb. :)  AV vendors are notorious for
considering some security applications evil and others "legit", and it
seems the legit ones correspond to companies that have some capital
behind them to schmooze their way into AV vendors' good graces.
There's nothing saying that you might select an application which this
week is on the friends list and 6 months down the road doesn't end up
on the bad list for your AV vendor.

There's no difference in essence between l0pht and pwdump+john or C&A
running on a system, so the opinion of your AV vendor doesn't matter.
l0pht (or any other "legitimate" password cracker) could just as well
be run by an attacker, and pwdump can be run just as easily by an
authorized user (as you're trying to do.) Just make the policy
decision to use whatever fits your requirements and budget best; if
your AV app alerts on it, that gives you an audit trail anyway that
you can use to see if only the authorized audits are occurring.

