Jim Miller wrote: > Last I heard, mostly from this list, L0phtcrack version 2, which was free, was >doing the job, but version 3, which costs money, was having problems cracking on time. Noone seems to have adressed the time problem yet. atstake recently sent out a mail to their customers saying: An updated release of LC3 (version 3.02) boosts performance in the Dictionary and Hybrid audits. We encountered and fixed a bug that slows the Dictionary and Hybrid audits, and in certain cases, caused the Hybrid to seemingly grind to a crawl. The NTLM cracking process was being unnecessarily invoked in these cases. 3.02 also resolves an issue in which launching LC3 from a session saved on a drive other than the one where LC3 is installed could revert a registered version of LC3 to Trial mode. I haven't tested this in depth yet, though, to say if there's a solid improvement. > Has the situation changed? Is LC3 now a stable product? Is it worth the cost of > oftware, the cost of installation and the cost of the learning curve? It's still an enabling tool, rather than a supporting tool: you get the tools for collecting passwords, and cracking them from dictionary etc., but the tools are separate, and may not work together well enough to make your particular job easier. A comprehensive password crack will require using a number of passwords lists in some specific order, typically: passwords cracked in earlier sessions, other 'well-known' passwords, names of people, various other names (products, places, characters, etc), and full dictionaries, before the brute force session starts. LC3 gives you only one dictionary -- so it's hand reconfiguration to switch password dictionaries, and that upsets the session concept of LC3. John the Ripper is easier to tailor in this respect, but it also has some shortcomings: you get only two word transformation rule sets, and only one of those can be applied to word lists. To get approximately the same functionality as with LC3, JtR needs to be complemented with pwdump (or one of its later incarnations pwdump2 or pwdump3). I'm not sure of JtR will do both Lan Manager hashes and NT hashes, like LC3. It does Lan Manager hashes, though. Furthermore LC3 does not seem to make it possible to export password hashes in text form as earlier versions of L0phtcrack did -- thus, you get rather locked into the program. I still use LC3, but I find I'm using the JtR/pwdump combo more and more. -- Anders Thulin Anders.X.Thulinat_private 040-661 50 63 Telia ProSoft AB, Carlsgatan 6, SE-201 20 Malmö, Sweden ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 10:18:54 PDT