Password Auditing with Style
Posted by Josh Abraham
Passwords are often the first line of defense for networks, databases, servers and applications. Are you actively testing your passwords?
In my last post, I announced that our team has been developing an easy-to-use password cracking tool with advanced features. Our initial goal for the project was to create something that made password auditing easier for our services team. However, after several internal discussions we’ve decided to share our work with the security community in order to see if this tool has value beyond what we had initially envisioned.
We’ve even talked about opening up a private, invite-only Beta to let others get some hands-on time with the tool. I encourage you to learn more about the tool and leave feedback/comments below (it may increase your chances of receiving an early invitation).
The application supports password hashes from Windows and Linux operating systems, MSSQL Server, MySQL Server and various other formats (MD5, SHA1, SHA256 and SHA512). The application auto-detects hash formats during the upload process. Cracking can be performed on demand or scheduled for a later date. Once passwords are cracked, they can be viewed, exported or deleted from the application. The front-end control panel leverages dynamic table sorting and live search, which makes projects with a large number of hashes easy to manage.
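To show what upload-time format detection has to deal with, here is an added example (my own illustration, not the tool's code; the application's actual detection rules are not published). It recognises the formats listed above by shape: pwdump-style Windows lines, /etc/shadow crypt strings, MySQL 4.1+ and MSSQL 2000/2005 hashes, and raw hex digests by length. The sample upload is constructed and the format names and regexes are this example's own. The caveat worth noticing is that a bare 32-character hex digest could be either MD5 or a raw NTLM hash, so the example reports it as ambiguous for manual review rather than guessing, and skips the well-known empty-LM constant, which carries no password.

```python
import re
from collections import Counter

# Patterns for the formats named in the post. These regexes and format
# labels are this example's assumptions about how such input usually looks.
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)
SHADOW_RE = re.compile(r"^(?P<user>[^:]+):(?P<hash>\$(?P<id>[156])\$[^:]+)(?::|$)")
MYSQL41_RE = re.compile(r"^(?:[^:]+:)?(?P<hash>\*[0-9A-F]{40})$", re.IGNORECASE)
MSSQL_RE = re.compile(r"^(?:[^:]+:)?(?P<hash>0x0100[0-9A-F]+)$", re.IGNORECASE)
RAW_HEX_RE = re.compile(r"^(?:[^:]+:)?(?P<hash>[0-9a-f]+)$", re.IGNORECASE)

CRYPT_IDS = {"1": "MD5-crypt", "5": "SHA256-crypt", "6": "SHA512-crypt"}
# Raw digests can only be told apart by length; 32 hex characters is either
# MD5 or a bare NTLM hash, so that case is flagged instead of guessed.
RAW_BY_LEN = {32: "MD5 or NTLM (ambiguous)", 40: "SHA1", 64: "SHA256", 128: "SHA512"}
# LM hash of an empty password; appears when LM storage is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample upload (not real credentials).
SAMPLE_UPLOAD = """\
# constructed sample upload
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
root:$6$Jk3n8Hd2$Uk9x7Zq2vB3nLp8sT4yW1cF6hJ0mN5rA9dE2gK7iO3lQ8tV1xC4zM6bH0jP5sY9wD3fG7kL2nR4uS8aE1vI6oT0q:15800:0:99999:7:::
app:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
sa:0x01004086CEB60A5B3C2D1E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8B
5f4dcc3b5aa765d61d8327deb882cf99
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
notahash
"""


def detect_hash(line):
    """Return a list of (format, hash) pairs found on one uploaded line,
    or an empty list if the line matches no supported format."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = PWDUMP_RE.match(line)
    if m:
        found = [("NTLM", m["nt"].lower())]
        if m["lm"].lower() != EMPTY_LM:
            found.append(("LM", m["lm"].lower()))
        return found
    m = SHADOW_RE.match(line)
    if m:
        return [(CRYPT_IDS[m["id"]], m["hash"])]
    m = MYSQL41_RE.match(line)
    if m:
        return [("MySQL 4.1+", m["hash"].upper())]
    m = MSSQL_RE.match(line)
    if m:
        body = m["hash"][2:]  # strip the 0x prefix
        # 0100 + 8 hex salt + 40 hex SHA1 = 52 (MSSQL 2005); MSSQL 2000 adds a
        # second 40 hex hash of the upper-cased password = 92
        if len(body) == 52:
            return [("MSSQL 2005", m["hash"])]
        if len(body) == 92:
            return [("MSSQL 2000", m["hash"])]
        return []
    m = RAW_HEX_RE.match(line)
    if m and len(m["hash"]) in RAW_BY_LEN:
        return [(RAW_BY_LEN[len(m["hash"])], m["hash"].lower())]
    return []


def classify_upload(text):
    """Count detected formats across a whole upload and collect the line
    numbers that need manual review (unknown format or ambiguous digest)."""
    counts = Counter()
    review = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        found = detect_hash(line)
        if not found:
            review.append((lineno, "unknown format"))
            continue
        for fmt, _ in found:
            counts[fmt] += 1
            if "ambiguous" in fmt:
                review.append((lineno, fmt))
    return dict(counts), review


if __name__ == "__main__":
    counts, review = classify_upload(SAMPLE_UPLOAD)
    for fmt, n in sorted(counts.items()):
        print(f"{n:3d}  {fmt}")
    for lineno, reason in review:
        print(f"line {lineno}: needs review ({reason})")
```

The point of returning a review list rather than silently choosing a format is that a cracker told to treat NTLM as MD5 will simply never crack those hashes, so an upload step should surface ambiguity to the user instead of hiding it.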
We also introduced the concepts of “projects” and “companies” to make managing our workflows even easier. Each project has a list of hashes associated with it and a company can have multiple users assigned to various projects. Users are also granted certain privileges for each project. For example, role  users could crack and delete hashes, role  users could read and upload hashes, role  users may read only, and so on…
A major feature we have already built out is Metasploit integration. The integration includes a plugin that can be loaded into Metasploit to monitor the Metasploit database for new hashes. If new hashes are found, they are automatically uploaded to the password auditing web application and the cracking process starts automatically. There are also options for manual hash uploading and for holding uploaded hashes until scheduling instructions are given before cracking starts. The Metasploit plugin makes life easier for pentesters: after finishing an assessment they can simply log in to the web interface and export the results, instead of having to collect the hashes and upload them to the web application by hand. Automation is key!
The current roadmap for the project includes adding the ability to crack hashes with NVIDIA and ATI GPUs, support for systems in the cloud, rainbow tables, hash prioritization and re-prioritization, and more.
Next week I’ll share a new screencast that demonstrates the Metasploit integration — so stay tuned!
We Need Your Help!
Have any thoughts? We are looking to the security community for feedback. We need your help to determine which direction to take this project. Please let us know your thoughts in the comment section below — Big thanks!
Here are some questions to think about:
- In general terms, what do you think about the tool?
- What feature(s) would you like to see included that we haven’t talked about yet?
- What type of reporting metrics would be most useful?
- Would this tool be helpful in awareness programs to educate users about the risks within IT systems?
- What additional integrations would be helpful?