UNCLASSIFIED
Windows Server 2003 Checklist 4.0.0 - 22 April 2005 Field Security Operations
Appendix D Defense Information Systems Agency
D Password Strength Verification - Standard Operating Procedures
This appendix contains procedures for running “John the Ripper” password integrity software. This utility should be run against a Domain Controller in each WIN2K/W2K3 domain being reviewed.
The use of this utility should be briefed at any in-briefing and permission should be obtained to run it.
The “John the Ripper” password cracking utility is driven by a batch command script that runs locally on the system being checked. The script, pwchk.cmd, and its supporting files can be run from a CD-ROM or zip disk.
The script must be run with an account having administrator rights.
· To run the script, open the command prompt (Start > Run > enter ‘cmd.exe’ > <OK>).
· Change to the drive containing the script (e.g. CD E:) and enter ‘pwchk’ at the command prompt, then press enter.
· Reply to the prompt that asks if this is a WIN2K server.
· The reviewer is prompted to save the output to floppy (Y/N), to insert a floppy into the A: drive, and then to press any key to continue. If the reviewer selects yes and inserts a floppy disk, the output files are copied to A:. If the reviewer selects no, the output is saved to C:\temp\srr\output and no option to remove it is offered.
· If the reviewer chose to save to the A: drive, a second prompt asks whether to remove the output from the hard drive (Y/N). If the reviewer selects yes, the output is sent to the Recycle Bin; if no, the output remains in the C:\temp\srr\output directory. Normally this data should not be left on the machine. Note that sending the files to the Recycle Bin does not delete them; the Recycle Bin should be emptied before the reviewer leaves the system.
The disk containing the output from the script should be left with the site ISSO.
The output consists of four files:
1. Dumpfile.txt – contains the password hashes dumped from the local SAM in pwdump format (account:RID:LM hash:NT hash:comment:home directory:). Sample below:
Admin_adm:500:889A4539E10382A0B79AE2610DD89D4C:9C04FA584DF117EF6810876AB32FC4AF:::
NoGuest:501:31309487CCD5F39583C718A6B039ABEA:C3BAC902800BD42D36B72DD84A4EA61D:Built-in account for guest access to the computer/domain::
userid:1002:A697C60564044E121D71060D896B7A46:CC9B3C45AA25E01C7AC37BCAFA6CD7CF:::
Administrator:1010:354E4E3FB86CB1F2AAD3B435B51404EE:C0D41476A50E8D7CA4A0874C3DCE5FBC:Built-in account for administering the computer/domain::
Note: the following indicates the absence of an LM hash and not that the account has no password: "xguest:501:NO PASSWORD*********************:FAC6E6762E6D5611AD1C46198E86227D:::"
Note: the following indicates the absence of a password: "xguest:501:NO PASSWORD*********************:NO PASSWORD:::", and would be a finding.
Note: an LM hash whose second half is AAD3B435B51404EE (as in the Administrator sample above) indicates a password of seven characters or fewer, because that value is the LM encryption of an empty seven-character block. Such passwords are short enough to be exhaustively cracked and should be treated as a weak-password indicator even if John has not yet recovered them.
2. Easycheck.txt – contains a list of accounts where one or more characters of the password were easily discovered; each line gives the account, the recovered password, the RID and the NT hash. Sample below:
0 passwords cracked, 7 left
Note: the following indicates the absence of an LM hash and not that the account has no password: "xguest:NO PASSWORD:501:FAC6E6762E6D5611AD1C46198E86227D:::"
Note: the following indicates the absence of a password: "xguest:NO PASSWORD:NO PASSWORD:::", and would be a finding.
3. Hybridcheck.txt – contains a list of passwords where one or more characters were discovered using the rules and/or dictionary. Sample below:
Admin_adm:???????Y:500:9C04FA584DF117EF6810876AB32FC4AF:::
userid:???????2:1002:CC9B3C45AA25E01C7AC37BCAFA6CD7CF:::
2 passwords cracked, 5 left
Note: the following indicates the absence of an LM hash and not that the account has no password: "xguest:NO PASSWORD:501:FAC6E6762E6D5611AD1C46198E86227D:::"
Note: the following indicates the absence of a password: "xguest:NO PASSWORD:NO PASSWORD:::", and would be a finding.
4. John.pot – contains the hash and the character(s) of the passwords that were cracked. John stores each LM hash as two independent halves with a $LM$ prefix, so a half appears here as soon as it is cracked even while the other half is still unknown (the Y and 2 below are the eighth characters shown as ???????Y and ???????2 in Hybridcheck.txt above). Note: open this file using Notepad. Sample below:
$LM$B79AE2610DD89D4C:Y
$LM$1D71060D896B7A46:2
The ISSM should review the "easycheck.txt" and "Hybridcheck.txt" files and instruct users with weak passwords to choose stronger passwords.
Note: The data in these files may contain sensitive password information and should be secured against loss or unauthorized access.
The reviewer only needs to obtain a count of how many passwords were cracked. DO NOT bring any password files back with you. Leave any output with the IAO.
Note: The Easycheck.txt and Hybridcheck.txt output reflects passwords as being cracked, even if only one character has been identified. The reviewer should review the output and consider a password cracked only if a recognizable portion of the password has been identified.
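The following is an added example for this appendix and is not part of the checklist or of the pwchk.cmd script. It shows how a reviewer can turn the three text outputs described above into the counts the procedure asks for without carrying the files off site: it parses the pwdump-style records in Dumpfile.txt (flagging accounts with no password, accounts with only an NT hash, and LM hashes whose second half is the empty-block constant), and parses the John "--show" style records in Easycheck.txt or Hybridcheck.txt, counting a password as cracked only when a recognizable portion was recovered. The sample records are constructed, modelled on the appendix samples, and the MIN_RECOVERED threshold is an assumed value, not a checklist requirement.

```python
"""Triage of pwchk.cmd output (added example; not part of the checklist or pwchk.cmd).

Parses the pwdump-style records in Dumpfile.txt and the John the Ripper
"--show" style records in Easycheck.txt/Hybridcheck.txt into the counts the
reviewer records. Sample lines are constructed, modelled on the appendix;
MIN_RECOVERED is an assumed threshold, not a checklist value.
"""
import re
from collections import namedtuple

# Each LM hash half is DES("KGS!@#$%") keyed with 7 bytes of the upper-cased,
# null-padded password. An empty half yields this constant, so a hash whose
# second half equals it belongs to a password of 7 characters or fewer, and two
# copies of it is an empty password. The NT hash of "" is likewise fixed.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"
NO_PASSWORD = "NO PASSWORD"
MIN_RECOVERED = 3  # assumed: recovered characters before a partial crack counts
SUMMARY_RE = re.compile(r"^(\d+) passwords? cracked, (\d+) left$")

Account = namedtuple("Account", "name rid lm_hash nt_hash")

def parse_dumpfile(text):
    """Parse 'user:RID:LM:NT:comment:homedir:' records from Dumpfile.txt."""
    accounts = []
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split(":")]
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # blank line or not a pwdump record
        accounts.append(Account(parts[0], int(parts[1]), parts[2].upper(), parts[3].upper()))
    return accounts

def classify(acct):
    """Reviewer-facing condition of one account."""
    if (acct.nt_hash.startswith(NO_PASSWORD) or acct.nt_hash == EMPTY_NT_HASH
            or acct.lm_hash == EMPTY_LM_HALF * 2):
        return "no password (finding)"
    if acct.lm_hash.startswith(NO_PASSWORD):
        return "LM hash absent"  # NT hash present: not a finding by itself
    if len(acct.lm_hash) == 32 and acct.lm_hash[16:] == EMPTY_LM_HALF:
        return "password is 7 characters or fewer"
    return "hash present"

def parse_cracked(text):
    """Parse John '--show' style lines 'user:password:RID:NT:::' plus the summary.

    John prints '?' for each character of an LM half it has not recovered, so
    '???????Y' means only the last character is known. Per the appendix a
    password counts as cracked only when a recognisable portion is recovered
    (a literal '?' in a real password would be under-counted by this heuristic).
    """
    result = {"cracked": [], "partial": [], "no_password": [], "left": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            result["left"] = int(m.group(2))
            continue
        parts = line.split(":")
        if len(parts) < 3:
            continue
        user, password = parts[0], parts[1]
        if password.startswith(NO_PASSWORD):
            if parts[2].startswith(NO_PASSWORD):
                result["no_password"].append(user)
            continue  # else LM absent and NT uncracked: nothing recovered
        bucket = "cracked" if len(password.replace("?", "")) >= MIN_RECOVERED else "partial"
        result[bucket].append((user, password))
    return result

# Constructed samples modelled on the appendix output, not real site data.
DUMPFILE_SAMPLE = """\
Admin_adm:500:889A4539E10382A0B79AE2610DD89D4C:9C04FA584DF117EF6810876AB32FC4AF:::
xguest:501:NO PASSWORD*********************:FAC6E6762E6D5611AD1C46198E86227D:::
svc_empty:1005:NO PASSWORD*********************:NO PASSWORD*********************:::
Administrator:1010:354E4E3FB86CB1F2AAD3B435B51404EE:C0D41476A50E8D7CA4A0874C3DCE5FBC:Built-in account for administering the computer/domain::
"""
HYBRIDCHECK_SAMPLE = """\
Admin_adm:???????Y:500:9C04FA584DF117EF6810876AB32FC4AF:::
userid:SUMMER0:1002:CC9B3C45AA25E01C7AC37BCAFA6CD7CF:::
xguest:NO PASSWORD:501:FAC6E6762E6D5611AD1C46198E86227D:::
2 passwords cracked, 5 left
"""

def triage(dumpfile, checkfile):
    """Counts and account names only: nothing here needs to leave the site."""
    conditions = {a.name: classify(a) for a in parse_dumpfile(dumpfile)}
    cracked = parse_cracked(checkfile)
    return {
        "accounts": len(conditions),
        "no_password": sorted(n for n, c in conditions.items() if c.startswith("no password")),
        "short_lm": sorted(n for n, c in conditions.items() if c.startswith("password is 7")),
        "cracked": len(cracked["cracked"]),
        "partial": len(cracked["partial"]),
        "left": cracked["left"],
    }

if __name__ == "__main__":
    for key, value in triage(DUMPFILE_SAMPLE, HYBRIDCHECK_SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the real Dumpfile.txt and Hybridcheck.txt on the reviewed system, the triage output gives the cracked count the reviewer needs plus the account names the ISSM must follow up; only those counts and names should be recorded, and the script does not print or store any recovered password.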