WingNews logo WingNews GitHub [2]
top | item 28900615

L0phtCrack Is Now Open Source

439 points| rbanffy | 4 years ago |l0phtcrack.gitlab.io | reply

142 comments

order
[+] px43|4 years ago|reply
Shame what happened to Terrahash (previous owner of L0phtCrack). As someone who has purchased several Brutalis cracking rigs, those things were the most badass machines on the market.

Looks like they sold and committed to a bunch of cracking rigs before sourcing enough GPUs right before prices skyrocketed, and were suddenly on the hook for a lot more than they could realistically pay for. Hopefully Jeremi manages to pull through. It's a fantastic company that makes a fantastic product. I'd love to buy some new rigs when they get their supply chain issues figured out.

https://terahash.com/letter-from-ceo

[+] Invictus0|4 years ago|reply
Wow, that is an extraordinary letter. A real case study in communication with customers.
[+] _wldu|4 years ago|reply
That's disappointing. They have some great systems. I hope they come through it OK.
[+] throwaway984393|4 years ago|reply 

         _   _                                        
        ((___))                                       
        [ x x ]           __________________________
         \   /        _ _/      Thanx DilDog!!      \
         (' ')           \__________________________/
          (U)
[+] loxias|4 years ago|reply
If yoU were a teenager at the right time, the L0pht, et al. were crUcial in nUdging the next decades of yoUr life.

I'm sUre I'm not alone in having fond memories seeing this. :)

PS: (2 decades since Boston madness!)

[+] arminiusreturns|4 years ago|reply
Thanks cDc for being an inspiration all my years of computing.
[+] hexman|4 years ago|reply 

  ...         DilDog is this you?
[+] Communitivity|4 years ago|reply
I haven't thought about Mudge in a long time. If you've ever worked cybersecurity for the government, or in general, you owe him, Brian Oblivion, Space Rogue and the other members of L0pht for opening the door. They were pioneers of responsible disclosure, and brought the problem to light when they testified to Congress in 98 that in 30 minutes they could shut down the Internet. He and the others had uncovered DoS, specifically a BGP DoS that would automatically cascade across the Internet.

Mudge was a musical prodigy and an alum of BBN, one of the key players in creating ARPAnet. His bio is fascinating, and you can find a good treatment of it here: https://www.cybersecurityeducationguides.org/peiter-zatko/

[+] brainwipe|4 years ago|reply
I don't work in infosec or gov but after reading that bio, I think we all owe him. Thanks for the tip.
[+] teleforce|4 years ago|reply
L0phtCrack was featured in the Phrack Magazine (53) inside an article written by Aleph1 on attacking PPTP, one of the oldest VPN protocols [1]. Prior to that, Aleph1 has written arguably the most famous article in Phrack Magazine (49) to date [2].

[1] The Crumbling Tunnel:

http://phrack.org/issues/53/12.html

[2] Smashing The Stack For Fun And Profit:

http://phrack.org/issues/49/14.html

[+] dagw|4 years ago|reply
Aleph1 has written arguably the most famous article in Phrack Magazine

Given the number of people, including myself, who consider reading that article a truly formative experiences, you might argue it's one of the most famous/influential articles in programming.

[+] someperson|4 years ago|reply
> L0phtCrack is a password auditing and recovery application originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables.

- Wikipedia

[+] sam345|4 years ago|reply
Thanks. Wonder why they can't put a description on the GitHub page?
[+] Ajedi32|4 years ago|reply
So it's a hash cracking tool? How does it compare to Hashcat? Any notable distinguishing features?
[+] brandonarnold|4 years ago|reply
Nostalgia factor is kicking into high gear on this one, as I haven't thought of L0phtCrack since the early 2000s.
[+] passwordreset|4 years ago|reply
I remember that the binary for L0phtCrack had some sort of software protection included with it, and it took a 1-bit change to be cracked, itself -- a 0x74 to 0x75, iirc (or 0x74 to 0xEB if you're a stickler for doing it right). I don't remember exactly what the protection was, maybe there was some sort of password count limit or time limit. It was a long time ago. I just remember being a little disappointed that it was that easy.
[+] weld|4 years ago|reply
The idea behind the weak license protection was hackers could crack it but it would keep the govt and corps honest.
[+] 0x0nyandesu|4 years ago|reply
I got expelled from high school because of this program.

I'm a millionaire now though so shrug

[+] skhm|4 years ago|reply
I was a hair's breadth away from expulsion too - exfiltrated .sam files from a PC in the library on a 3.5" floppy. Seems to be quite common experience judging by this thread.

Why did we all get caught? Smart enough to figure that out in your teens, dumb enough to think you can get away with it...

In my case I was operating with a dumbass friend who left a "calling card" on one of the compromised machines.

[+] nirv|4 years ago|reply
I didn't get caught.

But as a result of my demonstrative flexing cyber-security activity — I was granted with 'root' credentials on the school's SUSE Linux server… Which apparently at the same time was used as an ISP router for an entire city block.

This granted responsibility, unsurprisingly, turned out to be an extremely effective step to cool my eagerness to hack into all things.

[+] girvo|4 years ago|reply
They tried to expel me for this (among other) reason(s) too, though the Vice Principal went to bat for me and instead I was banned from using any computers on school property for the last couple years of high school instead.
[+] hbn|4 years ago|reply
Congrats, how did you do it?
[+] vptr|4 years ago|reply
Dang this does bring back the memories. What was the other tool I used a lot for reversing. Something ice something... softice debugger. That was also a piece of art.
[+] lostlogin|4 years ago|reply
Thought you were summoning the mod for a minute there.
[+] DeathArrow|4 years ago|reply
I went from John the Ripper to L0phtCrack to Hash Cat. Now I want a Quantum computer because for some type of passwords even running Hash Cat on a big GPU farm is too slow because of hashing algorithms.
[+] isitdopamine|4 years ago|reply
Bad news is: a quantum computer will not crack hashes faster.
[+] AdrianB1|4 years ago|reply
I used it in ~ 1999-2000 to check password strength in the company I worked for; it was running for 1 minute, for any password that was recovered the owner got a notice to change it immediately. Initially 50% of the passwords were the username and more than 50% were up tp 5 characters long. At that time an 8 char min length was "safe enough" for a company that had no sensitive data other than the payroll.
[+] lvs|4 years ago|reply
At last, some actual hacker news!
[+] Svperstar|4 years ago|reply
Back in like 1998 or 1999 I used L0phtCrack to get the admin password to the PCs in the computer lab. Good times :)
[+] weq|4 years ago|reply
Combine this with a IIS3 exploit and a ip scanner you coded for fun and you make that labs all around the world :)
[+] poopsmithe|4 years ago|reply
Ah yes, the trusty info site and code repository with no explanation of what the software does.
[+] claytongulick|4 years ago|reply
For many HN readers l0phtCrack is iconic, and so needs no introduction.

FYI though, it was a password brute force tool that many of us used for various (mostly innocent) myschevios purposes 15-20 years ago.

[+] beermonster|4 years ago|reply
L0phtCrack is a password auditing and recovery application originally produced by Mudge.
[+] mydeskistoosm|4 years ago|reply
Is it even really relevant anymore?
[+] GekkePrutser|4 years ago|reply
Yeah I thought hashcat pretty much superseded it, especially with its amazing GPU acceleration.

Nevertheless, nice of them to open source it.

[+] rhexs|4 years ago|reply
No. They seem to have been doing a few puff PR pieces recently. Can’t imagine anyone under 30 knows or cares about them.

I guess their main claim to fame was being the first “hacker” group to do PR moderately well and transition into decent careers. Not really even an interesting footnote in history.

[+] short12|4 years ago|reply
I wonder what the reasoning for open sourcing it now. And why not from the get go instead of decades later. Licence choices are obviously up to the authors. But at this point it is more a museum relic than anything practical
[+] mike_d|4 years ago|reply
The rights to L0phtCrack were purchased about a year ago by a company that made password cracking rigs for large companies to audit their employees passwords. They filed bankruptcy due to the GPU shortage changing their COGS overnight. When payments stopped being made the license reverted back to the author and he open sourced it.
[+] kortilla|4 years ago|reply
This is the reason:

> at this point it is more a museum relic than anything practical

[+] zuminator|4 years ago|reply
I remember the app but never knew how to pronounce it -- it sounded like (record-scratch)-Crack, or maybe Bill the Cat, in my head. Light? Loft? Lowpft?
[+] derwiki|4 years ago|reply
“Loft” per the CDC book I recently read.
[+] Zenst|4 years ago|reply
I recall running this on a dual core Celron (BP6 dual socket motherboard) over-clocked back in the day to get 1Ghz `testing` power. Fun times.
[+] dagw|4 years ago|reply
Ah I remember that setup. The fact that 'normal' people could actually afford a 1Ghz computer was mind blowing.
[+] hestefisk|4 years ago|reply
Ahhh yes, this is a classic tool. Together with John the Ripper this forms the basis of lost sleep in my teenage years.
[+] Havoc|4 years ago|reply
I loved their choice of names.