Original developers invite OS community to develop further capabilities
L0phtCrack – the venerable Windows system password auditing tool – has been released as an open-source utility.
Christien Rioux (DilDog), one of the original authors of L0phtCrack while a member of hacker collective L0pht Heavy Industries more than 20 years ago, first said he planned to release an open source version of the tool in early August, around the time of the DEF CON conference.
The release of L0phtCrack as an open source software utility this week follows the successful resolution of business-related obstacles.
Terahash purchased the password auditing tool in April 2020 but the financing of the deal fell through and the technology fell back into the hands of Rioux and his colleagues as previous owners in June 2021.
No updates or even bug fixes were released during Terahash’s 15-month stewardship of the project, The Daily Swig is informed.
Viable, but niche
A decision was taken by Rioux and his former hacker colleagues at L0pht Heavy Industries not to find an alternative buyer but instead to develop the technology further as an open source project.
The technology still had a future despite being difficult to support commercially as a standalone project.
Rioux told The Daily Swig: “It was still a commercially viable product, but niche enough to not warrant further investment on the part of the development team. There’s a big difference between ‘will people pay for it’ vs ‘are people willing to spend their time supporting it’”.
Chris Wysopal (WeldPond), a former member of L0pht, added: “The original team found it took too much time to support part-time but not enough revenue was there to hire full-time employees or even contract employees.”
Auditing Active Directory passwords was the most common use of L0phtCrack. It also can import and crack passwords from Linux, BSD, Solaris, and AIX (Unix-based systems).
Wysopal has big ambitions for the technology, now that L0phtCrack 7.2.0 has been released to the open source community:
- That people to step in to assist with maintenance and project leadership
- That the plugin system and API are formalized and support for multiple cracking tools such as HashCat are added
- That support for new versions of Windows and other operating systems continues
- And for integrations with more hash collection mechanisms such as Responder
More than just password cracking
Wysopal told The Daily Swig: “I could hope that an organization such as OWASP or similar could assist with getting motivated people involved. I think this could be a framework for more than just password cracking eventually, rather the general automation of commonly performed ‘security audit’ tasks.”
Rioux has been involved in writing code for L0phtCrack for more than 20 years, so the time has come for him to step back and let other developers take the lead while still being around to mentor the development of the project.
L0phtCrack has a flexible plugin architecture that could potentially be extended over time to support better reporting and possible integrations with services such as Have I Been Pwned.
It might be possible to ‘plug in’ nmap scanning and other vulnerability scanners with some effort, to schedule password and network audits on a recurring basis, and to generate reports in the background.
The possibilities are myriad, but whether they will be realized or not depends on if the project can capture the interest of the open source community.
Wysopal concluded: “The fact that Dil[Dog] has been developing and maintaining a commercial security tool for 20+ years is pretty unprecedented. It is time for others to code.”
YOU MAY ALSO LIKE Bugs in malware create ‘backdoors’ for security researchers
Source: The Daily Swig