Experimenting with LC5 and Rainbow tables. Part 1
A while back, I knew a couple of friends in a somewhat compromised situation. They had been breaking the rules and running LC5 at work and were running the risk of getting caught, being sued and maybe worse. Due to some scheduling mishaps, they found themselves with a program running on a machine they no longer had access to clean up. I won't get into the specifics; just don't do that. It's unethical, and once you're upset enough to do something like that at work you should just quit, because you're not going to learn anything that will make you happy. Worse, rather than control your own destiny you risk getting terminated and, like I said before, maybe a lot worse, and there is no way having that on your record or in your past makes you a more desirable IT professional to employ.
LC5 is Symantec's password cracker. It was originally developed by l0pht, which was acquired by @stake; @stake was then eventually bought by Symantec. LC5 is frightening: it can sniff LM hashes off the wire and crack them at a frightening rate. If you don't have the 10 to 20 hours to wait for a brute force on an old computer, you can pay to use someone's rainbow tables or create your own and "recover passwords" much, much more quickly. There is nothing terribly complex or difficult to understand about how LC5 works. It has a set of tools for capturing Windows password hashes, either from the local machine or as they cross the network, and then it has a set of tools for finding a password that produces the same hash, either by brute force or by looking it up in a precomputed database. There are similar free tools for cracking password hashes, such as ophcrack.
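To make the brute-force-versus-lookup distinction concrete, here is an added example (not code from the original post, and not LC5's or ophcrack's code) in Python. It uses SHA-1 as a stand-in for an unsalted hash such as LM or NTLM, builds a precomputed digest-to-password table from a constructed wordlist, and shows why the same table is useless against a hash that is salted per user and stretched with PBKDF2. The wordlist, the "captured" digest and the helper names are all constructed for the example; a rainbow table stores the same precomputed mapping far more compactly using hash chains, but the defensive lesson is identical.

```python
import hashlib
import hmac
import os

# Constructed sample dictionary; a real cracking wordlist is far larger.
WORDLIST = ["password", "letmein", "Summer2005", "qwerty", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Unsalted, fast digest (SHA-1 here as a stand-in for LM/NTLM, which are
    also unsalted): identical passwords always produce identical hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> password once. After this, answering a query
    costs one dictionary lookup instead of re-hashing every candidate."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    """Table lookup: no hashing at query time."""
    return table.get(digest)


def brute_force(digest, words):
    """For contrast: recompute every candidate for every target digest."""
    for w in words:
        if hmac.compare_digest(unsalted_hash(w), digest):
            return w
    return None


def salted_hash(password: str, salt=None, iterations: int = 100_000) -> str:
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256. The same password
    hashes differently for every user, so no table built in advance matches it,
    and each guess costs `iterations` rounds instead of one fast digest."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def table_matches_salted(table, stored: str) -> bool:
    """A table keyed on unsalted digests never hits a salted record."""
    return stored.split("$")[-1] in table


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    captured = unsalted_hash("Summer2005")  # constructed "captured" digest
    print("lookup     :", lookup(table, captured))
    print("brute force:", brute_force(captured, WORDLIST))
    record = salted_hash("Summer2005")
    print("salted record          :", record)
    print("table hit on salted rec:", table_matches_salted(table, record))
    print("verify_salted          :", verify_salted("Summer2005", record))
```

The point for a defender is the asymmetry: for an unsalted, fast hash the attacker pays the hashing cost once and reuses the table against every captured hash, which is exactly what makes paying for someone else's rainbow tables worthwhile. A per-user salt forces the precomputation to be redone per hash, and the iteration count makes each recomputation slow.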
A more captivating problem is how you actually capture the password hashes in the first place, and do so undetected. Now, this is all hypothetical, but how difficult is it to capture a stream of data which may contain password hashes and then replay it back through LC5?
Screenshots of LC5: