Every now and then, we get questions about password crackers. Usually, these questions are something like, “Why do you detect these password crackers? They’re not malicious!” Well, now is as good a time as any to address the topic.
Obviously, password-cracking programs are not terribly malicious. Unless they have been trojanized or manipulated somehow, they just… crack passwords. Usually, given a password-protected file, they try different possibilities to recover that pesky password you forgot. I’m the first to admit that even though it might not be the best use of your computing power, it’s not terribly bad either.
However, there is a catch. Password-crackers and other software made for network administrators are often seen as part of attacks. This applies to other administration tools as well.
We have seen everything being used as tools in the attacker’s arsenal: from remote session helpers to file server programs and, yes, password crackers. Often, a trojan will spearhead the attack and once it’s inside the victim’s network, it will download other tools to help it further its objectives. For instance, if the attacker stumbles upon a password-protected file, he might think that’s precisely where the interesting stuff is, and use… a password cracker.
This brings me to the second (though admittedly similar) malicious use of admin tools: targeted attacks. These usually allow the attacker to connect remotely to the victim and then move laterally inside the network looking for information to steal. In this mission, the attacker might drop in several reconnaissance and offensive tools. Among these – yes, you guessed it – password crackers.
A targeted attack is not just about the “tools” used, even if they are legitimate. It is about who is carrying out the attack. Just because a particular tool started out as a legitimate product does not mean it is always used that way.
Because of how password crackers are abused in the wild, it makes perfect sense for us to detect them and prevent our customers from running them on their machines. At the end of the day, our customers are masters of their own machines – they can always create an exception for a password cracker if they have a legitimate use for it on their networks.
We don’t think the freedom of letting common hacker’s tools loose in your network is worth the risk they involve. Dynamite has good uses too, but we try not to store it in our homes.