In association with heise online

Reunited

When Windows NT was launched, Microsoft established a new method that remedied some of the weak points in LanManager: NT LanManager (NTLM). Here, the password is still brought to a length of 14 bytes, but now the string is converted into Unicode so that lowercase and uppercase letters are retained. With the MD4 hash algorithm, a 16-byte (128-bit) NTLM hash is generated and stored in one piece. But this approach also has some weak points: NT fills out passwords that are too short with zeros, and hashes can be precalculated because no random values are used to generate the hash. For reasons of compatibility, NT also continues to generate and save the LM hash. Both the LM hash and the NTLM hash are stored locally, generally as a Registry entry in the Security Account Manager database (SAM) (HKEY_LOCAL_MACHINE\SAM\SAM) or in the Active Directory on W2K/2003 domain controllers.

Because Windows generates both hashes, the advantages of the improved NTLM hash are lost. An attacker would first attempt to crack the simpler LM hash in order to calculate the password from it. Depending on the computing power and the quality of the password, attacks on LM hashes can take only a few seconds or as much as a few weeks; NTLM hashes take a lot longer to crack. Storage of the LM hash can be disabled as of Windows 2000 SP2, but if you do this on a domain controller, Windows 98 clients will no longer be able to log on.

[Image 2: NT generates single NTLM hashes.]

Cracking the nut

The best-known tool to crack hashes is L0phtCrack Version 4.0 (LC4) [1]. For 350 dollars, you get a graphical universal tool to test the quality of Windows passwords or to "remind" you of a password you have forgotten. Naturally, this tool can also be misused for attacks as long as you can get hold of the LM and NTLM hashes. While Windows is running, only the SYSTEM account can access the SAM; all other access, for example from the registry editor, is blocked. LC4 nonetheless has a couple of tricks up its sleeve to access the SAM, provided an administrator account is being used. Otherwise, you can also access the backup copy of the SAM in the repair folder, or boot with Linux or NTFS-DOS to get at the hashes. Microsoft reacted to this problem with the SYSKEY tool: the hashes remain accessible, but SYSKEY encrypts them with an additional 128-bit key. However, tools such as pwdump2 [2] can also get around this encryption, though at least it adds another hurdle.

LC4 initially attempts a dictionary attack against the hashes by working through a list of words. Weak passwords can thus be determined in a relatively short time. If the dictionary attack does not succeed, LC4 launches a brute-force attack: all possible combinations of alphanumeric characters, including special characters, are tried, with ever longer candidate strings. Such attacks naturally take much longer, especially if the passwords were selected carefully. In a hybrid attack, LC4 combines elements from the word list with additional characters.

Other tools, such as John the Ripper [3] and Cain & Abel [4], have similar hash-cracking functions. Both are free, and both are very powerful.

[Image 3: With L0phtCrack, you can even determine the source of the hashes.]

Permalink: http://h-online.com/-747173