See the weakness inherent in LANMAN hashes? Since the two halves of the password are hashed separately, if the password is 7 or less characters in length, the last half is always the same hash - the result of operating on 0000000. People are lazy about such matters. Unless forced, they will use short passwords. Thus a hacker only has to work on a 8byte hash. To add insult to injury, LANMAN passwords are all forced to upper case. This eliminates half of the possible passwords (if non-alpha characters are not required). This makes the lanman hash very vulnerable to brute force dictionary guessing attacks.
NT-type passwords are derived by converting the user's password to Unicode, and using MD4 to get a 16-byte one-way hash. The MD4 algorithm is in public domain. Its used by NT & most unix variants. The algorithm for LANMAN hash created is presented above.
One-way hashes are named one-way because they can not be reversed. This has been mathematically proven. So you get a copy of the SAM database and extract the one-way hashes. You can't reverse the process to get the hash converted back to the original password string. You don't have to do something so difficult. Since you know the algorithm, take a dictionary, feed the words through a hash making program developed from these algorithms and compare the hashes from the SAM with the hashes you are creating from your word list. Or use one of the many programs downloadable from the Internet.
This reveals the weakness in 'NT' passwords. What would you do to make this less vulnerable?
- Use alt-characters. These may be unbreakable.
- Eliminate LANMAN hashes. Great if you are allowed to mandate only NT workstations.
- OPPS. Even then LAN hashes are generated. Microsoft has introduced keys to
strengthen NT's hashes and eliminate LANMAN hashes when desired.
See NTLMv2 and embedded references.
- Encrypt the one-way hashes in the SAM. Admins rarely take appropriate security precautions with the ERD (emergency repair disks) and backup tapes which have the security db on them - keeping them in their office or other low-security locations. A post SP2 hot-fix, syskey carried forward in later SPs, gives admins much more protection. Syskey independently encrpts the hashes so that physical access to the server, tapes, or ERDs is only first step to cracking the passwords. They have to break through the 128-bit encryption used by syskey before they can attempt brute force dictionary attacks on the hashes. Sniffer capturing of hashes transmitted over the network are still a major danger unless you are using stronger versions of NTLMv2.
ERD Related Tips:
- NT ERD - never there when you need it
- Contents of NT ERD
- Steps Performed by the Emergency Repair Disk
- Disable a Service or Device that Prevents Windows NT from Booting
- Cracking Windows NT passwords
- Using the Emergency Repair Disk to Fix Windows NT Problems
- Repair Disk Secrets Reduce Downtime
- Patch Available for RDISK Registry Enumeration File" Vulnerability
Also see tip: Recover Lost Windows NT Administrator Password
A vulnerability was discovered in Syskey and Microsoft has provided a patch.