Cracking Windows NT passwords

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Passwords are not stored in the SAM security hive, per se. What is stored there is a one-way hash of the password. In fact, until very recently, two separate one-way hashes were always stored on the server - a Lan Manager hash required by Win3.x, Mac clients, & OS/2 clients; and a NT hash which could be used by NT workstations only. Lan Manager clients (Microsoft & IBMs legacy network operating systems - preNT) support a max 14-character password. Any password less than 14 characters is concantenated with 0's (ie jim becomes jim00000000000). It is converted to upper case (jim00000000000 becomes JIM00000000000), and split into two parts. An 8 byte odd parity DES key is constructed from each 7 byte half. Each 8 byte DES key is encrypted with a magic number (0x4B47532140232425 encrypted with a key of all 1's). The results of the magic number encryption are concantenated into a 16 byte one way hash value. This value is the Lan Manager password .

See the weakness inherent in LANMAN hashes? Since the two halves of the password are hashed separately, if the password is 7 or less characters in length, the last half is always the same hash - the result of operating on 0000000. People are lazy about such matters. Unless forced, they will use short passwords. Thus a hacker only has to work on a 8byte hash. To add insult to injury, LANMAN passwords are all forced to upper case. This eliminates half of the possible passwords (if non-alpha characters are not required). This makes the lanman hash very vulnerable to brute force dictionary guessing attacks.

NT-type passwords are derived by converting the user's password to Unicode, and using MD4 to get a 16-byte one-way hash. The MD4 algorithm is in public domain. Its used by NT & most unix variants. The algorithm for LANMAN hash created is presented above.

One-way hashes are named one-way because they can not be reversed. This has been mathematically proven. So you get a copy of the SAM database and extract the one-way hashes. You can't reverse the process to get the hash converted back to the original password string. You don't have to do something so difficult. Since you know the algorithm, take a dictionary, feed the words through a hash making program developed from these algorithms and compare the hashes from the SAM with the hashes you are creating from your word list. Or use one of the many programs downloadable from the Internet.

This reveals the weakness in 'NT' passwords. What would you do to make this less vulnerable?

  • Use alt-characters. These may be unbreakable.
  • Eliminate LANMAN hashes. Great if you are allowed to mandate only NT workstations.
  • OPPS. Even then LAN hashes are generated. Microsoft has introduced keys to strengthen NT's hashes and eliminate LANMAN hashes when desired.
    See NTLMv2 and embedded references.
  • Encrypt the one-way hashes in the SAM. Admins rarely take appropriate security precautions with the ERD (emergency repair disks) and backup tapes which have the security db on them - keeping them in their office or other low-security locations. A post SP2 hot-fix, syskey carried forward in later SPs, gives admins much more protection. Syskey independently encrpts the hashes so that physical access to the server, tapes, or ERDs is only first step to cracking the passwords. They have to break through the 128-bit encryption used by syskey before they can attempt brute force dictionary attacks on the hashes. Sniffer capturing of hashes transmitted over the network are still a major danger unless you are using stronger versions of NTLMv2.

ERD Related Tips:

Also see tip: Recover Lost Windows NT Administrator Password

A vulnerability was discovered in Syskey and Microsoft has provided a patch.

See Also

Featured Links