Password Cracking – What is a password hash?
All computers hash passwords as a security measure, so that they are not stored on the computer in plain text. There are many “hashes” or hashing algorithms, which are like different languages. You need to know the hashing algorithm in order to crack the password, just as you need to know the language in order to translate a document.

Hash Killer will hash your passwords and salts in real time, so that you can see how they change.

http://www.hashkiller.co.uk/hash-a-password.aspx
http://www.tobtu.com/lmntlm.php – great for just LM or NTLM hashes

So let's see this happen in real time.
Windows and Security – two terms seldom found in the same sentence!
Step 1 – Select a password
Step 2 – Get the hashed results of the password
Hash Killer will show the hashes for several hashing algorithms. Kali Linux uses SHA512. The last hashing algorithms listed show combinations of passwords and salts, e.g. MD5(Password, Salt) or MD5(Salt, Password).

Windows stopped using LM hashing – as it was too weak. There were fatal flaws in the design of the LM hash:
- It will only accept a maximum of 14 characters. So a password was restricted to 14 characters or less.
- Next it converted all lowercase characters into uppercase characters. (groans – as this makes cracking much easier).
- Then it null pads shorter passwords to 14 bytes.
- Alas, LM splits the original password into 2 halves of 7 characters each, and hashes each half separately.
- As you will know by now, the shorter the password, the faster it is to crack. In addition, desktops are capable of cracking 7-character passwords.
Windows replaced the LM hash with NTLM. There are 2 NTLM versions – currently NTLM v2 is used. However, here comes the next fatal flaw. Many Windows operating systems offer backwards compatibility with LM hashes for legacy systems. This leads us to the next security flaw.
Step 3 – LM Hashes are created in stealth
https://cyberarms.wordpress.com/2012/02/29/l-hash-flaw-windows-passwords-under-15-characters-easy-to-crack/

The LM based hashes can be cracked with SSD based tables in about 5 seconds. The NTLM version of the password hash is more secure and can take significant time to crack. The solution then is simple: disable LM password hashing.
Sounds simple doesn’t it? Well, the problem is, it doesn’t work. Even when you tell Windows to not store the less secure LM hash of the password, it still does.
Mike Pilkington posted an exceptional article today on this at the SANS Computer Forensics Blog. In his article, “Protecting Privileged Domain Accounts: LM Hashes — The Good, the Bad, and the Ugly”, Mike shows that even when Windows policy is set to disable LM hashes, the hashes are still created!
The interesting thing is that the lower security hashes are not present on the SAM stored on the hard drive. But when the security accounts are loaded into active RAM, Windows re-creates the LM hashes!
According to Mike’s article, the LM Hash can be pulled from active RAM using the Windows Credential Editor (WCE).
What is the solution then? Make your passwords at least 15 characters! The LM Hash only supports passwords of 14 characters or less, so if your password is over 14 characters, Windows cannot create the less secure hash.
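The LM design steps listed under Step 2 and the 15-character rule above, as an added example that is not part of the original post: `lm_halves` applies the uppercase, null-pad and split steps, and `audit_line` flags accounts in a pwdump-style export whose LM field is populated. The function names and sample lines are assumptions made for illustration; the only real hash value is the well-known LM result for an all-null 7-byte half.

```python
# Added example (not from the original post): LM pre-processing and a dump audit.
# Assumption: ASCII passwords only; real LM uses the system OEM code page.

# LM value of an all-null 7-byte half: DES of "KGS!@#$%" under an all-zero key.
EMPTY_LM_HALF = "aad3b435b51404ee"

def lm_halves(password):
    """Return the two 7-byte blocks LM hashes separately, or None if over 14 chars."""
    if len(password) > 14:
        return None                      # LM cannot represent this password
    raw = password.upper().encode("ascii").ljust(14, b"\x00")
    return raw[:7], raw[7:]

def audit_line(line):
    """Classify one pwdump-style line (user:rid:lm:nt:::) by its LM field."""
    user, _rid, lm, _nt = line.strip().split(":")[:4]
    lm = lm.lower()
    if lm in ("", EMPTY_LM_HALF * 2):
        return user, "no LM hash stored (or blank password)"
    if lm[16:] == EMPTY_LM_HALF:
        return user, "LM hash stored; password is 7 characters or fewer"
    return user, "LM hash stored; password is 8 to 14 characters"

# Constructed sample lines: the hex values are placeholders, not real hashes,
# apart from the EMPTY_LM_HALF constant.
SAMPLE = [
    "alice:1001:" + EMPTY_LM_HALF * 2 + ":00112233445566778899aabbccddeeff:::",
    "bob:1002:0123456789abcdef" + EMPTY_LM_HALF + ":ffeeddccbbaa99887766554433221100:::",
    "carol:1003:0123456789abcdeffedcba9876543210:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::",
]

if __name__ == "__main__":
    print(lm_halves("Summer2024"))       # two 7-byte halves, uppercased and padded
    print(lm_halves("a" * 15))           # None: too long for LM
    for entry in SAMPLE:
        print(*audit_line(entry), sep=": ")
```

The audit only sees hashes present in the export, so it does not cover the in-memory case described above; for that, the `None` result from `lm_halves` for 15 or more characters is the property to rely on.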