LM Hash flaw: Windows Passwords Under 15 Characters Easy to Crack

Solid State Drive (SSD) based cracking programs have really been a hot topic over the past few years. They are fast, very fast. I did an article a while back on using SSD based look up tables to crack 14 character Windows passwords in 5 seconds.

The blazing speed is possible because of the characteristics of the LM based password hashes that Windows stores along with the stronger NTLM based hashes. The LM based hashes can be cracked with SSD based tables in about 5 seconds. The NTLM version of the password hash is more secure and can take significant time to crack. The solution then is simple, disable LM password hashing.

Sounds simple doesn’t it? Well, the problem is, it doesn’t work. Even when you tell Windows to not store the less secure LM hash of the password, it still does.

Mike Pilkington posted an exceptional article today on this at the SANS Computer Forensics Blog. In his article, “Protecting Privileged Domain Accounts: LM Hashes — The Good, the Bad, and the Ugly“, Mike shows that even when Windows policy is set to disable LM hashes, the hashes are still created!

The interesting thing is that the lower security hashes are not present on the SAM stored on the hard drive. But when the security accounts are loaded into active RAM, Windows re-creates the LM hashes!

According to Mike’s article, the LM Hash can be pulled from active RAM using the Windows Credential Editor (WCE).

What is the solution then? Make your passwords at least 15 characters! The LM Hash only supports passwords of 14 characters or less, so if your password is over 14 characters, Windows can not create the less secure hash.

Why would Windows do this? Some older programs still use LM based security, so most likely Windows creates it even when you tell it not to for backwards compatibility.

For more information, check out Mike’s article.

Crazy Fast Password Recovery with Hashcat

I have been playing with Hashcat a little bit today and I am just stunned on how fast it is. Hashcat is an all purpose password cracker that can run off of your GPU or your CPU. The GPU version, OCLHashcat-plus is touted as the world’s fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker.

Hashcat is a multi-threaded cracker, so if your CPU can run several threads, it will use them. But the real speed comes into play when using the horsepower of a GPU. If your GPU can run hundreds of threads, all of this power is used to break passwords.

But just how fast is it?

I took just a simple password: “fred” and fed the NTLM password hash into Hashcat. I used just the slower CPU version and the Bruteforce option. The password was recovered as soon as I hit run:

It was so fast, the estimated and elapsed time didn’t even register.

You can also use password dictionaries to use as a guideline for Hashcat. For the next test, I downloaded the “RockYou.txt” password list. This is a list of actual passwords that have been sanitized (usernames removed). I pulled 4 random plain text passwords from RockYou and converted them to Windows NTLM passwords:

elizabeth1 – 6afd63afaebf74211010f02ba62a1b3e
francis123 – 43fccfa6bae3d14b26427c26d00410ef
duodinamico – 27c0555ea55ecfcdba01c022681dda3f
luphu4ever – 9439b142f202437a55f7c52f6fcf82d3

I placed the 4 password hashes into a file called hashes.txt, added in the RockYou plain text password list and fed them into Hashcat:

Hashcat recovered all five passwords in about the same amount of time it took to create the display screen, a second, maybe 2:

Remember that these are the NTLM hashes, not Window’s simpler LM hashes.

Add in the GPU version, advanced rules, attack methods, and Hybrid Masks and you really have a powerful tool to recover almost any password.