Letters-Only LM Hash Database
Peter Clark writes "Disk storage has increased tremendously in the past 5 years and the blatant insecurities in the antiquated LM hashing technique have not gone away; though functionality has been added to disable LM hashes, this is not set by default. With some help from Elcomsoft, simple flat files have been created that hold every combination of LM hash for letters only passwords. Jesko has coded a server application which allows you to access this database. Simply telnet to: beginningtoseethelight.no-ip.org on port 2501 and paste in a LM hash. So how does this differ from Rainbow tables? Well this will return a password 100% of the time, using minimal processor power, in approximately less than 0.2 seconds."
Re:Someone explain? (Score:5, Informative)
You telnet to it, feed it the hash, and it replies with the word.
LM hashes are how a lot of passwords are 'encrypted'
Excuse the fuzzy description... Crypto is not my strong point.
Re:What is an LM hash? (Score:1, Informative)
Re:What is an LM hash? (Score:5, Informative)
The LM hash is relatively weak compared to the NT hash, and it is therefore prone to fast brute force attack.
Source: http://support.microsoft.com/default.aspx?scid=KB
Re:Please explain (Score:4, Informative)
Re:Someone explain? (Score:5, Informative)
Re:Someone explain? (Score:5, Informative)
Re:Non sequitur? (Score:5, Informative)
- you have a password hash you want to crack
you can either:
- brute force your way through a long list of possible passwords to find one that matches the hash; every time you do this, it takes a lot of time and processing power
- or you can go through all possible passwords ONCE and save the resulting hashes; subsequent cracking jobs are very fast, but you wasted a lot of space to store all possible hashes.
thus, if disk space is cheap and you can afford to keep a couple of gigs in pre-computed hashes around, you have a very fast way of cracking weak hashes. a couple of years ago, this was not possible due to hard drives being like 200MB large.
Re:Someone explain? (Score:5, Informative)
In simple terms, a hash is a sort of "one-way" function. Passwords are often saved as hashes. The password is fed in one end, and the hash comes out the other. The hash is saved in a file. When one logs in and types in one's password, the system feeds what you typed in through the hash function and checks if the result matches the hash of your password. Since there is no way to reverse the hash process, it's been considered fairly safe to leave these hashes moderately unprotected. This database is, presumably, a sorted collection of the possible hashes from all letters-only passwords up to a certain length. The hash can't be reversed to get the password it came from, but a huge database of all possible hashes and their originating passwords certainly makes that irrelevant.
Re:Someone explain? (Score:2, Informative)
They're not used much anymore because they're ludicrously insecure, yet Windows still makes a LM hash of all passwords by default. You can easily get someone's (administrator) password from these hashes, and the hashes aren't hard to get from a computer.
They're not used and can give others your password, and now there's a site that'll give you any letters only password from its hash in seconds.
Re:What is an LM hash? (Score:4, Informative)
I used to piss off the admins where I last worked by running L0phtCrack over their tightly secure network and telling them the admin password every time they changed it.
You can and should switch this off unless you're using just a home LAN (beats me why it isn't off by default). Even better, upgrade all your network to at least Win2k, then disable NTLM entirely and use Kerberos (Samba 3 can be a full Kerberos domain member).
(FYI: See:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\con
A value of 0 (the default) means you have no security.
Change it to 3 on your clients, or 5 on your Domain controller)
lookup table vs computation (Score:3, Informative)
Instead of using the brute-force computing approach of generating hashes and comparing them to the known hash (looking for a match), this process uses an already created list or table of passwds and their associated hashes. Creating the table is computationally and storage[ally] non-trivial, but once it is in place cracking a passwd is as easy as grep-ing through the list/table to find the known hash.
Nutshell:
cracking passwds individually: no up front work and extremely variable cracking time
creating the database: lots of work up front but dramatically reduced cracking time
The lookup approach is extremely helpful for large numbers of hashes; if you have only one or two hashes, the brute-force method probably makes more sense.
Re:of course... (Score:3, Informative)
Not really -- good hashes act random.
Re:What is an LM hash? (Score:5, Informative)
hash = a way of storing passwords without leaving the password on the disk. You encrypt the password into a hash code and store that instead. You can't unencrypt it to derive the password but you can check a password guess by encrypting the guess the same way. If the guess hash == the password hash, you get in.
The best part is, you don't have to keep the hash code a secret, because it's not the hard part. You're not asked to provide the hash value; you're asked to provide something that hashes to the value. So you can store it on the disk and even send it out over the LAN where it can be sniffed.
That's very convenient: you can cache the hash code on every computer without having to trouble the central server to do the work. You don't want to send the password over the network (where it could be sniffed); nor is sending the hash code to the server for verification (because that could be spoofed). You distribute the hash to each computer, then let it decide if the password guess is correct. The password never goes across the network.
That works as long as you can't decrypt the hash. But if you work long enough you can just brute force it: just run all the passwords until you come up with the one that hashes to the same value. And you can do it offline: you take the hash code back to your own computer(s) and do the brute force there. You're not sitting in front of the computer you want to hack.
The old LM hash code was relatively short; ten years ago when it was developed disk drives were much smaller. Now a combination of big disks and big processors (and clever algorithms) make it possible to brute-force it.
The thing is, Windows NT and later use NT hashes instead, which are more secure. But for compatibility with Windows 95 and 98, by default they also store the LM hash code. Which means that your password is sitting on a visible place on the disk, encrypted in a way which is readily reversible to modern hackers.
That's been true for a while, but this new hack makes it trivial to decrypt; it used to take hours.
Disable LM Hash (Score:5, Informative)
http://support.microsoft.com/default.aspx?scid=KB
Re:Someone explain? (Score:4, Informative)
Actually, last time I checked, most versions of windows that used LanManager hashes split the password string into a new hash every 7 characters (yes, that is incredibly stupid). In other words, if your password was 8 characters long, there would be two hashes for your password: one that covered the first 7 characters, and one that covered the last 1 character.
So, I would assume the folks here have done every letter combination for up to 7 character long passwords, since that's all they'd need to do.
Re:My passwords (Score:5, Informative)
Normally, yes. But the LM method converts everything to uppercase before hashing. So your 8 character password, that had 10^14 combinations has just been reduced down to (26+10)^8... combinations or 2.9*10^12. Now, you might be saying "That was only a factor of four drop, no big deal, still 10^12 combos left." Realize though, that this DB currently has all possible passwords of a maximum length of 15 characters. This is 2.8*10^13 combos. This is less than the 10^12 possibilities that your password has. Consider that it searches in 0.2 seconds, and your password is not so safe.
Re:My passwords (Score:2, Informative)
Re:My passwords (Score:5, Informative)
You're okay for about 2 hours and 34 minutes: that's how long it takes to traverse every possible alphanumeric input on the author's test rig. Additionally, the article suggests that tables including every possible LM hash for [A-Z0-9] would occupy only 1.2 TB of space, meaning that these lookups could be done in a matter of milliseconds instead.
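An added example, not part of the thread or of the database project it discusses: the space side of the time/space trade-off described in the comments above, worked out for LM's 7-character uppercase halves. The flat-file record layout (8-byte half-hash plus padded plaintext) is an assumption made for the estimate.

```python
"""Size a flat, sorted lookup file for LM half-hashes (added illustration)."""

HALF_LEN = 7     # LM hashes each 7-character half of the password on its own
HASH_BYTES = 8   # each half produces one 8-byte DES block


def candidates(alphabet_size, max_len=HALF_LEN):
    """Number of strings of length 1..max_len over the given alphabet."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def table_bytes(alphabet_size, max_len=HALF_LEN):
    """Bytes for one fixed-width record (hash + padded plaintext) per candidate.

    The record layout is an assumption, not the format the project uses.
    """
    return candidates(alphabet_size, max_len) * (HASH_BYTES + max_len)


def worst_case_probes(entries):
    """Reads a binary search needs on a sorted file: floor(log2 n) + 1."""
    return entries.bit_length()


def report():
    """Compare what LM actually hashes with an unsplit, case-sensitive scheme."""
    cases = [
        ("LM half, A-Z", 26, HALF_LEN),
        ("LM half, A-Z0-9", 36, HALF_LEN),
        ("unsplit 14 chars, a-zA-Z", 52, 14),  # hypothetical: no split, no upper-casing
    ]
    rows = {}
    for label, size, length in cases:
        n = candidates(size, length)
        rows[label] = (n, table_bytes(size, length), worst_case_probes(n))
    return rows


if __name__ == "__main__":
    for label, (n, size, probes) in report().items():
        print(f"{label:26} {n:.3e} entries {size / 1e12:14.3f} TB {probes:3d} probes")
```

Under these assumptions the letters-only file is about 125 GB and is searched in at most 33 reads, and the A-Z0-9 file comes to about 1.2 TB; the hypothetical unsplit, case-sensitive 14-character space is roughly 10^24 entries, which no disk holds.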
Re:Someone explain? (Score:4, Informative)
That is untrue. Any hash can be reversed in the sense that you can generate an input that will result in a specific output. However the input may not be the only one generating that output and it may be computationally infeasible to do this for sufficiently random original inputs to the hash. The property of a (theoretical) perfectly secure hash is that you have to try possible inputs and hash them until you are lucky.
In other cases you might actually be able to reverse the algorithm itself and do without trying a lot of inputs. A hash where this is possible with significantly less effort is usually called "broken".
So what someone has done here is pre-hashed an entire dictionary, and created a word=hash lookup system.
Yes, that is called a "Dictionary Attack", and the dictionary is a function reversing the hash and given in the form of a table. Quite an old technique. But since LM hashes are not very secure, the possibility to do this is not surprising to anybody in the field.
Re:Someone explain? (Score:5, Informative)
Actually by default all passwords shorter than 14 characters are stored as BOTH LMv2 AND LMv1 hashes in the registry and both are valid for authentication if they are present. This is true for both Windows Server 2000 and Server 2003. You CAN disable the storage of LMv1 hashes but that does not remove any existing hashes from the SAM, you would also need to force LMv2 authentication and even then someone who could steal the SAM file could get the plaintext.
Re:Someone explain? (Score:4, Informative)
C:\WINNT\system32\config\SAM for Windows 2000
There are tools out there like PWDUMP from SAMBA that can extract the hash from a SAM file.
That is NOT "reversing a hash" (-1, Misinformed) (Score:5, Informative)
"That is untrue. Any hash can be reversed in the sense that you can generate an input that will result in a specific output."
That is NOT reversing the hash: this should be painfully bloody obvious since the process you describe runs the same hash in the same manner.
Reversing a hash - meaning you start w/ the hash and work backwards to recreate the original data - is impossible. Bits are lost during the hash process, and there is no data in the hash that will allow those bits to be reconstructed. Read _Applied_Cryptography_ by Bruce Schneier, or at least read any of the many crypto/hash FAQs available on the web. NIST [nist.gov] has some good papers available.
Re:Someone explain? (Score:2, Informative)
Note that the hash is not sent over the wire.
That's important, because (large databases and rainbow tables aside) you don't need the original password. The hash is computed with no salt, so it is completely password-equivalent. Someone with access to the above documentation and the LM or NTLM hash has all they need in order to fake a login.
Chris -)-----
Re:Someone explain? (Score:3, Informative)
Basically, you want the security policy "Network security: Do not store LAN Manager hash value on next password change." in Group Policy->Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options.
Or you can set the registry value the policy sets directly: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contr
Note that on 2000 and earlier, this prevents only the creation of new LM hashes; it does not delete old ones. The registry key on XP and 2003 clears all LM hashes.
This will also break connections to 9x machines unless they have the Active Directory Client update installed.
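An added example, not from the thread or from any tool named in it: a check an administrator could run over a pwdump-style export to see which accounts still carry an LM hash after the policy above is applied, using the 7-character split described earlier in the thread. The sample lines and hash values are constructed placeholders, and the `user:RID:LM:NT:::` layout and "NO PASSWORD" filler are assumed conventions of such dump tools.

```python
"""Flag accounts in a pwdump-style export that still have an LM hash stored."""

# LM hash of an empty 7-byte half. Two of these back to back mean no usable
# LM hash is stored for the account (or the password is blank).
EMPTY_HALF = "AAD3B435B51404EE"

# Constructed sample in the assumed layout user:RID:LM hash:NT hash:::
# (all hash values are placeholders, not real hashes).
SAMPLE = """\
alice:1001:0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
bob:1002:0123456789ABCDEF1122334455667788:FFEEDDCCBBAA99887766554433221100:::
carol:1003:AAD3B435B51404EEAAD3B435B51404EE:0F1E2D3C4B5A69788796A5B4C3D2E1F0:::
dave:1004:NO PASSWORD*********************:A0A1A2A3A4A5A6A7A8A9AAABACADAEAF:::
broken line without enough fields
"""


def classify(lm_field):
    """Return 'no-lm', 'lm-short', 'lm-present' or 'unknown' for one LM field."""
    lm = lm_field.strip().upper()
    if lm.startswith("NO PASSWORD"):
        return "no-lm"        # filler some dump tools print instead of hex
    if len(lm) != 32 or any(c not in "0123456789ABCDEF" for c in lm):
        return "unknown"      # do not treat unparseable fields as safe
    first, second = lm[:16], lm[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "no-lm"
    if second == EMPTY_HALF:
        return "lm-short"     # password fits in one half: 7 characters or fewer
    return "lm-present"


def audit(text):
    """Map each user name to its LM status; lines with too few fields are skipped."""
    findings = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4:
            findings[parts[0]] = classify(parts[2])
    return findings


def exposed(findings):
    """Accounts that need a password change (or review) to drop the LM hash."""
    return sorted(user for user, status in findings.items() if status != "no-lm")


if __name__ == "__main__":
    for user, status in audit(SAMPLE).items():
        print(f"{user:8} {status}")
```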
Here's how (Score:5, Informative)
See this [microsoft.com] page for this and related policies.
This [microsoft.com] for an overview of LM, NTLM and NTLMv2.
And here [microsoft.com] to see how to prevent storage of LM hashes.
It doesn't matter. Really. (Score:5, Informative)
If you have the LM Hash, and the server accepts LM Authentication, you don't need the password. At all.
Likewise, if you have the NTLM Hash, and the server accepts NTLM, NTLMv2, or LMv2 authentication, then you don't need the password.
The hashes are password equivalent.
I've written it all up in my online book [ubiqx.org] (slashdot review [slashdot.org]), but...
Basically, the hashes are generated with no salt...nothing to obfuscate them. The algorithm used to log in is challenge/response:
So... The hash is not exposed on the wire. It has to be reversed from the challenge and response. That's possible (and fairly easy with LM Auth), but it's got little to do with the password/LM Hash database.
The only way to use the LM Hash database to reverse the challenge/response is to use it as a hash dictionary.
Chris -)-----
Re:Someone explain? (Score:2, Informative)
The LM Hash is used when performing LM challenge/response.
The NTLM Hash is used when performing NTLM, LMv2, and NTLMv2 challenge/response. Note that LMv2 is simply a degenerate case of NTLMv2.
I've written a book with a whole whoppin' big section on LM and NTLM auth: http://ubiqx.org/cifs/SMB.html#SMB.8 [ubiqx.org].
Scroll down for information on specific auth protocols.
Chris -)-----
Re:Someone explain? (Score:2, Informative)
Kind of. If I understand it correctly, for every LM hash someone has computed an input such that the hash of that input is the hash in question. This is different from what you're proposing in that with a dictionary attack, not every hash is guaranteed to be covered. In this case, someone has "computed" the reverse hash. That is to say that given an arbitrary hash value as input, you can get a value that hashes to that back as output.
Re:of course... (Score:2, Informative)
Lacie portable 1TB drive [lacie.com]
Sooner than you expected, wouldn't you say?