Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

[ lm2ntcrack ] A simple tool to crack instantly Microsoft Windows NT Hash (MD4) when the LM Password is known.

From: Yannick HAMON <yannick.hamon () xmcopartners com>
Date: Fri, 17 Oct 2008 21:17:25 +0200
Hi everybody,
I want to share with you a simple tool that I have developped : "lm2ntcrack". I hope that it will help some guy... 

http://www.xmcopartners.com/lm2ntcrack/index.html
This tool provides a simple way to crack instantly Microsoft Windows NT Hash (MD4) when the LM Password is known. 

It is entirely written in perl, so its easily ported and installed.

This program must be used with the password cracker "John the Ripper"
http://www.openwall.com/john/

* Why lm2ntcrack ??
I've often encountered a problem during Windows penetration testing and password assessment.
On the one hand, launching my favorite password cracker during few minutes on the dumped Windows passwords hashes, permits to crack many LM passwords but cracked password cannot be used as is (uppercase version of the Windows password). On the other hand, password cracking on NT hash is quiet long and after few days it cracks only some password.
Here is my big deal. I've got the LM password but it is only in UpperCase because LM Hashes are not case sensitive. So, these passwords cannot be reuse in this form. 

* Example: Password cracker output for "Administrator" account :
=> LM password is ADMINISTRAT0R.
=> NT password is ?????????????.
I'm not so lucky because the case-sensitive password isn't "administrat0r" or "Administrat0r". So I cannot use this to connect on the audited Windows system.
This password contains 13 characters but launching my password cracker on the NT hash is a waste of time and there is a poor chance of success. 

* Note :
13 characters : 1 number + 12 case-sensitives letters => 2^12 = 4096 choices (DAMN IT, I cannot test them all manually)
... I need a TOOL !!!! Not a magic one but a simple tool which can do this task for me.
In this example, "lm2ntcrack" will generate the 4096 possibilities for the password "ADMINISTRAT0R" and, for each one, the associated NT MD4 hash. Then, search for matching with the dumped hash.
Estimated time : < 2 seconds to crack more than 1200 NT Hashes (it is very fast instead of Perl !!! lol) 

Enjoy !!!!

* Example :
[yann@xmcopartners:~/lm2ntcrack]$ time perl lm2ntcrack.pl -v - l="AZERTY123$" -n="81CD1A1C4CBCE05C0F8D411ACEC7587F" 
############################################################################
# NT Password cracker from LM password
# Version : 0.5a - Oct 2008
# By Yannick HAMON <yannick.hamon () xmcopartners com>
# Homepage : http://www.xmcopartners.com
############################################################################
[INFO] : "AZERTY123$" has 10 character(s) but contains 4 special(s) char(s) and/or integer(s) 
[INFO] : => 64 words will be generated ...... OK !!
[INFO] : Crack NT password from "AZERTY123$" and NT HASH "81CD1A1C4CBCE05C0F8D411ACEC7587F" 
[CRACKED] AZERTY123$ => azERTy123$


real    0m0.033s
user    0m0.025s
sys     0m0.007s


* NB :
Recently, after developped this fabulous TOOL, I've found an old post on "openwall mailing-list" : 
http://www.openwall.com/lists/john-users/2006/07/08/2
This post explains how to crack NT hash from LM password with john-the- ripper (need to modify john's configuration file to use [List.Rules:NT] section and stop running john on the LM hashes). 
        john -show pwfile | cut -d: -f2 > cracked
        john -w=cracked -rules -format=nt pwfile
        john -show -format=nt pwfile
One known problem with this approach is that it'll fail for passwords containing colons (':' is cut delimiter).
This problem does not impact "lm2ntcrack" and you can use "lm2ntcrack" while john is cracking LM hashes. 

--
Yannick Hamon <yannick.hamon () xmcopartners com>
IT Security Consultant
Xmco Partners | Security Research Labs
http://www.xmcopartners.com






------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: