RE: auditing nt hash

["dave kleiman" <dave () isecureu com>]

Ryan,

You have to reboot and reset the password after setting the nolmhash value
to 1.  If you do not the LM hash still exists.

Regards,


__________________________________________________
Dave Kleiman, CAS,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

www.SecurityBreachResponse.com
 



> -----Original Message-----
> From: Ryan Sebastian [mailto:Ryan.Sebastian () comcast net]
> Sent: Thursday, October 06, 2005 20:38
> To: security-basics () securityfocus com
> Subject: auditing nt hash
>
> I'm trying to figure out the nt hash vs lm hash. I'm using
> pwdump2 and john.
>
> The OS is Windows XP pro (non-domain computer).
>
> I dump the hash with pwdump2 and then run John against it.
> All passwords are
> 4-8 characters and it finds the passwords relatively quickly.
>
> I went and set the nolmhash value to 1 and re-dumped the
> hash.  The hash is exactly the same as before? I thought
> setting nolmhash was supposed to prevent storage of
> passwords?  I'm guessing pwdump2 can still pull nthash?
> The password cracking seems to take the same amount of time.
>
> Can pwdump2 still pull the nt hash?
> Can john crack nt hashes or just lm?
> What am I doing incorrectly?
>
> Thanks
> dissolved