L0phtCrack 2.5 Manual

Introduction

L0phtCrack is an NT password auditing tool. It computes NT user passwords from the cryptographic hashes that are stored by the NT operating system. The operating system does not store the user passwords in their original clear-text form for security reasons. The actual user passwords are encrypted into hashes because they are sensitive information that can be used to impersonate any user, including the administrator of the operating system. L0phtCrack computes the passwords from a variety of sources using a variety of methods. The end result is a state of the art tool for recovering the passwords users use.

There are many uses for computing user passwords. First and foremost is for a system administrator to audit the strength of the passwords their users are using. There are password filters for NT, but how do you know how well you have chosen a filter? Without testing the passwords generated by users against a real-world password cracker you are guessing at the time it will take an external attacker or malicious insider to uncover the passwords. Other uses include recovering a forgotten password, retrieving the password of a user in order to impersonate them, or migrating NT users to another platform such as Unix.

Installation

L0phtCrack 2.5 is distributed as a self-installing executable distribution file. When you run the installation file it creates a directory named \Program Files\L0phtCrack, puts its files there and adds a L0phtCrack Start Menu item. You can then select L0phtCrack from the Start Menu to run it. That's it.

Registration

You must register the product after the 15 day trial period to continue using it. L0phtCrack is licensed per machine. Each machine will have a unique L0phtCrack serial number. We offer online, telephone and fax registration. When you register you will receive the unique unlock code for your machine. You enter this code in the L0phtCrack Registration dialog to unlock the product. In the event you need to move your license to a new machine or OS contact l0phtcrack@l0pht.com and we will send a new unlock code.

If you are already a registered user of L0phtCrack 2.0 your registration key will work with 2.5 as long as you install L0phtCrack 2.5 on the same machine that you installed 2.0 on. You shouldn't even see the registration dialog box or need to enter in the key.

Lightning Fast Instructions for the Impatient

Load the sample password hash file that comes with L0phtCrack by using the File Open Password File command and open the file pwfile.txt. Then choose the Tools Run Crack command. You are now off cracking passwords! Let that run as you read on about how to crack your own password hashes.

Let's Get Cracking

L0phtCrack can recover passwords directly from the registry, from the file system and backup tapes, from repair disks, or by capturing the password hashes as they traverse the network. L0phtCrack first extracts the password hashes, which are the form in which the OS stores the encrypted passwords. Then it goes to work computing the passwords, which is called cracking. It uses three different methods.

The fastest method for cracking the passwords is a dictionary attack. L0phtCrack tests all the words in a dictionary or word file against the password hashes. When it finds the correct password it displays the result. L0phtCrack ships with a small but effective word file. Larger word files can be more effective and can be found by searching the Internet.

The second method L0phtCrack uses is called a hybrid crack method. This builds upon the dictionary method by adding numeric and symbol characters to dictionary words. Many users choose passwords such as "bogus11" or "Annaliza!!". These passwords are just dictionary words slightly modified with additional numbers and symbols. The hybrid crack rapidly computes these passwords. These are the types of passwords that will pass through many password filters and policies yet are still easily crackable.

The final and most powerful cracking method is the brute force method. This method will always recover the password no matter how complex. It is just a matter of time. Really complex passwords that use characters that are not directly available on the keyboard may take so much time that it is not feasible to crack them on a single machine using today's hardware. But most complex passwords can be cracked in a matter of days. This is usually much shorter than the expiration time most administrators set in their password policy. Using a real-world cracking tool is the only good way to know what time one should set for password expirations.

How To Get the Password Hashes

Registry

L0phtCrack must first retrieve the password hashes to start the cracking process. If you have administrator rights you can use the Tools Dump Passwords from Registry command on the L0phtCrack menu to retrieve the hashes. You can dump the password hashes from your local machine or over the network if the remote machine allows network registry access. Enter the NT machine name or IP address into the Dump Passwords from Registry dialog box and press OK. The usernames and password hashes are now loaded into L0phtCrack. If this is the way you have retrieved the password hashes you may now proceed to crack them.

NOTE: L0phtCrack 2.5 is limited to dumping and opening 65K users. In addition, large numbers of users can take a long time. Be prepared to wait a few minutes for greater than 10,000 users.

SAM File

The second method is to access the password hashes from the file system. Since the operating system holds a lock on the SAM file where the password hashes are stored on the file system, it is not possible to just read them from this file while the operating system is running. Sometimes a backup of this file is made on tape, on an Emergency Repair Disk, or in the repair directory of the system hard drive. Also, another operating system such as DOS can be booted from a floppy and the password hashes can be read directly from the file system. This is especially useful if you have physical access to the machine and it has a floppy drive.

You load the password hashes from a "SAM" or "SAM._" file into L0phtCrack by using the File Import SAM File menu command and specifying the filename. L0phtCrack will automatically expand compressed "SAM._" files on NT.

NOTE: If you are running on Windows 95/98 you will need to expand the "SAM._" file to "SAM" using the expand utility on an NT system. The command is expand sam._ sam.

SMB Packet Capture

The final method L0phtCrack offers is to capture the encrypted hashes over the network. Your machine must have 1 or more Ethernet devices to access the network. Use the Tools SMB Packet Capture command to bring up the SMB Packet Capture window. You will now be capturing any SMB authentication sessions that your network device can see. If you are on a switched network you will only see sessions originating from your machine or connecting to your machine.

As SMB session authentications are captured they are displayed in the SMB Packet Capture window. The display shows source and destination IP addresses, the user name, the SMB challenge, the encrypted LANMAN hash and the encrypted NTLM hash, if any. The capture can be saved at any time using the Save Capture button. To crack these hashes you must save the capture and then open the captured file using the File Open Password File command. You can capture and crack other passwords at the same time.

PWDUMP2

Todd Sabin has released a free utility that can dump the password hashes on a local machine if the SAM has been encrypted with the SYSKEY utility that was introduced in Service Pack 3. This utility is available at http://www.webspan.net/~tas/pwdump2/. Follow the instructions on the web page to retrieve the password hashes. You can then load the hashes into L0phtCrack using the File Open Password File command.


How To Crack the Password Hashes

Dictionary Attack

The first method L0phtCrack uses to crack passwords is called a dictionary attack. This method tries to encrypt each word in a dictionary or word file. It then tests each encrypted word against the password hash. If it gets a match it knows the user's password is that dictionary word. L0phtCrack comes with a nice 25,000-word file named words-english that contains many common words. This file or another word file is loaded into L0phtCrack using the File Open Wordlist File menu command. The default dictionary file is the words-english file.

Next select Tools Run Crack on the menu to start the cracking process. The default options for cracking are to run a dictionary attack, then a hybrid attack, and then the brute force attack. L0phtCrack runs these attacks on the password hashes in succession by default. You can select more details about the cracking attack in the Tools Options dialog box.

During any crack attack the L0phtCrack window displays status information to show the progress of the attack. During dictionary attacks the number of dictionary words tried is displayed along with the percentage complete.

Hybrid Attack

After the dictionary attack is completed the hybrid attack begins. The hybrid attack uses the simple patterns users follow when creating passwords from common words. By modifying dictionary words the way users do, L0phtCrack is able to make educated guesses about which passwords to try. An example would be to try 'BOGUS11'. Many users just append a few numbers or symbols to a dictionary word in an attempt to make it a non-guessable password. L0phtCrack can guess these passwords quickly, in much less time than a brute force attack would take. L0phtCrack 2.5 checks whether a number of digits and symbol characters have been appended to each word in the word file you have selected. The default number of digits and symbol characters is 2. This can be changed using the Tools Options command.

Brute Force Attack

After the dictionary and hybrid attacks have completed the brute force attack begins. Brute force can take a long time, but it usually takes far less time than most password policies specify for password changing. This makes passwords found during the brute force attack still too weak. You may configure the character set that the brute force attack uses with the Tools Options command. The default character set is the alphabetic characters plus the numbers 0 through 9.

You can expect the brute force attack to take 24-72 hours on machines with CPUs ranging from Pentium II/450 to Pentium 166.

Command Reference

File

Open Password File

This command opens the file containing the password hashes. This file can be in either L0phtCrack format (*.lc) or in the format that programs such as PWDUMP create.

Open Wordlist File

This command opens the file containing all of the words to be used in the dictionary attack. This type of file is also referred to as a dictionary file. The default dictionary file that comes with the L0phtCrack distribution is a file named words-english. You should open this file unless you have your own custom dictionary file you want to use.

Import SAM file

This command opens a SAM file and loads the password hashes from it. If the file is a compressed file named SAM._ then it will be automatically expanded on NT. If you are running on Windows 95/98 you will need to expand the sam._ file to sam using the expand utility on an NT system. The command is expand sam._ sam.

Save and Save As

The Save and Save As commands save the current state of the passwords, whether they are uncracked, partially cracked or cracked. The file is saved in the L0phtCrack (*.lc) format. This is an ASCII file that can be edited or imported into various editors and database programs. The file can later be reloaded into L0phtCrack and cracking can continue, either by resuming an interrupted cracking session or by starting a new crack session with different crack options.

Exit

Exit terminates the crack session if any and exits the program.

Edit

The Edit menu is not used.

Tools

Dump Passwords from Registry

This command opens a dialog box which accepts an NT computer name or IP address. The computer specified is queried through remote registry calls to dump the password hashes contained in the SAM section of the registry. Administrator privileges and remote registry access are required to dump the password hashes in this way.

SMB Packet Capture

This command launches the network packet capture window. SMB packet capture promiscuously monitors your Ethernet segment for SMB network authentication packets. When it captures an authentication session it displays the authentication parameters (username, challenge, and hashes) in the window.

The contents of the window can be saved at any time to a *.lc file using the Save Capture button or they can be cleared using the Clear Capture button. When you close the window or press Done the capture session is terminated.

Run Crack

This command starts the cracking engine working on the password hashes you have loaded. A progress display shows the status.

Stop Crack

This stops a current cracking session. It can be restarted at any time.

Options

The Options dialog contains all the different settings for modifying how L0phtCrack tries to crack the password hashes. The default configuration is a compromise between recovering the most complex passwords and taking significantly more time. Most people will not need to modify the Options until they have tried out the default settings.

Dictionary Attacks are enabled by checking the LANMAN and NTLM checkboxes. These are checked by default.

Dictionary/Brute Hybrid Enabled is checked by default and will yield many simple dictionary word and number/symbol combinations. The default number of numbers and symbols to try concatenated to each dictionary word is 2. This number can be increased, but cracking will take significantly longer.

The Brute Force Attack is enabled by default. The default character set is the alphanumeric characters. You can select one of 4 predefined character sets ranging from alpha only to all alphanumeric plus all symbol characters. The larger character sets take significantly longer. You can also enter your own custom character set in the combo box by typing each character in. This custom set is saved with the *.lc file.

Window

Minimize to tray

This command minimizes the program to a small icon in the system tray. The program window is reactivated by clicking on the small icon. This is useful when you are intending to crack for several days.

If the SMB Packet Capture window is open it is minimized also.

Hide, Ctrl+Alt+L to show

This command hides the program window completely. It does not show up as a program in the Task Manager. You can make the program visible again using the Ctrl+Alt+L key combination. If the SMB Packet Capture window is open it is hidden also.

Help

About L0phtCrack

This command shows the program version information, serial number, and registration code if any.

L0phtCrack Website

This command launches your browser and brings you to the L0phtCrack website where you can find updates and additional program information when they become available.

L0pht Website

This command launches your browser and brings you to the L0pht home page where you can find out about other L0pht Products, search our archives, and read our security advisories.

Appendix A - Registry Settings

AdminGroupName

If you use a non-English language version of NT you will need to modify the registry with regedit so that you can dump the password hashes from the registry. The registry key to modify is:

HKEY_CURRENT_USER\Software\L0pht\L0phtCrack\AdminGroupName

The default is "administrators". Change this to the name of the administrators group in your language version.

Appendix B - Technical Details About Network SMB Capture

Now, let's rip apart why it is so trivial to go through the LM hash on the network. And then talk about why the NT hash doesn't matter.

--------------------------   -----------------------------
| 16byte LM hash         |   | 16byte NT hash (md4)      |
--------------------------   -----------------------------

We already know that you only have to go through 7 characters to retrieve passwords (up to 14 chars in length) in the LM hash, and that since there is no salting being done, constants show up all over the place, giving away too much information and speeding up attacks tremendously.

-------------------------------------------------
| 1st 8bytes of LMhash | second 8bytes of LMhash |
-------------------------------------------------

The first 8 bytes are derived from the first seven characters of the password and the second 8 bytes are derived from the 8th through 14th characters of the password. If the password is less than 7 characters then the second half will always be 0xAAD3B435B51404EE. Let's assume for this example that the user's password has a LM hash of 0xC23413A8A1E7665fAAD3B435B51404EE (which I'll save everyone the nanosecond it would have taken for them to plug this into L0phtcrack and have it tell them the password is "WELCOME").

Here's what happens to this hash on the network:

--------                 --------
|  A   | <______________ |  B   |
|      |                 |      |
--------                 --------

B sends an 8 byte challenge to A (assume 0x0001020304050607). Machine A takes the hash 0xC23413A8A1E7665fAAD3B435B51404EE and adds 5 nulls to it, thus becoming 0xC23413A8A1E7665fAAD3B435B51404EE0000000000. This string is broken into three groups of 7 bytes: C23413A8A1E766 5fAAD3B435B514 04EE0000000000. The 7 byte strings are str_to_key'd (if you will) into 8 byte odd parity DES keys. Now we have:

| 8byteDeskey1 |  | 8byteDeskey2 |  | 8byteDeskey3 |

8byteDeskey1 is used to encrypt the challenge 0x0001020304050607. Let's assume the result is 0xAAAAAAAAAAAAAAAA. 8byteDeskey2 is used to encrypt the challenge 0x0001020304050607. Let's assume the result is 0xBBBBBBBBBBBBBBBB. 8byteDeskey3 is used to encrypt the challenge 0x0001020304050607. Let's assume the result is 0xCCCCCCCCCCCCCCCC. The three 8 byte values are concatenated (dumb!), and the 24 byte response 0xAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCC is returned to the server. The server does the same thing to the hash on its end and compares the result to the 24 byte response. If they match, it was the correct original hash. Why this is boneheaded:

7 char or less passwords

--------------------  --------------------  --------------------
| C23413A8A1E766   |  | 5fAAD3B435B514   |  | 04EE0000000000   |
--------------------  --------------------  --------------------

The first thing we check is to see if the user's password is less than 8 characters in length. We do this by taking the 7 byte value of 0x04EE0000000000, turning it into an 8 byte odd parity DES key, and encrypting the 8 byte challenge of 0x0001020304050607 with it. If we get the result of 0xCCCCCCCCCCCCCCCC then we are pretty sure it's < 8 chars in length. In order to be sure we can run through 0x??AAD3B435B514 (ie 256 possible combinations) to see that 5f gives us the result 0xBBBBBBBBBBBBBBBB, proving that the password is less than 7 characters and also giving us the last byte of the first half of the LM hash. From this point, even assuming we're just joyriding and not worried about optimizing the way this is done (believe me, there are much more effective ways to do this that reduce the amount of time needed even further... this whole thing is just showing that even a simplistic attack works against this implementation), it's no different than how a tool like L0phtcrack attacks the hashes in the registry.

8 char or greater passwords.

--------------------  --------------------  --------------------
| C23413A8A1E766   |  | AC435F2DD90417   |  | CCD60000000000   |
--------------------  --------------------  --------------------

The first thing to check is whether the password is less than 8 characters in length. Deriving the 8 byte odd parity des key from 0x04EE0000000000 and encrypting against 0x0001020304050607 does not, in this case, give us 0xCCCCCCCCCCCCCCCC, so we know that the password is 8 characters or greater.

It takes us, in a worst case scenario, 65535 checks to figure out that the 2 bytes that are used in the last third are 0xCCD6. Even approaching this in a completely brain-dead fashion (hey, turn-about is fair play), you can go through your 7 digit combinations of characters for the first third the same way you would the LM hash from the registry. This will yield not only the first third of the response, but also the first byte of the second third. Keep in mind that you already have the last two bytes that made up the third. You could approach the middle third in the same fashion. (Note: this whole method that MS is doing screams for a precompute table lookup attack, which given the small enough potential values is not impossible by any means.)

Thus, the challenge response is completely brute-forcable for the LM-hash. MS made the "oversight" of still sending the LM-hash response along with the NT response even when SP3 was installed. Thus it was a moot point as to how tough or well done the NT hash might or might not be. Since installing the LM-fix precludes continued use of Windows 95 machines in regards to talking to NT machines, it is still a moot point as to how tough or well done the NT hash might or might not be. The LM hash is incredibly weak and your more secure NT hash is brought down to the lowest common denominator. It would have been nice if you could type a password greater than 14 chars into the UserManager app
