Re: Using hashes, not text credentials...?

From: Ben Greenbaum (
Date: 07/24/01

Date: Tue, 24 Jul 2001 09:26:58 -0600 (MDT)
From: Ben Greenbaum <>
To: Todd Sabin <>
Subject: Re: Using hashes, not text credentials...?
Message-ID: <Pine.GSO.4.30.0107240922570.23901-100000@mail>

On 23 Jul 2001, Todd Sabin wrote:

> Ben Greenbaum <> writes:
> > Exactly what you describe is possible with LanMan hashes
> This is not really correct.
> If 'caught using l0pht for instance' means sniffed off the wire, then
> what you've got is not technically the password hash, it's a
> challenge/response pair. That can be cracked, assuming the password
> is weak enough, but you can't do anything else with it.

Thanks Todd. I should have been more clear.

> If you've got an actual password hash, as from dumping the SAM, then
> yes, you can use that directly without having to crack it. The tools
> required to do so are not available publicly, AFAIK. There's a
> write-up by Hernan Ochoa about how you would do it. Do a search for
> "Modifying Windows NT logon credentials".

Sorry about the long URL, but that paper can be read at:

Ben Greenbaum
Director of Product Development - SIA/VulDB