Re: No LM Hash - no really

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 08/22/04 

Date: Sun, 22 Aug 2004 08:16:04 -0400

"Ian Boyd" <admin@SWIFTPA.NET> wrote in message
news:%23gQTDq%23hEHA.3348@TK2MSFTNGP12.phx.gbl...
> How do you REALLY disable the generation of Lan Manager password hashes.
>
> i have set the group policy on the domain controller (Windows 2000), and
> added to the domain controller's registry the NoLMHash = 1 DWORD.

Is there only one DC? If not, can you try making the change to all DCs? If
there is, would it be wise to have a second server configured to act as a DC
for fault tolerance?

How about making the change in the Group Policy MMC instead of the registry?
Also, is there any chance you could have a Group policy setting that is
changing the registry value back to the default?

> Then i go to a workstation and reset the password of my domain account.
>
> i can then go back to the domain controller, dump the AD password hashes.
i
> then crack it and confirm that the LM Hash exists, and contains my new
> password.

Maybe run a second cracking tool to confirm there really is an LMHash? I
notice the cracked LMHashes you posted are all in lower case. This is
strange, because I believe LMHashes convert all the characters to uppercase.

I would prefer to use a tool that shows you whether there is an LMHash
*before* you run a crack, just to be sure. L0phtCrack is one tool that does
this.

Relevant Pages