Re: No LM Hash - no really

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 08/22/04


Date: Sun, 22 Aug 2004 15:01:54 +0200

Ian,

> Both your shows Guest and Administrator accounts there have no LM
> password.
> The others do.

Administrator does not have an empty password. An empty password would have
the hash value

aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

but it has an LM "hash" and not an NTLM hash.

91c7ae7122196b5eaad3b435b51404ee:22315d6ed1a7d5f8a7c98c40e9fa2dec:::

> Yet i change my password to some uber shocking non-sense, and in 2 minutes
> i can have it cracked because the LM Hash is still being stored.

It is the poor design of the LM "hash". When L0pht Crack attacks it, it will
actually attack the first 7 characters separately from the second 7 characters
(LM "passwords" are always 14 characters long; if a user creates a password
that is 8 characters long, the computer will add 6 NULL characters). This makes
things much easier and faster. As Karl pointed out, the characters that it
has to attack are quite limited, since the password is converted to all capital
letters before the "hash" is created.

Even with the NTLM hash you will still need password complexity -- NTLM does no
magic. If your users use simple passwords, L0pht Crack will have no
problem figuring out what the password is. It can still use a dictionary
attack and pre-computed NTLM hashes that you can buy on the internet.

You mentioned that you have the policy set in the Default Domain Policy. Set
this policy also in the Default Domain Controllers Policy, since the passwords are
stored there. Yes, your clients also need the same policy, since they use it
to store the passwords locally. Use the GUI to make the change.

Note that by default Windows will cache passwords (as LM "hashes"). If you want to
get rid of the old cache you will have to disable it first (set the policy
"Interactive logon: Number of previous logons to cache" to 0) and make users
change their passwords. After they change it you can set this policy back
(you really should) to e.g. the default value (10) or some other value... Even
locally cached passwords will now be stored as NTLM...

Mike
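The two hash formats discussed in the thread, as an added worked example that is not part of Miha's post or of any Microsoft code. It computes the LM hash (uppercase, NUL-pad to 14, two 7-byte DES keys, each encrypting the constant "KGS!@#$%") and the NT hash (MD4 over the UTF-16LE password) so that the two lines quoted above can be checked: an empty password gives `aad3b435b51404ee` twice and `31d6cfe0d16ae931b73c59d7e0c089c0`, and the Administrator line's second LM half is that same constant, which is what a password of 7 characters or fewer leaves behind. Assumptions made here: Go's standard `crypto/des` is used for DES, MD4 is written out because the standard library does not include it, passwords are treated as ASCII (Windows converts to the OEM code page before uppercasing, which matters for non-ASCII characters), and a password longer than 14 characters is given the empty LM hash, which is what Windows stores in that case. The sample passwords in `main` are constructed for the demonstration.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// LMHash: uppercase, NUL-pad to 14 bytes, split into two 7-byte halves, DES-encrypt
// "KGS!@#$%" under each. Assumed here: ASCII passwords (Windows converts to the OEM
// code page first) and, as Windows does, the "empty" LM hash above 14 characters.
func LMHash(password string) string {
	up := strings.ToUpper(password)
	if len(up) > 14 {
		up = ""
	}
	var padded [14]byte // 7 characters or fewer leave the whole second half NUL
	copy(padded[:], up)
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, _ := des.NewCipher(desKey(padded[7*i : 7*i+7])) // 8-byte key, cannot fail
		block.Encrypt(out[8*i:8*i+8], []byte("KGS!@#$%"))
	}
	return hex.EncodeToString(out)
}

// desKey spreads 56 key bits over 8 bytes; the low bit of each is DES parity, ignored.
func desKey(k []byte) []byte {
	var bits uint64
	for _, b := range k {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte(bits>>(49-7*uint(i))&0x7f) << 1
	}
	return key
}

// NTHash: MD4 over the UTF-16LE password; case preserved, no length cap, no split.
func NTHash(password string) string {
	units := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(buf[2*i:], u)
	}
	sum := md4(buf)
	return hex.EncodeToString(sum[:])
}

// EmptyLMHalf is DES("KGS!@#$%") under an all-zero key: a hash ending in it belongs to a
// password of at most 7 characters; two copies mean no LM hash is stored at all.
const EmptyLMHalf = "aad3b435b51404ee"

// md4 is written out here because the Go standard library does not ship MD4.
func md4(data []byte) [16]byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	rotl := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F = (b AND c) OR (NOT b AND d)
			a = rotl(a+(b&c|^b&d)+x[i], []uint{3, 7, 11, 19}[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: majority of b, c, d; words taken column-wise
			a = rotl(a+(b&c|b&d|c&d)+x[(i%4)*4+i/4]+0x5a827999, []uint{3, 5, 9, 13}[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: XOR; words in bit-reversed order
			a = rotl(a+(b^c^d)+x[[]int{0, 2, 1, 3}[i/4]+[]int{0, 8, 4, 12}[i%4]]+0x6ed9eba1, []uint{3, 9, 11, 15}[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

func main() {
	for _, pw := range []string{"", "admin", "password", "Correct-Horse-Battery"} {
		lm := LMHash(pw)
		fmt.Printf("%-24q %s:%s:::  7 chars or fewer: %v\n", pw, lm, NTHash(pw), strings.HasSuffix(lm, EmptyLMHalf))
	}
}
```

Reading a dump with this in mind: `LMHash("PassWord")` equals `LMHash("password")` because of the uppercasing, while the two NT hashes differ; any LM hash whose last 16 hex digits are `aad3b435b51404ee` tells an attacker the password is at most 7 characters and only the first DES half needs to be attacked; and a password over 14 characters, like the last sample, produces the same LM value as an empty password, which is another way of ending up with no LM hash stored even before the NoLMHash policy is applied.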


