21 October 2008 | 42,550 views

lm2ntcrack – Microsoft Windows NT Hash Cracker (MD4 -LM)

Check Your Web Security with Acunetix

We have covered quite a lot of Password Cracking tools and it’s not often a new one comes out, this one is for quite a specialised purpose (not a general all-purpose password cracker like John the Ripper or Cain & Abel), although you do need to use it alongside JTR.

This tool is for instantly cracking the Microsoft Windows NT Hash (MD4) when the LM Password is already known, you might be familiar with LM Cracking tools such as LCP.

The main problem is you’ve got the LM password, but it’s in UPPERCASE because LM hashes are not case sensitive, so you need to find the actual password for the account.

Example : Password cracker output for “Administrator” account

  • LM password is ADMINISTRAT0R.
  • NT password is ?????????????.

We aren’t lucky because the case-sensitive password isn’t “administrat0r” or “Administrat0r”. So you cannot use this to connect to the audited Windows system.

This password contains 13 characters but launching my password cracker on the NT hash is a waste of time and there is a poor chance of success.

Note :

  • Password length : 13 characters.
  • Details : 1 number + 12 case-sensitives letters.
  • Possibilities : 2^12 = 4096 choices.

In this example, lm2ntcrack will generate the 4096 possibilities for the password ADMINISTRAT0R and, for each one, the associated NT MD4 hash. Then, search for matching with the dumped hash.

Execution time : < 2 seconds to crack more than 1200 NT Hashes.

You can download lm2ntcrack here:

lm2ntcrack-current.tgz

Or read more here.



Recent in Hacking Tools:
- Radare – The Reverse Engineering Framework
- ZMap – Fast Open-Source Network Scanner
- Arachni v1.0 Released – Web Application Security Scanner Framework

Related Posts:
- Pass-The-Hash Toolkit v1.4 Released for Download
- Pass-The-Hash Toolkit v1.1 Available for Download
- HashTag – Password Hash Type Identification (Identify Hashes)

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,874,171 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,067,907 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 626,921 views

Low-cost VPS Hosting

8 Responses to “lm2ntcrack – Microsoft Windows NT Hash Cracker (MD4 -LM)”

  1. Fischer 21 October 2008 at 12:07 pm Permalink

    RainbowCrack does this as well, though I’m not sure how to make it crack just the NT hash. But when I task it to find an LM hash password, if I provide them both in the pwdump format, it will give the NT hash for every LM hash it cracks.

  2. Lavr 21 October 2008 at 2:37 pm Permalink

    Cain does this as well.

  3. Vin 21 October 2008 at 7:38 pm Permalink

    LC4/LC5 does this as well.

  4. therealdonquixote 21 October 2008 at 10:27 pm Permalink

    I like this tool. Especially its intriguing focus on NT hashes. Getting an LM pass cr@cked is usually pretty easy (just run SAM inside or some other run of the mill pass cracker) the NT pass is always a pain in the McCain. As for its speed, less than 2 seconds is pretty darn good for a brute force attack. I bet the specialization in just NT hashes has something to do with the speed up. Anyone know if this would have any success at cracking an NT hash for a Window$ machine that uses a domain specific login and pass? I guess I should look that up.

    RainbowCrack is the pretty much the best cr@cker out there when it comes to hashes, but it can take alot of work to get it humming depending on which distro you are using. Also, HUGE rainbow tables are a must with RC.

    This new tool could lighten the load in my naughty little toolbox.

  5. Fischer 22 October 2008 at 2:08 am Permalink

    Huge tables, I will grant you that. I’ve got a 64GB set from the Shmoo group, for all printable characters. But RainbowCrack for windows is cake to run. Probably could use some performance tweaking, but the longest I’ve ever had it run on an LM hash is about 15 minutes, and it returns the NT hash as well.

    You should look at the Pass the Hash toolkit. One tool in there, whosthere, will dump LM hashes for any user logged in to a system, including domain logins, provided LM hashes haven’t been disabled by policy. These domain LM hashes can be cracked just like any other LM hash.

  6. John 20 December 2008 at 10:38 am Permalink

    This tool doesn’t seem to work? It gives a wrong password. Haven’t looked at the code closely as to why…but the tool returns errnous NT hash given an LM hash.

  7. John 20 December 2008 at 10:43 am Permalink

    above, i meant to say returns a wrong password given an LM password and NT (it’s late here…getting tired)

    anyway, people who think that cracking password is so 2 years ago, sometimes you want to gain access to things other than windows logon. This means that you need actual password to see if the passwords are reused.

    People who think that rainbow tables are so much better. Password cracking tools like JtR will crack certain passwords in a matter of seconds (dictionary based word with simple letter in the back…something like “Rainbow1″)…whereas rainbow table based cracking will still take you about 10-15 minutes (depending on your table). So you need to run both to crack the passwords that are easy to crack with JtR, with JtR, then crack the uncracked ones with rainbow tables.

  8. John 24 December 2008 at 8:52 pm Permalink

    And I must bash a little bit. The author must not have taken basic CS courses? Creating an array full of all the permutation before you do any hash computation/comparison is a huge waste of time and memory (and causes really messy codes). Use DFS on a binary tree, where each branching depends on case (and obviously the char that doesn’t need different case, you don’t branch). A few simple recursions, fewer lines of code, much faster, and much more elegant.