We have covered quite a lot of Password Cracking tools and it’s not often a new one comes out, this one is for quite a specialised purpose (not a general all-purpose password cracker like John the Ripper or Cain & Abel), although you do need to use it alongside JTR.
This tool is for instantly cracking the Microsoft Windows NT Hash (MD4) when the LM Password is already known, you might be familiar with LM Cracking tools such as LCP.
The main problem is you’ve got the LM password, but it’s in UPPERCASE because LM hashes are not case sensitive, so you need to find the actual password for the account.
Example : Password cracker output for “Administrator” account
- LM password is ADMINISTRAT0R.
- NT password is ?????????????.
We aren’t lucky because the case-sensitive password isn’t “administrat0r” or “Administrat0r”. So you cannot use this to connect to the audited Windows system.
This password contains 13 characters but launching my password cracker on the NT hash is a waste of time and there is a poor chance of success.
Note :
- Password length : 13 characters.
- Details : 1 number + 12 case-sensitives letters.
- Possibilities : 2^12 = 4096 choices.
In this example, lm2ntcrack will generate the 4096 possibilities for the password ADMINISTRAT0R and, for each one, the associated NT MD4 hash. Then, search for matching with the dumped hash.
Execution time : < 2 seconds to crack more than 1200 NT Hashes. You can download lm2ntcrack here: lm2ntcrack-current.tgz
Or read more here.
Fischer says
RainbowCrack does this as well, though I’m not sure how to make it crack just the NT hash. But when I task it to find an LM hash password, if I provide them both in the pwdump format, it will give the NT hash for every LM hash it cracks.
Lavr says
Cain does this as well.
Vin says
LC4/LC5 does this as well.
therealdonquixote says
I like this tool. Especially its intriguing focus on NT hashes. Getting an LM pass cr@cked is usually pretty easy (just run SAM inside or some other run of the mill pass cracker) the NT pass is always a pain in the McCain. As for its speed, less than 2 seconds is pretty darn good for a brute force attack. I bet the specialization in just NT hashes has something to do with the speed up. Anyone know if this would have any success at cracking an NT hash for a Window$ machine that uses a domain specific login and pass? I guess I should look that up.
RainbowCrack is the pretty much the best cr@cker out there when it comes to hashes, but it can take alot of work to get it humming depending on which distro you are using. Also, HUGE rainbow tables are a must with RC.
This new tool could lighten the load in my naughty little toolbox.
Fischer says
Huge tables, I will grant you that. I’ve got a 64GB set from the Shmoo group, for all printable characters. But RainbowCrack for windows is cake to run. Probably could use some performance tweaking, but the longest I’ve ever had it run on an LM hash is about 15 minutes, and it returns the NT hash as well.
You should look at the Pass the Hash toolkit. One tool in there, whosthere, will dump LM hashes for any user logged in to a system, including domain logins, provided LM hashes haven’t been disabled by policy. These domain LM hashes can be cracked just like any other LM hash.
John says
This tool doesn’t seem to work? It gives a wrong password. Haven’t looked at the code closely as to why…but the tool returns errnous NT hash given an LM hash.
John says
above, i meant to say returns a wrong password given an LM password and NT (it’s late here…getting tired)
anyway, people who think that cracking password is so 2 years ago, sometimes you want to gain access to things other than windows logon. This means that you need actual password to see if the passwords are reused.
People who think that rainbow tables are so much better. Password cracking tools like JtR will crack certain passwords in a matter of seconds (dictionary based word with simple letter in the back…something like “Rainbow1”)…whereas rainbow table based cracking will still take you about 10-15 minutes (depending on your table). So you need to run both to crack the passwords that are easy to crack with JtR, with JtR, then crack the uncracked ones with rainbow tables.
John says
And I must bash a little bit. The author must not have taken basic CS courses? Creating an array full of all the permutation before you do any hash computation/comparison is a huge waste of time and memory (and causes really messy codes). Use DFS on a binary tree, where each branching depends on case (and obviously the char that doesn’t need different case, you don’t branch). A few simple recursions, fewer lines of code, much faster, and much more elegant.