lm2ntcrack – Microsoft Windows NT Hash Cracker (MD4 -LM)

Outsmart Malicious Hackers


We have covered quite a lot of Password Cracking tools and it’s not often a new one comes out, this one is for quite a specialised purpose (not a general all-purpose password cracker like John the Ripper or Cain & Abel), although you do need to use it alongside JTR.

This tool is for instantly cracking the Microsoft Windows NT Hash (MD4) when the LM Password is already known, you might be familiar with LM Cracking tools such as LCP.

The main problem is you’ve got the LM password, but it’s in UPPERCASE because LM hashes are not case sensitive, so you need to find the actual password for the account.

Example : Password cracker output for “Administrator” account

  • LM password is ADMINISTRAT0R.
  • NT password is ?????????????.

We aren’t lucky because the case-sensitive password isn’t “administrat0r” or “Administrat0r”. So you cannot use this to connect to the audited Windows system.

This password contains 13 characters but launching my password cracker on the NT hash is a waste of time and there is a poor chance of success.


Note :

  • Password length : 13 characters.
  • Details : 1 number + 12 case-sensitives letters.
  • Possibilities : 2^12 = 4096 choices.

In this example, lm2ntcrack will generate the 4096 possibilities for the password ADMINISTRAT0R and, for each one, the associated NT MD4 hash. Then, search for matching with the dumped hash.

Execution time : < 2 seconds to crack more than 1200 NT Hashes. You can download lm2ntcrack here: lm2ntcrack-current.tgz

Or read more here.

Posted in: Password Cracking

, ,


Latest Posts:


snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.


8 Responses to lm2ntcrack – Microsoft Windows NT Hash Cracker (MD4 -LM)

  1. Fischer October 21, 2008 at 12:07 pm #

    RainbowCrack does this as well, though I’m not sure how to make it crack just the NT hash. But when I task it to find an LM hash password, if I provide them both in the pwdump format, it will give the NT hash for every LM hash it cracks.

  2. Lavr October 21, 2008 at 2:37 pm #

    Cain does this as well.

  3. Vin October 21, 2008 at 7:38 pm #

    LC4/LC5 does this as well.

  4. therealdonquixote October 21, 2008 at 10:27 pm #

    I like this tool. Especially its intriguing focus on NT hashes. Getting an LM pass cr@cked is usually pretty easy (just run SAM inside or some other run of the mill pass cracker) the NT pass is always a pain in the McCain. As for its speed, less than 2 seconds is pretty darn good for a brute force attack. I bet the specialization in just NT hashes has something to do with the speed up. Anyone know if this would have any success at cracking an NT hash for a Window$ machine that uses a domain specific login and pass? I guess I should look that up.

    RainbowCrack is the pretty much the best cr@cker out there when it comes to hashes, but it can take alot of work to get it humming depending on which distro you are using. Also, HUGE rainbow tables are a must with RC.

    This new tool could lighten the load in my naughty little toolbox.

  5. Fischer October 22, 2008 at 2:08 am #

    Huge tables, I will grant you that. I’ve got a 64GB set from the Shmoo group, for all printable characters. But RainbowCrack for windows is cake to run. Probably could use some performance tweaking, but the longest I’ve ever had it run on an LM hash is about 15 minutes, and it returns the NT hash as well.

    You should look at the Pass the Hash toolkit. One tool in there, whosthere, will dump LM hashes for any user logged in to a system, including domain logins, provided LM hashes haven’t been disabled by policy. These domain LM hashes can be cracked just like any other LM hash.

  6. John December 20, 2008 at 10:38 am #

    This tool doesn’t seem to work? It gives a wrong password. Haven’t looked at the code closely as to why…but the tool returns errnous NT hash given an LM hash.

  7. John December 20, 2008 at 10:43 am #

    above, i meant to say returns a wrong password given an LM password and NT (it’s late here…getting tired)

    anyway, people who think that cracking password is so 2 years ago, sometimes you want to gain access to things other than windows logon. This means that you need actual password to see if the passwords are reused.

    People who think that rainbow tables are so much better. Password cracking tools like JtR will crack certain passwords in a matter of seconds (dictionary based word with simple letter in the back…something like “Rainbow1”)…whereas rainbow table based cracking will still take you about 10-15 minutes (depending on your table). So you need to run both to crack the passwords that are easy to crack with JtR, with JtR, then crack the uncracked ones with rainbow tables.

  8. John December 24, 2008 at 8:52 pm #

    And I must bash a little bit. The author must not have taken basic CS courses? Creating an array full of all the permutation before you do any hash computation/comparison is a huge waste of time and memory (and causes really messy codes). Use DFS on a binary tree, where each branching depends on case (and obviously the char that doesn’t need different case, you don’t branch). A few simple recursions, fewer lines of code, much faster, and much more elegant.