Blog: How Tos

Efficient Password Cracking Where LM Hashes Exist for Some Users

Jamie Riden 17 Oct 2014

Efficient Password Cracking

Sometimes you end up with a great many Windows domain passwords that need cracking – either because you have compromised the domain controller and exported them yourself, or because the client has asked you to perform a password audit and has supplied the database to you themselves.

As you know, LM hashes are insecure, and there is a very good way of cracking these (Ophcrack). However, there will also be passwords that cannot be cracked using the standard tables, or maybe the LM hash is not present in the dump at all. In this case, we’ll need to attack the NTLM hash with another tool – in this case a GPU cracker known as Oclhashcat.

In this case we have a large (something like 6,000 entry) pwdump format file, with LM and NTLM hashes. Because the LM hashes have various weaknesses in the cryptography, we can crack a lot of passwords using Ophcrack – but in some cases only NTLM hashes are present. In this case we can use a hybrid approach.

First, start Ophcrack going on your pwdump format file – that’s fairly quick to recover original passwords where LM hashes exist.

In parallel with that, take the pwdump format output and feed it through cut like this, to get Oclhashcat format:

$ cat myhashes.txt | cut -f 1,4 -d’:’
USER1:a738f92b3c08b4xxx89a9cce60
USER2:48c7950xxx36f017ba9f43b75f
…$ cat myhashes.txt | cut -f 1,4 -d’:’ > oclhashes.txt

Then do an incremental crack (with default mask) :

C:\cudaHashcat-1.30>cudaHashcat64.exe –username -m 1000 -a 3 -i oclhashes.txt

And also run with your standard massive dictionary – mine is called “combined.txt”:

C:\cudaHashcat-1.30>cudaHashcat64.exe –username -m 1000 -a 0 oclhashes.txt c:\combined.txt -r rules\best64.rule

…until bored, or Ophcrack finishes.

Once Ophcrack has finished, you can then feed your cracked passwords from that into a custom dictionary, and use that in conjunction with rules. I exported all fields from Ophcrack, using “;” as separator, so I could make use of any full or partial cracks it had managed.

$ cat my-ophcrack-out.txt | cut -f 8 -d’;’ | sort -u > extradict.txt

C:\cudaHashcat-1.30>cudaHashcat64.exe –username -m 1000 -a 0 oclhashes.txt extradict.txt -r rules\best64.rule

This means that the Oclhashcat run will get at least all the passwords that the Ophcrack run got.

You can also try a hybrid attack like this – for each dictionary word, try that word followed by each possible trailing character.

C:\cudaHashcat-1.30>cudaHashcat64.exe –username -m 1000 -a 6 oclhashes.txt c:\combined.txt ?a

Or try several of the half LM passwords from Ophcrack where the full password hasn’t been recovered – remember you’ll need one of the rules where it will try every possible combination of upper/lower case, because the LM password is case insensitive.

$ cat my-ophcrack-out.txt | cut -f 6 -d’;’ | sort -u > lm-left-only.txt

C:\cudaHashcat-1.30>cudaHashcat64.exe –username -m 1000 -a 0 oclhashes.txt lm-left-only.txt –r rules\InsidePro-PasswordsPro.rule

Once you’re happy you’ve got as many as you can, dump out the eventual results like this:

C:\cudaHashcat-1.30> cudaHashcat64.exe –username oclhashes.txt –show

USER1:48c79504fc424cccxxxxxba9f43b75f:password1
USER2:e7def634283a9c58xxxbdf1c0d5d65e:password2

In summary this method is based on a phased password cracking approach against databases containing LM hashes which involves:

  • Crack LM hashes using pre-computed hash tables – pass #1;
  • Run a dictionary attack using GPU assisted software and any useful dictionaries – pass #2;
  • Take the output of pass #1 and #2, feed it to a dictionary and run a brute forcing pass using GPU assisted software with default mangling rules – pass #3;
  • (optional) Take each entry of the output of pass #1 and try all variations where a trailing character is added using GPU assisted software – pass #4;
  • (optional) Take each entry of the output of pass #1 which only yielded the first half of the password and try those using GPU assisted software + mangling rules + case sensitive rules (because LM hashes are case insensitive) – pass #5;
  • Run an incremental brute force attack against any uncracked hashes using GPU assisted software – pass #infinite (I would not wait for this one to finish…);

For what it’s worth, we recovered 5,120 out of 6,000-odd passwords in day on a normal sort of laptop; the password policy wasn’t terribly good though, which helped us a lot.