Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 17 Oct 2008 20:49:15 +0200
From: Yannick HAMON <yannick.hamon@...opartners.com>
To: john-users@...ts.openwall.com
Subject: [ lm2ntcrack ] A simple tool to crack instantly Microsoft Windows NT Hash (MD4) when the LM Password is known.

Hi everybody,

I want to share with you a simple tool that I have developped :  
"lm2ntcrack". I hope that it will help some guy...

http://www.xmcopartners.com/lm2ntcrack/index.html

This tool provides a simple way to crack instantly Microsoft Windows  
NT Hash (MD4) when the LM Password is known.

It is entirely written in perl, so its easily ported and installed.

This program must be used with the password cracker "John the Ripper"
http://www.openwall.com/john/

* Why lm2ntcrack ??
I've often encountered a problem during Windows penetration testing  
and password assessment.

On the one hand, launching my favorite password cracker during few  
minutes on the dumped Windows passwords hashes, permits to crack many  
LM passwords but cracked password cannot be used as is (uppercase  
version of the Windows password).
On the other hand, password cracking on NT hash is quiet long and  
after few days it cracks only some password.

Here is my big deal. I've got the LM password but it is only in  
UpperCase because LM Hashes are not case sensitive. So, these  
passwords cannot be reuse in this form.

* Example: Password cracker output for "Administrator" account :
=> LM password is ADMINISTRAT0R.
=> NT password is ?????????????.

I'm not so lucky because the case-sensitive password isn't  
"administrat0r" or "Administrat0r". So I cannot use this to connect on  
the audited Windows system.

This password contains 13 characters but launching my password cracker  
on the NT hash is a waste of time and there is a poor chance of success.

* Note :
13 characters : 1 number + 12 case-sensitives letters => 2^12 = 4096  
choices (DAMN IT, I cannot test them all manually)

... I need a TOOL !!!! Not a magic one but a simple tool which can do  
this task for me.

In this example, "lm2ntcrack" will generate the 4096 possibilities for  
the password "ADMINISTRAT0R" and, for each one, the associated NT MD4  
hash. Then, search for matching with the dumped hash.

Estimated time : < 2 seconds to crack more than 1200 NT Hashes (it is  
very fast instead of Perl !!! lol)

Enjoy !!!!

* Example :
[yann@...opartners:~/lm2ntcrack]$ time perl lm2ntcrack.pl -v - 
l="AZERTY123$" -n="81CD1A1C4CBCE05C0F8D411ACEC7587F"
############################################################################
# NT Password cracker from LM password
# Version : 0.5a - Oct 2008
# By Yannick HAMON <yannick.hamon@...opartners.com>
# Homepage : http://www.xmcopartners.com
############################################################################
[INFO] : "AZERTY123$" has 10 character(s) but contains 4 special(s)  
char(s) and/or integer(s)
[INFO] : => 64 words will be generated ...... OK !!
[INFO] : Crack NT password from "AZERTY123$" and NT HASH  
"81CD1A1C4CBCE05C0F8D411ACEC7587F"
[CRACKED] AZERTY123$ => azERTy123$


real	0m0.033s
user	0m0.025s
sys	0m0.007s


* NB :
Recently, after developped this fabulous TOOL, I've found an old post  
on "openwall mailing-list" :
http://www.openwall.com/lists/john-users/2006/07/08/2

This post explains how to crack NT hash from LM password with john-the- 
ripper (need to modify john's configuration file to use  
[List.Rules:NT] section and stop running john on the LM hashes).
	john -show pwfile | cut -d: -f2 > cracked
	john -w=cracked -rules -format=nt pwfile
	john -show -format=nt pwfile

One known problem with this approach is that it'll fail for passwords  
containing colons (':' is cut delimiter).

This problem does not impact "lm2ntcrack" and you can use "lm2ntcrack"  
while john is cracking LM hashes.

--
Yannick Hamon <yannick.hamon@...opartners.com>
IT Security Consultant
Xmco Partners | Security Research Labs
http://www.xmcopartners.com

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ