Home > windows > Understanding Password Hashes

Understanding Password Hashes

Normally in windows operating systems the password we enter is hashed(obfuscated) and stored in c:\windows\system32\config\sam

Security Accounts Manager is the abbreviation of SAM…(Don’t try to open it when in windows it won’t allow you to do so 😛 )

But people circumvent the operating system (using linux boot disk) and copy this sam..

Also don’t forget to copy the file named “system” from the same directory, which contains the “syskey”.

syskey is used to encrypt the sam…..

Windows XP uses two type of hashes LM hashes and NTLM hashes..LM hashes (LM stands for LAN manager) NTLM is more secure than LM hashes. However, even computers that use NTLM (i.e) windows 2000 and above also store their passwords in LM hashes. So the password is stored twice, as NTLM and as LM Hashes. This is because very often we still need to connect with machine that used LM hashes(i.e) windows 98 going back.

LM hashing method:

Let me explain it with an example, take the password as 123456abcde

Initially the password is converted into all upper case letter 123456ABCDE

Then the password is padded with NULL (blank) character, in order to make it 14 character long.

Now the 14 character long password is split into half like 123456A and BCDEF__.

Each string is individually encrypted and the results are concatenated:

123456A = 6BF11E04AFAB197F
BCDEF__ = F1E9FFDCC75575B15
The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15

Problems with LM hash:

  • If the password is greater than 14 character then LM hash is disabled and NTLM hash is used.
  • Can cracked easily.

Password cracking methods:

  • Dictionary attack
  • Brute force
  • cryptanalysis (rainbow table)

Rainbow tables:

With rainbow tables the password combinations are pre-computed and stored in disk.

This rainbow tables are searched for a particular hash, and the password can be cracked with in minutes.

In LM hash generation the password is split into two and encrypted (see LM hashing method)

This design fault leads to creation of Half LM rainbow tables which are used to crack one half

of the password ..Thus it reduces the time taken for cryptanalysis…

Prevention:

  • Disabling the LM hashes (In windows vista LM hashes are disabled by default)( see links section for more details on LM hash disabling methods)
  • Using passwords that have more than 14 characters.
  • Don’t use dictionary words
  • changing the passwords frequently

There is nothing in this world that cannot be breached, all we can do is make it harder to the attacker.

Links:

See the wikipedia entry about LM hashes here

Download a simple password cracker saminside from here (however i don’t use it anymore i use cain for these purposes)

Download ophcrack from here (It comes with free rainbow tables i recommend it for begginers)

Download LM hash rainbow tables from here

Download the Rainbow table generator from here

Get the instructions to disable LM hashes from here

Advertisements
Categories: windows
  1. Lourdhu Sagaya Jayakumar J
    June 29, 2008 at 7:58 pm

    Thank u, this was highly informative…. 🙂

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: