XMCO : We deliver security expertise

  LM2NTCRACK


   The fastest Microsoft NT hash cracker!


What is LM2NTCRACK?

lm2ntcrack is Free and Open Source software; it is also part of the Metasploit Framework.
LM2NTCRACK is written in Perl, so it is easily ported and installed.

Latest stable release (v1.2):

NEW - Win32 Executable (BETA): .NET Framework v2 is required.

lm2ntcrack must be used with the password cracker John the Ripper.

lm2ntcrack example
Example 1 : Crack a single NT hash

> Introduction

I have often run into the same problem during Windows penetration tests and password assessments.

On the one hand, running my favourite password cracker for a few minutes on the dumped Windows password hashes cracks many LM passwords, but a cracked LM password cannot be used as is: it is only the uppercase version of the real Windows password.
On the other hand, cracking the NT hashes is quite slow; after a few days it has recovered only some of the passwords.

So here is my problem. I have the LM password, but only in uppercase, because LM hashing converts the password to uppercase before hashing it (the LM hash is not case sensitive). These passwords cannot be reused in this form.

Example: password cracker output for the "Administrator" account

  • LM password is ADMINISTRAT0R.
  • NT password is ?????????????.

I am not so lucky: the case-sensitive password is neither "administrat0r" nor "Administrat0r", so I cannot use it to log on to the audited Windows system.

This password contains 13 characters, so running my password cracker on the NT hash from scratch is a waste of time with little chance of success.

Note:

  • Password length: 13 characters.
  • Details: 1 digit + 12 case-sensitive letters.
  • Possibilities: 2^12 = 4096 case combinations (damn, I cannot test them all by hand).

... I need a tool! Not a magic one, just a simple tool that does this task for me.

In this example, lm2ntcrack generates the 4096 case combinations of the password ADMINISTRAT0R and, for each one, the corresponding NT hash (MD4 of the UTF-16LE encoded password). It then looks for a match with the dumped hash.

Execution time: under 2 seconds to crack more than 1200 NT hashes (very fast for Perl!).

Enjoy!

lm2ntcrack example
Example 2 : Crack a single NT hash

NB:

Recently, after developing this tool, I found an old post on the openwall mailing list.

This post explains how to crack NT hashes from cracked LM passwords with John the Ripper itself: edit john's configuration file so that the [List.Rules:NT] section is used as the wordlist rule set, stop running john on the LM hashes, and then run the three commands below. Newer John versions accept the section name on the command line (--rules=NT), which avoids editing the configuration file.


  • john -show pwfile | cut -d: -f2 > cracked
  • john -w=cracked -rules -format=nt pwfile
  • john -show -format=nt pwfile

One known problem with this approach is that it fails for passwords containing a colon, since ':' is the cut delimiter and the password field is truncated.

This problem does not affect lm2ntcrack, and you can run lm2ntcrack while john is still cracking the LM hashes.

> Dependencies

This software should work out of the box, although it has only been tested with Perl 5.8.8 (Mac OS X 10.5.5).

lm2ntcrack only requires the Perl module Digest::MD4:

http://search.cpan.org/dist/Digest-MD4/

> Usage

Help:

perl lm2ntcrack.pl [-v|-q] [-h] [-p] < -l=Clear_LM_Password -n=MY_NT_HASH > | < -f=MY_JOHN_OUTPUT_FILE >

-h, --help                                       : This (help) message                                  Optional
-v, --verbose                                    : Verbose output                                       Optional
-q, --quiet                                      : No debug output                                      Optional
-p, --print                                      : Print the dictionary generated from the LM password  Optional

-l=Clear_Text_LM_Pwd, --lmpass=Clear_Text_LM_Pwd : Cracked LM password
-n=hash, --nthash=hash                           : NT hash to crack                                     Mandatory with -l

-f=file, --file=file                             : Full path to the "John the Ripper" output file (john --show dumpfile > myFile)


Examples:

  • Multi NT password cracking :
    perl lm2ntcrack.pl -f="./<JOHN-THE-RIPPER OUTPUT FILE>"

  • Single NT password cracking :
    perl lm2ntcrack.pl -v -l="AZERTY123$" -n="81CD1A1C4CBCE05C0F8D411ACEC7587F"

  • Only print generated dictionary (No NT cracking) :
    perl lm2ntcrack.pl -v -l="AZERTY123$" -p

> Complete Exploitation

  1. Dump the Microsoft Windows LM and NT hashes (e.g. with pwdump: http://en.wikipedia.org/wiki/Pwdump).

  2. Crack the dumped LM hashes with John the Ripper (e.g. john --format=LM myDumpFile).

  3. Once the LM hashes have been cracked (a few minutes to a few hours), crack the NT hashes with lm2ntcrack.pl fed with john's LM results:

    john --show --format=LM ./myDumpFile > ./johnOutputLMcrackedPass && perl ./lm2ntcrack.pl -f=./johnOutputLMcrackedPass
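Before starting step 2 it is worth triaging the dump: accounts whose LM field is the empty-password sentinel (NoLMHash policy, or a password longer than 14 characters) have nothing for john to crack and nothing for lm2ntcrack to case-flip, and the same check verifies the remediation below once it has been applied. The following is an added Python example, not part of lm2ntcrack; the pwdump sample is constructed (the Administrator line is the genuine LM/NT pair for the password "password", the svc_backup NT hash is a dummy value), and the function names are the example's own.

```python
"""Triage a pwdump file before the LM -> NT workflow (added example)."""

# Sentinels Windows stores when the field holds nothing usable.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "": NoLMHash set, or password > 14 chars
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "": blank password

# Constructed sample in pwdump format (user:RID:LM:NT:::).  Administrator is
# the real LM/NT pair for "password"; the svc_backup NT hash is a dummy value.
SAMPLE_PWDUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


def parse_pwdump(text: str):
    """Return (user, rid, lm, nt) tuples; ':' is not a legal SAM name character,
    so splitting on it is safe for the first four fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or len(fields[2]) != 32 or len(fields[3]) != 32:
            continue                              # not a user:RID:LM:NT line
        records.append((fields[0], fields[1], fields[2].lower(), fields[3].lower()))
    return records


def triage(records):
    """Split accounts into those the LM -> NT route can reach and those it cannot."""
    attackable, skipped = [], {}
    for user, rid, lm, nt in records:
        if nt == EMPTY_NT:
            skipped[user] = "blank password, nothing to crack"
        elif lm == EMPTY_LM:
            skipped[user] = "no LM hash stored (NoLMHash policy or password longer than 14 characters)"
        else:
            attackable.append((user, rid, lm, nt))
    return attackable, skipped


def lm_only_file(records) -> str:
    """Lines worth feeding to `john --format=LM`: only accounts with a real LM hash."""
    attackable, _ = triage(records)
    return "".join(f"{u}:{r}:{lm}:{nt}:::\n" for u, r, lm, nt in attackable)


def lm_storage_disabled(records) -> bool:
    """Remediation check: True when no account still carries a real LM hash."""
    return all(lm == EMPTY_LM for _, _, lm, _ in records)


if __name__ == "__main__":
    recs = parse_pwdump(SAMPLE_PWDUMP)
    attackable, skipped = triage(recs)
    for user, *_ in attackable:
        print("LM route possible:", user)
    for user, why in skipped.items():
        print("skipped:", user, "-", why)
    print("LM storage disabled everywhere:", lm_storage_disabled(recs))
```

Run it against a real dump after the NoLMHash policy has been rolled out: lm_storage_disabled only becomes True once every account has changed its password, because the policy stops storing new LM hashes but does not purge existing ones.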

> Remediations

Prevent Windows from storing a LAN Manager (LM) hash: enable the policy "Network security: Do not store LAN Manager hash value on next password change" (the NoLMHash setting). Note that this only stops new LM hashes from being written; hashes already in the SAM or Active Directory remain until each account's password is changed. Passwords longer than 14 characters never get an LM hash at all.

References: Microsoft TechNet

> Greetings

For debugging and testing:

  • Adrien Guinault <adrien.guinault@xmcopartners.com>
  • Frederic Charpentier <fcharpentier@xmcopartners.com>

For algorithmic optimization / CPU and heat consumption:

  • Marc Behar

> Copyright and Licence

THIS SOFTWARE IS MADE AVAILABLE "AS IS", AND THE AUTHOR DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

--
Copyright (C) 2008 Yannick Hamon <yannick.hamon@xmco.fr>
XMCO | Security Research Labs