L0phtCrack 2.0 FAQ
Last updated 2/16/98

1a. Can I use a custom character set?

You can define your own character set for L0phtCrack to use for brute forcing. There is no user interface to do this, however. First load the password file into L0phtCrack, then do a file save to save it in .lc (L0phtCrack) format. Open the .lc file in a text editor. You will see something like this:

LastBruteIteration=0
CharacterSet=ABCDEFGHIJKLMNOPQRSTUVWXYZ
Administrator:"":"":LANMANHASH:NTHASH
.
.
.

You can edit CharacterSet to whatever you like. If you add the space character, make sure it is not the last character. There is a small bug, which will be fixed soon, that requires you to change LastBruteIteration=0 to something like LastBruteIteration=A unless 0 is in your CharacterSet.

1b. Can I start L0phtCrack brute forcing at a certain password?

Yes. Maybe you know the first character of a certain password you are trying to crack. Follow the instructions in question 1a and set LastBruteIteration to a value that starts with the character(s) you know, padded out to the number of characters you want to start at. For example, if you know the password starts with C and is 7 characters or longer, you would use:

LastBruteIteration=CAAAAAA

Don't put in any characters that are not in the CharacterSet, always use uppercase, and never put in more than 7 characters. The 7-character limit exists because the LANMAN hash is computed over two independent 7-character halves of the uppercased password, and the brute force works one half at a time. One caveat is that if the password is longer than 7 characters, starting partway through the search will skip some of the possibilities for the second half. Once you know the first half, run L0phtCrack again from scratch to discover the second half. Unless the password is a full 14 characters long, finding the second half should be quick.

2. Cracking sniffer dumps seems to take a long time. Is this right?

Cracking the captured challenge/response hashes from a network capture takes a bit longer for one password than its counterpart obtained from a registry dump.
The big slowdown with network capture cracking is that each response is computed from the hash and a unique challenge, so the work done cracking one password cannot be reused to crack another. This means the time to completion scales linearly with the number of password hashes you add: 10 network challenge/response hashes will take 10 times longer to crack than just one. Ouch, that could take a long time. This type of cracking really needs to be targeted at particular passwords to be effective.

3. I get "cannot open adapter" when I try to run the readsmb sniffer. What's wrong?

Make sure you have followed the instructions in the readme.txt file to install the network driver required to read the network in promiscuous mode. This usually requires Power Users or Administrators group privileges on the machine. If you have 2 NICs and the sniffer doesn't seem to work, disable the binding of the 'NDIS 3.0 Packet Driver' to one of the NICs. If you also have the ISS packet driver or the Asmodeus packet driver loaded, there may be a conflict. You may need to remove those drivers to use the L0phtCrack driver.
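The hand edits described in questions 1a and 1b are easy to get wrong (a character outside the set, a lowercase letter, a trailing space, more than 7 characters, or the LastBruteIteration=0 bug). The script below, written for this FAQ and not part of L0phtCrack, encodes those rules and rewrites the two header lines of a saved .lc file. The .lc layout is taken from question 1a; the SAMPLE_LC text and its hash placeholders are constructed for illustration.

```python
"""Edit a saved L0phtCrack 2.0 .lc file so that brute forcing uses a custom
CharacterSet and resumes at a known prefix (FAQ questions 1a and 1b).

Example code written for this FAQ; it is not part of L0phtCrack.  The .lc
layout (Key=Value header lines followed by one account per line) is taken
from the FAQ text; SAMPLE_LC and the hash placeholders are constructed.
"""

LM_HALF_LEN = 7  # a LANMAN hash covers two independent 7-character halves

# Constructed sample of a freshly saved .lc file, as shown in question 1a.
SAMPLE_LC = (
    "LastBruteIteration=0\n"
    "CharacterSet=ABCDEFGHIJKLMNOPQRSTUVWXYZ\n"
    'Administrator:"":"":LANMANHASH:NTHASH\n'
)


def validate_charset(charset: str) -> str:
    """Apply the FAQ's rules for a custom CharacterSet and return it."""
    if not charset:
        raise ValueError("CharacterSet must not be empty")
    if charset.endswith(" "):
        # Question 1a: the space character must not be the last character.
        raise ValueError("space must not be the last character of CharacterSet")
    if len(set(charset)) != len(charset):
        raise ValueError("CharacterSet contains duplicate characters")
    return charset


def start_iteration(charset: str, prefix: str = "", length: int = LM_HALF_LEN) -> str:
    """Build a LastBruteIteration value that starts the search at `prefix`.

    Rules from question 1b: every character must come from CharacterSet,
    letters are always uppercase (LANMAN uppercases the password before
    hashing), and the value is never longer than 7 characters.  The prefix
    is padded out to `length` with the first CharacterSet character, which
    gives the FAQ's 'CAAAAAA' for prefix 'C'.  With no prefix the default
    '0' is kept only if '0' is in the set; otherwise the first character of
    the set is used, which is the workaround for the bug noted in 1a.
    """
    validate_charset(charset)
    if not 1 <= length <= LM_HALF_LEN:
        raise ValueError("length must be between 1 and 7")
    prefix = prefix.upper()
    if len(prefix) > length:
        raise ValueError("prefix is longer than the requested length")
    bad = sorted({c for c in prefix if c not in charset})
    if bad:
        raise ValueError(f"prefix characters not in CharacterSet: {bad}")
    if not prefix:
        return "0" if "0" in charset else charset[0]
    return prefix + charset[0] * (length - len(prefix))


def rewrite_lc(lc_text: str, charset: str, prefix: str = "", length: int = LM_HALF_LEN) -> str:
    """Return lc_text with its CharacterSet and LastBruteIteration replaced.

    Account lines are passed through untouched.  Raises if either header
    line is missing, which means the input is not a saved .lc file.
    """
    new_iter = start_iteration(charset, prefix, length)
    out, seen = [], set()
    for line in lc_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key == "CharacterSet":
            line = f"CharacterSet={charset}"
            seen.add(key)
        elif sep and key == "LastBruteIteration":
            line = f"LastBruteIteration={new_iter}"
            seen.add(key)
        out.append(line)
    missing = {"CharacterSet", "LastBruteIteration"} - seen
    if missing:
        raise ValueError(f"not a saved .lc file, missing: {sorted(missing)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Add digits to the set and resume at passwords starting with 'C'.
    print(rewrite_lc(SAMPLE_LC, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", prefix="C"))
```

Run it against a real saved .lc file by reading the file into `rewrite_lc` and writing the result back; the account lines are copied through unchanged, so only the two header lines differ from what L0phtCrack wrote.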