L0phtCrack 2.0 Manual

Introduction

L0phtCrack is designed to recover passwords for Windows NT. NT does not store the actual passwords on an NT Domain Controller or Workstation. Instead it stores a cryptographic hash of the passwords. L0phtCrack can take the hashes of passwords and generate the cleartext passwords from them.

Passwords are computed using 2 different methods. The first, a dictionary lookup called dictionary cracking, uses a user-supplied dictionary file. The password hashes for all of the words in the dictionary file are computed and compared against all of the password hashes for the users. When there is a match the password is known. This method is extremely fast. Thousands of users can be checked with a 100,000 word dictionary file in just a few minutes on a PPro 200. The drawback to this method is that it only finds very simple passwords.

The second method is the brute force computation. This method uses a particular character set such as A-Z or A-Z plus 0-9 and computes the hash for every possible password made up of those characters. This method will always compute the password if it is made up of the character set you have selected to test. The only downside to this method is time. It is very computation intensive, and the larger the character set the longer it takes. The character set A-Z takes about 24 hours on a PPro 200. A-Z and 0-9 takes about 10 days.

Many of L0phtCrack's features are designed to make these long brute force computations feasible. It takes advantage of multiprocessor machines and runs with lower than normal priority so you can use it on servers that have idle CPU. It can save and restore its state during a brute force computation so that previously computed work is not lost. L0phtCrack will automatically save its state every 5 minutes in case of power loss or reboots. The saved .LC file is in ASCII so it can be inspected over the network to check on progress.
Installation

Unzip the distribution archive, lc2exe.zip, into a directory. Create a shortcut to the executable l0phtcrack.exe (or l0phtcrack95.exe for Win95) and you are done, unless you want to use the network sniffing feature.

To do network sniffing you need to install an NDIS network driver. This driver will only work on ethernet network devices. Go to the Network settings in the Control Panel. Select the Protocols tab and press the Add... button. Press Have Disk... and specify the directory where you installed L0phtCrack. This is where the Oemsetup.inf file is. You will need to restart before the new driver takes effect.

Accessing the Password Hashes

Before the passwords can be computed you need to retrieve the password hashes. There are 3 main methods to get the password hashes: from the registry directly, from a SAM file on disk, or by sniffing the network.

Dumping From the Registry

If you have administrator privileges you can get the password hashes using the 'Tools Dump Passwords from Registry' command. Specify a computer name or IP address in the format \\computername or \\ipaddress. NT can be configured to disallow access to the registry remotely over the network, so you may need to be on the local machine if this is the case.

Microsoft introduced the SYSKEY utility in NT SP3. If SYSKEY is running the password hashes are encrypted and cannot be retrieved in this manner.

If you are using a non-English language version of NT your version may use a different word for Administrators. If so you need to modify a registry key to get Dump Passwords to work. Run regedit.exe and edit the value of the key:

  HKEY_CURRENT_USER\Software\LHI\L0phtCrack\AdminGroupName

Set it to your language version of 'Administrators'.

Extracting From a SAM File

The next method is new for L0phtCrack 2.0. You can retrieve the password hashes from the SAM file on the hard disk, from an NT Emergency Repair Disk, or from a backup tape.
The NT registry is actually stored in several different files on the system disk in the d:\winnt\system32\config directory. These files cannot be accessed while NT is running since they are opened exclusively by the operating system. If you have physical access you can boot the machine with a DOS floppy and use a program such as NTFSDOS (http://www.ntinternals.com/ntfs20r.zip) to copy the SAM file from d:\winnt\system32\config to a floppy disk. You can then use the L0phtCrack command 'File Import SAM' to extract the password hashes from the SAM file.

Another place to find the SAM file that doesn't require rebooting the machine is in the d:\winnt\repair directory or on an Emergency Repair floppy disk. Whenever a repair disk is made the contents of the SAM in the registry are saved and compressed into the file 'sam._'. This file can be uncompressed with the command:

  expand sam._ sam

The expanded SAM file can be imported into L0phtCrack.

The SAM file is also backed up onto tape when a full backup is performed. If you have access to a backup tape you can restore the SAM file from d:\winnt\system32\config to another machine and import it into L0phtCrack.

If SYSKEY from NT 4.0 SP3 is installed all of the SAM files are encrypted and cannot be read by L0phtCrack.

Sniffing on the Network

If SYSKEY is installed and you have no network access to the registry or physical access, don't fret. There is a 3rd method for obtaining the password hashes: network sniffing. Network sniffing requires that you are on the same physical segment as the user or the resource they are accessing. The sniffer, readsmb.exe, included with L0phtCrack 2.0 will only work on Windows NT 4.0. Follow the instructions in the Installation section for installing the network driver necessary for using the network sniffer.

The network sniffer is a command line program named readsmb.exe.
Run it and redirect its output to a file with the command:

  readsmb > passwd

You probably want to let this run for a day or so to collect enough password hashes. You can then open this file in L0phtCrack using the command File Open.

Readsmb.exe also has a verbose mode that can be enabled with the -v option:

  readsmb -v

This output is not formatted properly for opening with L0phtCrack but it may be useful to you. On slow machines the -v option may cause readsmb to miss some packets, so it is really just for debugging and exploring.

Computing Passwords

So now that you have the password hashes loaded into L0phtCrack you want to start computing. You start computing by using the command Tools Run. The default options are set to first run a dictionary computation using the default dictionary, words-english, that comes with the L0phtCrack distribution, and then run a Brute Force computation using the default character set, A-Z. L0phtCrack will save the state of the computation every 5 minutes to a .LC file. The Tools Options menu command lets you select whether you want to do a dictionary attack and/or a brute force attack.

Performance

Dictionary cracking is extremely fast. L0phtCrack running on a Pentium Pro 200 checked a password file with 100 passwords against an 8 megabyte dictionary file in under one minute.

Brute forcing is always an extremely CPU intensive operation. We have worked to optimize this in L0phtCrack 2.0. L0phtCrack running on a Pentium Pro 200 checked a password file with 10 passwords using the alpha character set (A-Z) in 26 hours. L0phtCrack features a percentage done counter and a time remaining estimate so you can gauge when the task will be complete.

L0phtCrack allows you to select one of 5 character sets to brute force passwords that use more characters than A-Z. As the character sets increase in size from 26 characters to 68 the time to brute force the password increases exponentially.
This chart illustrates the relative time for larger character sets.

  Char Size   Iterations      Relative Time
  26          8353082582      1.00
  36          80603140212     9.65
  46          4.45502E+11     53.33
  68          6.82333E+12     816.86

So if 26 characters takes 26 hours to complete, 36 characters (A-Z, 0-9) would take 250 hours or 10.5 days. Now of course this is the worst case scenario of the password being 99999999999999. A password such as take2asp1r1n would probably be computed in about 7 days.

Technical Notes - NT Server Challenge Sniffing

Here is a description of the challenge that takes place over the network when a client, such as a Windows 95 machine, connects to an NT Server.

  [assuming initial setup etc...]

                     8-byte "random" challenge
  Client <---------------------- Server

  OWF1 = pad Lanman OWF with 5 nulls
  OWF2 = pad NT OWF with 5 nulls
  resp = E(OWF1, Chal) E(OWF2, Chal)

                     48-byte response (24-byte LanMan, 24-byte NT)
  Client -----------------------> Server

The client takes the OWF (all 16 bytes of it) and pads it with 5 nulls. From this point it DES-ECB encrypts the 8-byte challenge with the now 21-byte OWF. The resulting 24-byte string is sent over to the server, which performs the same operations on the OWF stored in its registry and compares the resulting two 24-byte strings. If they match the user used the correct password.

What's cool about this? Well, now you can take your sniffer logs of NT logons and retrieve the plaintext passwords. This does not require an account on the NT machine nor does it require previous knowledge of the ADMINISTRATOR password. So even if you have installed Service Pack 3 and enabled SAM encryption your passwords are still vulnerable if they go over the network.

Acknowledgements

Special thanks go out to:

- Dmitry Andrianov for providing the SAMDUMP code for inclusion
- Eric Young (eay@mincom.oz.au) for much of the crypto lib code
- MD4 Algorithm is "RSA Data Security, Inc. MD4 Message-Digest Algorithm"; this program is derived from the RSA Data Security, Inc.
  MD4 Message-Digest Algorithm
- Thank you anonymous for some LANMAN sorting code
- Hobbit@avian.org for all the cool ideas and bare feet. Especially for his monster paper on CIFS problems.
- Jeremy Allison (jra@cygnus.com) for the fantastic sleuthing with PWDump.
- tuebor@l0pht.com for some nice little code tips and general coolness.
- the people who did SAMBA for being nuts!
- the people who did libdes for being nuts!
- Tweety Fish for designing a rad logo for L0phtCrack
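Worked Example - Character Set Keyspace

The chart in the Performance section above can be reproduced from one fact about the LM hash that the manual does not spell out: the password is upper-cased and processed as two independent halves of at most 7 characters, so a brute force run over a character set of size c tries the sum of c^n for n = 1..7 candidates per half. The following Python is an added example written for this manual, not code from L0phtCrack; it rebuilds the Iterations and Relative Time columns from that sum and scales the manual's measured 26 hours for A-Z to the other sets. The half_rank and expected_hours functions go further than the chart and rest on an assumption: they enumerate candidates shorter-first, then in character set order, which is not L0phtCrack's documented ordering, so their estimate for take2asp1r1n (about 5.7 days) is only comparable in spirit to the manual's rough "about 7 days".

```python
"""Keyspace arithmetic behind the L0phtCrack 2.0 character-set chart.

Added example, not code from L0phtCrack. It relies on one fact the manual
does not spell out: the LM hash upper-cases the password and processes it
as two independent halves of at most 7 characters, so a brute force run
over a character set of size c tries sum(c**n for n in 1..7) candidates
per half. That sum reproduces the chart's Iterations column exactly.
"""

LM_HALF_LEN = 7  # maximum length of one LM password half
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ALNUM = ALPHA + "0123456789"  # the manual's "A-Z,0-9" set (36 characters)


def keyspace(charset_size, max_len=LM_HALF_LEN):
    """Number of candidate strings of length 1..max_len over the set."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def relative_time(charset_size, base_size=26):
    """Keyspace ratio against A-Z: the chart's 'Relative Time' column."""
    return keyspace(charset_size) / keyspace(base_size)


def worst_case_hours(charset_size, base_hours=26.0, base_size=26):
    """Worst-case hours, scaled from the manual's 26 hours for A-Z on a PPro 200."""
    return base_hours * relative_time(charset_size, base_size)


def half_rank(half, charset):
    """1-based position of one LM half under an ASSUMED enumeration order:
    shorter strings first, then character set order (counting in base c).
    L0phtCrack's real ordering is not documented in the manual."""
    c = len(charset)
    if not 1 <= len(half) <= LM_HALF_LEN:
        raise ValueError("an LM half is 1..7 characters")
    number = 0
    for ch in half:
        if ch not in charset:
            raise ValueError(f"{ch!r} is outside the selected character set")
        number = number * c + charset.index(ch)
    # all shorter strings come first, then this string's base-c value
    return keyspace(c, len(half) - 1) + number + 1


def expected_hours(password, charset, base_hours=26.0):
    """Hours until both halves of `password` are reached under the assumed
    order. The run finishes when the later-ranked half is found."""
    upper = password.upper()  # LM is case-insensitive
    if not 1 <= len(upper) <= 2 * LM_HALF_LEN:
        raise ValueError("LM passwords are 1..14 characters")
    halves = [upper[:LM_HALF_LEN], upper[LM_HALF_LEN:]]
    ranks = [half_rank(h, charset) for h in halves if h]
    fraction = max(ranks) / keyspace(len(charset))
    return worst_case_hours(len(charset), base_hours) * fraction


def chart(base_hours=26.0):
    """Rebuild the manual's chart, adding a worst-case hours column."""
    return [(c, keyspace(c), round(relative_time(c), 2),
             round(worst_case_hours(c, base_hours), 1))
            for c in (26, 36, 46, 68)]


if __name__ == "__main__":
    print("Chars  Iterations      Relative  Hours")
    for c, n, rel, hours in chart():
        print(f"{c:<6} {n:<15} {rel:<9} {hours}")
    est = expected_hours("take2asp1r1n", ALNUM)
    print(f"take2asp1r1n over A-Z,0-9: about {est:.0f} hours (assumed order)")
```

The 7-character split is why the chart grows with c^7 rather than c^14: a 14-character password costs no more than two 7-character ones, which is the structural weakness that makes the "10.5 days" figure for A-Z,0-9 attainable at all.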