Monday, 10 January 2011

Password cracking: Using John The Ripper (JTR) to detect password case (LM to NTLM)

When cracking Windows passwords (for password audits or penetration testing), if LM hashing is not disabled, two hashes are stored in the SAM database for each account.

The first is the LM hash (relatively easy to crack because of design flaws, but often still stored for backwards compatibility).

The second is the NTLM hash which can be more difficult to crack (when used with strong passwords).

LM hashes are computed from the password converted to all uppercase and split into two 7-byte blocks, each hashed independently (which is a large part of the reason why they are so weak).

This makes LM hashes easy to crack (complete rainbow tables of all possible hashes can be easily obtained for super-fast cracking).

However, cracking the LM hash does not tell you the full story about the password, i.e. you won't know the case of the alphabetic characters in the password. The passwords could be all uppercase, all lowercase, or a mixture and finding the case of the passwords can be important.

Here I will show how to crack the LM hashes and use these to find the exact password from the NTLM hashes.

Please remember to use these techniques only for legitimate educational and testing purposes and not maliciously.

The hashes

For these tests, I first set up a test Windows XP machine and added six users with various passwords, some of which you may think would be strong, but they are not strong enough!

I extract the passwords from the SAM using fgdump.exe, and get the following:


In the fgdump output, each line carries both hashes for a user: the LM hash comes first, followed by the NTLM hash.


I have put these hashes in a file called crackmemixed.txt on a BackTrack 4 system in /pentest/passwords/jtr.

Cracking the LM hashes

We will be using John The Ripper, so first type


To crack the LM hashes it is always worth trying a dictionary attack first, as this is very fast, so I will use the following command:

./john --wordlist=/pentest/passwords/wordlists/bt4-password.txt crackmemixed.txt
Loaded 12 password hashes with no different salts (LM DES [128/128 BS SSE2])
HAPPY            (erik)
OW               (ernie:2)
SHOWMEN          (ernie:1)
GRRRRRE          (jack:1)
WIBBLE           (sam)
guesses: 5  time: 0:00:00:00 100.00% (ETA: Mon Jan 10 10:13:33 2011)  c/s: 26204K  trying: ZZAJ - {LOG}

This tried over three million passwords, took less than a second and cracked some of the hashes. (For LM hashes, passwords longer than 7 characters are cracked as two separate 7-byte halves, which is why ernie and jack appear above as :1 and :2.)

There are a few more hashes to crack so we will let JTR do a brute-force attack on the rest:

./john --format=lm crackmemixed.txt
Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2])
AT!              (jack:2)
FLUFF34          (phil)
4REF5            (bert)
guesses: 3  time: 0:00:00:18 (3)  c/s: 19370K  trying: 4RIIN - 4RO5A

So we are all done with the LM hashes in under 20 seconds (which is pretty good). For stronger passwords, if this method was taking longer than a few minutes, I would probably move to LM hash rainbow tables next, which would speed things up a lot.

Check our LM hash-cracked passwords

To display what we have so far we can do

./john -show crackmemixed.txt

8 password hashes cracked, 0 left

... but as you can see, this is all displayed in uppercase, as we can't tell the case of the passwords from cracking the LM hashes.

Preparing for cracking the NTLM hashes

We are going to change the rules that JTR uses, so we will make two backups of the rules file:

cp john.conf john.conf.old
cp john.conf john.conf.ntlm

Then edit the rules file, as follows:

  • In john.conf.ntlm
    • Replace "List.Rules:Wordlist" with "List.Rules:Disabled" to disable the normal ruleset
    • Then replace "List.Rules:NT" with "List.Rules:Wordlist" to enable our specialised attack

Our NTLM hashes

To show the NTLM hashes we are trying to crack use:

./john --show=LEFT --format=NT crackmemixed.txt


Cracking our NTLM hashes

First we need to create a dictionary file which will contain just the passwords we have already obtained from LM hash-cracking, with the following command:

./john --show --format=LM crackmemixed.txt | grep -v "password hashes" | cut -d":" -f2 | sort -u > lmcracked.txt

So we now have a list of just the passwords in uppercase in lmcracked.txt. Let's put our special password rules in place:

cp john.conf.ntlm john.conf

Now we can use our specific password dictionary and rules to crack the NTLM password hashes as follows:

./john -rules --wordlist=lmcracked.txt --format=nt crackmemixed.txt
Loaded 6 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
4Ref5            (bert)
HaPpY            (erik)
fluff34          (phil)
wibble           (sam)
GRRRRReat!       (jack)
ShowMeNow        (ernie)
guesses: 6  time: 0:00:00:00 100.00% (ETA: Mon Jan 10 11:24:44 2011)  c/s: 44800  trying: GrrrRREAt! - sHOWMEnow

This took less than a second, and we have cracked the case sensitive NTLM hashes from the case insensitive LM hash-cracked passwords.

Returning JTR rules back to normal

After you are done, don't forget to put the rules back how they were:

cp john.conf.old john.conf


End to end, this exercise could have been done in under a minute. This just goes to show how weak passwords can be, and how easily they can be cracked with the right tools, network access and know-how. The defences are straightforward:
  • Disable LM hashes
  • Implement a strong password policy
  • Check this is enforced and working correctly with regular audits


  1. Can you tell me how I can break a RAR file password?

  2. Unfortunately John's default case-toggling rules only go up to 11 chars, and LM goes up to 14 chars. If you have 12-14 char plaintexts from LM, you'll need to add additional case-toggling rules:
    -c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]
    -c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]T[zD]
    -c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]T[zD]T[zE]
    -c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]T[zD]T[zE]T[zF]

  3. Thanks epixoip,
    Very interesting!


    Thanks for the suggestion, I may do a blog about that at some point.

  5. I'm in the same boat as shantanu dutta...

  6. "Unknown ciphertext format name requested" :(

  7. Can you tell me how to recover this password:

  8. Nice post pal.

    The best way I have found yet to decrypt my hash is online via . It is the best from my experience.

    It found 6 more passwords that I was unable to crack.

  9. You can do it without edit john.conf.

    ./john -format=LM /tmp/pwd
    ./john -format=LM /tmp/pwd -show | cut -d: -f2 | sed 'N;$!P;$!D;$d' > /tmp/worldlist
    ./john -format=NT /tmp/pwd -w=/tmp/worldlist -rules:NT


    Cauan G.

  10. less than a second my hairy ass.

  11. root@box:/home/user/wifu# john -i lm.txt
    Loaded 2 password hashes with no different salts (LM DES [64/64 BS MMX])
    guesses: 0 time: 0:00:00:32 c/s: 10528K trying: RYTECA3 - RYTECL2
    guesses: 0 time: 0:00:00:34 c/s: 10631K trying: ABDTO6 - ABDD5P
    guesses: 0 time: 0:00:05:57 c/s: 11511K trying: GEOPMS4 - GEOPTC*
    guesses: 0 time: 0:00:06:09 c/s: 11550K trying: FEFP08P - FEFP05B
    guesses: 0 time: 0:00:06:13 c/s: 11587K trying: S97RMC - S97RNT
    guesses: 0 time: 0:00:20:00 c/s: 9508K trying: WOYV8OA - WOYV8I1
    guesses: 0 time: 0:00:20:42 c/s: 9504K trying: BOVHLU2 - BOVHLDI
    guesses: 0 time: 0:01:30:59 c/s: 11116K trying: F3SDLNN - F3SDY1N
    guesses: 0 time: 0:01:48:22 c/s: 11177K trying: 5AY6USP - 5AY6UAA
    guesses: 0 time: 0:01:48:39 c/s: 11184K trying: 9PP908K - 9PP907K
    guesses: 0 time: 0:01:50:56 c/s: 11161K trying: D_B1VKA - D_B1VM*
    guesses: 0 time: 0:05:06:59 c/s: 13416K trying: 12D4FNM - 12D4F85
    guesses: 0 time: 0:05:08:07 c/s: 13425K trying: ES2-OM0 - ES2-OS_
    guesses: 0 time: 0:05:10:04 c/s: 13418K trying: ZMZ-HHS - ZMZ-H !
    guesses: 0 time: 0:05:15:18 c/s: 13373K trying: KRENXQO - KRESTJN
    guesses: 0 time: 0:05:16:24 c/s: 13361K trying: EJJ87 X - EJJ85ZO

    less than a second, yeah right buddy

    1. You're doing it wrong, you need to start with a good wordlist

    2. Start here

  12. It looks like you need to delete your John.pot file and start again. Usually when it says guesses:0 that's what fixes it.

  13. Please friends help me
    I have a LM:NTLM hash ACB8B68AD81BAE2FB85EBEA904A749B9:6F12FC6A112C805AD52801F38A6A9EE9
    In fact I know password consist of 11 chars out of which last 5 characters are #2345
    and remaining characters are from [a-z] or [A-Z].
    I don't know about rules.
    I want exact rules for that.

    1. The last characters are $2345, not #2345

  14. Initially it did not work for me, but after tweaking the last command of yours just worked perfectly. I executed john --rules=nt --wordlist=lmcracked.txt --format=nt crackmemixed.txt

    Thanks for this :)


