Monday, 10 January 2011

Password cracking: Using John The Ripper (JTR) to detect password case (LM to NTLM)

When password-cracking Windows passwords (for password audits or penetration testing) if LM hashing is not disabled, two hashes are stored in the SAM database.

The first is the LM hash (relatively easy to crack because of design flaws, but often stored for backwards-compatibility)

The second is the NTLM hash which can be more difficult to crack (when used with strong passwords).

LM hashes store passwords all uppercase, and split into 2 blocks of 7 bytes (which is part of the reason why they are so weak).

This makes LM hashes easy to crack (complete rainbow tables of all possible hashes can be easily obtained for super-fast cracking).

However, cracking the LM hash does not tell you the full story about the password, i.e. you won't know the case of the alphabetic characters in the password. The passwords could be all uppercase, all lowercase, or a mixture and finding the case of the passwords can be important.

Here I will show how to crack the LM hashes and use these to find the exact password from the NTLM hashes.

Please remember to use these techniques only for legitimate educational and testing purposes and not maliciously.


The hashes

For these tests, I first set up a test Windows XP machine and added six users with various passwords, some of which you may think would be strong, but they are not strong enough!

I extract the passwords from the SAM using fgdump.exe, and get the following:

bert:1011:5DF12C9F2162249EAAD3B435B51404EE:099C037B843FDCA6489B03635E87EA76:::
erik:1008:4E1FB9BDD16A8F51AAD3B435B51404EE:FDC342B83B8A552C742B013E8A1BCA99:::
ernie:1012:1B638DBD583CF83D64BBD09A598E07AD:01C4EA2C58B2A0326D5EDF613E60DCED:::
jack:1015:F41D0D9F9038C51884672E50BA7FB014:14EAE3724A706F637FFC150A085F6EB3:::
phil:1009:208752DBBBEC625EAAD3B435B51404EE:9762FAD5394D489BFD7F662E9BC13655:::
sam:1010:FA1961430A96F9BEAAD3B435B51404EE:53F0FAE7D53BBE6C90F843ECEB71DCA0:::


So in the following example this is the LM hash, and this is the NTLM hash.

bert:1011:5DF12C9F2162249EAAD3B435B51404EE:099C037B843FDCA6489B03635E87EA76:::

I have put these hashes in a file called crackmemixed.txt on a Backtrack 4 system in /pentest/passwords/jtr.


Cracking the LM hashes


We will be using John The Ripper, so first type

john

To crack the LM hashes it is always worth trying a dictionary attack first, as this is very fast, so I will use the following command:

./john --wordlist=/pentest/passwords/wordlists/bt4-password.txt crackmemixed.txt
Loaded 12 password hashes with no different salts (LM DES [128/128 BS SSE2])
HAPPY            (erik)
OW               (ernie:2)
SHOWMEN          (ernie:1)
GRRRRRE          (jack:1)
WIBBLE           (sam)
guesses: 5  time: 0:00:00:00 100.00% (ETA: Mon Jan 10 10:13:33 2011)  c/s: 26204K  trying: ZZAJ - {LOG}


This used over three million passwords, took less than a second and cracked some of the hashes. (For LM hashes, the passwords longer than 7 characters are crack in two 7 byte pieces)

There are a few more hashes to crack so we will let JTR do a brute-force attack on the rest:

./john --format=lm crackmemixed.txt
Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2])
AT!              (jack:2)
FLUFF34          (phil)
4REF5            (bert)
guesses: 3  time: 0:00:00:18 (3)  c/s: 19370K  trying: 4RIIN - 4RO5A


So we are all done with the LM hashes in under 20 seconds (which is pretty good). For stronger passwords, if this method was taking longer than a few minutes, I would probably would move to LM hash rainbow tables next, which would speed things up a lot.


Check our LM hash-cracked passwords


To display what we have so for we can do

./john -show crackmemixed.txt
 
bert:4REF5:1011:::
erik:HAPPY:1008:::
ernie:SHOWMENOW:1012:::
jack:GRRRRREAT!:1015:::
phil:FLUFF34:1009:::
sam:WIBBLE:1010:::

8 password hashes cracked, 0 left


... but as you can see, this is all all displayed in uppercase, as we can't tell the case of the passwords from cracking the LM hashes.


Preparing for cracking the NTLM hashes

We are going to change the rules that JTR uses, so will will make two backups of the rules file:

cp john.conf john.conf.old
cp john.conf john.conf.ntlm

Then edit the rules file, as follows:

  • In john.conf.ntlm
    • Replace "List.Rules:Wordlist" with "List.Rules:Disabled" to disable the normal ruleset
    • Then replace "List.Rules:NT" with "List.Rules:Wordlist" to enable our specialised attack


Our NTLM hashes

To show the NTLM hashes we are trying to crack use:

./john --show=LEFT --format=NT crackmemixed.txt

sam:$NT$53f0fae7d53bbe6c90f843eceb71dca0
phil:$NT$9762fad5394d489bfd7f662e9bc13655
jack:$NT$14eae3724a706f637ffc150a085f6eb3
ernie:$NT$01c4ea2c58b2a0326d5edf613e60dced
erik:$NT$fdc342b83b8a552c742b013e8a1bca99
bert:$NT$099c037b843fdca6489b03635e87ea76



Cracking our NTML hashes

First we need to create a dictionary file which will contain just the passwords we have already obtained from LM hash-cracking, with the following command:

./john --show --format=LM crackmemixed.txt | grep -v "password hashes" | cut -d":" -f2 | sort -u > lmcracked.txt


So we now have a list of just the passwords in uppercase in lmcracked.txt. Let's put our special password rules in place:

cp john.conf.ntlm john.conf

Now we can using our specific password dictionary and rules to crack the NTLM password hashes as follows:

./john -rules --wordlist=lmcracked.txt --format=nt crackmemixed.txt
 
Loaded 6 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
4Ref5            (bert)
HaPpY            (erik)
fluff34          (phil)
wibble           (sam)
GRRRRReat!       (jack)
ShowMeNow        (ernie)
guesses: 6  time: 0:00:00:00 100.00% (ETA: Mon Jan 10 11:24:44 2011)  c/s: 44800  trying: GrrrRREAt! - sHOWMEnow


This took less than a second, and we have cracked the case sensitive NTLM hashes from the case insensitive LM hash-cracked passwords.


Returning JTR rules back to normal

After you are done, don't forget to put the rules back how they were:

cp john.conf.old john.conf



Mitigation

End to end, this exercise could have been done in under a minute. This just goes to show how weak passwords can be, and how easily they can be cracked with the right tools, network access and knowhow.
  • Disable LM hashes
  • Implement a strong password policy
  • Check this is enforced and working correctly with regular audits

18 comments:

  1. can u tell me how can i break a rar file passward.

    ReplyDelete
  2. Unfortunately John's default case-toggling rules only go up to 11 chars, and LM goes up to 14 chars. If you have 12-14 char plaintexts from LM, you'll need to add additional case-toggling rules:
    -c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]
    -c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]T[zD]
    -c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]T[zD]T[zE]
    -c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]T[zD]T[zE]T[zF]

    ReplyDelete
  3. Thanks epixoip,
    Very interesting!
    Ben

    ReplyDelete
  4. SHANTANU DUTTA,

    Thanks for the suggestion, I may do a blog about that at some point.

    ReplyDelete
  5. im in the same boat as shantanu dutta...

    ReplyDelete
  6. "Unknown ciphertext format name requested" :(

    ReplyDelete
  7. Can you tell me how to recover this password:
    7C7BECE22B6AC8E11D71A58EB137820E

    ReplyDelete
  8. Nice post pal.

    The best way I have found yet to decrypt my hash is online via http://recovermypass.com . It is the best from my experience.

    It found 6 more passwords that I was unable to crack.

    ReplyDelete
  9. You can do it without edit john.conf.

    ./john -format=LM /tmp/pwd
    ./john -format=LM /tmp/pwd -show | cut -d: -f2 | sed 'N;$!P;$!D;$d' > /tmp/worldlist
    ./john -format=NT /tmp/pwd -w=/tmp/worldlist -rules:NT

    --

    Cauan G.

    ReplyDelete
  10. less than a second my hairy ass.

    ReplyDelete
  11. root@box:/home/user/wifu# john -i lm.txt
    Loaded 2 password hashes with no different salts (LM DES [64/64 BS MMX])
    guesses: 0 time: 0:00:00:32 c/s: 10528K trying: RYTECA3 - RYTECL2
    guesses: 0 time: 0:00:00:34 c/s: 10631K trying: ABDTO6 - ABDD5P
    guesses: 0 time: 0:00:05:57 c/s: 11511K trying: GEOPMS4 - GEOPTC*
    guesses: 0 time: 0:00:06:09 c/s: 11550K trying: FEFP08P - FEFP05B
    guesses: 0 time: 0:00:06:13 c/s: 11587K trying: S97RMC - S97RNT
    guesses: 0 time: 0:00:20:00 c/s: 9508K trying: WOYV8OA - WOYV8I1
    guesses: 0 time: 0:00:20:42 c/s: 9504K trying: BOVHLU2 - BOVHLDI
    guesses: 0 time: 0:01:30:59 c/s: 11116K trying: F3SDLNN - F3SDY1N
    guesses: 0 time: 0:01:48:22 c/s: 11177K trying: 5AY6USP - 5AY6UAA
    guesses: 0 time: 0:01:48:39 c/s: 11184K trying: 9PP908K - 9PP907K
    guesses: 0 time: 0:01:50:56 c/s: 11161K trying: D_B1VKA - D_B1VM*
    guesses: 0 time: 0:05:06:59 c/s: 13416K trying: 12D4FNM - 12D4F85
    guesses: 0 time: 0:05:08:07 c/s: 13425K trying: ES2-OM0 - ES2-OS_
    guesses: 0 time: 0:05:10:04 c/s: 13418K trying: ZMZ-HHS - ZMZ-H !
    guesses: 0 time: 0:05:15:18 c/s: 13373K trying: KRENXQO - KRESTJN
    guesses: 0 time: 0:05:16:24 c/s: 13361K trying: EJJ87 X - EJJ85ZO

    less than a second, yeah right buddy

    ReplyDelete
    Replies
    1. Your doing it wrong, you need to start with a good wordlist

      Delete
    2. Start here https://wiki.skullsecurity.org/Passwords

      Delete
  12. It looks liek you need to delete your John.pot file and start again. Usually when it says guesses:0 thats what fixes it.

    ReplyDelete
  13. Please frnds help me
    I have a LM:NTLM hash ACB8B68AD81BAE2FB85EBEA904A749B9:6F12FC6A112C805AD52801F38A6A9EE9
    In fact I know password consist of 11 chars out of which last 5 characters are #2345
    and remaining characters are from [a-z] or [A-Z].
    I dont know about rules.
    I want exact rules for that.

    ReplyDelete
    Replies
    1. The last characters are $2345, not #2345

      Delete