Password cracking: Using John The Ripper (JTR) to detect password case (LM to NTLM)

When password-cracking Windows passwords (for password audits or penetration testing) if LM hashing is not disabled, two hashes are stored in the SAM database.

The first is the LM hash (relatively easy to crack because of design flaws, but often stored for backwards-compatibility)

The second is the NTLM hash which can be more difficult to crack (when used with strong passwords).

LM hashes store passwords all uppercase, and split into 2 blocks of 7 bytes (which is part of the reason why they are so weak).

This makes LM hashes easy to crack (complete rainbow tables of all possible hashes can be easily obtained for super-fast cracking).

However, cracking the LM hash does not tell you the full story about the password, i.e. you won't know the case of the alphabetic characters in the password. The passwords could be all uppercase, all lowercase, or a mixture and finding the case of the passwords can be important.

Here I will show how to crack the LM hashes and use these to find the exact password from the NTLM hashes.

Please remember to use these techniques only for legitimate educational and testing purposes and not maliciously.


The hashes

For these tests, I first set up a test Windows XP machine and added six users with various passwords, some of which you may think would be strong, but they are not strong enough!

I extract the passwords from the SAM using fgdump.exe, and get the following:

bert:1011:5DF12C9F2162249EAAD3B435B51404EE:099C037B843FDCA6489B03635E87EA76:::
erik:1008:4E1FB9BDD16A8F51AAD3B435B51404EE:FDC342B83B8A552C742B013E8A1BCA99:::
ernie:1012:1B638DBD583CF83D64BBD09A598E07AD:01C4EA2C58B2A0326D5EDF613E60DCED:::
jack:1015:F41D0D9F9038C51884672E50BA7FB014:14EAE3724A706F637FFC150A085F6EB3:::
phil:1009:208752DBBBEC625EAAD3B435B51404EE:9762FAD5394D489BFD7F662E9BC13655:::
sam:1010:FA1961430A96F9BEAAD3B435B51404EE:53F0FAE7D53BBE6C90F843ECEB71DCA0:::

So in the following example this is the LM hash, and this is the NTLM hash.

bert:1011:5DF12C9F2162249EAAD3B435B51404EE:099C037B843FDCA6489B03635E87EA76:::

I have put these hashes in a file called crackmemixed.txt on a Backtrack 4 system in /pentest/passwords/jtr.


Cracking the LM hashes


We will be using John The Ripper, so first type

john

To crack the LM hashes it is always worth trying a dictionary attack first, as this is very fast, so I will use the following command:

./john --wordlist=/pentest/passwords/wordlists/bt4-password.txt crackmemixed.txt
Loaded 12 password hashes with no different salts (LM DES [128/128 BS SSE2])
HAPPY            (erik)
OW               (ernie:2)
SHOWMEN          (ernie:1)
GRRRRRE          (jack:1)
WIBBLE           (sam)
guesses: 5  time: 0:00:00:00 100.00% (ETA: Mon Jan 10 10:13:33 2011)  c/s: 26204K  trying: ZZAJ - {LOG}

This used over three million passwords, took less than a second and cracked some of the hashes. (For LM hashes, the passwords longer than 7 characters are crack in two 7 byte pieces)

There are a few more hashes to crack so we will let JTR do a brute-force attack on the rest:

./john --format=lm crackmemixed.txt
Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2])
AT!              (jack:2)
FLUFF34          (phil)
4REF5            (bert)
guesses: 3  time: 0:00:00:18 (3)  c/s: 19370K  trying: 4RIIN - 4RO5A

So we are all done with the LM hashes in under 20 seconds (which is pretty good). For stronger passwords, if this method was taking longer than a few minutes, I would probably would move to LM hash rainbow tables next, which would speed things up a lot.


Check our LM hash-cracked passwords


To display what we have so for we can do

./john -show crackmemixed.txt
 
bert:4REF5:1011:::
erik:HAPPY:1008:::
ernie:SHOWMENOW:1012:::
jack:GRRRRREAT!:1015:::
phil:FLUFF34:1009:::
sam:WIBBLE:1010:::

8 password hashes cracked, 0 left

... but as you can see, this is all all displayed in uppercase, as we can't tell the case of the passwords from cracking the LM hashes.


Preparing for cracking the NTLM hashes

We are going to change the rules that JTR uses, so will will make two backups of the rules file:

cp john.conf john.conf.old

cp john.conf john.conf.ntlm

Then edit the rules file, as follows:

• In john.conf.ntlm
• Replace "List.Rules:Wordlist" with "List.Rules:Disabled" to disable the normal ruleset
• Then replace "List.Rules:NT" with "List.Rules:Wordlist" to enable our specialised attack

Our NTLM hashes

To show the NTLM hashes we are trying to crack use:

./john --show=LEFT --format=NT crackmemixed.txt

sam:$NT$53f0fae7d53bbe6c90f843eceb71dca0
phil:$NT$9762fad5394d489bfd7f662e9bc13655
jack:$NT$14eae3724a706f637ffc150a085f6eb3
ernie:$NT$01c4ea2c58b2a0326d5edf613e60dced
erik:$NT$fdc342b83b8a552c742b013e8a1bca99
bert:$NT$099c037b843fdca6489b03635e87ea76


Cracking our NTML hashes

First we need to create a dictionary file which will contain just the passwords we have already obtained from LM hash-cracking, with the following command:

./john --show --format=LM crackmemixed.txt | grep -v "password hashes" | cut -d":" -f2 | sort -u > lmcracked.txt


So we now have a list of just the passwords in uppercase in lmcracked.txt. Let's put our special password rules in place:

cp john.conf.ntlm john.conf

Now we can using our specific password dictionary and rules to crack the NTLM password hashes as follows:

./john -rules --wordlist=lmcracked.txt --format=nt crackmemixed.txt
 
Loaded 6 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
4Ref5            (bert)
HaPpY            (erik)
fluff34          (phil)
wibble           (sam)
GRRRRReat!       (jack)
ShowMeNow        (ernie)
guesses: 6  time: 0:00:00:00 100.00% (ETA: Mon Jan 10 11:24:44 2011)  c/s: 44800  trying: GrrrRREAt! - sHOWMEnow

This took less than a second, and we have cracked the case sensitive NTLM hashes from the case insensitive LM hash-cracked passwords.


Returning JTR rules back to normal

After you are done, don't forget to put the rules back how they were:

cp john.conf.old john.conf



Mitigation

End to end, this exercise could have been done in under a minute. This just goes to show how weak passwords can be, and how easily they can be cracked with the right tools, network access and knowhow.

• Disable LM hashes
• Implement a strong password policy
• Check this is enforced and working correctly with regular audits