CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [36]
Understanding the LanManager Hash
Windows 2000 uses NT Lan Manager (NTLM) hashing to secure passwords in transit on the network. Depending on the password, NTLM hashing can be weak and easy to break. For example, let's say that the password is 123456abcdef. When this password is encrypted with the NTLM algorithm, it's first converted to all uppercase: 123456ABCDEF. The password is padded with null (blank) characters to make it 14 characters long: 123456ABCDEF_. Before the password is encrypted, the 14-character string is split in half: 123456A and BCDEF_. Each string is individually encrypted, and the results are concatenated:
The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15
Passwords are stored in the Security Accounts Manager (SAM) file on a Windows system and in a password shadow file on a Linux system.
Cracking Windows 2000 Passwords
The SAM file in Windows contains the usernames and hashed passwords. It's located in the Windows\system32\config directory. The file is locked when the operating system is running, so a hacker can't attempt to copy the file while the machine is booted to Windows.
One option for copying the SAM file is to boot to an alternate operating system such as DOS or Linux with a boot CD. Alternately, the file can be copied from the repair directory. If a systems administrator uses the RDISK feature of Windows to back up the system, then a compressed copy of the SAM file called SAM._ is created in C:\windows\repair. To expand this file, use the following command at the command prompt:
After the file is uncompressed, a dictionary, hybrid, or brute-force attack can be run against the SAM file using a tool like L0phtCrack.
Hacking Tools
Win32CreateLocalAdminUser is a program that creates a new user with the username and password X and adds the user to the local administrator's group. This action is part of the Metasploit Project and can be launched with the Metasploit framework on Windows.
Offline NT Password Resetter is a method of resetting the password to the administrator's account when the system isn't booted to Windows. The most common method is to boot to a Linux boot CD and then access the NTFS partition, which is no longer protected, and change the password.
Redirecting the SMB Logon to the Attacker
Another way to discover passwords on a network is to redirect the Server Message Block (SMB) logon to an attacker's computer so that the passwords are sent to the hacker. In order to do this, the hacker must sniff the NTLM responses from the authentication server and trick the victim into attempting Windows authentication with the attacker's computer. A common technique is to send the victim an e-mail message with an embedded hyperlink to a fraudulent SMB server. When the hyperlink is clicked, the user unwittingly sends their credentials over the network.
The first half of the password contains alphanumeric characters; L0phtCrack will take 24 hours to crack this part. The second half contains only letters and symbols and will take 60 seconds to crack. This is because there are many fewer combinations in the second half of the hashed password. If the password is seven characters or fewer, the second half of the hash will always be AAD3B435B51404EE.
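The uppercase, pad and split steps from the LanManager section, together with the fixed second half this paragraph quotes for passwords of seven characters or fewer, as an added example in Go that is not from the book. The DES encryption of the constant KGS!@#$% under each 7-byte half is the published LM algorithm, which the text does not spell out, and isShortPassword is a hypothetical audit helper that looks for that constant in a hash.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// lmMagic is the fixed plaintext LM DES-encrypts under each 7-byte half
// (published LM algorithm, not named on the page); emptyHalf is DES of it
// under an all-zero key: the second half the text quotes for short passwords.
var lmMagic = []byte("KGS!@#$%")
const emptyHalf = "AAD3B435B51404EE"

// expandKey spreads 7 bytes over 8 DES key bytes (7 bits each, parity bit low).
func expandKey(half []byte) []byte {
	var v uint64
	for _, b := range half {
		v = v<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte((v>>(49-7*uint(i)))&0x7f) << 1
	}
	return key
}

// lmHash follows the steps in the text: uppercase, null-pad (or cut) to
// 14 bytes, split into two 7-byte halves, DES-encrypt lmMagic under each
// half, and concatenate the two 8-byte results as uppercase hex.
func lmHash(password string) (string, error) {
	padded := make([]byte, 14) // zero bytes are the null padding
	copy(padded, strings.ToUpper(password))
	var out []byte
	for _, half := range [][]byte{padded[:7], padded[7:]} {
		block, err := des.NewCipher(expandKey(half))
		if err != nil {
			return "", err
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, lmMagic)
		out = append(out, ct...)
	}
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// isShortPassword reports whether an LM hash belongs to a password of at
// most 7 characters: an audit check on a SAM dump that needs no cracking.
func isShortPassword(hash string) bool {
	return len(hash) == 32 && strings.EqualFold(hash[16:], emptyHalf)
}
```

Running isShortPassword over every hash in a dump lists the accounts whose passwords fall entirely in the first half before any cracking tool is started.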
SMB Redirection
Several automated hacking tools can implement SMB redirection:
Hacking Tools
SMBRelay is an SMB server that captures usernames and password hashes from incoming SMB traffic. SMBRelay can also perform man-in-the-middle attacks.
SMBRelay2 is similar to SMBRelay but uses NetBIOS names instead of IP addresses to capture usernames and passwords.
pwdump2 is a program that extracts the password hashes from a SAM file on a Windows system. The extracted password hashes can then be run through L0phtCrack to break the passwords.
Samdump is another program to extract NTLM hashed passwords from a SAM file.
C2MYAZZ is a spyware program that makes Windows clients send their passwords as clear text. It displays usernames and their passwords as users attach to server resources.
SMB Relay