How do I find out the windows password hashing is using? lm, ntlm, ntlmv2?
Results 1 to 6 of 6

Thread: How do I find out the windows password hashing is using? lm, ntlm, ntlmv2?

Hybrid View

  1. #1
    Junior Member
    Join Date
    Mar 2007
    Posts
    4

    How do I find out the windows password hashing is using? lm, ntlm, ntlmv2?

    I am trying to find out the windows login password a computer is using. I do not have administrator privilege. I could boot from a cd. Does Offline NT Password & Registry Editor helps? How to find out?

    This is the hash I dumped out from a boot cd:
    Administrator:500:FC6C1371650726D5963A9B259AE5C80029:2437E445C0E704A73CAC16E219B42588XX:::

    It has 34 digit instead of normally 32. You can see a XX at the end. So I am guessing it's using another type of hashing.

    Any body has any suggestion or comment?

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Yes,

    Please indicate what operating system it is (some sort of NT I know, but which?) and if you are talking stand alone or networked.

    Just do a Google search for "reset Windows password" and you will find hundreds of tutorials and links to tools.

    That is the secret, you don't want to know the current password, you want to reset it Hey, if you can crack it easily you need to change it anyway, and if you can't it will waste a lot of your time.

    As for the hash, lm would normally only be used if you were on a network that had to support legacy operating systems. Ntlm is for NT 4.0 up to SP3.

    ntlmv2 came out with Win NT 4.0 SP4, so even that is pretty old, but does offer much stronger encryption. Please assume that, or go buy yourself a Zimmer frame...............you will need one before you are done
    Last edited by nihil; March 9th, 2007 at 10:15 PM.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Junior Member
    Join Date
    Mar 2007
    Posts
    4
    Yes, I understand I could reset the password without knowing the password using some tools.
    But since this is a security forum, my goal is to research how the crack works in order to prevent it. My goal isn't to crack the password. I actually know the password but assume don't know.

  4. #4
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    Irongeek has at least two tutorials that should get you on your way

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    How it works is very simple:

    1. Extract password hash
    2. Crack password hash

    Problem would be if I am using ntlmv2 or better and have a password like:

    <0987654321 "crack this you pillock" !"$%^&*()_+>

    And that is very easily remembered, because it is a "packed" password

    N.B. The spaces are important.......... a lot of dictionary and brute force tables ignore them, and will fail as a result.

    EDIT: As for "preventing it"........ you cannot.........if I have unrestricted physical access; you are owned. It is as complicated and simple as that
    Last edited by nihil; March 10th, 2007 at 09:41 AM.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Junior Member
    Join Date
    Mar 2007
    Posts
    7
    Quote Originally Posted by cpthk
    I am trying to find out the windows login password a computer is using. I do not have administrator privilege. I could boot from a cd. Does Offline NT Password & Registry Editor helps? How to find out?

    This is the hash I dumped out from a boot cd:
    Administrator:500:FC6C1371650726D5963A9B259AE5C80029:2437E445C0E704A73CAC16E219B42588XX:::

    It has 34 digit instead of normally 32. You can see a XX at the end. So I am guessing it's using another type of hashing.

    Any body has any suggestion or comment?
    You used the newer version of the LoginRecovery program. They tried hard to make it difficult for you to get the hash. I recommend using an earlier version, or using something else like the Ophcrack LiveCD.

    Anyway, what they did is they added a number to every byte in the hashes. This number is prepended to the hashes (FC). So you need to subtract FC from all the remaining bytes. FC is not part of the hash; XX is not part of the hash either. So for example, the first byte should be 6C - FC = 70.

    So your real hashes should be
    701775690B2AD99A3E9F299EE9CC042D:283BE849C4EB08AB40B01AE61DB8298C

    and the password is 4swall!owmor6

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 01:51 PM
  2. Using Vim basics
    By gore in forum Other Tutorials Forum
    Replies: 10
    Last Post: March 28th, 2005, 07:38 AM
  3. Secure Passwords Tutorial
    By NeonWizard in forum The Security Tutorials Forum
    Replies: 5
    Last Post: August 13th, 2004, 06:54 PM
  4. Windows Tweaks II
    By DeadAddict in forum Other Tutorials Forum
    Replies: 3
    Last Post: November 18th, 2003, 12:20 PM
  5. MS 1st critical update of 2003
    By qwerty_smith in forum Microsoft Security Discussions
    Replies: 1
    Last Post: February 5th, 2003, 08:41 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides