March 9th, 2007, 11:05 AM
How do I find out which password hashing Windows is using? LM, NTLM, NTLMv2?
I am trying to find out the Windows login password a computer is using. I do not have administrator privilege. I could boot from a CD. Does Offline NT Password & Registry Editor help? How do I find out?
This is the hash I dumped out from a boot cd:
It has 34 digits instead of the normal 32. You can see an XX at the end. So I am guessing it's using another type of hashing.
Anybody have any suggestion or comment?
March 9th, 2007, 03:17 PM
Please indicate what operating system it is (some sort of NT I know, but which?) and if you are talking stand alone or networked.
Just do a Google search for "reset Windows password" and you will find hundreds of tutorials and links to tools.
That is the secret: you don't want to know the current password, you want to reset it. Hey, if you can crack it easily you need to change it anyway, and if you can't it will waste a lot of your time.
As for the hash, LM would normally only be used if you were on a network that had to support legacy operating systems. NTLM is for NT 4.0 up to SP3.
NTLMv2 came out with Win NT 4.0 SP4, so even that is pretty old, but does offer much stronger encryption. Please assume that, or go buy yourself a Zimmer frame... you will need one before you are done.
Last edited by nihil; March 9th, 2007 at 10:15 PM.
March 9th, 2007, 10:51 PM
Yes, I understand I could reset the password without knowing the password using some tools.
But since this is a security forum, my goal is to research how the crack works in order to prevent it. My goal isn't to crack the password. I actually know the password, but assume I don't know it.
March 9th, 2007, 11:03 PM
Irongeek has at least two tutorials that should get you on your way.
March 10th, 2007, 09:26 AM
How it works is very simple:
1. Extract password hash
2. Crack password hash
The problem would be if I am using NTLMv2 or better and have a password like:
<€0987654321 "crack this you pillock" !"£$%^&*()_+>
And that is very easily remembered, because it is a "packed" password.
N.B. The spaces are important... a lot of dictionary and brute force tables ignore them, and will fail as a result.
EDIT: As for "preventing it"... you cannot... if I have unrestricted physical access, you are owned. It is as complicated and simple as that.
Last edited by nihil; March 10th, 2007 at 09:41 AM.
March 12th, 2007, 03:18 AM
You used the newer version of the LoginRecovery program. They tried hard to make it difficult for you to get the hash. I recommend using an earlier version, or using something else like the Ophcrack LiveCD.
Originally Posted by cpthk
Anyway, what they did is add a number to every byte in the hashes. This number is prepended to the hashes (FC). So you need to subtract FC from all the remaining bytes. FC is not part of the hash; XX is not part of the hash either. So for example, the first byte should be 6C - FC = 70.
So your real hashes should be
and the password is 4swall!owmor6
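The two questions the thread raises (how to tell from a dumped string what kind of hash it is, and how the 34-digit dump above relates to a normal 32-digit hash) can be checked with a few lines of code. The following is an added example, not code from the thread or from LoginRecovery or Ophcrack. It assumes the layout the reply above describes: a leading offset byte (FC in the thread), then the hash with that offset added to every byte, then a literal XX; the exact field layout of the original dump is not reproduced on the page, so that layout is an assumption. The classifier also uses two well-known constants: LM and NT hashes are both 16 bytes, so length alone cannot distinguish them, but an LM field equal to the empty-password LM hash is the usual sign that the machine is not storing LM hashes at all (NTLM and NTLMv2 are network authentication protocols, not stored hash formats, so they never show up in a SAM dump). The pwdump-style line is constructed for the example.

```python
import re

# Well-known constants (LM and NT hashes of the empty password).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value):
    """Describe what a single dumped hash string looks like."""
    v = value.strip()
    if HEX32.fullmatch(v):
        if v.lower() == EMPTY_LM_HASH:
            return "lm-not-stored"      # LM storage disabled (or password > 14 chars)
        if v.lower() == EMPTY_NT_HASH:
            return "empty-password"
        return "raw-hash"               # 16 bytes: LM or NT, indistinguishable by length
    # Assumed LoginRecovery-style layout from the thread: offset byte + body + "XX"
    if v.upper().endswith("XX") and len(v) % 2 == 0 and HEX_ONLY.fullmatch(v[:-2]):
        return "obfuscated"
    return "unknown"


def deobfuscate(dump):
    """Undo the per-byte offset described in the thread.

    The first byte of the dump is the offset (FC in the thread); the trailing
    XX is a marker, not data. Every remaining byte has the offset subtracted
    modulo 256, e.g. 6C - FC = 70 (as the reply states).
    """
    v = dump.strip()
    if v.upper().endswith("XX"):
        v = v[:-2]
    if len(v) < 4 or len(v) % 2:
        raise ValueError("expected an even number of hex digits with a leading offset byte")
    raw = bytes.fromhex(v)
    offset, body = raw[0], raw[1:]
    return bytes((b - offset) % 256 for b in body).hex()


def obfuscate(hash_hex, offset=0xFC):
    """Inverse of deobfuscate(), used here only to round-trip test the layout."""
    raw = bytes.fromhex(hash_hex)
    body = bytes((b + offset) % 256 for b in raw).hex().upper()
    return "%02X%sXX" % (offset, body)


def parse_pwdump_line(line):
    """Parse user:rid:lmhash:nthash::: and classify both hash fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump-style line")
    user, rid, lm, nt = parts[:4]
    return {"user": user, "rid": int(rid), "lm": classify_hash(lm), "nt": classify_hash(nt)}


if __name__ == "__main__":
    # Constructed sample line: LM storage disabled, NT hash of an empty password.
    sample = "Administrator:500:%s:%s:::" % (EMPTY_LM_HASH, EMPTY_NT_HASH)
    print(parse_pwdump_line(sample))
    print(deobfuscate("FC6CXX"))          # the thread's worked byte: 6C - FC = 70
```

Running the first byte from the reply through `deobfuscate("FC6CXX")` yields `70`, matching the arithmetic given above; the round trip `deobfuscate(obfuscate(h)) == h` is the quickest way to confirm the assumed layout before trusting a decoded value.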