May 27th, 2006, 09:16 AM
#4
Hey Hey,
When you find a 17 character password... you walk away...
I'm sure that LC5 will do passwords of 17-characters in length without a problem.. The reason the LM hash is being reported as empty is because of a 14 character limit in LM... Technically any admin worth their salt would disable the use of LM hash storage, so using LM in a pen test prolly isn't the greatest idea (Then again, most admins that frequent this site prolly don't disable it and I'm sure we'll find some that didn't know you could -- if you want to find out more check out http://support.microsoft.com/default...EN-US;q299656&)... As nihil mentioned, rainbow tables are the way to go...
I've seen rainbow tables for LM (Used in LM Auth), NT (used in Kerberos, NTLM and NTLM2 Auth), MD5, etc.... You can get LM tables from http://rainbowtables.shmoo.com/... nihil's numbers were slightly off, but you'll see a full LM hash table with 32 special characters (about the biggest LM set out there) is 42GB..
LM was left in place for legacy machines, as shops begin to roll out newer machines, they don't require continued support for LM... LM had several limitations... a length limit of 14.. it was really 7-character hashes stored together..
I've always felt that password cracking during a pen test is cheating... Password cracking should always be attempted (to ensure that passwords are reasonable), however it should be part of a Security Audit... A lot of pen testers will find a weak password and use it to hop from machine to machine, and never actually point out real vulns in your system... they identify a single point of entry and the rest goes unnoticed until the next pen test 6 months down the road when they need to find another vector because the last attack vector was removed...
You most likely won't find rainbow tables freely available for the type of password you are attempting to crack.... Your best bet (assuming you have the money) is to buy many PCs and cluster them... and start generating your own rainbow tables.... You won't bruteforce the password... The reason for this is that NT Hashes are also known as Unicode hashes... technically there are over 100,000 Unicode characters... Let's assume a more reasonable number of 256 characters.... 17 characters... each one with 256 combinations... so if I'm remembering correctly that's 256 for the first combination, 256 for the second combination, 256 for the third and so on... that's 256 ^ 17, which according to the trusty Windows Calculator is 8.7112285931760246646623899502533e+40. The number is so "low" only because you know it's 17 characters, it'd be quite a bit larger if you had to account for every number of characters... Now it's late so I'm sure my math is off somewhere... but if you could do 1000 passwords / minute.... it'd still take you 1657387479675803779425873278206.5 centuries... so for argument's sake.... let's call that uncrackable...
What is it that's written over the gates of Hell? "Abandon hope all ye who enter here"... I'd say that'd be like trying to crack a 17 character password knowing that it's using Unicode/NT Hashes.
Peace,
HT
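An added illustration (not from HT's post) of the arithmetic above: it reproduces the 256^17 keyspace and the "centuries at 1000 guesses/minute" figure, shows how much the count grows when the length is unknown, and quantifies why LM's two independent 7-character halves make a 14-character LM password far cheaper to exhaust than an NT hash of the same length. The 256-symbol alphabet and 1000 guesses/minute are the post's assumptions; the 69-symbol upper-case LM alphabet is an assumption of this example.

```python
# Added example (not from the original post): keyspace and exhaustive-search
# estimates for the NT and LM cases discussed above. Alphabet sizes and the
# guess rate are assumptions (256 symbols and 1000/min from the post; 69
# upper-case symbols for LM is this example's assumption).
from fractions import Fraction

# 365-day years, which is what the post's Windows Calculator figure implies.
MINUTES_PER_CENTURY = 60 * 24 * 365 * 100


def keyspace(alphabet_size: int, length: int, exact_length: bool = True) -> int:
    """Number of candidate passwords over `alphabet_size` symbols.

    With exact_length=True the attacker knows the length (the post's 256**17);
    otherwise every length from 1 to `length` has to be counted.
    """
    if exact_length:
        return alphabet_size ** length
    return sum(alphabet_size ** n for n in range(1, length + 1))


def centuries_to_exhaust(candidates: int, guesses_per_minute: int) -> Fraction:
    """Worst-case time to try every candidate, in centuries (exact arithmetic)."""
    return Fraction(candidates, guesses_per_minute * MINUTES_PER_CENTURY)


def lm_effective_keyspace(alphabet_size: int, length: int) -> int:
    """LM upper-cases the password, pads it to 14 bytes and hashes the two
    7-byte halves independently, so both halves cost at most 2 * alphabet**7
    rather than alphabet**14. Over 14 characters no LM hash is stored at all,
    which is why the post sees an empty LM field for a 17-character password."""
    if length > 14:
        return 0
    first_half = alphabet_size ** min(length, 7)
    second_half = alphabet_size ** max(length - 7, 0)  # 1 == known padding only
    return first_half + second_half


if __name__ == "__main__":
    nt = keyspace(256, 17)
    print(f"NT, 17 chars over 256 symbols: {nt:e} candidates")
    print(f"  at 1000 guesses/min: {float(centuries_to_exhaust(nt, 1000)):e} centuries")
    print(f"  if the length is only known to be <= 17: {keyspace(256, 17, False):e}")
    lm = lm_effective_keyspace(69, 14)
    print(f"LM, 14 chars over 69 symbols: {lm:e} candidates (naive: {69 ** 14:e})")
    print(f"  at 1000 guesses/min: {float(centuries_to_exhaust(lm, 1000)):.1f} centuries")
```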