How to crack LM hashes

Researching, Proof of Concepts, Hacking, Console Modding and Hacking and more. No game hacking / modding here.
Post Reply
User avatar
Sethioz
Admin
Admin
Posts: 4762
Joined: Fri Jul 27, 2007 5:11 pm
Custom: Gaming YT > https://youtube.com/SethiozEntertainment
Game Hacking YT > https://youtube.com/sethioz
Game Hacks Store > https://sethioz.com/shopz
Location: unknown
Contact:

How to crack LM hashes

Post by Sethioz »

How to crack LM hashes?!

NOTE: This tutorial is mainly about HOW TO CRACK LM HASH and may not cover
other parts about LM hashes.



Q: What is LM hash?
-It is used in windows NT.
Its full name is LAN Manager hash also known as lanman, but most commonly used
is LM.

Q: How do i reconize an LM hash?
-Heres an LM hash of text ''LM Hash'' - ''25E068D1457133CA25E068D1457133CA''
-It is 32 characters long containing HEXadecimal characters.
-HEX is a language containing ABCDEF0123456789 characters ONLY.
-MOST IMPORTANT is that hash repeats 2 times. look closely this hash!
- 25E068D1457133CA-25E068D1457133CA see now ? i added a dash to make it easy.

Q: How it is created?
-First the LM system converts password into uppercase characters.
-Then the password is truncated to 14 characters or filled with spaces if its shorter than 14.
-Now the password will be split into 2 7-character pieces and two 16 byte hashes are generated using DES algorithm.
-Last thing is to put those 16 byte hashes back togheter by generating 32-byte hash...the LAN Manager hash!

Q: Where do i get LM hash in windows?
-It is kept inside the SAM file.
-You need special tools to extract the LM password hash.


Ok lets get down to cracking it!

1. You need program that can handle LM hashes.
-there are few of them but we use only the BEST.
-you need Cain (cain & abel). You can download it [/color]HERE
-If in some reason file is corrupted or not included download it from:
http://www.oxid.it/cain.html - YES it is free! 4.9 is newest (24.04.07)

2. Install Cain & Abel. you only need Cain but those 2 programs are in 1 install
package.

3. Open Cain.
4. Click on the ''Cracker'' tab. yes the one with yellow key on it!
5. On left side of Cain there is ''tree'' where you can choose hash type.
6. Find LM & NTLM Hashes - CLICK IT!
7. Right click on right side. (where the empty table is)
8. Choose ''Add to list''
-Now there are few options. I will try to explain them!
-Import hashes from local system - It should extract your windows password hashes. ALL of your user password hashes!
-Import Hashes from a text file - like it says! First you must have list of LM hashes. You simply choose the file where the hashes are.
-Import Hashes from a SAM database - you need SAM file first which to use!
It is used when your friend needs windows password cracked. He/She will send you
the SAM file and you can extract the LM hash directly from that SAM file.

since this tutorial only covers HOW TO CRACK i will pick the :
-Import Hashes from a text file.

9. Insert your LM hash into an empty text file.
25E068D1457133CA

if there are several hashes then insert them one per row ... like this:
25E068D1457133CA25E068D1457133CA
25E068D1457133CA25E068D1457133CA
25E068D1457133CA25E068D1457133CA
25E068D1457133CA25E068D1457133CA
25E068D1457133CA25E068D1457133CA
...etc.

10. Save and Close text file.
11. Use the method ''import hashes from a text file'' and choose your text file
where you just inserted the hash/es.
12. Click next.
13. Now you should see the hashes/users you inserted.
14. Right click on the hash you wish to crack (highlight them all if you want to crack all of them)
15. There are 3 cracking methods. I will explain all of them before moving on!

Ok on the top of the list (when right clicked) you can see 3 cracking methods.

-Dictionary attack - It means the Cain uses dictionarys also known as Wordlists
to crack the passwords. It is really simple! you can even create wordlist by
just inserting random words into an text file. it must be ONE word per row.
Here is an exampl of an wordlist.
videos
extramoney
wordlist
thisismine
idontknow
you can but anything here

You DO NOT need to use uppercase character because Cain will convert every
word into uppercase and/or uses Permcase attack. It means that if your password
is PassWOrd then only word you need to crack it is ''password''
There are several wordlists avalable online. (http://www.openwall.com/wordlists/)
Finally when you choose this method there are few options. READ them carefully
because it will explain the option. 2 number brute-force means that Cain will
add 2 digits after EVERY word in the list! If the password is password94 then
you just need word ''password'' to crack it!

-Brute-Force attack - Just like it says. This method will start trying passwords
in the range you will specify. When you click on it then you must choose your hash type
which is LM ofcourse. Then Brute-Force attack window will pop-up.
First you will need to specify the ''Charset'' you can either enter is manually
under ''Custom'' or choose one from ''Predefined''.
Now you will need to specify the ''Password length''. It is located on right.
THATS IT! click start. If you choosed charset with LOTS of characters and Password
length longer than 9 characters it can take over 300 years!
It means the brute force is NOT an best way to crack them.

-Cryptanalysis attack - This method uses the ''Rainbow tables''
Huh? What? Where? How?
yes yes... it is almost like brute-force but Rainbow table contains ALL the
passwords in ''GIVEN'' password range and can crack the password in that range
in just seconds! For example if your rainbow table is in range:
loweralpha-numeric 1-9 characters then it will crack ANY password in that range.

Q: What is exactly loweralpha-numeric 1-9 ?
-all the following passwords/words are in this range!
lower1034
low2423
rainbow33
rainbow
highbow00
...etc

it means it will contain ONLY loweralpha characters and all the numbers and the
length of the word is 9 characters.


Q: ok which method i should use then? :O
This is actually really up to you, but i can help you little bit.
-Dictionary attack can be VERY powerful with RIGHT and GOOD wordlists!
it is also small and pretty much FAST.
-Brute-Force attack - is the slowest attack but CAN come in handy.
-Cryptanalysis attack - is the FASTEST but it is limited by the rainbow tables.
rainbow tables also takes a LOT of space. tables on range loweralpha-numeric 1-9
takes about 30GB space.

16. Here is detailed explaination of how to use every method.
17 A: Choose the Dictionary attack.
17 B: Now on top right corner choose ''Add''
17 C: Locate your wordlist and choose it by double-clicking on it or highlighting
and then choosing ''open''
17 D: now you will see it in the list! you can add several wordlists there!
17 E: The options:
-As is (password) - will NOT change the input word in list.
-Reverse (PASSWORD - DROWSSAP) - dont need explaination...doesnt it ?!
-Lowercase - will convert EVERY password in list into lowercase if its not.
-Uppercase - will convert EVERY word into UPPERCASE. password to PASSWORD.
-Case Perms - will brute force every word with uppercase characters! PasSwoRD ..etc
-Two Numbers Hybrid Brute - This will add 2 digits after EVERY word in list!
it will add ALL of the 2 digit numbers 00-99.

NOTE: if you have LONG words in the lists then ''case perms'' will take extremly
long time!!! because it will brute-force the word with uppercase characters and
in long words there are millions if not billions of options.

17 F:THATS IT you are done. click start!

18. Choose the Brute-Force attack.
18 A: click on LM hash!
18 B: Specify the ''Charset'' by clicking on the drop down box.
18 C: you can also use the ''Custom'' charset. Simply insert the character you wish
to use in the cracking process. For example if you know that this password contains
numbers and an symbol of ''.'' (dot, point) Then you will simpy instert this line:
0123456789.
Then it will crack the password containing numbers and an dot.
18 D: Specify the ''length'' of the password you wish to crack by choosing
minimum and maximum length of the password on the top right corner. Simply click
on the arrows to increase or decrease values. Brute Forcing LONG passwords will take
YEARS!
18 E: You are DONE! click start to start the attack!

19. Choose the Cryptanalysis attack
19 A: there are 3 options! It depends what kind of tables you have. Most likely you
have the tables made with ''winrtgen'' (the last option) CHOOSE IT!
19 B: Window will pop-up. on the right top corner choose ''add table''
19 C: locate your rainbow tables and choose them by double-clicking on them or simply
highlighting them all and clicking ''open'' button. If it does not add the tables in
the list then its because you choose too many tables. Try selecting 1-5 tables and try again.
IF still doesnt work then simply add them one-by-one by double-clicking on your table!
19 D: Thats all. Click start.


Before rushing to our website asking for help....

TIPS:
-If you are not sure are you doing it right...
Click on ''tools'' and choose ''hash calculator''
generate simple hash like ''password'' ..simply insert the word into the empty box
and press ENTER.
Now look down where it says LM: it looks like THIS
LM E52CAC67419A9A22
It is just one half so you do this:
E52CAC67419A9A22 + E52CAC67419A9A22 = E52CAC67419A9A22E52CAC67419A9A22
and you will have the Hash of ''password''
now try to crack this. its EASY because you will know what it is!

-If you cant add the hashes from text file!
simply go into your Cain&Abel INSTALL directory
Default directory is ''C:\Program Files\Cain''
Locate the LMNT.lst file and open it with notepad.
here is how the hash will look like in the file !

Guest;* empty *;*;* empty *;AAD3B435B51404EEAAD3B435B51404EE;31D6CFE0D16AE931B73C59D7E0C089C0;;LM & NTLM;

you will simply copy THIS line above into YOUR LMNT.lst file and replace the HASH with your own hash!
huh? which one? FIRST one is LM Hash and Second one is NT hash. If you have LM hash
you will replace the first hash. If you have NT hash then you will replace second one.
and in the Cain you will have your hash now!
you can replicate the line and replace hashes like that IF there is error and you
cannot add hashes from text file. I heard that this glitch/error occurs in some
computers/cain.

-Where do i get rainbow tables?
you can generate them with ''winrtgen'' but it will take YEARS on a single pc.
so you can buy them from us or from some place on net. tables can cost about:
from like 100 to 9000 US dollars!!! it all depends what lenght and characters the
rainbow tables cover! Some places in web also offers tables with Harddrive.

by Sethioz
24.april.2007
Post Reply