in the news

& patches


Questions or


L0phtCrack, L0pht, their
likeness, and these pages
Copyright © 1999
L0pht Heavy Industries, Inc.
All Rights Reserved


L0phtCrack 2.5 FAQ
Last updated 10/12/99

1. Can I use a custom character set for brute forcing?

Yes. Just enter the character set you want into the Tools Options dialog box in the Character Set field. It will be saved with the file you are cracking if you decide to stop and start cracking.

2. How do I get the SAM file? It seems locked.

The SAM file in \winnt\system32\config is locked by the OS so that it cannot be read while NT is running. In order to read this file you will need to boot an alternate operating system such as Linux or DOS. Usually this file will be on an NTFS partition. Linux can read NTFS natively but DOS will need a special program to access the partition. Go to www.sysinternals.com and download NTFSDOS. It will allow you to boot off a DOS floppy, run NTFSDOS, and copy files from an NTFS partition. You can now copy the SAM file and bring it to the machine running l0phtcrack to be imported.

2. Cracking sniffer dumps seems to take a long time. Is this right?

Cracking the captured challenge/response hashes from a network capture takes a bit longer for one password than its counterpart gotten from a registry dump. The big slowdown with the network capture cracking is that each hash is encrypted with a unique challenge so that the work done cracking one password cannot be used again to crack another. This means that the time to completion scales linearly as you add password hashes to crack.

10 network challenge/response hashes will take 10 times longer to crack than just one. Ouch, that could take a long time. This type of cracking really needs to be targetted towards particular passwords to be effective. We estimate network challenge/response cracking to take 10 times longer than normal password hash cracking.

3. I get "cannot open network device or do not have sufficient privileges to install packet driver." What's wrong?

You need to have administrator privileges to do network sniffing. Or at least you have to have an administrator run l0phtcrack and choose SMB Network Capture once to have the packet driver installed.

4. I am on a switched network and can't capture anyone elses password hashes. Am I out of luck?

No. You just have to make the hashes come to you. Send out an email to your target, whether it is an individual or a whole company. Include in it a URL in the form of file:////yourcomputer/sharename/message.html. When people click on that URL they will be sending their password hashes to you for authentication.

5. I am using an international version of NT and L0phtCrack crashes, hangs, produces an error, fails to crack my password etc. What am I doing wrong?

This is mentioned in the Read Me file but we still get this question a lot. If you use a non-english language version of NT you will need to modify the registry with regedit so that you can you dump the password hashes from the registry. The registry key to modify is:


The default is "administrators". Change this to your language version for the administrators group.

6. I would like to move my license to a new machine but the unlock code does not work on the new system. What do I do?
I have had to reinstall all of my software and now my unlock code does not work. What do I do?

The serial number/unlock code pair are machine specific and will vary from system to system. To move your license from one machine to another follow these steps.
1. Delete your copy of L0phtCrack from the old system.
2. Download and install a new copy onto the new machine.
3. Email us with the new serial number and your cutomer ID code.
4. We will email you the appropriate unlock code.

7. I tried to use L0phtCrack on my AOL, Hotmail, ISP, MS Word, FileMaker Pro, etc. etc... password but it didn't work. What am I doing wrong?

(You would be surprised how often we get asked this.) L0phtCrack is for auditing Windows NT passwords only. The current version does not work on any other types passwords. Due to the increased demand for this sort of functionality we may ad these features in the future, so keep checking back.

8. Is L0phtCrack Y2K compliant?

L0phtCrack does not use any time or date specific funtions. Therefore, as long as the underlying operating system is compliant so is L0phtCrack.

9. I keep getting NULL Passwords in the cracked password file. I know these accounts have passwords why is L0phtCrack showing them as NULL?

Machine accounts that cannot be used for login have NULL passwords. User accounts that last had their password changed under MacOS, Novell, WinFrame, etc... will have NULL NT passwords.

l0phtcrack lophtcrack loftcrack l0pht crack lopht crack loft crack