L0phtCrack 2.5 Manual
L0phtCrack is an NT password auditing tool. It will compute NT user
passwords from the cryptographic hashes that are stored by the NT
operating system. The operating system does not store the user passwords
in their original clear-text form for security reasons. The actual user
passwords are encrypted into hashes because they are sensitive
information that can be used to impersonate any user, including the
administrator of the operating system. L0phtCrack computes the password
from a variety of sources using a variety of methods. The end result is
a state-of-the-art tool for recovering the passwords users use.
There are many uses for computing user passwords. First and foremost
is for a system administrator to audit the strength of the passwords that
their users are using. There are password filters for NT, but how do you
know how well you have chosen a filter? Without testing the passwords
generated by users against a real-world password cracker you are guessing
at the time it will take an external attacker or malicious insider to
uncover the passwords. Other uses include recovering a forgotten
password, retrieving the password of a user in order to impersonate them,
or migrating NT users to another platform such as Unix.
L0phtCrack 2.5 is distributed as a self-installing executable
distribution file. When you run the installation file it will create a
directory named \Program Files\L0phtCrack, put its files there and add a
L0phtCrack Start Menu item. You can then select L0phtCrack from the Start
Menu to run it. That's it.
You must register the product after the 15 day trial period to
continue using it. L0phtCrack is licensed per machine. Each machine
will have a unique L0phtCrack serial number. We offer online, telephone
and fax registration. When you register you will receive the unique
unlock code for your machine. You enter this code in the L0phtCrack
Registration dialog to unlock the product. In the event you need to move
your license to a new machine or OS contact firstname.lastname@example.org
and we will send a new unlock code.
If you are already a registered user of L0phtCrack 2.0 your
registration key will work with 2.5 as long as you install L0phtCrack 2.5
on the same machine that you installed 2.0 on. You shouldn't even see
the registration dialog box or need to enter in the key.
Lightning Fast Instructions for the
Load the sample password hash file that comes with L0phtCrack by using
the File Open Password File command and open the file
pwfile.txt. Then choose the Tools Run Crack command. You
are now off cracking passwords! Let that run as you read on about how to
crack your own password hashes.
Let's Get Cracking
L0phtCrack can recover passwords directly from the registry, from the
file system and backup tapes, from repair disks, or by recovering the
passwords as they traverse the network. L0phtCrack first extracts the
password hashes. This is the way the OS stores the encrypted passwords.
Then it goes to work computing the passwords, which is called
cracking. It uses three different methods.
The fastest method for cracking the passwords is a dictionary
attack. L0phtCrack tests all the words in a dictionary or word file
against the password hashes. When it finds the correct password it
displays the result. L0phtCrack ships with a small but effective word
file. Larger word files can be more effective and can be found by
searching the Internet.
The second method L0phtCrack uses is called a hybrid crack
method. This builds upon the dictionary method by adding numeric and
symbol characters to dictionary words. Many users choose passwords such
as "bogus11" or "Annaliza!!". These passwords are just dictionary words
slightly modified with additional numbers and symbols. The hybrid crack
rapidly computes these passwords. These are the types of passwords that
will pass through many password filters and policies yet still are easily
The final and most powerful cracking method is the brute force
method. This method will always recover the password no matter how
complex. It is just a matter of time. Really complex passwords that use
characters that are not directly available on the keyboard may take so
much time that it is not feasible to crack them on a single machine using
today's hardware. But most complex passwords can be cracked in a matter
of days. This is usually much shorter than the time most administrators
set their password policy expiration time to. Using a real-world
cracking tool is the only good way to know what time one should set for
How To Get the Password Hashes
L0phtCrack must first retrieve the password hashes to start the
cracking process. If you have administrator rights you can use the
Tools Dump Passwords from Registry command on the L0phtCrack menu
to retrieve the hashes. You can dump the password hashes from your local
machine or over the network if the remote machine allows network registry
access. Enter the NT machine name or IP address into the Dump Passwords
from Registry dialog box and press OK. The usernames and password hashes
are now loaded into L0phtCrack. If this is the way you have retrieved
the password hashes you may now proceed to crack them.
NOTE: L0phtCrack 2.5 is limited to dumping and opening 65K users. In
addition, large numbers of users can take a long time. Be prepared to
wait a few minutes for greater than 10,000 users.
The second method is to access the password hashes from the file
system. Since the operating system holds a lock on the SAM file where
the password hashes are stored on the file system, it is not possible to
just read them from this file while the operating system is running.
Sometimes a backup of this file is made on tape, on an Emergency Repair
Disk, or in the repair directory of the system hard drive. Also, another
operating system such as DOS can be booted from a floppy and the password
hashes can be read directly from the file system. This is especially
useful if you have physical access to the machine and it has a floppy
You load the password hashes from a "SAM" or "SAM._"
file into L0phtCrack by using the File Import SAM File menu
command and specifying the filename. L0phtCrack will automatically
expand compressed "SAM._" files on NT.
NOTE: If you are running on Windows 95/98 you will need to expand the
"SAM._" file to "SAM" using the expand utility on an NT
system. The command is expand sam._ sam.
SMB Packet Capture
The final method L0phtCrack offers is to capture the encrypted hashes
over the network. Your machine must have one or more Ethernet devices to
access the network. Use the Tools SMB Packet Capture command to
bring up the SMB Packet Capture window. You will now be capturing any
SMB authentication sessions that your network device can see. If you
are on a switched network you will only see sessions originating from your
machine or connecting to your machine.
As SMB session authentications are captured they are displayed in the
SMB Packet Capture window. The display shows source and destination IP
addresses, the user name, the SMB challenge, the encrypted LANMAN hash
and the encrypted NTLM hash, if any. The capture can be saved at any
time using the Save Capture button. To crack these hashes you must
save the capture and then open the captured file using the File Open
Password command. You can capture and crack other passwords at the same
Todd Sabin has released a free utility that can dump the password
hashes on a local machine if the SAM has been encrypted with the SYSKEY
utility that was introduced in Service Pack 3. This utility is available
at http://www.webspan.net/~tas/pwdump2/. Follow the
instructions on the web page to retrieve the password hashes. You can
then load the hashes into L0phtCrack using the File Open Password File
How To Crack the Password
The first method L0phtCrack uses to crack passwords is called a
dictionary attack. This method tries to encrypt each word in a
dictionary or word file. It then tests each encrypted word against the
password hash. If it gets a match it knows the user's password is that
dictionary word. L0phtCrack comes with a nice 25,000-word file named
words-english that contains many common words. This file or
another word file is loaded into L0phtCrack using the File Open
Wordlist File menu command. The default dictionary file is the
Next select Tools Run Crack on the menu to start the cracking
process. The default options for cracking are to run a dictionary
attack, then a hybrid attack, and then the brute force
attack. L0phtCrack runs these attacks on the password hashes in
succession by default. You can select more details about the cracking
attack in the Tools Options dialog box.
During any crack attack the L0phtCrack window displays status
information to show the progress of the attack. During dictionary
attacks the number of dictionary words tried is displayed along with the
After the dictionary attack is completed the hybrid attack
begins. The hybrid attack uses the simple patterns that users follow when
creating passwords from common words. By slightly modifying dictionary
words the way users do, L0phtCrack is able to make educated guesses about
which passwords to try. An example would be to try 'BOGUS11'.
Many users just append a few numbers or symbols to a dictionary word in
an attempt to make it a non-guessable password. L0phtCrack can guess
these passwords quickly, in much less time than it would take for a brute
force attack. L0phtCrack 2.5 checks whether number and symbol
characters have been appended to each word in the word file you have
selected. The default number of number and symbol characters is 2. This
can be changed using the Tools Options command.
Brute Force Attack
After the dictionary and hybrid attacks have completed the brute
force attack begins. Brute force can take a long time, but it usually
takes far less time than most password policies specify for password
changing. This makes passwords found during the brute force attack still
too weak. You may configure the character set that the brute force
attack uses with the Tools Options command. The default character
set is all the alphanumeric characters and the numbers 0 through 9.
You can expect the brute force attack to take 24-72 hours on
machines with CPUs ranging from Pentium II/450 to Pentium 166.
Open Password File
This command opens the file containing the password hashes. This file
can be in either L0phtCrack format (*.lc) or in the format that programs
such as PWDUMP create.
Open Wordlist File
This command opens the file containing all of the words to be used in
the dictionary attack. This type of file is also referred to as a
dictionary file. The default dictionary file that comes with the
L0phtCrack distribution is a file named words-english. You should
open this file unless you have your own custom dictionary file you want
Import SAM file
This command opens a SAM file and loads the password hashes from it.
If the file is a compressed file named SAM._ then it will be
automatically expanded on NT. If you are running on Windows 95/98 you
will need to expand the sam._ file to sam using the expand
utility on an NT system. The command is expand sam._ sam.
Save and Save As
The Save and Save As commands save the current state of the passwords,
whether they are uncracked, partially cracked or cracked. The file is
saved in the L0phtCrack (*.lc) format. This is an ASCII file that can be
edited or imported into various editors and database programs. This file
can later be reloaded into L0phtCrack and cracking can continue, either
by resuming an interrupted cracking session or by starting a new crack
session with different crack options.
Exit terminates the crack session if any and exits the program.
The Edit menu is not used.
Dump Passwords from Registry
This command opens a dialog box which accepts an NT computer name or
IP address. The computer specified is queried through remote registry
calls to dump the password hashes contained in the SAM section of the
registry. Administrator privileges and remote registry access are
required to dump the password hashes in this way.
SMB Packet Capture
This command launches the network packet capture window. SMB packet
capture promiscuously monitors your Ethernet segment for SMB network
authentication packets. When it captures an authentication session it
will display the authentication parameters (username, challenge, and
hashes) in the window.
The contents of the window can be saved at any time to a *.lc file
using the Save Capture button or they can be cleared using the
Clear Capture button. When you close the window or press
Done the capture session is terminated.
This command starts the cracking engine going to work on the password
hashes you have loaded. A progress display shows the status.
This stops a current cracking session. It can be restarted at any
The options dialog contains all the different settings for modifying
how L0phtCrack tries to crack the password hashes. The default
configuration is a compromise between yielding the most complex passwords
and taking significantly more time. Most people will not need to modify the
Options until they have tried out the default settings.
Dictionary Attacks are enabled by checking the LANMAN and NTLM
checkboxes. These are checked by default.
Dictionary/Brute Hybrid Enabled is checked by default and will yield
many simple dictionary and number symbol combinations. The default
number of numbers and symbols to try concatenated to each dictionary word
is 2. This number can be increased but it will take significantly longer
The Brute Force Attack Enabled box is checked by default. The default
character set is the alphanumeric characters. You can select one of 4
predefined character sets ranging from alpha only to all alphanumeric
plus all symbol characters. The larger character sets take a
significantly longer time when chosen. You can also enter your own
custom character set in the combo box by typing each character in. This
custom set is saved with the *.lc file.
Minimize to tray
This command minimizes the program to a small icon in the system tray.
The program window is reactivated by clicking on the small icon. This is
useful when you are intending to crack for several days.
If the SMB Packet Capture window is open it is minimized also.
Hide, Ctrl+Alt+L to show
This command hides the program window completely. It does not show up
as a program in the task manager. You can make the program visible again
using the Ctrl+Alt+L key combination. If the SMB Packet Capture window is
open it is hidden also.
This command shows the program version information, serial number, and
registration code if any.
This command launches your browser and brings you to the L0phtCrack
website where you can find updates and additional program information
when they become available.
This command launches your browser and brings you to the L0pht home
page where you can find out about other L0pht Products, search our
archives, and read our security advisories.
Appendix A - Registry Settings
If you use a non-English language version of NT you will need to
modify the registry with regedit so that you can dump the password
hashes from the registry. The registry key to modify is:
The default is "administrators". Change this to your language version
for the administrators group.
Appendix B - Technical Details About Network
Now, let's rip apart why it is so trivial to go through the LM hash on
the network. And then talk about why the NT hash doesn't matter.
| 16byte LM hash | | 16byte NT hash (md4) |
We already know that you only have to go through 7 characters to
retrieve passwords (up to 14 chars in length) in the LM hash, and that
since there is no salting being done, constants show up all over the place,
giving away too much information and speeding up attacks.
| 1st 8bytes of LMhash | second 8bytes of LMhash |
1st 8 bytes are derived from the first seven characters of the
password and the second 8 bytes are derived from the 8th through 14th
characters of the password. If the password is less than 7 characters
then the second half will always be: 0xAAD3B435B51404EE. Let's assume for
this example that the users password has a LM hash of
0xC23413A8A1E7665fAAD3B435B51404EE (which I'll save everyone the
nanosecond it would have taken for them to plug this into L0phtcrack and
have it tell them the password is "WELCOME").
Here's what happens to this hash on the network:
    +---+                          +---+
    | A |  <---------------------  | B |
    +---+                          +---+
B sends an 8 byte challenge to A. (assume 0x0001020304050607) Machine
A takes the hash of 0xC23413A8A1E7665fAAD3B435B51404EE and adds 5 nulls
to it, thus becoming
0xC23413A8A1E7665fAAD3B435B51404EE0000000000. The string
0xC23413A8A1E7665fAAD3B435B51404EE0000000000 is broken into three groups
of 7:

    C23413A8A1E766  5fAAD3B435B514  04EE0000000000

The 7 byte strings are str_to_key'd (if you will) into 8 byte odd parity
DES keys. Now we

    | 8byteDeskey1 | | 8byteDeskey2 | | 8byteDeskey3 |
8byteDeskey1 is used to encrypt the challenge 0x0001020304050607.
Let's assume the result is 0xAAAAAAAAAAAAAAAA. 8byteDeskey2 is used to
encrypt the challenge 0x0001020304050607. Let's assume the result is
0xBBBBBBBBBBBBBBBB. 8byteDeskey3 is used to encrypt the challenge
0x0001020304050607. Let's assume the result is 0xCCCCCCCCCCCCCCCC. The
three 8 byte values are concatenated (dumb!), and the 24 byte response of
0xAAAAAAAABBBBBBBBCCCCCCCC is returned to the server. The server does the
same thing to the hash on its end and compares the result to the
24 byte response. If they match, it was the correct original hash. Why
this is boneheaded:
7 char or less passwords

    | C23413A8A1E766 || 5fAAD3B435B514 || 04EE0000000000 |
The first thing we check is to see if the users password is less than
8 characters in length. We do this by taking the 7 byte value of
0x04EE0000000000, turning it into an 8 byte odd parity DES key, and
encrypting it against the 8 byte challenge of 0x0001020304050607. If we
get the result of 0xCCCCCCCCCCCCCCCC then we are pretty sure it's < 8
chars in length. In order to be sure we can run through 0x??AAD3B435B514
(ie 256 possible combinations) to see that 5f shows us the result is
0xBBBBBBBBBBBBBBBB, proving that the password is less than 7 characters
and also giving us
the last byte of the first half of the LM hash. From this point, even
assuming we're just joyriding and not worried about optimizing the way
this is done (believe me, there are much more effective ways to do this
that reduce the amount of time needed even further... this whole thing is
just showing that even a simplistic
attack works against this implementation), it's no different than how
a tool like L0phtcrack attacks the hashes in the registry.
8 char or greater passwords

    | C23413A8A1E766 || AC435F2DD90417 || CCD60000000000 |
The first thing to check is whether the password is less than 8
characters in length. Deriving the 8 byte odd parity des key from
0x04EE0000000000 and encrypting against 0x0001020304050607 does not, in
this case, give us 0xCCCCCCCCCCCCCCCC, so we know that the password is 8
characters or greater.
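As an added example (not part of the original manual and not L0phtCrack's own code), the Go program below, using only the standard crypto/des package, computes the LM hash, builds the 24 byte challenge response exactly as the text walks through it (5 nulls, three 7 byte groups, str_to_key into odd parity DES keys), and then applies the audit check from both cases above: whether the third response block is the challenge encrypted under 04EE0000000000, which tells an auditor watching a capture that the user's password is 7 characters or fewer. The challenge 0x0001020304050607 and the password "WELCOME" are the ones the text uses; "WELCOMEHOME" is a constructed 8+ character counterexample.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"math/bits"
	"strings"
)

var emptyHalf, _ = hex.DecodeString("AAD3B435B51404EE") // LM hash of an empty 7-byte half
// lmKey expands 7 bytes into an 8-byte odd-parity DES key (the "str_to_key" step).
func lmKey(b7 []byte) []byte {
	p := append(append([]byte{0}, b7...), 0) // zero guard bytes at both ends
	k := make([]byte, 8)
	for i := range k {
		k[i] = (p[i]<<uint(8-i) | p[i+1]>>uint(i)) & 0xFE // 7 bits, parity bit cleared
		if bits.OnesCount8(k[i])%2 == 0 {                 // DES keys use odd parity
			k[i]++
		}
	}
	return k
}
// desEncrypt encrypts one 8-byte block under the DES key derived from key7.
func desEncrypt(key7, block []byte) []byte {
	c, _ := des.NewCipher(lmKey(key7)) // lmKey always returns 8 bytes, so no error
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}
// lmHash: upper-case, pad to 14 bytes, encrypt "KGS!@#$%" under each 7-byte half.
func lmHash(password string) []byte {
	p := append([]byte(strings.ToUpper(password)), make([]byte, 14)...)[:14]
	magic := []byte("KGS!@#$%")
	return append(desEncrypt(p[:7], magic), desEncrypt(p[7:], magic)...)
}

// lmResponse: pad the hash with 5 nulls, split into three 7-byte keys, encrypt the challenge under each.
func lmResponse(hash, challenge []byte) []byte {
	padded := append(append([]byte{}, hash...), make([]byte, 5)...)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt(padded[i:i+7], challenge)...)
	}
	return resp
}

// shortPasswordLeak runs the Appendix B check on a captured pair: if the third block is the
// challenge under key 04EE0000000000, the second LM half is the empty constant and the password
// is at most 7 characters; trying ??AAD3B435B514 (256 keys) then confirms it and returns that byte.
func shortPasswordLeak(challenge, response []byte) (bool, int) {
	third := append(append([]byte{}, emptyHalf[6:]...), make([]byte, 5)...)
	if len(response) != 24 || !bytes.Equal(desEncrypt(third, challenge), response[16:]) {
		return false, -1
	}
	for b := 0; b < 256; b++ {
		middle := append([]byte{byte(b)}, emptyHalf[:6]...)
		if bytes.Equal(desEncrypt(middle, challenge), response[8:16]) {
			return true, b
		}
	}
	return false, -1
}

func main() {} // the functions above are driven by a caller or test
```

Because the LM response is computed from the hash alone, an auditor who sees the exchange can run shortPasswordLeak on it without ever knowing the password, which is the point the text makes about the missing salt and the fixed empty-half constant.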
It takes us, in a worst case scenario, 65535 checks to figure out that
the 2 bytes that are used in the last third are 0xCCD6. Even approaching
this in a completely brain-dead fashion (hey, turn-about is fair play),
you can go through your 7 digit combinations of characters for the first
third the same way you would the LM hash from the registry. This will
yield not only the first third of the response, but also the
first byte of the second third. Keep in mind that you already have the
last two bytes that made up the third. You could approach the middle
third in the same fashion. (Note: this whole method that MS is doing
screams for a precompute table lookup attack, which given the small
enough number of potential values
is not impossible by any means.) Thus, the challenge response is
completely brute-forcable for the LM-hash. MS made the "oversight" of
still sending the LM-hash response along with the NT response even when
SP3 was installed. Thus it was a moot point as to how tough or well done
the NT hash might or might not be. Since installing the LM-fix precludes
continued use of windows 95 machines in regards to talking to NT
machines, it is still a moot point as to how tough or well done the NT
hash might or might not be. The LM hash is incredibly weak and your more
secure NT hash is brought down to the lowest common denominator.
It would have been nice if you could type
a password greater than 14 chars into the UserManager app