Decrypt SAM File !
Hello ,
well about the sam file :
what programs do you suggest to decrypt it in "reasonable" time
and there is something else i read about but not actually understood it i hope you can explain it for me :
that if the password is more than 7 characters long > windows divide it into two passwords and encrypt each one with different hash ..
is that NT and LM hashes (are those the divided passwords) ..
how does this work ,,
because i tried decrypting the sam file with lc5 (L0phtCrack) all i can see that the program is testing 7 chars long password .. and i'm pretty sure that the password is more than 7 chars long
and does Vista use NTLM hashes too or did micro$oft invented something new :D
Thanks
All passwords with 0 to 7 scharacters are encrypted with one LM hash and one NT hash.
All passwords with more than 7 characters are encrypted with two LM hashes and one NT hash.
When you decrypt them, you always break the LM ones since they have a quite low upper limit; meaning that they're easy to crack. When you get the password, you only have to bruteforce uppercase and lowercase characters to make it match the NT hash.
From Wikipedia:
The LM hash is computed as follows.
- The user’s password as an OEM string is converted to uppercase.
- This password is either null-padded or truncated to 14 bytes.
- The “fixed-length” password is split into two 7-byte halves.
- These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a zero bit after every seven bits. This generates the 64 bits needed.
- Each of these keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.
- These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
i think you can use JTR for it
yeah lc5 didn't work .. i waited 8 hours (draining the CPU) for NOTHING
i will use JTR
btw is this the right fromat in jtr
username:"LM Hash":"NT Hash"
well i'll use JTR anyway
thanks dancuc
All passwords with more than 7 characters are encrypted with two LM hashes and one NT hash
hmm .. how come the sam file have one LM hash and one NT hash for each account
When you decrypt them, you always break the LM ones since they have a quite low upper limit; meaning that they're easy to crack. When you get the password, you only have to bruteforce uppercase and lowercase characters to make it match the NT hash.
Ok ,, i'm really confused now :D..
what do you mean by break the LM hash "" ones "" ..
i'm supposed to get the hashes from the sam file which i managed to do by Cain .. right :right:
it looked like this ..
username:LM Hash:NT Hash
am i supposed to edit something in the hashes to decrypt it right (there is no second lm hash)
or just put it in txt and use JTR on it !
From Wikipedia:
does this mean that the LM Hash is 2 DES hashes which are the divided passwords ?
EDIT : Oh and offcourse JTR take care of those zero bits added after each 7 bits ..
Thanks Uber0n :happy: i'm really lucky that you saw the thread :D
G0G0 wrote: hmm .. how come the sam file have one LM hash and one NT hash for each account
LM hashes remained in use through Windows XP for compatibility's sake; older versions of Windows did not use NTLMv2 hashing, which is a much stronger form of hashing (combined with a salt). Since LM hashes are a compatibility "feature", they're an easy target. Vista doesn't store LM hashes by default (not even sure if it can at all, not that you'd want to). Also, you can disable the storage of LM hashes in Windows XP, too, which is highly recommended.
Ok ,, i'm really confused now :D.. what do you mean by break the LM hash "" ones "" .. am i supposed to edit something in the hashes to decrypt it right (there is no second lm hash)
No, you don't have to edit the hashes… he was probably hinting that, dependent upon which technique (i.e., program) you decide to use, you might need to remove the NT hash from the end in order to crack the LM one.
Apparently, JtR can crack LM hashes. Can't say I've ever used it to do so, though… I'm more familiar with a strictly Linux-based solution. Good luck with yours. :)
If its longer than 7 characters, it is essentially 2 passwords, at least for the sake of cracking. For example, I cracked "net2hand", which is 8 letters; the 'd' on the end I got through dictionary, whereas I had to bruteforce the rest of it for about an hour and a half. They become incredibly time-consuming after about 10 letters :\
Hope I made sense and you understand that a little better, I don't much understand sam's but this is one thing I'm ok with.
Uber0n wrote:
From Wikipedia: The LM hash is computed as follows.
- The user’s password as an OEM string is converted to uppercase.
- This password is either null-padded or truncated to 14 bytes.
- The “fixed-length” password is split into two 7-byte halves.
- These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a zero bit after every seven bits. This generates the 64 bits needed.
- Each of these keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.
- These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
I like this explanation better… for people that have a hard time understanding it, switch "byte" with "letter" on lines 1-4.
LM hashes remained in use through Windows XP for compatibility's sake; older versions of Windows did not use NTLMv2 hashing, which is a much stronger form of hashing (combined with a salt).
whats a salt B)
Vista doesn't store LM hashes by default (not even sure if it can at all, not that you'd want to).
so whats in the Vista's sam file ?
Also, you can disable the storage of LM hashes in Windows XP, too, which is highly recommended.
Thanks i didn't know that :happy:
No, you don't have to edit the hashes… he was probably hinting that, dependent upon which technique (i.e., program) you decide to use, you might need to remove the NT hash from the end in order to crack the LM one.
wouldn't that give me the first 7 chars of the password ?
what to do with the rest of the password ?
Apparently, JtR can crack LM hashes. Can't say I've ever used it to do so, though… I'm more familiar with a strictly Linux-based solution. Good luck with yours.
Ok ..Thanks Zephyr for your reply :happy:
If its longer than 7 characters, it is essentially 2 passwords, at least for the sake of cracking. For example, I cracked "net2hand"
you got "net2han" from the LM hash only right ?
which is 8 letters; the 'd' on the end I got through dictionary, whereas I had to bruteforce the rest of it for about an hour and a half. They become incredibly time-consuming after about 10 letters :\
how did you bruteforce the rest ..
Hope I made sense and you understand that a little better, I don't much understand sam's but this is one thing I'm ok with.
Thanks ThorsDecree :happy:
G0G0 wrote: whats a salt B)
Wikipedia says:
In cryptography, a salt consists of random bits used as one of the inputs to a key derivation function. Sometimes the initialization vector, a previously generated (preferably random) value, is used as a salt. The other input is usually a password or passphrase. The output of the key derivation function is often stored as the encrypted version of the password. A salt value can also be used as a key for use in a cipher or other cryptographic algorithm. A salt value is typically used in a hash function.
so whats in the Vista's sam file ?
NTLMv2 hashes only.
wouldn't that give me the first 7 chars of the password ?
what to do with the rest of the password ?
The LM hash is the LanMan hash of the password, which is the primary target. The NT hash, alternatively, is the MD4 hash of the password, and shouldn't be crucial in cracking the LM hashes. It's my understanding that the NT hash is only used as an NTLMv1 authentication response, but it is possible that it is used as an exploitable weakness in retrieving passwords. In other words, only definitive research can say for sure.
That being said, the LM portion should contain both hashes, in the case of a password that is over 7 characters long.
Ok ..Thanks Zephyr for your reply :happy:
You're welcome. As a final note, you shouldn't have to bruteforce any portion of an NTLMv1 hash unless the password is greater than 14 characters; in that case, you should only have to brute the 15th character (IIRC, 15 characters is the limitation on Windows passwords). When you get the SAM file, it should contain both LM hashes. NTLM hashing is actually a very interesting subject and you should read up on it here: