The Unofficial NT Hack FAQ



Section 03

Passwords

03-1. How do I access the password file in NT?
03-2. How do I crack NT passwords?
03-3. What is a "brute force" password cracker?
03-4. What is a "dictionary" password cracker?
03-5. Which method is best for cracking?
03-6. How does a Sys Admin enforce better passwords?
03-7. Can a Sys Admin prevent/stop SAM extraction?
03-8. How is password changing related to "last login time"?

03-1. How do I access the password file in NT?

The file you need is \\WINNT\SYSTEM32\CONFIG\SAM, which is the security database. It is usually world readable by default, but locked because it is in use by system components. There may also be SAM.SAV files, which could be readable. If so, these can be obtained for the purpose of getting password info.

During the installation of NT a copy of the password database is put in \\WINNT\REPAIR. Since it was just installed, only the Administrator and Guest accounts will be there, but maybe Administrator is enough -- especially if the Administrator password is not changed after installation.

If the Sys Admin updates their repair disks, or you get hold of a copy of the repair disks, you can get the password database from them. The file is SAM._ in the ERD directory.

If you are insane, you can go poking around in the SAM secret keys. First, set the Schedule service to log on as LocalSystem and allow it to interact with the desktop, then schedule an interactive regedt32 session. The regedt32 session will be running as LocalSystem and you can play around in the secret keys. However, if you change some stuff this might be very bad. You have to be Administrator to do this, though, so for the hacker you need to walk up to the machine while the Administrator is logged in and distract them by telling them they're giving away Microsoft t-shirts in the lobby (this doesn't always work ;-).


03-2. How do I crack NT passwords?

First off, it should be explained that the passwords are technically not located on the server, or in the password database. What IS located there is a one-way hash of the password. Let me explain...

Two one-way hashes are stored on the server -- a Lan Manager password, and a Windows NT password. Lan Manager uses a 14 byte password. If the password is less than 14 bytes, it is padded with 0's. It is converted to upper case, and split into 7 byte halves. An 8 byte odd parity DES key is constructed from each 7 byte half. Each 8 byte DES key is encrypted with a "magic number" (0x4B47532140232425 encrypted with a key of all 1's). The results of the magic number encryption are concatenated into a 16 byte one way hash value. This value is the Lan Manager "password".

A regular Windows NT password is derived by converting the user's password to Unicode, and using MD4 to get a 16 byte value. This hash value is the NT "password".

So to crack NT passwords, the username and the corresponding one way hashes (Lan Man and NT) need to be extracted from the password database. Instead of going out and writing some code to do this, simply get a copy of Jeremy Allison's PWDUMP, which goes through SAM and gets the information for you. PWDUMP does require that you are an Administrator to get stuff out of the registry, but if you can get hold of copies of the security database from another location (see Section 03-1) you can use those.

Obviously from this point you can use one of several cracking utilities to perform either a brute force or dictionary attack on either the Lan Man or NT password. Several freeware products are available on the Internet. They include:

Cracker          Author(s)           Compiles on...  Notes
---------------- ------------------- --------------- ----------------------
c50a-nt-0.20.tgz Bob Tinsley         Unix            Dictionary cracker, a
                                                     port of Alec Muffett's
                                                     Crack 5.0 for Unix.

lc15exe.zip      Mudge and Weld Pond Unix, includes  Best of the bunch, can
                 from the L0pht      GUI NT version  do brute force very
                                     and DOS version quickly, also can use
                                                     a dictionary.

NTCrack.tar.gz   Jonathan Wilkins    Unix, includes  Dictionary cracker, on
                                     NT version      its second revision.


03-3. What is a "brute force" password cracker?

A brute force cracker simply tries all possible passwords from legal characters until it gets the password. From a cracker perspective, this is usually very time consuming. L0phtcrack 1.5, a brute force cracker, makes certain assumptions and reduces this time down considerably.

As pointed out in section 03-2, the Lan Manager password is padded to 14 bytes and split in half. The halves can be worked on individually. If the password was originally only 7 characters or less, the second half is always 0xAAD3B435B51404EE. To further ease brute force cracking, since a substantial reduction in bits occurs when deriving the 8 byte DES key from the 7 byte half, fewer keys have to be tried. Also, since the password is converted to upper case before one way encrypting it, Lan Manager password cracking does not have to take into consideration the possibility of lower case letters. L0phtcrack incorporates techniques to exploit all of these properties.

By cracking the Lan Manager password first, the NT password only has to be brute forced to determine the proper case of each alpha character.
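The Lan Manager pre-processing from 03-2 and the "null second half" check from 03-3, written out as an added example (this is not code from the FAQ, PWDUMP or L0phtcrack). The DES encryption of the magic number is left out because the Python standard library has no DES; the function names and the audit wording are this example's own.

```python
"""Added example: LAN Manager pre-processing (03-2) and an audit of a dumped
LM hash for the short-password signature described in 03-3."""

# Hash half the FAQ gives for an all-zero 7-byte half. An LM hash made of two
# of these means an empty password (or that no LM hash is stored at all).
LM_NULL_HALF = bytes.fromhex("AAD3B435B51404EE")


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Upper-case, truncate/pad with 0 bytes to 14 bytes, split into 7-byte halves."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def des_key_from_half(half: bytes) -> bytes:
    """Expand a 7-byte half into the 8-byte odd-parity DES key from 03-2.
    Each output byte holds 7 consecutive bits of the 56-bit input (most
    significant first) in its upper bits and an odd parity bit in its LSB,
    so only 56 of the 64 key bits are free: the reduction 03-3 refers to."""
    if len(half) != 7:
        raise ValueError("LM half must be exactly 7 bytes")
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1  # make the 1-bit count odd
        key.append((seven << 1) | parity)
    return bytes(key)


def lm_hash_findings(lm_hex: str) -> list[str]:
    """Audit one 32-hex-digit LM hash as dumped by a PWDUMP-style tool."""
    h = bytes.fromhex(lm_hex)
    if len(h) != 16:
        raise ValueError("LM hash must be 16 bytes")
    findings = []
    if h[8:] == LM_NULL_HALF:
        findings.append("second half is null: password is 7 characters or fewer")
    if h[:8] == LM_NULL_HALF:
        findings.append("first half is null: empty password or no LM hash stored")
    return findings
```

Running lm_hash_findings over every hash in a dump is a quick way for an admin to see how many accounts fall into the easy half of the key space before a cracker does.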

Initial tests of L0phtcrack show its brute force capability to be quite admirable. A brute force of Administrator on the NMRC dedicated cracking machine took 7 days (some Unix passwords have been worked on for 3 weeks before being cracked). The NMRC dedicated cracking machine is running Slackware on a 486 DX50, so this is quite fast by NMRC standards.

The latest version, L0phtCrack 1.5, is even faster.


03-4. What is a "dictionary" password cracker?

All three of the password crackers listed in section 03-2 can do dictionary attacks. A dictionary attack simply takes a list of dictionary words and, one at a time, hashes them with the same algorithm NT uses, checking whether the result matches the stored one way hash. If the hashes are equal, the password is considered cracked. The best of these dictionary crackers is the Crack 5.0 NT port, namely because of the strength of the mutation filters. These filters allow you to change "idiot" to "1d10t" and other advanced variations to get the most from a word list.

Although L0phtcrack doesn't do the permutations like Crack, there are several ways you can "pre-treat" a word list, in particular you can use the DOS-based TPU. This utility does a number of filter operations, so with the right amount of creativity you can create a pretty substantial list.


03-5. Which method is best for cracking?

Actually it depends on your resources and your needs. If you simply need to crack a password and there is no real time limit (just raw CPU to waste) then brute force is the way to go. If you need a password quickly, using a wordlist might shorten your time. In general, a swipe with a couple of decent word lists will get some, permutations can get a few more, and the rest can be simply brute forced. Watch what the cracked passwords are. If you can spot a pattern, such as all lower case with 2 numbers at least six characters long, this may give you some clues for what to feed your brute forcer.


03-6. How does a Sys Admin enforce better passwords?

There are several freeware utilities that allow for password changing with rules enforced. These range from the simple passwd utility by Alex Frink to Microsoft's own utilities. The NT Server 4.0 Resource Kit has a utility called Passprop that enforces random passwords. Also on Service Pack 2 is a DLL called PASSFILT that does basically the same thing.
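A password-filter style check in the spirit of 03-6 that rejects candidates which are just a mutated dictionary word of the kind 03-4 describes ("idiot" to "1d10t"), added here as an example; it is not code from the FAQ, PASSFILT or any utility named above. The word list and the substitution table are constructed for the example, and undoing the mutations rather than generating them is this example's own approach.

```python
"""Added example: reject passwords that are leet-mutated, digit-suffixed or
reversed dictionary words, the way a PASSFILT-style rule set would."""
import itertools

# Constructed word list; a real filter would load a full dictionary.
WORDLIST = {"idiot", "secret", "password", "winter"}

# Substitutions to undo; an ambiguous digit expands to every letter it may stand for.
UNLEET = {"1": "il", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
          "@": "a", "$": "s", "!": "i"}


def unmangle(candidate: str) -> set[str]:
    """Every plain word the candidate could have been mutated from: lower-case,
    with and without a trailing digit run, each leet character expanded."""
    lowered = candidate.lower()
    forms = set()
    for core in {lowered, lowered.rstrip("0123456789")}:
        choices = [UNLEET.get(ch, ch) for ch in core]
        forms.update("".join(p) for p in itertools.product(*choices))
    return forms


def is_dictionary_based(candidate: str) -> bool:
    """True if the candidate, any de-mutated form, or its reverse is a dictionary word."""
    forms = unmangle(candidate)
    forms |= {f[::-1] for f in forms}
    return any(f in WORDLIST for f in forms)


def check_password(candidate: str, min_len: int = 8) -> list[str]:
    """Return the reasons a candidate fails the filter; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if is_dictionary_based(candidate):
        reasons.append("based on a dictionary word")
    return reasons
```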


03-7. Can a Sys Admin prevent/stop SAM extraction?

As long as you can get in as Administrator, you are basically vulnerable. Microsoft has gradually increased its security for the SAM files and the hashes, but as long as things like L0phtCrack are quickly improved and Microsoft insists on backward compatibility with LAN Manager-style logins, things will be vulnerable. In fact, the latest L0phtCrack can take input from stored sniffer traces to use as the source for its password cracking. So for you sys admins out there, keep absolutely current on Service Packs and Hot Fixes. For you hackers out there, well, it's a big bright world ;-)


03-8. How is password changing related to "last login time"?

Let's say an admin is checking the last time certain users have logged in by doing a NET USER /DOMAIN. Is the info accurate? Most of the time it will NOT be.

Most users do not log in directly to the Primary Domain Controller (PDC); they log in to a Backup Domain Controller (BDC). BDCs do NOT contain read-only versions of SAM, they contain read-write versions. To keep the already ungodly amount of network traffic down, BDCs do not tell the PDC that they have an update of the last login time until a password change has been done. And the NET USER /DOMAIN command checks the PDC, so the last login time returned from this command could be wildly off (it could even show NEVER).

As a hacker, if you happen to know that password aging is not enforced, then you can bet that last login times will probably not be very accurate.

