Letters-Only LM Hash Database
Peter Clark writes "Disk storage has increased tremendously in the past 5 years and the blatant insecurities in the antiquated LM hashing technique have not gone away; though functionality has been added to disable LM hashes, this is not set by default. With some help from Elcomsoft, simple flat files have been created that hold every combination of LM hash for letters only passwords. Jesko has coded a server application which allows you to access this database. Simply telnet to: beginningtoseethelight.no-ip.org on port 2501 and paste in a LM hash. So how does this differ from Rainbow tables? Well this will return a password 100% of the time, using minimal processor power, in approximately less than 0.2 seconds."
Slashdot has been /.'ed. The reasons for this constipation um uh slowness is unknown.
I think someone is underestimating the /. effect.
Anyone feel that a article summary with this much technical detail should have some links or explanation of what it's actually talking about? And since I'm one of the ignorati who doesn't understand, could some please explain to me?
apterous.org
Could anyone make clear what at LM hash is? And what is the difference between this password file and a dictionary?
And sausages. Much more secure.
LM hash insecurities are nothing compaired to US govt insecurities. So go vote for change, it's election day.
Could someone please explain what an LM hash is?
The files increase exponentially in size for passwords which include numeric characters. While the security risk exists, good password design obviously minimizes it. People aren't going to be lugging around terabyte-sized password database files.
Mwaha my roomates shall fear the LM Hash database I now control! UNLESS one of them is funky enough to make a 16+ character password :)
User name : Admin
Password : ****************
LM = Lan Manager in older Windows environments. LM was known to be a bit weak on password hashing. Though I can't reach the site to read the actual article, I'm going to bet my first-productive-post ranking that this is Lan Manager.
-j
So, in other words, as bad as LM is, my current passwords would still be basically safe if I were using LM? (My passwds are 8 chars, and include upper and lower case letters, numbers, and punctuation.)
That's actually doing a lot better than I thought.
Disk storage has increased tremendously in the past 5 years and the blatant insecurities in the antiquated LM hashing technique have not gone away;
Maybe I'm being a bit thick here but how does the first part of that sentence relate to the other?
I've got a fever and the only prescription is more COBOL.
its down every few days, i havent been able to get to it at all today until just now
This is consistent Fastest-growing GAY learn what mistakes task. Rese4rch (use the sling. project returns the developer halt. Even Emacs
Who or what uses "LM hash"? It'd be nice to have an example application or two.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
By default for backward compatibility many Windows flavors use LMv1. LMv2 is a little more secure, but you need to enforce strict usage of it for it to be effective.
AnimeNEXT anime convention
There's gotta be a better way to model what a user's password can be than just all combinations of only letters, or a list of common passwords plus substitutions. I think these are the only ones I've seen. But this doesn't really reflect that "fiqojeio" is a much less likely password than say "foo7bar+".
I think this sort of attack could get much stronger than people expect if there was some sort of Markov-process-ish way of generating plausible passwords. I mean, if Google can guess when you spelled something wrong, these programs should be able to figure out which strings are more likely to be passwords. Or maybe I'm overgeneralizing by how I pick my own passwords....
"TV is great! Every New Year's I make a resolution to watch more TV." - Ann Coulter
Wow, that was brilliant, 0 comments and that machine is going up in flames.
"Alcohol, cause of, and solution to, all of life's problems" -Homer Simpson
I use john the ripper to decrypt passwords, could this potentionally replace jtr? Because wouldnt i just have to take the passwords I was going to have john the ripper decrypt and send the hashes to the telnet server mentioned in this article?
I cant look into it more right now because im at work, but I will try to figure out at home unless someone can give me an answer.
Geez lets hope they are not logging password lookups vrs IP addresses Mwhahahahahahahah
http://www.dealsites.net/wrap.php?file=beginningto seethelight.htm
"NTLM" at Wikipedia
It is used, among other things, for Active Directory authentication.
I tend to use 6-8 characters.
Numbers, upper and lower case letters.
so 62^+62^7+62^8 =2.12x10^14 combinations.
I think I'm okay for a while.
Multicase passwords do HUGE things to the statistics of the problem.
Dear Slashdot Readers,
Thank you for letting us know your passwords.
Regards,
The staff of beginningtoseethelight
Instead of using the brute-force computing approach of generating hashes and comparing them to the known hash (looking for a match), this process uses an already created list or table of passwds and their associated hashes. Creating the table is computationally and storage[ally] non-trivial, but once it is in place cracking a passwd is as easy as grep-ing through the list/table to find the known hash.
Nutshell:
cracking passwds individually: no up front work and extremely variable cracking time
creating the database: lots of work up front but dramatically reduced cracking time
The lookup approach is extremely helpful for large numbers of hashes; if you have only one or two hashes, the brute-force method probably makes more sense.
I want to drag this out as long as possible. Bring me my protractor.
in the article:
/. fortune:
beginningtoseethelight.no-ip.org
the
The light at the end of the tunnel is the headlight of an approaching train.
Am I the only one to see a connection ?
667 The Neighbour of the Beast
Mirror...let's see how long I last.
LM Hash
AAD3B435B51404EEAAD3B435B51404EE
ElcomSoft will release All Known Passwords v1.0 in two weeks.
Timang tinggi tinggi
parang sudah asah
alang alang mandi
biar sampai basah
Gee, for Windows users, I could probably guess the password in three tries and be right more than 50% of the time (much faster than trying to query a slashdotted online DB). Hint: it's probably: password admin [blank] - no password
Homer no function beer well without.
now we're gonna kick it old-skool and /. a telnet server! woo hoo, just like the old days! our next target: gopher://sunsite.unc.edu
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Can't wait till the first worm comes around that use this DB to crax0r its way deeper into networks.
I guess I'm still relatively safe though because my admin password is not only 10 characters long, but has capitals, lower case, numbers and symbols in random order.
Its H82sd*e2Tn.
Nobody is ever going to crack that!!!
Unless you have machines on your network running 95/98 you should disable LM Hash in Windows. It is there only for backwards compatibility and you can disable it easily:
; EN-US;q299656
http://support.microsoft.com/default.aspx?scid=KB
TODO: come up with a clever sig
It's funny when slashdot is slashdotted, but the linked articles work fine.
Almost seems like an In Soviet Russia joke...
I had a thought last month, when there was news of duplicates being found in the MD5 hash. For security purposes, couldn't we just use the MD5 hash along with the SHA1 hash. Would there be any string of data which held the same hash for both MD5 and SHA1? This could help increase the power of digital signatures. Anyway, this database of hashes and passwords only works for letter-only passwords, which are assumed to be quite easy to brute force anyway.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
beginningtoseethelight gets hit with a DMCA lawsuit?
And, yes, I am aware of the irony of posting this on election day in the US...
So long as you use letters, numbers and symbols in the password for example: My:Hz2 (as a bonus it is easy to remember too!)
From excellent karma to terible karma with a single +5 funny post...
It's interesting that a company that claims to be highly focused on security could let such a blatant hole sit for this long. When will they learn? Microsoft is best at making software, not operating systems. They should stick to what they do best and let the OS market go.
-- Gargonia
Never play leapfrog with a unicorn.
Please get help.
So how long before this becomes a Windows.NET Web-Service? Then all the hackers can struggle with Visual Studio .NET 2003.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I think you mean 200GB.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Cool. Now, where's the .torrent that allows me to download those files? :)
quidquid latine dictum sit altum videtur.
Assuming you have to store 7 bytes for the hash and 7 bytes for the plain text, that's 14 bytes per record and 68^7 records, or 86PiB. At today's density that's a bit over 200 hard drives, not "a single hard drive."
..
As far as I'ver understood it, every possible 7byte hash exists somewhere.
Therefore you could sort the plaintext which belongs to the hash after the hash's number.
Don't know if I'm unclear, but here is a example using single-digit-decimal numbers up to 4 (two digit binary):
[hash] / [password]
1 / 2
4 / 3
2 / 1
3 / 4
this, to save half of the space could be written as:
2
1
4
3
whereas the row number/place in the file is the hash belonging to it
.
So you would just have to jump to the row with the same number of the hash you are looking for.
Something would be needed to separate the passwords from eachother though, because the differ in length.
Therfore it would be slightly larger than the half size
n/t :)
It is well known that the LM (LanManager password) hashing technique used by older Windows OSes (thru WinMe) is insecure. Now someone has really pointed this out by simply saving all possible password hashed in a database made possible with today's cheap, large disk drives...
But that wouldn't be nearly as much fun - by being vague you get many more posts correcting grammar, explaining what should have been there in the first place, etc.
In short, better writing might promote more useful comment posts, and we wouldn't want that on Slashdot.
This issue is a bit more complicated than you think.
Please, please tell me you are joking.
I am no fan of MicroSoft, but come on, no one would really do something like this.
I figured that my passwords are safe because they are normally the tunes of music..
For example
Taaaah-dum+dum*dum#dum#taaaaah|dum!tum^du m$tum%rumtittytum.
And since I am tone deaf, It's not very likey that someone will hit upon the combination soon.
The usage of the +-@# characters is based on a matrix written in pencil on the side of the monitor.
8^)
Where on my filesystem do I find the hashes to paste into this program? Are they in the registry?
I think it'd be interesting to see this available via a DNS request, similar to how a number of black hole lists (RBLs) handle lookups.
More like making adverts and misleading marketing. Their software's only so-so, better than their OSes, but definitely not great as many make it out to be.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
There is an interesting entry in Robert Hensing's Incident Response blog about using passphrases to avoid using the NTLM hash. He is a microsoftie but what he says makes sense. I've since switched to using passphrases over 14 characters and so far have not be able to crack them with rainbow tables.
if your interested in a rainbow table demo one can be found here
Im dreaming ofa big bndwdth, That can resist the
Oddly enough, I was going to start a similar project for SHA and MD5 hashes. Sure, the DB would be huge... But huge is easily dealt with. At 4 gigabytes per DVD-R (I know, I'm such a n00b, haven't gone dual-layer yet), .zip allowing compression to 2/3rds of disk space, that's about 64 million passwords per DVD.
One DVD could easily handle:
Every Zip
Every 7-digit phone number
Every word in the dictionary (Upper, lower, and Capitalized)
Move up to a 2 disc set and get:
Every date
With a little work it'd probably be possible to do names as well.
If you really want to brute force it:
Every possible password 8 characters or less could fit on a petabyte of storage. Expensive for your average geek, but how much do you want to bet that there's some government agency that did it on a lark?
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
My God! I'm voting Bush.
The point of the article isn't that "fiqojeio" is better or worse than "foo7bar+". It is that LM hashing method is weak and should not be used.
Lasers Controlled Games!
That is untrue. Any hash can be reversed in the sense that you can generate an input that will result in a specific output.
That is NOT reversing the hash: this should be painfully bloody obvious since the process you describe runs the same hash in the same manner.
Reversing a hash - meaning you start w/ the hash and work backwards to recreate the original data - is impossible. Bits are lost during the hash process, and there is no data in the hash that will allow those bits to be reconstructed. Read _Applied_Cryptography_ by Bruce Schneier, or at least read any of the many crypto/hash FAQs available on the web. NIST has some good papers available.
I want to drag this out as long as possible. Bring me my protractor.
This might only apply to Active Directory, but I'm seeing this with not only 95/98, but with any Mac OS prior to 10.2.6, including OS 9. No LM Hash, no authentication. Thursby's ADmit Mac seems to be the simplest solution, though I'm more than willing to hear others.
I think he meant "ten years ago."
Gamingmuseum.com: Give your 3D accelerator a rest.
While it's fun to accuse MS, Moore's Law (and whatever corollary applies to storage) has caught up to encryption. I believe Dictionary Attacks and ever increasing speed/storage have rendered passwords as we know them as obsolete. Other than biometrics, anybody have any ideas? (Given of course that the average user can't remember a 6 digit voicemail password over a long weekend)
Bits don't have to be lost for a hash. Usually they are, but not always. Bits are lost because hash functions are normally designed to take an any length string and return a fixed length string. This is not always the case, however. With the LM hash specifically, the maximum input is 15 characters. While I do not know the precise algorithm used with LM, there is no reason that data must be lost by it.
In the local Security Policy->Security Options, you want to change "Network security: Lan Manager authentication level" to at least "Send NTLM response only". Or the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\LmCompatibilityLevel to at least 2.
See this page for this and related policies.
This for an overview of LM, NTLM and NTLMv2.
And here to see how to prevent storage of LM hashes.
If you have the LM Hash, and the server accepts LM Authentication, you don't need the password. At all.
Likewise, if you have the NTLM Hash, and the server accepts NTLM, NTLMv2, or LMv2 authentication, then you don't need the password.
The hashes are password equivalent.
I've written it all up in my online book (slashdot review), but...
Basically, the hashes are generated with no salt...nothing to obfuscate them. The algorithm used to log in is challenge/response:
So... The hash is not exposed on the wire. It has to be reversed from the challenge and response. That's possible (and fairly easy with LM Auth), but it's got little to do with the password/LM Hash database.
The only way to use the LM Hash database to reverse the challenge/response is to use it as a hash dictionary.
Chris -)-----
I've read a lot of this thread and haven't noticed anyone commenting on the fact that the storage of LM hashes in Windows NT/2000/XP (yes, XP has LM hashes stored by default) can be TURNED OFF (and REALLY should be)
o lSet\Contro l\Lsa
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContr
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type NoLMHash, and then press ENTER.
5. On the Edit menu, click Modify.
6. Type 1, and then click OK.
7. Restart your computer, and then change your password.
The above steps are one of the first things you should any Windows NT kernel machine that you don't want people getting into, and as you can see by this article, getting into a machine with LM hash intact is a trivial exercise at best.
For NT and Win2K there are full details here.
http://shit.slashdot.org/article.pl?sid=04/11/02/1 523212
A buddy of mine works in Network Security, so for something to do and cause it would help him with his job we made our own rainbow tables. The time it took and disk space is roughly as follows.
5 average pc's ( all about 2000Mhz or so ) took about 30 days, and generated about 18Gb or tables.
Now these tables give us about 95%+ hit rate on any LM Hash we , erm "acquire"
The tables contain all hashes upto 14 Chars length using all letters all numbers and some symbols.
Just about the only hashes these tables wont hit are the machine generated ones.
I guess the point is turn *OFF* LM hashes at all cost, and if you absolutely "must" use them, make sure you kept them secure!
oh and a side note, if you are interested in cracking / brute forcing LM hashes, make sure to run them thru a copy of L0pht Crack or some such to get all the Blank, Pass==Name, Pass==Name-reversed hashes out of the way first.
it isn't really a reversal, but you don't care, because it's the same result.
you pass in a hash, and it gives you a password that will result in that hash. There may be several passwords that could give you that hash, but you don't care, because you only need one.
The only way to use the LM Hash database to reverse the challenge/response is to use it as a hash dictionary.
The real point is that if I can get access to your hard disk, I can grab all your password hashes.
This database make it trivial to then convert all those pasword hases back into passwords, pretty much instantly.
Life is too short to proofread.
You must have a proof that P!=NP if you can say impossible. Claim your prize It has been shown that unless we have P=NP => no pseudo-randomness => one-way hash functions do not exist, then it will indeed be possible.
Reversing a hash - meaning you start w/ the hash and work backwards to recreate the original data - is impossible
Not at all.
Bits are lost during the hash process, and there is no data in the hash that will allow those bits to be reconstructed.
Again, not true.
You would be correct if you had given the definitions and worked backward:
A hash is a set A of information which represents some n other sets of information, where n is greater than 0. Your statement fails for many reasons, but chief among them is the fact that no information need be lost in hashing an input (see below).
To "hash" an input requires a function f which, when passed an input B will always produce the output A. What people miss in looking at this is that A is not (necessarily) the unique result of "hashing" B with f, so reversing f (which is computationally hard, if f is a "good" or "strong" hashing function) is going to produce B along with zero or more (possibly infinite) other possible inputs. This is what it means to "reverse" a hash.
Let's take two examples (both of which are terrible hashing functions) to illustrate:
The "input as output" hash (f(x) = x) produces its input as its output. This hashing function is easy to reverse and always has exactly one output that maps to every input.
The "first letter" hash (f(x) = first_letter_of(x)) is a very different case. In this hash, we reliably produce a fixed-size output (a desirable trait in a hashing function). However, that means that an infinite number of inputs map to the output "a", and so on. However, if your inputs are restricted (e.g. they must be 2 or less letters), then the output is also restricted and it is quite reasonable to produce the inputs for any given output (e.g. for an output "a", the inputs "aa", "ab", "ac", etc.)
These are very bad hashes for different reasons depending on what application you have in mind. For example, for storage (e.g. indexing "buckets" in a hash table) the second function produces results which cluster too many inputs into the same buckets (e.g. "s" will be a very popular bucket, while "x" will not). For cryptography it is bad for the above reason, but also because it is computationally trivial to produce the list of inputs without brute force testing of the entire domain of inputs, or even a reasonably large subset of them.
If your hashing function is based on some complex mathematical problem, though, you might come very close to having an "unreversable" hash, but even the best hashes are in fact reversable. As with cryptography (and hashing is the fraternal twin of cryptography), absolute statements about hashing should be avoided at all costs unless you have a proof in hand.