Slashdot Mirror


Letters-Only LM Hash Database

Peter Clark writes "Disk storage has increased tremendously in the past 5 years and the blatant insecurities in the antiquated LM hashing technique have not gone away; though functionality has been added to disable LM hashes, this is not set by default. With some help from Elcomsoft, simple flat files have been created that hold every combination of LM hash for letters only passwords. Jesko has coded a server application which allows you to access this database. Simply telnet to: beginningtoseethelight.no-ip.org on port 2501 and paste in a LM hash. So how does this differ from Rainbow tables? Well this will return a password 100% of the time, using minimal processor power, in approximately less than 0.2 seconds."

51 of 237 comments

  1. less than 0.2 seconds by Sediyama · · Score: 5, Funny

    I think someone is underestimating the /. effect.

  2. Someone explain? by mistersooreams · · Score: 5, Insightful

    Anyone feel that an article summary with this much technical detail should have some links or explanation of what it's actually talking about? And since I'm one of the ignorati who doesn't understand, could someone please explain to me?

    1. Re:Someone explain? by Jaruzel · · Score: 5, Informative

      As I understand it LM Hashes can't be reversed. So what someone has done here is pre-hashed an entire dictionary, and created a word=hash lookup system.

      You telnet to it, feed it the hash, and it replies with the word.

      LM hashes are how a lot of passwords are 'encrypted'

      Excuse the fuzzy description... Crypto is not my strong point.

      --
      Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
    2. Re:Someone explain? by Anonymous Coward · · Score: 5, Informative
    3. Re:Someone explain? by terraformer · · Score: 4, Informative

      They are talking about the hashing algorithm MS uses on Windoze machines and networking. LM stands for LanManager which is what the networking component in windows has been called since as far back as I can remember. What I wish people would do is send up some examples to test out. Those without regular access to windows would benefit greatly. Also, I wish I could shed some more light on the letters only thing, but I am confused as to whether that is for the hashed passwd or the hash itself. I suspect it may be the passwd itself but I am not sure since it is not clear.

      --
      Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
    4. Re:Someone explain? by Dun+Malg · · Score: 5, Informative
      Anyone feel that an article summary with this much technical detail should have some links or explanation of what it's actually talking about? And since I'm one of the ignorati who doesn't understand, could someone please explain to me?

      In simple terms, a hash is a sort of "one-way" function. Passwords are often saved as hashes. The password is fed in one end, and the hash comes out the other. The hash is saved in a file. When one logs in and types in one's password, the system feeds what you typed in through the hash function and checks if the result matches the hash of your password. Since there is no way to reverse the hash process, it's been considered fairly safe to leave these hashes moderately unprotected. This database is, presumably, a sorted collection of the possible hashes from all letters-only passwords up to a certain length. The hash can't be reversed to get the password it came from, but a huge database of all possible hashes and their originating passwords certainly makes that irrelevant.

      --
      If a job's not worth doing, it's not worth doing right.
    5. Re:Someone explain? by Doctor+Memory · · Score: 4, Funny

      I suspect it may be the passwd itself but I am not sure since it is not clear.

      Of course it's not clear, it's been hashed -- haven't you been following along?

      --
      Just junk food for thought...
    6. Re:Someone explain? by gclef · · Score: 3, Informative
      This database is, presumably, a sorted collection of the possible hashes from all letters-only passwords up to a certain length

      Actually, last time I checked, most versions of windows that used LanManager hashes split the password string into a new hash every 7 characters (yes, that is incredibly stupid). In other words, if your password was 8 characters long, there would be two hashes for your password: one that covered the first 7 characters, and one that covered the last 1 character.

      So, I would assume the folks here have done every letter combination for up to 7 character long passwords, since that's all they'd need to do.

    7. Re:Someone explain? by gweihir · · Score: 3, Informative

      As I understand it LM Hashes can't be reversed.

      That is untrue. Any hash can be reversed in the sense that you can generate an input that will result in a specific output. However the input may not be the only one generating that output and it may be computationally infeasible to do this for sufficiently random original inputs to the hash. The property of a (theoretical) perfectly secure hash is that you have to try possible inputs and hash them until you are lucky.

      In other cases you might actually be able to reverse the algorithm itself and do without trying a lot of inputs. A hash where this is possible with significantly less effort is usually called "broken".

      So what someone has done here is pre-hashed an entire dictionary, and created a word=hash lookup system.

      Yes, that is called a "Dictionary Attack", and the dictionary is a function reversing the hash and given in the form of a table. Quite an old technique. But since LM hashes are not very secure, the possibility to do this is not surprising to anybody in the field.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Someone explain? by afidel · · Score: 4, Informative

      however, for backward compatibility with older Windows 9x machines some companies still use NTLMv1.

      Actually by default all passwords shorter than 14 characters are stored as BOTH LMv2 AND LMv1 hashes in the registry and both are valid for authentication if they are present. This is true for both Windows Server 2000 and Server 2003. You CAN disable the storage of LMv1 hashes but that does not remove any existing hashes from the SAM, you would also need to force LMv2 authentication and even then someone who could steal the SAM file could get the plaintext.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    9. Re:Someone explain? by afidel · · Score: 4, Informative

      C:\WINDOWS\system32\config\SAM for XP and
      C:\WINNT\system32\config\SAM for Windows 2000
      There are tools out there like PWDUMP from SAMBA that can extract the hash from a SAM file.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    10. Re:Someone explain? by juan+large+moose · · Score: 2, Informative
      I've written up the whole thing:
      http://ubiqx.org/cifs/SMB.html#SMB.8.3
      There are two things people always forget about LM Hashes:
      1. They are not exposed on the wire.
      2. They are password equivalent.
      The LM logon protocol is challenge/response. The server sends a random 8-byte string (the challenge) and both client and server encrypt it. The client sends back the result (the response) and the server checks to see if the responses match. If so, you're in.

      Note that the hash is not sent over the wire.

      That's important, because (large databases and rainbow tables aside) you don't need the original password. The hash is computed with no salt, so it is completely password-equivalent. Someone with access to the above documentation and the LM or NTLM hash has all they need in order to fake a login.

      Chris -)-----

    11. Re:Someone explain? by Foolhardy · · Score: 2, Informative

      To stop this compatibility behavior, see the MS knowledge base article Q299656.

      Basically, you want the security policy "Network security: Do not store LAN Manager hash value on next password change." in Group Policy->Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options.
      Or you can set the registry value the policy sets directly: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash.
      Note that on 2000 and earlier, this prevents only the creation of new LM hashes; it does not delete old ones. The registry key on XP and 2003 clears all LM hashes.

      This will also break connections to 9x machines unless they have the Active Directory Client update installed.
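
An added example (not from any poster or tool in this thread): a Python audit of a pwdump-style export that shows which accounts still carry an LM hash after the policy change described above, using the 7-character split explained earlier in the thread. The account lines and their hex values are constructed, the `user:rid:lm:nt:::` layout and the non-hex LM placeholder are assumptions about the export format, and the two constants are the well-known LM and NT hashes of an empty input.

```python
import re
from collections import defaultdict

# LM hash of an empty 7-character half, and NT hash of an empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample export. Hex values are placeholders, not hashes of
# real passwords. Assumed layout: user:rid:lm_hash:nt_hash:::
SAMPLE = """\
Administrator:500:1111111111111111aad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:22222222222222223333333333333333:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
bob:1002:22222222222222224444444444444444:cccccccccccccccccccccccccccccccc:::
carol:1003:NO PASSWORD*********************:dddddddddddddddddddddddddddddddd:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:::
"""


def parse_line(line):
    """Return (user, lm, nt) for one export line, or None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return parts[0], parts[2].lower(), parts[3].lower()


def audit(dump_text):
    """Map each account name to a list of findings about its stored hashes."""
    findings = {}
    half_owners = defaultdict(set)  # non-empty LM half -> accounts using it
    for line in dump_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, lm, nt = rec
        flags = []
        # A real LM hash is 32 hex digits and differs from the empty-input
        # value; anything else means no usable LM hash is stored.
        if HEX32.match(lm) and lm != EMPTY_LM:
            flags.append("LM_HASH_STORED")
            first, second = lm[:16], lm[16:]
            # Each 7-character half is hashed independently, so an empty
            # second half reveals that the password has at most 7 characters.
            if second == EMPTY_LM_HALF:
                flags.append("PASSWORD_7_CHARS_OR_LESS")
            for half in (first, second):
                if half != EMPTY_LM_HALF:
                    half_owners[half].add(user)
        if nt == EMPTY_NT:
            flags.append("BLANK_PASSWORD")
        findings[user] = flags
    # No salt: identical halves across accounts mean identical (uppercased)
    # 7-character chunks in their passwords.
    for users in half_owners.values():
        if len(users) > 1:
            for user in users:
                if "LM_HALF_SHARED" not in findings[user]:
                    findings[user].append("LM_HALF_SHARED")
    return findings


def accounts_needing_reset(findings):
    """Accounts whose LM hash persists until the password is changed."""
    return sorted(u for u, flags in findings.items() if "LM_HASH_STORED" in flags)


if __name__ == "__main__":
    report = audit(SAMPLE)
    for user, flags in report.items():
        print(f"{user:15s} {', '.join(flags) or 'ok'}")
    print("reset required:", accounts_needing_reset(report))
```
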

    12. Re:Someone explain? by juan+large+moose · · Score: 2, Informative

      Excluding Kerberos authentication (which I should know more about, but don't) there are *two* hash types: LM and NTLM.

      The LM Hash is used when performing LM challenge/response.

      The NTLM Hash is used when performing NTLM, LMv2, and NTLMv2 challenge/response. Note that LMv2 is simply a degenerate case of NTLMv2.

      I've written a book with a whole whoppin' big section on LM and NTLM auth: http://ubiqx.org/cifs/SMB.html#SMB.8.

      Scroll down for information on specific auth protocols.

      Chris -)-----

    13. Re:Someone explain? by themightythor · · Score: 2, Informative
      So what someone has done here is pre-hashed an entire dictionary

      Kind of. If I understand it correctly, for every LM hash someone has computed an input such that the hash of that input is the hash in question. This is different from what you're proposing in that with a dictionary attack, not every hash is guaranteed to be covered. In this case, someone has "computed" the reverse hash. That is to say that given an arbitrary hash value as input, you can get a value that hashes to that back as output.
  3. of course... by Qwerpafw · · Score: 4, Insightful

    The files increase exponentially in size for passwords which include numeric characters. While the security risk exists, good password design obviously minimizes it. People aren't going to be lugging around terabyte-sized password database files.

    1. Re:of course... by Jeffrey+Baker · · Score: 4, Insightful

      Why not? A terabyte fits in a briefcase these days, and a remote attacker is not constrained by space. A petabyte of storage is barely one rack's worth and not very expensive, either.

    2. Re:of course... by cduffy · · Score: 2, Informative

      And just out of curiosity, wouldn't the master file be really compressible?

      Not really -- good hashes act random.

    3. Re:of course... by Corrado · · Score: 2, Interesting
      People aren't going to be lugging around terabyte-sized password database files.
      But they wouldn't need to. All you need is a telnet client and a network connection. And there is no reason that one couldn't add to the existing files.

      In fact, this would be a really cool project to break up into pieces. Bob takes everything starting with A|a, Steve takes B|b, etc... Then just build a front end (accessible via telnet) that passes each query off to each back end and returns the results. You could even hack together a simple Java client that would bang against an LM password file. Instant cracking tool - cool!
      --
      KangarooBox - We make IT simple!
    4. Re:of course... by Froug · · Score: 2, Informative

      No, definitely this year:
      Lacie portable 1TB drive

      Sooner than you expected, wouldn't you say? ;)

  4. Non sequitur? by Nighttime · · Score: 3, Insightful

    Disk storage has increased tremendously in the past 5 years and the blatant insecurities in the antiquated LM hashing technique have not gone away;

    Maybe I'm being a bit thick here but how does the first part of that sentence relate to the other?

    --
    I've got a fever and the only prescription is more COBOL.
    1. Re:Non sequitur? by stray · · Score: 5, Informative

      it's all about a time/space trade-off:

      - you have a password hash you want to crack

      you can either:

      - brute force your way through a long list of possible passwords to find one that matches the hash; every time you do this, it takes a lot of time and processing power

      - or you can go through all possible passwords ONCE and save the resulting hashes; subsequent cracking jobs are very fast, but you wasted a lot of space to store all possible hashes.

      thus, if disk space is cheap and you can afford to keep a couple of gigs in pre-computed hashes around, you have a very fast way of cracking weak hashes. a couple of years ago, this was not possible due to hard drives being like 200MB large.

  5. Re:What is an LM hash? by bunnyman · · Score: 5, Informative

    Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

    The LM hash is relatively weak compared to the NT hash, and it is therefore prone to fast brute force attack.

    Source: http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656

  6. Re:Please explain by rkhalloran · · Score: 3, Informative

    RTFA, but quickly, LM hash (Lan Manager hash) is the older MSFT scheme for encrypting passwords. It's been known as insecure for some time, but thought to take a fair amount of time to crack. This saves the problem; take the hashed PW, run it through this site and recover the password.

  7. modeling unknown passwords by strook · · Score: 4, Interesting

    There's gotta be a better way to model what a user's password can be than just all combinations of only letters, or a list of common passwords plus substitutions. I think these are the only ones I've seen. But this doesn't really reflect that "fiqojeio" is a much less likely password than say "foo7bar+".

    I think this sort of attack could get much stronger than people expect if there was some sort of Markov-process-ish way of generating plausible passwords. I mean, if Google can guess when you spelled something wrong, these programs should be able to figure out which strings are more likely to be passwords. Or maybe I'm overgeneralizing by how I pick my own passwords....

    --

    "TV is great! Every New Year's I make a resolution to watch more TV." - Ann Coulter

    1. Re:modeling unknown passwords by Dun+Malg · · Score: 2, Insightful
      There's gotta be a better way to model what a user's password can be than just all combinations of only letters, or a list of common passwords plus substitutions. I think these are the only ones I've seen. But this doesn't really reflect that "fiqojeio" is a much less likely password than say "foo7bar+".

      I see this as mostly just a harbinger of Things To Come. At what point will it become a trivial matter to generate a database of all possible hashes of all possible passwords (incl. all symbols and numbers), and what will we do when that point is reached? Hide the hash file? Isn't that why we moved to hashes in the first place, because hiding the password file just didn't work?

      --
      If a job's not worth doing, it's not worth doing right.
    2. Re:modeling unknown passwords by shrikel · · Score: 2, Funny
      much less likely password

      Yes, much less likely, but people sometimes choose things like that for their passwords anyway. My wife's self-chosen password to her bank account, for example, is 'Nfok3G!~qOmp', and I can tell you that NOBODY is going to guess that one!

      --
      Any sufficiently simple magic can be passed off as mere advanced technology.
  8. Re:What is an LM hash? by Tony+Hoyle · · Score: 3, Informative

    It's what Windows used to use to do authentication (NTLMv1). They improved on it a while ago (NTLMv2) but still transmit the LM hash by default in all authentication - basically rendering the security of NTLMv2 completely useless.

    I used to piss off the admins where I last worked by running L0phtCrack over their tightly secure network and telling them the admin password every time they changed it :) Luckily I was high enough in the company to get away with it (I was authorised to know the password anyway... just more fun that way).

    You can and should switch this off unless you're using just a home LAN (beats me why it isn't off by default). Even better upgrade all your network to at least Win2k then disable NTLM entirely and use kerberos (samba 3 can be a full kerberos domain member).

    (FYI: See:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\LMCompatibilityLevel

    A value of 0 (the default) means you have no security.

    Change it to 3 on your clients, or 5 on your Domain controller)

  9. This just in from beginningtoseethelight... by jmcneill · · Score: 4, Funny

    Dear Slashdot Readers,

    Thank you for letting us know your passwords.

    Regards,
    The staff of beginningtoseethelight

  10. lookup table vs computation by sczimme · · Score: 2, Informative

    Instead of using the brute-force computing approach of generating hashes and comparing them to the known hash (looking for a match), this process uses an already created list or table of passwds and their associated hashes. Creating the table is computationally and storage[ally] non-trivial, but once it is in place cracking a passwd is as easy as grep-ing through the list/table to find the known hash.

    Nutshell:

    cracking passwds individually: no up front work and extremely variable cracking time

    creating the database: lots of work up front but dramatically reduced cracking time

    The lookup approach is extremely helpful for large numbers of hashes; if you have only one or two hashes, the brute-force method probably makes more sense.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  11. Light? by alapalaya · · Score: 2, Funny

    in the article:

    beginningtoseethelight.no-ip.org

    the /. fortune:

    The light at the end of the tunnel is the headlight of an approaching train.

    Am I the only one to see a connection ?


    --
    667 The Neighbour of the Beast
  12. Re:What is an LM hash? by jfengel · · Score: 4, Informative

    LM = Lan Manager, the Windows 95 way of handling network passwords.

    hash = a way of storing passwords without leaving the password on the disk. You encrypt the password into a hash code and store that instead. You can't unencrypt it to derive the password but you can check a password guess by encrypting the guess the same way. If the guess hash == the password hash, you get in.

    The best part is, you don't have to keep the hash code a secret, because it's not the hard part. You're not asked to provide the hash value; you're asked to provide something that hashes to the value. So you can store it on the disk and even send it out over the LAN where it can be sniffed.

    That's very convenient: you can cache the hash code on every computer without having to trouble the central server to do the work. You don't want to send the password over the network (where it could be sniffed); nor is sending the hash code to the server for verification (because that could be spoofed). You distribute the hash to each computer, then let it decide if the password guess is correct. The password never goes across the network.

    That works as long as you can't decrypt the hash. But if you work long enough you can just brute force it: just run all the passwords until you come up with the one that hashes to the same value. And you can do it offline: you take the hash code back to your own computer(s) and do the brute force there. You're not sitting in front of the computer you want to hack.

    The old LM hash code was relatively short; ten years ago when it was developed disk drives were much smaller. Now a combination of big disks and big processors (and clever algorithms) make it possible to brute-force it.

    The thing is, Windows NT and later use NT hashes instead, which are more secure. But for compatibility with Windows 95 and 98, by default they also store the LM hash code. Which means that your password is sitting on a visible place on the disk, encrypted in a way which is readily reversible to modern hackers.

    That's been true for a while, but this new hack makes it trivial to decrypt; it used to take hours.

  13. awright! by sootman · · Score: 5, Funny

    now we're gonna kick it old-skool and /. a telnet server! woo hoo, just like the old days! our next target: gopher://sunsite.unc.edu

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  14. Whew! I'm still safe by DongleFondle · · Score: 5, Funny

    I guess I'm still relatively safe though because my admin password is not only 10 characters long, but has capitals, lower case, numbers and symbols in random order.

    It's H82sd*e2Tn.

    Nobody is ever going to crack that!!!

  15. Disable LM Hash by mixmasterjake · · Score: 5, Informative

    Unless you have machines on your network running 95/98 you should disable LM Hash in Windows. It is there only for backwards compatibility and you can disable it easily:

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656

    --
    TODO: come up with a clever sig
  16. Hashes by CastrTroy · · Score: 4, Insightful

    I had a thought last month, when there was news of duplicates being found in the MD5 hash. For security purposes, couldn't we just use the MD5 hash along with the SHA1 hash. Would there be any string of data which held the same hash for both MD5 and SHA1? This could help increase the power of digital signatures. Anyway, this database of hashes and passwords only works for letter-only passwords, which are assumed to be quite easy to brute force anyway.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  17. How long until... by rewt66 · · Score: 2, Funny

    beginningtoseethelight gets hit with a DMCA lawsuit?

    And, yes, I am aware of the irony of posting this on election day in the US...

  18. Re:Please explain by Not_Wiggins · · Score: 2, Interesting

    Even worse, take the hashed PW, run it through the site, and if it DOESN'T return the password, you've already eliminated a large chunk of possibilities from your (next step) brute force attack.

    Now, admittedly, it would still take ungodly long time to crack all the next possibilities, but it does save SOME time.

    This also makes one wonder if the next generation of password cracking is to distribute the terabytes of pre-digested passwords across multiple systems so that you have the "numbers only" database, the "upper and lower case letters" database, etc; let multiple crackers/hackers share their efforts in a similar way.

    Or... err... maybe I shouldn't have suggested that in a public forum. 8D

    --
    Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
  19. Re:My passwords by kidgenius · · Score: 4, Informative
    Multicase passwords do HUGE things to the statistics of the problem.

    Normally, yes. But the LM method converts everything to uppercase before hashing. So your 8 character password, that had 10^14 combinations has just been reduced down to (26+10)^8... combinations or 2.9*10^12. Now, you might be saying "That was only a factor of four drop, no big deal, still 10^12 combos left." Realize though, that this DB currently has all possible passwords of a maximum length of 15 characters. This is 2.8*10^13 combos. This is less than the 10^12 possibilities that your password has. Consider that it searches in 0.2 seconds, and your password is not so safe.

  20. Re:My passwords by DBA_01123 · · Score: 2, Informative

    If LMv1 hashes are enabled then a *case insensitive* hash of your password is there to be matched against. Even if the server isn't using them having them there at all is a HUGE hint as to what your password is. Find a match for the case insensitive hash then work through the possible case permutations of it till you get a match for the case sensitive hash. It's several orders of magnitude easier than directly going after the case sensitive hash.

  21. Re:My passwords by delta407 · · Score: 5, Informative
    Multicase passwords do HUGE things to the statistics of the problem.
    That's why Microsoft's LM hashing algorithm is so cool -- it uppercases your password before hashing. With this algorithm, multicase passwords do nothing to the statistics.
    I think I'm okay for a while.
    You're okay for about 2 hours and 34 minutes: that's how long it takes to traverse every possible alphanumeric input on the author's test rig. Additionally, the article suggests that tables including every possible LM hash for [A-Z0-9] would occupy only 1.2 TB of space, meaning that these lookups could be done in a matter of milliseconds instead.
  22. Re:My passwords by Pete+(big-pete) · · Score: 2, Interesting

    I tend to use 6-8 characters.
    Numbers, upper and lower case letters.

    I tend to use uppercase, lowercase, numbers, and punctuation. An example might look like: s1mhm$tM-BIdc! (just off the top of my head, and memorable to me)

    Most people do have horrific password security though...

    -- Pete.

  23. you need only a bit more than half of it by awolk · · Score: 2, Insightful

    Assuming you have to store 7 bytes for the hash and 7 bytes for the plain text, that's 14 bytes per record and 68^7 records, or 86PiB. At today's density that's a bit over 200 hard drives, not "a single hard drive."

    As far as I've understood it, every possible 7byte hash exists somewhere.
    Therefore you could sort the plaintext which belongs to the hash after the hash's number.
    Don't know if I'm unclear, but here is an example using single-digit-decimal numbers up to 4 (two digit binary):

    [hash] / [password]
    1 / 2
    4 / 3
    2 / 1
    3 / 4

    this, to save half of the space could be written as:
    2
    1
    4
    3

    whereas the row number/place in the file is the hash belonging to it.
    So you would just have to jump to the row with the same number of the hash you are looking for.
    Something would be needed to separate the passwords from each other though, because they differ in length.

    Therefore it would be slightly larger than the half size ..

  24. Clear writing is a lost art... by NotQuiteReal · · Score: 4, Interesting
    If the article were written more along these lines;

    It is well known that the LM (LanManager password) hashing technique used by older Windows OSes (thru WinMe) is insecure. Now someone has really pointed this out by simply saving all possible password hashes in a database made possible with today's cheap, large disk drives...

    But that wouldn't be nearly as much fun - by being vague you get many more posts correcting grammar, explaining what should have been there in the first place, etc.

    In short, better writing might promote more useful comment posts, and we wouldn't want that on Slashdot.

    --
    This issue is a bit more complicated than you think.
  25. Holy Ratshit, Batman! by deacon · · Score: 2, Funny
    That's why Microsoft's LM hashing algorithm is so cool -- it uppercases your password before hashing. With this algorithm, multicase passwords do nothing to the statistics.

    Please, please tell me you are joking.

    I am no fan of MicroSoft, but come on, no one would really do something like this.

    I figured that my passwords are safe because they are normally the tunes of music..

    For example

    Taaaah-dum+dum*dum#dum#taaaaah|dum!tum^dum$tum%rumtittytum.

    And since I am tone deaf, it's not very likely that someone will hit upon the combination soon.

    The usage of the +-@# characters is based on a matrix written in pencil on the side of the monitor.

    8^)

    1. Re:Holy Ratshit, Batman! by Oestergaard · · Score: 5, Interesting

      He is not joking. And he didn't tell the whole story either; there are several other tremendous stupidities in the LM hash which make long passwords worthless, and relatively short ones easier to break than their length would otherwise indicate (separate grouping of characters, triple-DES'ed *independently*).

      The fun part is that any default install of Windows (at least up to and including XP) will send out the current user's LM hash if he tries to connect to a SMB share.

      So, if someone placed a link on their homepage to a patched Samba which logged LM hashes, they could gather LM hashes from most of their Windows-using visitors.

      This would *include* those behind many firewalls, because many default firewall setups will allow *outgoing* connections - and in this particular case, it is indeed the Windows client that is initiating the connection to the remote web server in order to send away the current user's LM hash (along with username, domain, local machine name and other goodies).

      Yes, I told CERT about this some three years ago. They wouldn't touch it with a five foot pole. I then told Microsoft about it. Their response was something like "fixing that problem would require us to re-design our windows networking layer - therefore it is not a security problem".

      Well, there you have it.

      But hey, if you're on Windows you're fucked anyway, and none of this should really come as a shock to you :)

  26. That is NOT "reversing a hash" (-1, Misinformed) by sczimme · · Score: 4, Informative


    That is untrue. Any hash can be reversed in the sense that you can generate an input that will result in a specific output.

    That is NOT reversing the hash: this should be painfully bloody obvious since the process you describe runs the same hash in the same manner.

    Reversing a hash - meaning you start w/ the hash and work backwards to recreate the original data - is impossible. Bits are lost during the hash process, and there is no data in the hash that will allow those bits to be reconstructed. Read _Applied_Cryptography_ by Bruce Schneier, or at least read any of the many crypto/hash FAQs available on the web. NIST has some good papers available.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  27. Here's how by Foolhardy · · Score: 4, Informative

    In the local Security Policy->Security Options, you want to change "Network security: Lan Manager authentication level" to at least "Send NTLM response only". Or the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to at least 2.

    See this page for this and related policies.
    This for an overview of LM, NTLM and NTLMv2.
    And here to see how to prevent storage of LM hashes.

  28. It doesn't matter. Really. by juan+large+moose · · Score: 5, Informative
    The LM and NTLM hashes are password equivalent.

    If you have the LM Hash, and the server accepts LM Authentication, you don't need the password. At all.

    Likewise, if you have the NTLM Hash, and the server accepts NTLM, NTLMv2, or LMv2 authentication, then you don't need the password.

    The hashes are password equivalent.

    I've written it all up in my online book (slashdot review), but...

    Basically, the hashes are generated with no salt...nothing to obfuscate them. The algorithm used to log in is challenge/response:

    • The server sends a random 8-byte string (the "challenge").
    • Both client and server encrypt the challenge using the LM and/or NTLM Hash, not the password.
    • The client sends its result (the "response") back to the server.
    • The server compares results. If they match, the server grants access.

    So... The hash is not exposed on the wire. It has to be reversed from the challenge and response. That's possible (and fairly easy with LM Auth), but it's got little to do with the password/LM Hash database.

    The only way to use the LM Hash database to reverse the challenge/response is to use it as a hash dictionary.

    Chris -)-----

  29. How to NOT store LM Hash by siliconjunkie · · Score: 2, Insightful

    I've read a lot of this thread and haven't noticed anyone commenting on the fact that the storage of LM hashes in Windows NT/2000/XP (yes, XP has LM hashes stored by default) can be TURNED OFF (and REALLY should be)

    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type NoLMHash, and then press ENTER.
    5. On the Edit menu, click Modify.
    6. Type 1, and then click OK.
    7. Restart your computer, and then change your password.

    The above steps are one of the first things you should do on any Windows NT kernel machine that you don't want people getting into, and as you can see by this article, getting into a machine with LM hash intact is a trivial exercise at best.

    For NT and Win2K there are full details here.

  30. Rainbow Tables , Make your own! by OneArmedMan · · Score: 2, Interesting

    A buddy of mine works in Network Security, so for something to do and cause it would help him with his job we made our own rainbow tables. The time it took and disk space is roughly as follows.

    5 average PCs ( all about 2000Mhz or so ) took about 30 days, and generated about 18Gb of tables.

    Now these tables give us about 95%+ hit rate on any LM Hash we, erm, "acquire"

    The tables contain all hashes up to 14 Chars length using all letters all numbers and some symbols.

    Just about the only hashes these tables won't hit are the machine generated ones.

    I guess the point is turn *OFF* LM hashes at all cost, and if you absolutely "must" use them, make sure you keep them secure!

    oh and a side note, if you are interested in cracking / brute forcing LM hashes, make sure to run them thru a copy of L0pht Crack or some such to get all the Blank, Pass==Name, Pass==Name-reversed hashes out of the way first.