In this tutorial we will examine the process for discovering the clear text password from an LM hash that has been extracted from a workstation running Windows. A key concept to remember in learning the process is to keep the variables as simple as possible. To facilitate this, two text files have been prepared that will add and subsequently remove a series of 21 users on your local workstation. These files are freely available for download from the links below.
The files are in HTML format and can be copied to and edited in Notepad. In order to use the scripts, you will need to save the files in the “.bat” file format. Batch files can be run like executables by just double clicking on them. To convert the files to batch files, follow these steps.
- Open the text file in Notepad.
- Go to File and then click on Save As.
- In the File Name box at the bottom, remove the .txt extension and replace it with .bat.
- In the Save As Type box, change the value so that it reads: All Files.
- Navigate to the location where the file is saved, double click the file, hit Enter and close the window.
- You can repeat these steps for the remove users file and perform the removal in an automated process.
You can navigate to the Users and Computers manager in the Control Panel to confirm that the accounts have been created. You can also just type the command “Net User” at a command prompt. After you have finished the tutorials, the removeusers.txt file can be used to remove the user accounts by following the same steps on removeusers.txt and then running the removeusers.bat file.
You can review the files to see that all of the users are created in a disabled state and that their accounts expired in early 2005. It is still recommended to delete these accounts at the conclusion of each tutorial to maintain network security. The passwords in the file vary in length and complexity, but are relatively simple for demonstration purposes.
To perform this tutorial, you will need to download and install the most current version of Cain & Abel from www.oxid.it. Make sure that you install the main application as well as WinPcap as directed during the install. You will likely have to reboot after the install. If you experience any difficulty, refer to the Cain user manual located here:
Here are the steps to complete a brute force of NT password hashes. We will assume only the following:
- Cain is installed and configured properly.
- You have created the users with the script as directed.
Step 1.
Extract the hashes from the target machine. If you are performing this step on the machine where Cain is installed, follow these steps:
1. Launch Cain.
2. Navigate to the Cracker tab at the top of the application.
3. Then select LM & NTLM Hashes from the tree at the left.

4. Right click anywhere in the open space at the right and select “Add to list”.

5. In the box that pops up, keep the defaults and then select Next.

6. Now, in the cracking window, there are multiple hashes with the associated user names. These are the LM and NTLM hashes that we are going to crack.
It should look something like this: (Note: You will see more hashes than just the 21 that are installed by the script. For demonstration purposes, we have removed all user accounts except those used for this demonstration.)

Hint: User names and hashes that have an asterisk in the “<8” column are password hashes for passwords that are less than 8 characters in length.
Step 2:
Now we will configure the brute force tool in Cain to attack the LM hashes that we have extracted.
1. Right click on any of the hashes and click on “Select All”.

This will add all of the hashes to whichever cracking process you choose.
2. Right click on any of the hashes and select Brute-Force Attack > LM Hashes.

3. Now the Brute-Force Attack window appears, and we can select the parameters with which to brute force our hashes.

The Brute-Force Attack panel has two primary options to configure:
Charset: This determines the characters that will be tried in the cracking process. The default for LM hashes is A-Z and 0-9. However, you can change the values to any sequence. For LM, only use uppercase values: LM converts the password to uppercase before hashing, so lowercase characters never appear in an LM hash and trying them only wastes time.
Password Length: Here you can choose the range of password lengths that you are going to solve for.
Step 3:
For this exercise let's configure the password length to crack all passwords with lengths of 1 through 6 characters.
Begin the attack by pressing Start!
All of the hashes whose passwords fall within the brute force parameters of this test will be displayed when the brute forcing process is finished. If you followed this tutorial correctly, in about 25 minutes you will have at least 14 out of 26 cracked hashes. But I thought that we only loaded 21 user accounts to be cracked... how did we end up with 26 hashes?
One of the interesting aspects of LM hashing is that the password is hashed in two independent 7-character segments, so each half is attacked on its own. As you can see in the output, some of the cracked hashes have only some of the characters identified with a valid output, and the remaining characters are replaced with “?”. (Tip: the total number of “?” in an undefined segment is equal to the number of characters in that segment of the password. You can use this information to determine further cracking parameters as you become more proficient with the tools.)
Another nice feature of Cain is that when the LM password is brute forced, the NTLM value is also calculated and displayed.
Your Cain output should look something like this:
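The “<8” column from Step 1 and the 7-character segments described above both follow from the structure of the LM hash: each half is computed separately, and an absent second half always hashes to the same well-known constant. The following added example (not from the tutorial or from Cain) audits a constructed pwdump-style export, which is an assumed input format, and flags the accounts that still store an LM hash at all and those whose password is shorter than 8 characters.

```python
import re

# Well-known constants (not from the page): the LM hash of an empty 7-char
# half, DES_key=0("KGS!@#$%"), and the NT hash of the empty string.
LM_EMPTY_HALF = "AAD3B435B51404EE"
LM_EMPTY = LM_EMPTY_HALF * 2
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed sample in pwdump style (user:rid:LM:NT:::). Apart from the
# constants above, the hash values are made up and are not from the page.
SAMPLE_DUMP = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
bob:1002:1122334455667788AAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
carol:1003:11223344556677889900AABBCCDDEEFF:0011223344556677889900AABBCCDDEE:::
guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
this line is malformed and should be skipped
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):")

def classify_lm(lm_hex, nt_hex):
    """Classify one account by what its LM hash reveals about the password."""
    lm, nt = lm_hex.upper(), nt_hex.upper()
    if lm == LM_EMPTY:
        # Either LM storage is disabled or the password is empty; the NT hash
        # tells the two cases apart.
        return "empty-password" if nt == NT_EMPTY else "no-lm"
    if lm[16:] == LM_EMPTY_HALF:
        return "short"   # only the first segment populated: 1..7 characters
    return "long"        # both segments populated: 8..14 characters

def audit_dump(text):
    """Map user -> classification for every well-formed dump line."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            user, _rid, lm, nt = m.groups()
            result[user] = classify_lm(lm, nt)
    return result

def lm_exposed(text):
    """Users whose LM hash is stored, i.e. the accounts a brute force can reach."""
    return sorted(u for u, c in audit_dump(text).items() if c in ("short", "long"))

if __name__ == "__main__":
    for user, cls in sorted(audit_dump(SAMPLE_DUMP).items()):
        print(f"{user:8s} {cls}")
```

Accounts reported as "no-lm" are the goal of a hardening policy that disables LM hash storage; the "short" ones correspond to the asterisk in Cain's “<8” column.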
If you refer back to the AddUsers.txt file, you will see that we were able to crack all of the passwords that met the parameters we selected in a few simple steps.
This concludes the Brute Forcing with Cain tutorial. If you are interested in additional information about LM hashing, please review the following links.
http://support.microsoft.com/kb/299656/en-us/
http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
http://www.microsoft.com/security/guidance/default.mspx
http://www.microsoft.com/singapore/sme/english/issues/sgc/articles/select_sec_passwords.mspx
Support this site and the tutorials that are presented herein by purchasing Rainbow Tables here.
Thank you,
Ramius Kahn
Copyright (c) 2004, 2005 Ramius Kahn & Rainbowtables.net. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
Cain is a registered trademark of Massimiliano Montoro, is available from www.oxid.it, and is not affiliated with RainbowTables.net.