
 CRYPTANALYSIS ATTACK WITH CAIN

In this tutorial we will examine the process for discovering the clear text password from an encrypted LM hash that has been extracted from a workstation running Windows. A key concept to remember in learning the process for decryption is to keep the variables as simple as possible. To facilitate this, two text files have been prepared that will add and subsequently remove a series of 20 users on your local workstation. These files are freely available for download from the links below.

AddUsers.txt

RemoveUsers.txt

The files are in HTML format and can be copied to and edited in Notepad. To use the scripts, you will need to save the files in the “.bat” file format. Batch files can be run like executables by double clicking on them. To convert the files to batch files, follow these steps.

  1. Open the text file in notepad.
  2. Go to File and then click on Save As.
  3. In the File Name window at the bottom, remove the .txt extension and replace it with a .bat.
  4. In the Save As box, change the value so that it reads: All Files.
  5. Navigate to the location where the file is saved and double click the file and then hit enter and close the file.
  6. You can repeat these steps for the remove user file and perform the removal in an automated process.

You can navigate to the users and computers manager in the control panel to confirm that the accounts have been created. You can also just type the command “Net User” at a run command prompt. After you have finished the tutorials, the removeusers.txt file can be used to remove the user accounts by following these same steps on removeusers.txt and then running the removeusers.bat file.
You can review the files to see that all of the users are created in an inactive state and that their accounts expired in early 2005. It is still recommended to delete these accounts at the conclusion of each tutorial to maintain network security. The passwords in the file vary in length and complexity, but are relatively simple for demonstration purposes.

To perform this tutorial, you will need to download and install the most current version of Cain and Abel from www.oxid.it. Make sure that you install the main application as well as WinPcap as directed during the install. You will likely have to reboot after the install. If you experience any difficulty, refer to the Cain user manual located here.

Here are the steps to complete a Cryptanalysis Attack of LM password hashes. We will assume only the following:

  1. Cain is installed and configured properly.
  2. You have created the users with the script as directed.

Step 1:

Extract the hashes from the target machine. If you are performing this step local to the install of Cain then follow these steps:

    1. Launch Cain
    2. Navigate to the Cracker tab at the top of the application
    3. Then select the LM hashes from the tree at the left.

    4. Right click anywhere in the open space at the right and select “Add to list”

    5. In the box that pops up, keep the defaults and then select next.

    6. Now, in the cracking window, there are multiple hashes with the associated user names. These are the LM and NTLM hashes that we are going to crack.

    It should look something like this. (Note: You will see more hashes than just the 21 that are installed by
    the script. For demonstration purposes, we have removed all user accounts except those used for this
    demonstration.)

Hint: User names and Hashes that have an asterisk in the <8 column are password hashes that are less than 8 characters in length.
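
The "<8" column exists because LM upper-cases the password, pads it to 14 bytes and hashes each 7-byte half independently, so a password of seven characters or fewer always produces the same constant second half. The following is an added example, not part of the original tutorial or of Cain: it audits a pwdump-style export for accounts that still store an LM hash. The `user:rid:lm:nt:::` layout, the function names and the sample lines are assumptions constructed here.

```python
# Added example: audit a pwdump-style hash export for stored LM hashes.
# Assumed line format (not from the page): user:rid:lm_hash:nt_hash:::
# An empty 7-byte LM half always hashes to this well-known constant.
EMPTY_LM_HALF = "aad3b435b51404ee"

# Constructed sample lines; the non-constant hex values are placeholders,
# not real hashes of any password.
SAMPLE_DUMP = """\
Msmith:1010:0123456789abcdef1111111111111111:22222222222222222222222222222222:::
Nsmith:1011:fedcba9876543210aad3b435b51404ee:33333333333333333333333333333333:::
Zsmith:1012:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
Ysmith:1013:NO PASSWORD*********************:55555555555555555555555555555555:::
broken line without enough fields
"""

def classify_lm(lm_hex):
    """Return 'none', 'under8' or 'full' for one LM hash field."""
    lm = lm_hex.strip().lower()
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        return "none"      # placeholder text instead of a hash
    first, second = lm[:16], lm[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "none"      # blank LM hash: nothing usable is stored
    if second == EMPTY_LM_HALF:
        return "under8"    # password fits entirely in the first half
    return "full"          # both halves carry password material

def audit(dump_text):
    """Map each account name to its LM exposure class."""
    findings = {}
    for line in dump_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue       # skip malformed lines rather than guessing
        findings[parts[0]] = classify_lm(parts[2])
    return findings

def accounts_to_remediate(dump_text):
    """Accounts whose LM hash is still stored and should be cleared."""
    return sorted(u for u, c in audit(dump_text).items() if c != "none")

if __name__ == "__main__":
    for user, exposure in audit(SAMPLE_DUMP).items():
        print(f"{user:8} {exposure}")
```

Accounts reported as `under8` or `full` still carry an LM hash; the Microsoft KB 299656 article linked at the end of this tutorial covers preventing Windows from storing it.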

Step 2:

    Now we will configure the Cryptanalysis Attack tool in Cain to attack the LM Hashes that we have extracted.

    1. Right click on any of the hashes and click on “Select All.”

    This will add all of the hashes to any of the deciphering processes that you choose.

    2. Right click on any of the hashes and select Cryptanalysis Attack (LM)


    3. Now the LM Hashes Cryptanalysis window appears, and we can select the
    parameters with which to attack our hashes.


    The LM Hashes Cryptanalysis panel has one primary option to configure:

      Add Table: This window will allow you to add any Rainbow Table at your disposal to the Rainbow Table list inside Cain. If you have recently purchased the Rainbow Tables from this site, then you can select multiple Rainbow Tables at the same time and Cain will import them all in a single process.

Step 3:

    The Rainbow Tables selected will need to be appropriate for the hash type that you intend to crack. In this example the sample Rainbow Table available for download is designed to crack any LM hash for passwords that are from 1-4 characters in length and containing characters A-Z and 0-9 only. Rainbow Tables are available here with broader functionality. Tables purchased from this site will have significantly higher success rates than the one freely available for use in this tutorial. Once you have your Rainbow Tables copied from the CDs or DVDs, use the add tables button in Cain to navigate to your table version and load each table into the LM Hashes Cryptanalysis panel and off you go!

    Next, begin the attack by pressing Start!

    Using the largest table available from this site for LM Rainbow Tables will take approximately 28 minutes to crack all of the hashes that were created by the addusers.bat file that you created. (Your cracking time will vary based on the location of the files and the processing and memory resources available on your cracking machine.)

    Your Cain output should look something like this:

              ------------------------------------------
              Msmith FOOTBALL!@#
              Dsmith 3!@#
              Nsmith SOCCER
              Esmith 456!@#
              Osmith CROKET
              Fsmith ABCdef!@#
              Psmith COW123
              Qsmith HOWNOW
              Hsmith ABC123
              Rsmith BROWNCOW
              Jsmith ABCDEF123
              Ssmith GHANDI
              Ksmith ABCDEF123
              Tsmith ABCDEF
              Usmith RTDOTNET
              Bsmith EF456
              Lsmith ABCDEF
              csmith ABC789!@#12

    If you will refer back to the AddUsers.txt file, you will see that we were able to crack all of the passwords that met the parameters we selected in a few simple steps.

    This concludes the Cryptanalysis Attacking with Cain tutorial. If you are interested in additional information about LM hashing, please review the following links.

    http://support.microsoft.com/kb/299656/en-us/
    http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx
    http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
    http://www.microsoft.com/security/guidance/default.mspx
    http://www.microsoft.com/singapore/sme/english/issues/sgc/articles/select_sec_passwords.mspx


    Support this site and the tutorials that are presented herein by purchasing Rainbow Tables here.

    Thank you,

    Ramius Kahn

    Copyright (c) 2004, 2005 Ramius Kahn & Rainbowtables.net. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

    Cain is a registered trademark of Massimiliano Montoro and is available from www.oxid.it and is not affiliated with RainbowTables.net.


Copyright 2005-2006 (c) Ramius Kahn, RamNet Inc.
All rights reserved - RainbowTables.Net
