In this tutorial we will examine the process for discovering the clear text password from an encrypted LM hash that has been extracted from a workstation running Windows. A key concept to remember in learning the process for decryption is to keep the variables as simple as possible. To facilitate this, two text files have been prepared that will add and subsequently remove a series of 20 users on your local workstation. These files are freely available for download from the links below.
The files are in HTML format and can be copied to and edited in Notepad. In order to use the scripts, you will need to save the files in the “.bat” file format. Batch files can be run like executables by just double clicking on them. To convert the files to batch files, follow these steps.
- Open the text file in notepad.
- Go to File and then click on Save As.
- In the File Name window at the bottom, remove the .txt extension and replace it with .bat.
- In the Save As box, change the value so that it reads: All Files.
- Navigate to the location where the file is saved and double click the file and then hit enter and close the file.
- You can repeat these steps for the remove user file and perform the removal in an automated process.
You can navigate to the users and computers manager in the control panel to confirm that the accounts have been created. You can also just type the command “Net User” at a run command prompt. After you have finished the tutorials, the removeusers.txt file can be used to remove the user accounts by following these steps on removeusers.txt and then running the removeusers.bat file.
You can review the files to see that all of the users are created in an inactive state and that their accounts expired in early 2005. It is still recommended to delete these accounts at the conclusion of each tutorial to maintain network security. The passwords in the file vary in length and complexity, but are relatively simple for demonstration purposes.
To perform this tutorial, you will need to download and install the most current version of Cain and Abel from www.oxid.it. Make sure that you install the main application as well as WinPcap as directed during the install. You will likely have to reboot after the install. If you experience any difficulty, refer to the Cain user manual located here.
Here are the steps to complete a Cryptanalysis Attack of LM password hashes. We will assume only the following:
- Cain is installed and configured properly.
- You have created the users with the script as directed.
Step 1:
Extract the hashes from the target machine. If you are performing this step local to the install of Cain then follow these steps:

Hint: User names and Hashes that have an asterisk in the <8 column are password hashes that are less than 8 characters in length.
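The "<8" column works because LM hashes each 7-character half of the password separately, so an empty second half always produces the same 8 bytes. The following is an added example, not part of the original tutorial or of Cain, showing how a defender can use that property to audit a hash export for accounts that still store an LM hash; the pwdump-style line format, the sample values and the function names are assumptions.

```python
# Added example: audit a pwdump-style export for stored LM hashes.
# Line format (user:rid:lm:nt:::) and all sample values are constructed.

# LM hash of an empty 7-character half; it is the same on every system.
EMPTY_LM_HALF = "aad3b435b51404ee"

SAMPLE_EXPORT = """\
alice:1001:0123456789abcdeffedcba9876543210:00112233445566778899aabbccddeeff:::
bob:1002:89abcdef01234567aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
dave:1004:NO PASSWORD*********************:1a2b3c4d5e6f708192a3b4c5d6e7f809:::
truncated-line-without-hashes
"""

HEX = set("0123456789abcdef")

def classify_lm(lm_field):
    """Return 'none', 'short' (<8 chars) or 'long' (8-14 chars)."""
    lm = lm_field.strip().lower()
    if len(lm) != 32 or not set(lm) <= HEX:
        return "none"              # placeholder text instead of a hash
    first, second = lm[:16], lm[16:]
    if first == second == EMPTY_LM_HALF:
        return "none"              # empty LM value: blank password or LM storage disabled
    if second == EMPTY_LM_HALF:
        return "short"             # what Cain marks in its "<8" column
    return "long"

def audit(export_text):
    """Map each user to its LM status, skipping malformed lines."""
    findings = {}
    for line in export_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        findings[fields[0]] = classify_lm(fields[2])
    return findings

def accounts_to_fix(export_text):
    """Users whose LM hash is still stored and should be remediated."""
    return sorted(u for u, s in audit(export_text).items() if s != "none")

if __name__ == "__main__":
    for user, status in audit(SAMPLE_EXPORT).items():
        print(f"{user:8} LM={status}")
```

Accounts returned by `accounts_to_fix` still have an LM hash stored, which is the form of hash the tables in this tutorial work against.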
Step 2:
Now we will configure the Dictionary Attack tool in Cain to attack the LM Hashes that we have extracted.
1. Right click on any of the hashes and click on “Select All.”

This will add all of the hashes to any of the deciphering processes that you choose.
2. Right click on any of the hashes and select Cryptanalysis Attack (LM).

3. Now the Dictionary Attack selector window appears, and we can select the parameters with which to attack our hashes.

The LM Hashes Cryptanalysis panel has one primary option to configure:
Add Table: This window will allow you to add any Rainbow Table at your disposal to the Rainbow Table list inside Cain. If you have recently purchased the Rainbow Tables from this site, then you can select multiple Rainbow Tables at the same time and Cain will import them all in a single process.
Step 3:
The Rainbow Tables selected will need to be appropriate for the hash type that you intend to crack. In this example the sample Rainbow Table available for download is designed to crack any LM hash for passwords that are from 1-4 characters in length and contain the characters A-Z and 0-9 only. Rainbow Tables with broader functionality are available here. Tables purchased from this site will have significantly higher success rates than the one freely available for use in this tutorial. Once you have your Rainbow Tables copied from the CDs or DVDs, use the add tables button in Cain to navigate to your table version and load each table into the LM Hashes Cryptanalysis panel and off you go!
Next, begin the attack by pressing Start!
Using the largest table available from this site for LM Rainbow Tables will take approximately 28 minutes to crack all of the hashes that were created by the addusers.bat file that you created. (Your cracking time will vary based on the location of the files and the processing and memory resources available on your cracking machine.)
Your Cain output should look something like this:
| User | Password |
| --- | --- |
| Msmith | FOOTBALL!@# |
| Dsmith | 3!@# |
| Nsmith | SOCCER |
| Esmith | 456!@# |
| Osmith | CROKET |
| Fsmith | ABCdef!@# |
| Psmith | COW123 |
| Qsmith | HOWNOW |
| Hsmith | ABC123 |
| Rsmith | BROWNCOW |
| Jsmith | ABCDEF123 |
| Ssmith | GHANDI |
| Ksmith | ABCDEF123 |
| Tsmith | ABCDEF |
| Usmith | RTDOTNET |
| Bsmith | EF456 |
| Lsmith | ABCDEF |
| csmith | ABC789!@#12 |

If you refer back to the AddUsers.txt file, you will see that we were able to crack all of the passwords that met the parameters we selected in a few simple steps.
This concludes the Cryptanalysis Attacking with Cain tutorial. If you are interested in additional information about LM hashing, please review the following links.
http://support.microsoft.com/kb/299656/en-us/
http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
http://www.microsoft.com/security/guidance/default.mspx
http://www.microsoft.com/singapore/sme/english/issues/sgc/articles/select_sec_passwords.mspx
Support this site and the tutorials that are presented herein by purchasing Rainbow Tables here.
Thank you,
Ramius Kahn
Copyright (c) 2004, 2005 Ramius Kahn & Rainbowtables.net. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
Cain is a registered trademark of Massimiliano Montoro and is available from www.oxid.it and is not affiliated with RainbowTables.net.