In this tutorial we will examine the process for recovering the clear text password from an LM hash that has been extracted from a workstation running Windows. A key concept to remember when learning the process is to keep the variables as simple as possible. To facilitate this, two text files have been prepared that will add, and subsequently remove, a series of 20 users on your local workstation. These files are freely available for download from the links below.
The files are in HTML format and can be copied to and edited in Notepad. In order to use the scripts, you will need to save the files in the “.bat” file format. Batch files can be run like executables by double clicking on them. To convert the files to batch files, follow these steps:
1. Open the text file in Notepad.
2. Go to File and then click on Save As.
3. In the File Name box at the bottom, remove the .txt extension and replace it with .bat.
4. In the Save As Type box, change the value so that it reads: All Files.
5. Navigate to the location where the file is saved, double click the file, then hit Enter and close the window.
6. Repeat these steps for the remove-users file to perform the removal in an automated process.
You can open the Users and Computers manager in the Control Panel to confirm that the accounts have been created, or simply type the command “Net User” at a command prompt. After you have finished the tutorials, the removeusers.txt file can be used to remove the user accounts: convert it with the same steps and then run the removeusers.bat file.
You can review the files to see that all of the users are created in an inactive state and that their accounts expired in early 2005. It is still recommended to delete these accounts at the conclusion of each tutorial to maintain network security. The passwords in the file vary in length and complexity, but are relatively simple for demonstration purposes.
To perform this tutorial, you will need to download and install the most recent version of Cain and Abel from www.oxid.it. Make sure that you install the main application as well as WinPcap, as directed during the install. You will likely have to reboot afterwards. If you experience any difficulty, refer to the Cain user manual located here:
Here are the steps to complete a Dictionary Attack on LM password hashes. We will assume only the following:
1. Cain is installed and configured properly.
2. You have created the users with the script as directed.
Step 1:
Extract the hashes from the target machine. If you are performing this step locally on the machine where Cain is installed, follow these steps:
1. Launch Cain.
2. Navigate to the Cracker tab at the top of the application.
3. Then select the LM hashes from the tree at the left.

4. Right click anywhere in the open space at the right and select “Add to list”.

5. In the box that pops up, keep the defaults and then select Next.

6. Now the cracking window lists multiple hashes with their associated user names. These are the LM and NTLM hashes that we are going to crack.
It should look something like this. (Note: You will see more hashes than just the 21 that are installed by the script. For demonstration purposes, we have removed all user accounts except those used for this demonstration.)

Hint: User names and hashes that have an asterisk in the <8 column are password hashes whose passwords are less than 8 characters in length. (Cain can tell because the second half of such a hash is the fixed value of an empty 7-character segment.)
Step 2:
Now we will configure the Dictionary Attack tool in Cain to attack the LM Hashes that we have extracted.
1. Right click on any of the hashes and click on “Select All.”

This will add all of the hashes to whichever cracking process you choose.
2. Right click on any of the hashes and select Dictionary Attack (LM).

3. Now the Dictionary Attack window appears, where we select the parameters for the attack on our hashes.

The Dictionary Attack panel has one primary option to configure:
Add dictionary: This window allows you to add any dictionary file at your disposal to the dictionary list inside Cain. If you have recently purchased the Ramius Cracking Dictionary, you can select multiple files at the same time and Cain will import them all in a single process.
Other options may be selected to meet your attacking needs.
Step 3:
Dictionary attacks do not depend on password length. All that is needed is to load the dictionary file and launch the attack. To load a dictionary, simply click on the Add button, browse to the location of your dictionary file and then click Open. For this tutorial, load the Sample_Dictionary.txt file available at the top of this page, which should be saved as a .txt file on your computer.
Next, begin the attack by pressing Start!
One of the interesting aspects of LM hashing is that the hash is computed and stored in 7-character segments. As you can see in the output, some of the “Cracked” hashes have only some of their characters identified with a valid output, while the remaining characters are replaced with “?”. (Tip: the total number of “?” in an undefined segment is equal to the number of characters in that segment of the hash. You can use this information to determine further cracking parameters as you become more proficient with the tools.)
Another nice feature of Cain is that when the LM password is cracked, the corresponding NTLM value is also calculated and displayed.
Your Cain output should look something like this:
Plain text of 1153C3961EE58C3B is CROKET
Plain text of 13D855FC4841C7B1 is ABCDEF
Plain text of 385A83A746BFA8F2 is GHGHGH
Plain text of D71808BF36F81510 is FOOTBAL
Plain text of E165F0192EF85EBB is ABCD
Plain text of 59E2DB85E9D49595 is ABCDEF1
Plain text of 6842A19CC4C509E0 is HOWNOW
Plain text of 78BCCAEE08C90E29 is ABC123
Plain text of 9E2204E2058AC9E9 is RTDOTNE
Plain text of 213D466DB5B288F0 is ABCDEF!
Plain text of 9C92FA4960AC2536 is SOCCER
Plain text of BB26C063532826AA is ABC789!
Plain text of 136A8418CF76C4F7 is EF456
Plain text of BC472F3BF9A0A5F6 is BROWNCO
Plain text of A8EED815A197BD87 is 3!@#
Plain text of 5A9DB9F8BB5DF0CB is 456!@#
Plain text of 4A01C0E45FCA767A is COW123
Plain text of AAD3B435B51404EE is
Attack stopped!
19 of 26 hashes cracked
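To see why the hash is cracked in 7-character segments, and why the last line of the output (AAD3B435B51404EE with no plain text) appears for every password of seven or fewer characters, here is an added example that computes the two LM segments. It is not code from the tutorial or from Cain; it uses Go's standard library crypto/des, assumes the ANSI upper-casing that LM applies, and the sample passwords in main are taken from the tutorial's own list (plus one constructed 8-character password).

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// EmptyHalf: DES output for an all-zero segment, i.e. a segment with no characters.
const EmptyHalf = "AAD3B435B51404EE"

// lmKey spreads 7 password bytes over 8 DES key bytes, parity bit (bit 0) left clear.
func lmKey(seg []byte) []byte {
	var bits uint64
	for _, b := range seg {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7F) << 1
		bits >>= 7
	}
	return key
}

// lmHalves returns both segments of the LM hash as upper-case hex, as Cain
// lists them. The password is upper-cased, zero-padded (or cut) to 14 bytes,
// and each 7-byte segment is used as a DES key to encrypt "KGS!@#$%".
func lmHalves(password string) (string, string) {
	buf := make([]byte, 14)
	copy(buf, []byte(strings.ToUpper(password))) // copy stops at 14 bytes
	var out [2]string
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(lmKey(buf[i*7 : i*7+7]))
		if err != nil {
			panic(err)
		}
		enc := make([]byte, 8)
		block.Encrypt(enc, []byte("KGS!@#$%"))
		out[i] = strings.ToUpper(hex.EncodeToString(enc))
	}
	return out[0], out[1]
}

func main() {
	// Three passwords from the tutorial's list plus one constructed 8-character password.
	for _, pw := range []string{"abcdef", "ABCDEF1", "ABCDEF!", "FOOTBALL"} {
		first, second := lmHalves(pw)
		fmt.Printf("%-8s %s %s  second segment empty: %v\n", pw, first, second, second == EmptyHalf)
	}
}
```

Because each segment is an independent DES operation on at most 7 upper-cased characters, a dictionary or brute-force attack only ever has to cover 7-character candidates, which is why the "?" placeholders and the <8 marker line up with segment boundaries.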
If you refer back to the AddUsers.txt file, you will see that we were able to crack, in a few simple steps, all of the passwords that met the parameters we selected.
This concludes the Brute Forcing with Cain tutorial. If you are interested in additional information about LM hashing, please review the following links.
http://support.microsoft.com/kb/299656/en-us/
http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
http://www.microsoft.com/security/guidance/default.mspx
http://www.microsoft.com/singapore/sme/english/issues/sgc/articles/select_sec_passwords.mspx
Support this site and the tutorials that are presented herein by purchasing Rainbow Tables here.
Thank you,
Ramius Kahn
Copyright (c) 2004, 2005 Ramius Kahn & Rainbowtables.net. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
Cain is a registered trademark of Massimiliano Montoro and is available from www.oxid.it and is not affiliated with Rainbowtables.net