LM Hashes
#1
I have an old Windows server that I dumped the hashes from and noticed that it was using LM to store the hashes.  Of course, it didn't take long at all to brute force all of the passwords, which brings me to my question.

How do I log in with a LM deciphered password?  This is probably just something I am not understanding correctly.  For example, one of the passwords was TATORTOT123, but that doesn't work when I try to log in with it.
Reply
#2
What's the Windows version?
LM can be stored, but NTLM can be stored and used as well.
Your LM password is uppercase (LM works like this) but NTLM is case sensitive.
So if NTLM is used, your password could be Tatortot123 or TAtorTot123 or TATOrtot123 etc.
If you have the NTLM hash, it's pretty simple to find the good case.
Reply
#3
There's toggle rules in rules folder which help you find correct case
Reply
#4
Sorry I've been away for a few days. The Server version is 2008 r2. The LM hashes were migrated from an older server, probably 2003.

If NTLM is enabled (which it is), does that mean that I cannot login with the LM version of the password?
Reply
#5
The LM hashes are only used by old versions of AD servers, which is why they are sometimes kept iirc.
Reply
#6
I would like to take my cracked LM hashes and use that as leverage to crack the full NTLM hash. For example let's say my LM password is PASSWOR and the NTLM has 10 characters.

Please correct me if I am wrong, but I believe I could use the following:

hashcat64 -m 1000 -a 3 hashfile.txt PASSWOR?a?a?a

Assuming I can run the command above, my question is this: How can I toggle the case for the PASSWOR part of the password while I am brute forcing? Or is it possible?
Reply
#7
I think you could do 2 things:
- the best one is https://hashcat.net/wiki/doku.php?id=hybrid_attack where you make a wordlist with all the variants of PASSWOR (such as Passwor, PAsswor, PaSswor, etc)
- or and inefficient one 'hashcat64 -m 1000 -1 pPaA -2 sSwW -3 oO -4 rR -a 3 hashfile.txt ?1?1?2?2?3?4?a?a?a', where you would be testing unnecessary variants (ppssor?a?a?a?a) but don't need to generate a file
Reply
#8
each NTLM hash should have two corresponding LM hashes, so you do not need to BF the second part of the password.
Reply
#9
Oh, I see now. I was just looking at one part of the LM hash that was cracked. After I viewed the --show results, it all came together.

So, my next step would be to add those LM cracked passwords to a dictionary file and then run a dictionary attack with the toggle rule on it, correct?
Reply
#10
exactly

It might be useful to convert the LM results to lower-case for that attack. You are likely to get hits a litte bit faster because passwords tend to mainly consist of lower case characters.
Reply