Posts: 101
Threads: 34
Joined: Oct 2014
I have an old Windows server that I dumped the hashes from and noticed that it was using LM to store the hashes. Of course, it didn't take long at all to brute force all of the passwords, which brings me to my question.
How do I log in with a LM deciphered password? This is probably just something I am not understanding correctly. For example, one of the passwords was TATORTOT123, but that doesn't work when I try to log in with it.
Posts: 803
Threads: 135
Joined: Feb 2011
What's the Windows version?
LM can be stored, but NTLM can be stored and used as well.
Your LM password is uppercase (LM works like this) but NTLM is case sensitive.
So if NTLM is used, your password could be Tatortot123 or TAtorTot123 or TATOrtot123 etc.
If you have the NTLM hash, it's pretty simple to find the good case.
Posts: 5,185
Threads: 230
Joined: Apr 2010
There's toggle rules in rules folder which help you find correct case
Posts: 101
Threads: 34
Joined: Oct 2014
Sorry I've been away for a few days. The Server version is 2008 r2. The LM hashes were migrated from an older server, probably 2003.
If NTLM is enabled (which it is), does that mean that I cannot login with the LM version of the password?
Posts: 2,301
Threads: 11
Joined: Jul 2010
The LM hashes are only used by old versions of AD servers, which is why they are sometimes kept iirc.
Posts: 101
Threads: 34
Joined: Oct 2014
I would like to take my cracked LM hashes and use that as leverage to crack the full NTLM hash. For example let's say my LM password is PASSWOR and the NTLM has 10 characters.
Please correct me if I am wrong, but I believe I could use the following:
hashcat64 -m 1000 -a 3 hashfile.txt PASSWOR?a?a?a
Assuming I can run the command above, my question is this: How can I toggle the case for the PASSWOR part of the password while I am brute forcing? Or is it possible?
Posts: 200
Threads: 0
Joined: Nov 2017
I think you could do 2 things:
- the best one is
https://hashcat.net/wiki/doku.php?id=hybrid_attack where you make a wordlist with all the variants of PASSWOR (such as Passwor, PAsswor, PaSswor, etc)
- or and inefficient one 'hashcat64 -m 1000 -1 pPaA -2 sSwW -3 oO -4 rR -a 3 hashfile.txt ?1?1?2?2?3?4?a?a?a', where you would be testing unnecessary variants (ppssor?a?a?a?a) but don't need to generate a file
Posts: 2,301
Threads: 11
Joined: Jul 2010
each NTLM hash should have two corresponding LM hashes, so you do not need to BF the second part of the password.
Posts: 101
Threads: 34
Joined: Oct 2014
Oh, I see now. I was just looking at one part of the LM hash that was cracked. After I viewed the --show results, it all came together.
So, my next step would be to add those LM cracked passwords to a dictionary file and then run a dictionary attack with the toggle rule on it, correct?
Posts: 2,301
Threads: 11
Joined: Jul 2010
08-27-2019, 04:23 PM
(This post was last modified: 08-27-2019, 04:25 PM by undeath.)
exactly
It might be useful to convert the LM results to lower-case for that attack. You are likely to get hits a litte bit faster because passwords tend to mainly consist of lower case characters.