
How I Cracked your Windows Password

Passwords tend to be our main and sometimes only line of defense against intruders. Even if attackers do not have physical access to a machine they can often access a server through the remote desktop protocol or authenticate to a service via an outward facing web application.


The purpose of this article is to educate you on how Windows creates and stores password hashes, and how those hashes are cracked. After demonstrating how to crack Windows passwords I will provide some tips for ensuring you are not vulnerable to these types of attacks.


How Windows Stores Passwords


Windows-based computers use two methods for hashing user passwords, and the two have drastically different security implications. These are LAN Manager (LM) and NT LAN Manager version 2 (NTLMv2). A hash is the result of a cryptographic one-way function that takes an arbitrarily sized string of data, runs it through a mathematical function, and returns a fixed-size string.


LM Password Hashes


The LAN Manager hash was one of the first password hashing algorithms used by Windows operating systems, and the only version supported up until the advent of NTLMv2, used in Windows 2000, XP, Vista, and 7. These newer operating systems still support LM hashes for backwards compatibility. However, LM hashing is disabled by default on Windows Vista and Windows 7.


The LM hash of a password is computed using a six step process:


1. The user's password is converted to all uppercase letters.

2. The password is padded with null characters until it is 14 characters long.

3. The padded password is split into two 7-character halves.

4. Each 7-byte half is used to create a DES key, with a parity bit added to each byte to form a 64-bit key.

5. Each DES key is used to encrypt the fixed ASCII string KGS!@#$%, producing two 8-byte ciphertext values.

6. The two 8-byte ciphertext values are concatenated into a 16-byte value, which is the completed LM hash.


In practice, the password "PassWord123" would be converted as follows (null padding bytes shown as 0):

1. PASSWORD123

2. PASSWORD123000

3. PASSWOR and D123000

4. PASSWOR1 and D1230001

5. E52CAC67419A9A22 and 664345140A852F61

6. E52CAC67419A9A22664345140A852F61





NTLM Password Hashes

The NT hash, the value used by NTLMv2, is computed differently: the password is encoded as Unicode (UTF-16LE), with case preserved and no padding or splitting, and hashed with the MD4 algorithm. This is considered significantly stronger than the DES-based LM scheme because it allows longer passwords, distinguishes between uppercase and lowercase letters, and does not split the password into smaller, easier-to-crack chunks.


Perhaps the biggest complaint about NTLMv2 hashes is that Windows does not use a technique called salting. Salting is a technique in which a random value is generated and mixed into the password before its hash is computed. This means the same password could have two completely different hash values, which would be ideal.


With this being the case, it is possible for a user to generate what are called rainbow tables. Rainbow tables are not just coffee tables painted in bright colors; they are precomputed tables that let you look up the hash value of every possible password up to a certain number of characters. Using a rainbow table, you simply take the hash value you have extracted from the target computer and search for it. Once it is found in the table, you have the password. As you can imagine, a rainbow table for even a small number of characters can grow very large, so generating, storing, and indexing one can be quite a task.
