Cracking User Passwords in Windows 2000
For years, Windows NT administrators have used L0phtCrack 2.5 to obtain users' passwords in their domain. But, if you’ve tried to use this tool on your Windows 2000 domain controller, you know that it doesn’t work.
July 5, 2000
For years, Windows NT administrators have used L0phtCrack 2.5 to obtain users' passwords in their domain. But, if you’ve tried to use this tool on your Windows 2000 domain controller, you know that it doesn’t work. However, you can use L0phtCrack to crack the passwords for user accounts in your Win2K Active Directory (AD) domain.
Although you might be familiar with using L0phtCrack on NT, note that the process has changed in Win2K. Because passwords are the fundamental lock on your systems, it is a good practice, provided your management approves, to regularly assess the quality of your users’ passwords and provide feedback to users who select easy-to-guess passwords. Without such a program, it is a foregone conclusion that users will pick simple passwords such as repeating characters, simple words, and spouses’ names. Win2K provides the same minimum password length and password complexity rules as in NT. To view these settings, go to the Account Policies section of your Default Domain Policy Group Policy object in Active Directory Users and Computers.
Password Cracking in NT
Before you learn how to use L0phtCrack with Win2K, it helps to understand how password cracking works in NT, and then extend that process to Win2K. (If you are already an expert NT password cracker, feel free to skip ahead.) NT stores a hash of each user's password, not the cleartext password, in the domain controller’s SAM database. If you're not familiar with the SAM, it is a Registry hive file found in %systemroot%\system32\config. Using your administrator authority, L0phtCrack pulls the hashes from the SAM and cracks the hashes by exploiting weaknesses in NT’s hashing algorithm.
To crack a password hash, L0phtCrack first performs a dictionary attack by iterating through a list of common words. L0phtCrack hashes each word in the list and compares that hash to the hash from the SAM. If the hashes match, L0phtCrack has the password. Once L0phtCrack exhausts the dictionary, it iterates through the word list again using a hybrid attack that adds combinations of a few characters to the beginning and end of each word prior to hashing. This attempt gleans any passwords that a user has created by simply appending random characters to a common word. Finally, L0phtCrack resorts to brute force to crack any remaining hashes, trying every possible combination of characters.
For compatibility's sake, NT borrows LAN Manager’s password hashing algorithm. Because this algorithm is weak, it takes surprisingly little time to crack NT passwords. For instance, LAN Manager converts passwords to uppercase before hashing, which relieves a cracking program from testing case variations. LAN Manager divides a password into seven-character pieces before hashing, so even if you pick a long password, L0phtCrack can work on each seven-character portion simultaneously, which speeds up the process considerably. For more information on NT password hashing weaknesses, see my articles in Windows 2000 Magazine, "Protect Your Passwords," October 1998 and "Inside SP4 NTLMv2 Security Enhancements," September 1999.
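To make these weaknesses concrete, here is an added example (not code from the article, L0phtCrack, or Pwdump2) of a proactive password check that evaluates a candidate password the way an LM-based cracker sees it: uppercased and split into two seven-character halves, each tested independently against a word list, against hybrid variations, and against trivial patterns, alongside the NT/Win2K complexity rules mentioned earlier. The word list is a constructed toy list, the complexity rules are assumed to be the standard NT passfilt requirements (six characters, three of four character classes, no account name in the password), and the character-set size of 69 assumes printable ASCII. The guess-space functions show why the seven-character split matters: the two halves' costs add instead of multiplying.

```python
"""Proactive password-quality check that models the weaknesses the article
describes.  Added example; not code from the article, L0phtCrack or Pwdump2.

A candidate password is reduced to what the LAN Manager hash actually
protects (uppercase, at most 14 characters, two independent 7-character
halves) and each half is checked the way a dictionary/hybrid attack would
test it.  The NT/Win2K complexity rules are the standard passfilt rules
(assumption: six characters, three of four character classes, no account
name in the password)."""
from typing import List, Optional, Tuple

# Constructed toy word list standing in for a cracking dictionary.
DICTIONARY = {"password", "secret", "welcome", "summer", "letmein", "admin", "susan"}

# LM uppercases and truncates to 14, so the cracker's word list is effectively
# the first seven uppercase characters of each word.
LM_WORDS = {word.upper()[:7] for word in DICTIONARY}

# Printable ASCII (95) minus the 26 lowercase letters LM folds into uppercase.
# Assumption: passwords are drawn from printable ASCII only.
LM_CHARSET = 69
FULL_CHARSET = 95


def lm_halves(password: str) -> Tuple[str, str]:
    """Return the two seven-character halves that LM hashes independently.

    Uppercase, truncate to 14 characters, pad with NUL bytes, then split.
    """
    padded = password.upper()[:14].ljust(14, "\0")
    return padded[:7], padded[7:]


def half_weakness(half: str) -> Optional[str]:
    """Classify one LM half; return a reason string, or None if none was found.

    The checks mirror the attack order in the article: trivial patterns,
    dictionary words, then hybrid (word plus up to two extra characters).
    """
    text = half.rstrip("\0")  # drop LM padding
    if len(text) < 3:
        return "only %d character(s) in this half" % len(text)
    if text.isdigit():
        return "digits only"
    if len(set(text)) == 1:
        return "repeated character"
    # Hybrid attack: strip up to two characters from the front and/or back
    # and see whether a dictionary word is left.
    for prefix in range(3):
        for suffix in range(3 - prefix):
            core = text[prefix:len(text) - suffix]
            if core in LM_WORDS:
                if prefix == 0 and suffix == 0:
                    return "dictionary word"
                return "dictionary word plus %d character(s)" % (prefix + suffix)
    return None


def meets_complexity(password: str, username: str = "") -> bool:
    """NT/Win2K complexity filter (assumed passfilt rules, see module docstring)."""
    if len(password) < 6:
        return False
    if username and username.lower() in password.lower():
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def lm_guess_space(password: str) -> int:
    """Worst-case brute-force guesses against the LM hash.

    The halves are attacked independently, so their costs add rather than
    multiply; an empty half costs nothing (its hash is a known constant).
    """
    return sum(LM_CHARSET ** len(h.rstrip("\0"))
               for h in lm_halves(password) if h.rstrip("\0"))


def full_guess_space(password: str) -> int:
    """Guesses a case-sensitive, unsplit hash of the same password would need."""
    return FULL_CHARSET ** len(password)


def audit(password: str, username: str = "") -> List[str]:
    """Return the findings for a candidate password (an empty list means clean)."""
    findings = []
    if not meets_complexity(password, username):
        findings.append("fails complexity policy")
    for index, half in enumerate(lm_halves(password), start=1):
        reason = half_weakness(half)
        if reason:
            findings.append("LM half %d: %s" % (index, reason))
    return findings


if __name__ == "__main__":
    for candidate in ("Summer99", "Password123456", "Q7#kz2mV9!pLw4"):
        print(candidate, audit(candidate) or ["no findings"],
              "LM guesses %d vs %d" % (lm_guess_space(candidate), full_guess_space(candidate)))
```

Run with a user's proposed password (and account name) before it is accepted; "Summer99" passes the complexity policy yet reduces to a dictionary word plus one character and a one-character second half, which is exactly the case the hybrid attack in L0phtCrack is built to catch.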
To combat malicious use of L0phtCrack, many administrators have enabled the Syskey utility that comes with NT 4.0 Service Pack 3 (SP3). Syskey encrypts the hashes that NT stores in the SAM, which defeats L0phtCrack. However, Todd Sabin released a program called Pwdump2 that uses sophisticated techniques to get the unencrypted password hashes from the OS memory. Pwdump2 requires administrator authority to run successfully. To use Pwdump2, you first need to determine the LSASS process ID, which you can find by clicking the Processes tab in Task Manager. Next, from the command prompt, execute a command similar to the following (note that the LSASS process ID may vary):
pwdump2 240 > hashes.txt
Pwdump2 will write the username and password hashes for each account in the local system’s SAM to hashes.txt. You can then use L0phtCrack to open hashes.txt and crack the passwords. With Pwdump2, NT administrators can benefit from Syskey’s protection, but still be able to check the strength of user passwords.
Password Cracking in Win2K
When you upgrade your domain controller to Win2K, you might notice that the system automatically enables Syskey, even if you hadn’t done so earlier. With Syskey enabled, you might conclude that to crack your users' passwords, you simply follow the process I just described using Pwdump2 on your Win2K domain controller. However, you'll be in for a surprise when you use L0phtCrack to open the hashes.txt file.
Instead of seeing a list of all your domain user accounts and their hashes, you’ll only see two accounts—Administrator and Guest. The reason for this short list is AD. With Win2K, the OS doesn't store domain user accounts, including passwords, in the domain controller’s SAM; instead, the OS stores these accounts in AD. In fact, the OS doesn't use the SAM on a Win2K domain controller. The Administrator and Guest accounts you see in hashes.txt are just the built-in accounts present in any SAM.
To crack your AD domain’s user passwords, you need the new version of Pwdump2. (I wish Todd Sabin had named this new version Pwdump3.) If you get confused as to which version of Pwdump2 you have, check the file size. The original version of Pwdump2 is dated 8/23/98 with a file size of 46,080 bytes. The new version is dated 3/28/2000 with a file size of 32,768 bytes. Note that both versions have a required DLL called samdump.dll. The original samdump.dll is also dated 8/23/98 with a file size of 49,644 bytes, and the new version is dated 3/28/2000 with a file size of 36,864 bytes.
The new version of Pwdump2 has two enhancements. First, you no longer need to specify the LSASS process ID—the new version of Pwdump2 figures out the ID for itself. More important, this new version of Pwdump2 recognizes when you are running it on a Win2K domain controller and dumps the password hashes from AD. To use the new version of Pwdump2, simply go to the command prompt and run the following command:
pwdump2 > hashes.txt
and then open that file in L0phtCrack and run your crack. Voila! You’ll soon be assessing your users’ password strength just like in the good old days of NT.