SysOpt.com - System Optimization and PC Performance

Overclocking and PC Performance Optimization for System Builders


Uncrackable Win2k/NT4 Passwords

- Page 2/3
January 3, 2001
By Joel Kleppinger

How Windows 2000 Differs

It used to be that any lamer (second-rate hacker) could just run L0phtCrack against an NT4 domain server and get the entire username and password hash list and start cracking away. With Windows 2000, however, it's quite a bit more difficult. No longer can they just install L0phtCrack and get the hashes from the registry of any local or networked Windows 2000 machine. Although Windows 2000 returns values that L0phtCrack will accept, the hashes are not true NTLM or LM hashes and thus are worthless, at least to L0phtCrack 2.5.

The way most crackers will try to get in is by making the pwdump2 program run on the domain controller. (It must run locally on the controller, as there is no way to run it on a workstation to attack another computer). Speculatively, the only way to get the correct hashes remotely is to copy the file to the domain controller, get an administrator (or be an administrator and use telnet) to run pwdump2 on the domain controller, and then get the results in some form that can then be used by L0phtCrack.

Windows 2000 also differs from NT by using Kerberos password authentication. Kerberos treats the password as a private key: the client gets a bit of information from the server, encrypts it with that key, and returns it to the server. The server then checks the encrypted information, and if it can decrypt it with the password, the user is authenticated. Thus, there is no way to get login information by sniffing for passwords and hashes over the network. Unfortunately, this works only among Windows 2000 systems, in a Windows 2000-only environment. Unix has had Kerberos authentication capabilities for years, but some sections of the protocol that Microsoft used weren't in the specifications, which made their implementation incompatible with all other Kerberos-capable systems.

Windows 2000 is almost the same as NT4 simply because it still stores the same hashes. It merely makes it hard to get to them. This is especially important in the next section, since both operating systems treat hashes in the same way, making a password that is uncrackable on one uncrackable on the other.

Uncrackable NT4/Windows 2000 Passwords: They Exist

Most password security rests on the notion of time. Users don't claim that a password is uncrackable; they merely say that it would take so long to crack that it isn't even worth trying. Through a bit of ingenuity, curiosity, and a stroke of luck, Scott Crawford managed to come across passwords that couldn't be cracked, at least not by today's tools.

The method is so simple, it's beautiful. It's based on the fact that L0phtCrack only offers to crack up to 68 of the 256 possible characters in the ASCII character set. So he wondered, what about the other characters? His research found that 187 characters out of 308 (some extra Windows characters are also allowed in passwords) could not be cracked by L0phtCrack 2.5. All of these characters are ones that can only be entered by pressing ALT plus a three- or four-digit number on the numeric keypad.

Table of Uncrackable Alt-Characters

The way to test the crackability of these passwords is simple. Create 308 users, one for each character, each with the character both as the user name and as the password. Then either brute-force with a custom character set containing all possible characters, or run a dictionary file that contains each of the characters as an entry. In effect, every password exists both as a user name and in the dictionary file, and L0phtCrack checks both (if a user name is also the password, L0phtCrack determines that instantly). After running the dictionary file through, we discovered there were many that weren't cracked by L0phtCrack.

After several runs on multiple machines, both Windows NT4 and 2000, we determined that these 187 characters were, in effect, uncrackable.
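The point of the experiment above is that the hash itself is not what protects these passwords; it is that a cracker which only generates candidates from a 68-character alphabet can never produce a candidate containing an Alt-character. The following is an added example, not code from the article or from L0phtCrack, that makes this concrete for the NT hash (MD4 over the UTF-16LE encoding of the password, which is how NT4 and Windows 2000 store it). The MD4 is a textbook RFC 1320 implementation carried inline because many modern OpenSSL builds disable it in `hashlib`. The 68-character alphabet `LC25_CHARSET` (upper-case letters, digits and the 32 ASCII punctuation marks, which happen to total 68) is an assumption about what L0phtCrack 2.5 searched, and the function names `nt_hash`, `outside_charset` and `alt_code` are my own; the check generalizes to any cracking alphabet, not just that one.

```python
import string
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


# The three MD4 rounds (RFC 1320): mixing function, message-word order,
# per-step shift amounts, and the round constant.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z),
     list(range(16)), (3, 7, 11, 19), 0x00000000),
    (lambda x, y, z: (x & y) | (x & z) | (y & z),
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (lambda x, y, z: x ^ y ^ z,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """Textbook MD4 digest of `data` (pure Python, no hashlib dependency)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, ks, ss, const in _ROUNDS:
            for i, k in enumerate(ks):
                a = _lrot((a + fn(b, c, d) + x[k] + const) & MASK, ss[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers so every step updates "a"
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash as stored by NT4/2000: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


# Assumed approximation of the 68-character alphabet L0phtCrack 2.5 searched:
# upper-case letters, digits and the 32 ASCII punctuation marks (26+10+32 = 68).
LC25_CHARSET = frozenset(string.ascii_uppercase + string.digits + string.punctuation)


def outside_charset(password: str, charset=LC25_CHARSET) -> set:
    """Characters a cracker limited to `charset` can never generate.

    The password is upper-cased first because the LM hash, the usual
    brute-force target, upper-cases before hashing.
    """
    return {ch for ch in password.upper() if ch not in charset}


def alt_code(ch: str) -> str:
    """Alt+0nnn keypad sequence that types `ch` on a Windows-1252 system."""
    return "Alt+0%03d" % ch.encode("cp1252")[0]


if __name__ == "__main__":
    # Constructed sample passwords: one inside the alphabet, one with an Alt-character.
    for pw in ("PASSWORD", "PASSWÄRD"):
        missing = outside_charset(pw)
        verdict = ("reachable by the 68-char search" if not missing else
                   "never generated: needs " + ", ".join(alt_code(c) for c in sorted(missing)))
        print(f"{pw!r:12} NT={nt_hash(pw).hex()}  {verdict}")
```

Running the block prints both NT hashes (they are ordinary 16-byte MD4 digests, nothing about the second one looks special) followed by the verdict that `PASSWÄRD` can only be reached by a candidate generator that knows to emit Alt+0196. That is the whole defence the article describes, and also its limit: the moment a cracker's alphabet is widened to the full code page, `outside_charset` returns the empty set and the advantage is gone.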
