Uncrackable Win2k/NT4 Passwords- Page 1/3
January 3, 2001
By
Joel Kleppinger
On the first Christmas when the angels proclaimed "Peace on earth, good will to all," they must not have included the NT family in that proclamation. You are likely already familiar with the password (in)security in Windows NT 4.0. However, you might be less familiar with the changes Microsoft did and didn't make in Windows 2000. This article is an overview of those items, how Windows 2000 passwords can be cracked, and how to make it impossible for current password crackers to crack NT4 or 2000 passwords. Yes, it really can be done.
Before launching into the topic, however, there are a few bits of information that are pertinent to understanding the subject matter, as well as my own perspective, interests, and understandings. First, the information in the uncrackable password section was discovered by Scott Crawford, a Network Administrator for Evangel University. The zip file, which is available for download, is entirely his work and effort. Second, as for myself, I have always had an ear to the ground regarding OS security as it has interested me since my mid high school years. Since I am not much of a programmer, there is much I do not understand when it comes to the exact algorithms of the way things work, so I can only offer some semi-educated speculation in those respects. Still, I do understand quite well the user and wannabe hacker or lame hacker perspectives and can offer interesting analysis from those points of view. This isn't the be-all/end-all of Windows 2000 security, but is a simple tip of the way things are as I see them.
Windows 2000 and NT4 Passwords
It has long been known that the algorithm used in the LAN Manager password scheme is particularly weak. Considering that LAN Manager is Windows for Workgroups era technology, in the Windows 2000 era, we wonder why we need to care. Unfortunately, this is an issue of backward compatibility and since all Windows are designed for out-of-the-box intuitiveness and compatibility (for the "Just work, [expletive]!" crowd), Windows 2000 and NT4 both enable LAN Manager compatibility by default.
The problem with LAN Manager compatibility is that Microsoft chose to store passwords on an NT/2000 machine in both NTLM and LM hash forms. Because of this, anyone who has access to one has access to the other. Obviously, crackers are going to take the easier route, so they'll just grab the LM hash and try to crack it. It is, after all, the same password.
The vulnerability of the LM hash is that it can be broken into seven character password halves. So instead of having a 14 character password that might take a full 100 years of current computer time to crack, you end up with two seven-character passwords, which each take about a month to crack (and L0phtCrack would check them both simultaneously, making the crack time a month total). The cracker can also significantly cut down on the number of keys that have to be checked if it can be determined that only letters and numbers, or just letters were used in the password. For the weakest non-dictionary-word passwords, it could take as little as three hours to exhaust the keyspace for even a 14 character LAN Manager password.
Events
On the first Christmas when the angels proclaimed "Peace on earth, good will to all," they must not have included the NT family in that proclamation. You are likely already familiar with the password (in)security in Windows NT 4.0. However, you might be less familiar with the changes Microsoft did and didn't make in Windows 2000. This article is an overview of those items, how Windows 2000 passwords can be cracked, and how to make it impossible for current password crackers to crack NT4 or 2000 passwords. Yes, it really can be done. 
IE 7
Firefox 2.0
