LC4 Command Reference
The following sections explore the commands available from the toolbar. Toolbar icons are shown in cases where the same functions can be invoked from the Toolbar.
File ...
- File New Session
This creates a new LC4 audit session. The session metaphor allows you to keep multiple audits which may or may not yet have been completed. - File Open Session
This command opens a previously stored LC4 session from a *.lcs file. - Close Session
This stops and closes the current audit session. You are prompted about whether to save the session so it can be continued at a later time. - File Save and Save As
You may save the currently opened session to preserve the current state of your audit. This lets you stop and continue your audit at a later time, or move it to another machine without losing your progress. Save and Save As commands save the current state of the passwords, whether they are uncracked, partially cracked or cracked in the LC4 (*.lcs) format. This file can later be used for continued cracking or to restart a new session using the same target password hashes, but different audit options. - Save Distributed
This allows you to break a session into parts that can be audited simultaneously on different machines to speed up an audit. - Export
There are two types of export, session and password file. Session export provides the ability to export all visible columns into a tab-delimited file. This is helpful in cases where you want to sort and modify the results, reformat them for presentation, or print them out. Password file export saves the list of cracked passwords in order to be used in a later audit. When exporting in either mode, be sure to keep any exposed passwords in a secure location. - LC4 Wizard
This launches the Wizard which walks the user through the configuration of some common settings for an LC4 audit. - Preferences
This command opens a dialog that looks similar to the Session Options dialog. The difference is that this one lets you configure the default settings for future auditing sessions. - Exit
Exit terminates the crack session if any and exits the program.
View ...
- Toolbar
Show or hide the LC4 Toolbar. - Password Domains
This feature displays the NT domain where the password was obtained from, if available.This can be helpful when working with large lists of user accounts. - Audited Passwords
The administrator can turn the display of audited passwords on or off. Use View ... Audit Times to know whether a password has been cracked when password display is turned off. - Password Hashes
Viewing the password hashes is interesting and useful to some people, and merely clutter to others. Use this option to toggle their display on or off. - Audit Times
This feature displays the amount of time LC4 took to crack each password. This provides an approximate quantitative measure of how robust a user's password is. - Audit Method
The audit method can be displayed to help determine which users have weak passwords at a glance.Sort by the Audit Method column heading to see which passwords were cracked by the User Information, Dictionary, Hybrid, or Brute force attacks; or hopefully, not at all. - Visible Notification
Selecting this option causes an alert dialog to be displayed when the audit completes, even if you're working in another application. - Minimize to Tray
This command minimizes the program to a small icon in the system tray. The program window is reactivated by clicking on the small icon. This is useful when you are intending to crack for several days. If the SMB Packet Capture window is open it is minimized also. - Hide
This command hides the program window completely. It does not show up as an application in the task manager, although LC4 will continue to appear as a process. You can make the program visible again using the Ctrl+Alt+L key combination. If the Sniffer window had been open it is also hidden.If you forget the command to re-display LC4, just remember to open this documentation from the Start ... Programs ... LC4 group!
Import ...
- Import From Local Machine
This command imports password hashes used by the currently running operating system. - Import From Remote Registry
This command opens a dialog box which accepts a computer name or IP address. The computer specified is queried through remote registry calls to dump the password hashes contained in the SAM section of the registry. Administrator privileges and remote registry access are required to dump the password hashes in this way. The password hashes retrieved using this approach will fail to be cracked if the remote machine is using SYSKEY as is the default on Windows 2000 machines. - Import From SAM file
Use this command to import password hashes stored in a SAM file. Note that a SAM file is locked and inaccessible while the operating system that uses it is in use. You may copy a SAM file by booting another operating system such as DOS (running NTFSDOS), or Linux (with NTFS file system support) and retrieving it from the target system, or you may retrieve it from a backup tape, from a Windows NT Emergency Repair Disk, or from a repair directory on the system hard drive. - Import From Sniffer
This command launches the network packet capture window. SMB packet capture promiscuously monitors your ethernet for SMB network authentication packets. When it captures an authentication session it will display the authentication parameters: username, challenge, and hashes in the window.The contents of the window can be saved at any time to a *.lcs file using the Save Capture button or they can be cleared using the Clear Capture button. When you close the window or press Done the capture session is terminated.
- Import From .LCS file
This command imports password hashes from a saved session. The imported password hashes become part of the currently open session and do not affect the currently configured Session Options. - Import From PWDUMP file
This imports the output of a pwdump session into LC4.
Session
- Begin Audit
This command starts the audit engine on the password hashes you have loaded, based on your configuration of the Session Options. A progress display shows the status. - Pause Audit
This feature halts the current audit, saving any progress that has been made so far. You may continue the audit from where you left off at a later time by choosing to 'Begin Audit' again. - Restart Audit
After a warning dialog, this command stops the current session and restarts it from the beginning, discarding any progress already made. - Brute LM
This and the other three brute force configuration options below determine what gets brute-forced since the approach varies with each method. When possible, LC4 tries to determine the best choice to make. So, for example, if you have obtained both LM and NTLM hashes for each password you want to audit, LC4 will brute-force the LM hash since this is the fastest way to crack the passwords. If you have some passwords that have only LM hashes and others that have only NTLM hashes, neither approach will give you all the passwords. In this case, LC4 defaults to brute forcing the LM hash, but you can choose to switch it to brute forcing the NTLM hash by clicking the appropriate Toolbar or Session.. command. - Brute NTLM
- Brute LM Challenge/Response
- Brute NTLM Challenge/Response
- Session Options
This opens the 'Auditing Options For This Session' dialog box, which contains all the different settings for modifying how LC4 tries to crack the password hashes. The options in this dialog are discussed in greater detail under the the section of this documentation entitled, Using LC4.
Help
- Documentation
This opens the help file you're currently reading. - LC4 Website
This command launches your browser and takes you to the LC4 website where you can find updates and additional program information when it becomes available. - Online FAQ
This command launches your browser and takes you to an online FAQ about LC4. - About LC4
This command shows the program version information, Serial Number, and Unlock Code (for a registered copy of LC4).