Using LC4

The operating system does not store users' passwords in their original clear-text form for security reasons. The actual user passwords are encrypted into a hashed form because they are sensitive information that can be used to impersonate users, including the operating system administrator. The original password cannot be derived directly from a hashed password, so LC4 does what any hacker does: it guesses. By automating the 'guessing' process, LC4 reveals for administrators how difficult a password is to crack.

LC4 works by first obtaining password hashes from the operating system, and then hashing possible password values. When there's a match between a target hash and a computed hash, a password is found. Therefore, to do its thing, LC4 must first obtain password hashes from the target system, and then use various cracking methods to retrieve the passwords.

Obtaining the Password Hashes

There are several different approaches to obtaining password hashes, depending on where they reside and your ability to access them. LC4 can obtain password hashes directly from the registry, from the file system, from backup tapes and repair disks, from Active Directory, or by recovering them as they traverse the network. This process is not always straightforward, so read the sections below carefully.
  • Import From Local Machine
    If you have administrator rights to the machine whose passwords you intend to audit, this is the easiest way to obtain the password hashes. Use Import ... Import From Local Machine on the LC4 menu to retrieve the hashes. This approach works regardless of whether passwords are stored in a SAM file or in Active Directory.

    NOTE: LC4 is limited to dumping and opening 65K users. Large numbers of users can take a long time, so be prepared to wait many minutes for more than 10,000 users.

  • Import from Remote Registry
    In some cases, you can dump the password hashes from a remote machine over the network if the remote machine allows network registry access. Enter the machine name or IP address into the Import from Remote Registry dialog box and press OK. The usernames and password hashes will be loaded into LC4 if the current user has access to them.

    Note that password hashes retrieved using this method will not be cracked if the target system uses Microsoft's SYSKEY protection, as is the default with Windows 2000. SYSKEY adds an additional layer of encryption for stored passwords, and was introduced with Windows NT Service Pack 3. However, installing SP3 does not turn on SYSKEY, so very few Windows NT systems actually use SYSKEY. To obtain passwords from a remote system that uses SYSKEY, you may use the pwdump3 utility mentioned below.

  • SAM File
    On systems that do not use Active Directory, or SYSKEY, you may obtain password hashes directly from a password database file stored on the system -- the SAM file.
    Note: this approach will not allow you to obtain password hashes from most Windows 2000 systems, as Windows 2000 uses SYSKEY by default. SYSKEY was introduced in Windows NT Service Pack 3, but was not turned on by default, so SAM access works on Windows NT systems unless SYSKEY was explicitly turned on. SYSKEY provides an additional layer of encryption to stored password hashes. Interestingly, you can't tell by looking at the SAM or at password hashes it contains whether they've been encrypted with SYSKEY or not. LC4 cannot crack SYSKEY-encrypted password hashes. This implies that if you do not have access to at least one administrator account on a Windows 2000 machine, you cannot obtain the password hashes required to run LC4. In such cases, you may benefit from a password reset utility.
    Since the operating system holds a lock on the SAM file where the password hashes are stored on the file system, it is not possible to just read them from this file while the operating system is running. You may copy a SAM file by booting another operating system such as DOS (running NTFSDOS) or Linux (with NTFS file system support) and retrieving it from the target system, where it is typically stored in C:\WinNT\system32\config. This is especially useful if you have physical access to the machine and it has a floppy drive.

    You may also retrieve a SAM from a Windows NT Emergency Repair Disk. However, Windows 2000 does not normally store a SAM file on repair disks it generates. You may also retrieve a SAM file from a repair directory on the system hard drive, or from a backup tape.

    You load the password hashes from a "SAM" or "SAM._" file into LC4 by using the File Import SAM File menu command and specifying the filename. LC4 will automatically expand compressed "SAM._" files on NT.

  • Packet Capture via Sniffing
    Packet capture, or "Sniffing," is an advanced approach to obtaining password hashes that benefits from a good understanding of Ethernet networks. LC4 supports sniffing via WinPcap packet capture software built by the Microsoft-sponsored Politecnico di Torino.

    LC4 can capture the encrypted hashes from the challenge/response exchanged when one machine authenticates to another over the network. Your machine must have one or more Ethernet devices to access the network. Use the Import ... Import From Sniffer command. If more than one network interface is detected, you'll see the Select Network Interface dialog where you can choose the interface to sniff on. After choosing your interface you'll see the SMB Packet Capture Output dialog, which captures any SMB authentication sessions that your network device can see. If you are on a switched network you will only see sessions originating from your machine or connecting to your machine.

    NOTE: If you have a previous version of LC4 installed you must remove the NDIS packet driver from the Protocols tab in the Network Control Panel. Other low level packet drivers that are known to cause problems are the Asmodeus and ISS packet drivers. You will want to remove them also.

    As SMB session authentications are captured they are displayed in the SMB Packet Capture Output window. The display shows source and destination IP addresses, the user name, the challenge, the encrypted LANMAN hash and the encrypted NTLM hash, if any. The capture can be imported at any time using the Import button. You can capture and crack other passwords at the same time; however, password hashes captured after initiating an audit are not attempted in the running audit.

    Note that LC4's packet capture works on Ethernet adapters only, and may fail if a firewall is running on the same machine as LC4. It will not function reliably on a PPP connection.

  • Import .LC (LC2.5) or .LCS (LC3) File
    LC4 can import previously saved sessions from L0phtCrack 2.5 or LC3. This allows for a smooth upgrade to LC4, as all of your old session files will still be available. It also allows you to open old, completed sessions if you want to take advantage of LC4's improved reporting capabilities or the ability to save password files for future audits.

  • PWDUMP3
    LC4 dumps password hashes from the SAM database (and from Active Directory) of a system on which you have Administrator privileges, whether or not SYSKEY is enabled on the system. However, if SYSKEY is being used (it is by default on Windows 2000 systems) LC4 can only do this on the local machine on which it is running. pwdump3 is a utility that allows remote access to the password database on SYSKEY protected systems. It requires administrator access so it doesn't compromise network security, and generates a file containing password hashes that can be imported into LC4 for auditing.

Cracking the Password Hashes

The cracking processes that generate password values provide several options that balance audit rigor against the time required to crack. Effective auditing, therefore, requires an understanding of the underlying business goals, and of the security thresholds necessary to meet them.

To configure the cracking methods applied in your session, choose Session ... Session Options or simply click the toolbar's Session Options button to open the 'Auditing Options For This Session' dialog. From there you can configure the auditing options for the password hashes you have retrieved.

The UserName Crack

The first cracking method LC4 employs checks to see if any accounts have used the username as the password. You'll want to know about these weak passwords right away, and since this crack is nearly instantaneous, it is performed first in every audit.

Dictionary Crack

The fastest method for retrieving simple passwords is a dictionary crack. In a dictionary crack, LC4 tests all the words in a dictionary or word file against the password hashes. When it finds a correct password, it displays the result. The dictionary crack will try words of any length, up to the 14 character limit (which Windows NT imposes, but Windows 2000 does not).

LC4 defaults to using a 25,000-word dictionary file named words-english.dic that contains the most common English words. LC4 also ships with a 250,000-word dictionary called words-english-big.dic, which can be used for more comprehensive dictionary audits. This file, or any other word file you select, is loaded into LC4 based on the settings in the Session Options dialog.

If a password of any length is located in the dictionary, LC4 will display the result. The cracking process for non-dictionary words analyzes the first and last seven characters of a possible password independently. So if the first seven characters match those of a word found in the dictionary, LC4 will report these, even if subsequent characters do not match those in the dictionary word. Likewise, if the eighth character through the end of the password match the corresponding characters in any dictionary word, LC4 will identify those. When one half of a password is cracked but the other is not, question marks ('???????') fill the un-cracked half. When neither half is cracked, the results in LC4 are left blank.

This approach explains the partial results LC4 returns when one part of a password matches a dictionary word and the other does not. For example, consider the following passwords and their results in a Dictionary attack:

Password        Dictionary Attack Result                              Comments
biochemistry    biochemistry                                          Standard word, found in LC4's words-english dictionary, and cracked in full.
biochemist7y    biochem???????                                        The first 7 characters match those in 'biochemistry'.
b#^chemistry    ???????istry                                          The 8th character through the end of the password match the corresponding characters in 'biochemistry', but the first seven do not.
accomplistry    accomplistry                                          The password is not a dictionary word. Because both the first seven characters and characters 8-12 happen to match dictionary words, LC4's Dictionary crack finds the whole password, even though different dictionary words matched each part.
severecrimp     [LC4's Dictionary crack will not recover this password]   Although the password is formed from two dictionary words, neither the first 7 characters nor characters 8-11 match words in the dictionary, so the dictionary crack does not find this password. You must use the brute force crack to recover a password such as this.

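The half-by-half behaviour in the table above comes from the structure of the LM hash, which processes the first seven and the remaining characters separately. The following added model (constructed for this page, not LC4's code) reproduces the table's five results with a small stand-in dictionary; the per-half hash is a labelled stand-in for LM's DES step, keeping only the property that each half is hashed independently.

```python
# Model of the split-half dictionary matching illustrated in the table above.
# Constructed example: the per-half hash is a stand-in, not the real LM DES step.
import hashlib

HALF_LEN = 7
MASK = "?" * HALF_LEN


def split_halves(password: str) -> tuple[str, str]:
    """LM-style split: upper-case, cut at 14 chars, two 7-char halves (2nd may be empty)."""
    p = password.upper()[:2 * HALF_LEN]
    return p[:HALF_LEN], p[HALF_LEN:]


def half_hash(half: str) -> str:
    """Stand-in for LM's per-half DES computation (constructed, not the real algorithm).
    The only property kept is the one the table depends on: each 7-char half is
    hashed on its own, with no input from the other half."""
    return hashlib.sha256(half.ljust(HALF_LEN, "\0").encode()).hexdigest()


def lm_like_hash(password: str) -> tuple[str, str]:
    """The stored form: one independent hash per half."""
    first, second = split_halves(password)
    return half_hash(first), half_hash(second)


def build_half_table(words) -> dict[str, str]:
    """Pre-hash every half of every dictionary word, keyed by its half-hash."""
    table: dict[str, str] = {}
    for w in words:
        for half in split_halves(w):
            table.setdefault(half_hash(half), half)
    return table


def dictionary_audit(stored: tuple[str, str], table: dict[str, str]) -> str:
    """Look each stored half up independently and render the result LC4-style:
    the whole word, the cracked half with '???????' for the other, or '' if neither hit."""
    found = [table.get(h) for h in stored]
    if all(f is None for f in found):
        return ""
    return "".join(MASK if f is None else f for f in found)


# Constructed mini-dictionary standing in for words-english.dic.
WORDS = ["biochemistry", "accomplish", "severe", "crimp"]
TABLE = build_half_table(WORDS)


def audit(password: str) -> str:
    """Hash a password the way the system would store it, then run the audit against it."""
    return dictionary_audit(lm_like_hash(password), TABLE)


if __name__ == "__main__":
    for pw in ["biochemistry", "biochemist7y", "b#^chemistry", "accomplistry", "severecrimp"]:
        print(f"{pw:14} -> {audit(pw)!r}")
```

Results come back upper-case because, as noted under Audit Method and Performance, the LM audit is case-insensitive and LC4 restores case with a brief NTLM pass afterwards.
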
Hybrid Crack

Another method LC4 can use is called a hybrid crack. This builds upon the dictionary method (and its results display in the 'Dictionary Status' area) by modifying existing dictionary words to generate additional password attempts. Many users choose passwords such as "bogus1!", or "1!bogus" in an attempt to create a memorable, yet harder to crack password, based on dictionary words slightly modified with additional numbers and symbols. It is also increasingly common to substitute numbers and symbols for letters, such as 3 for E, or $ for S. These are the types of passwords that will pass through many password filters and policies yet still pose organizational vulnerability because they are so easily cracked.

LC4 can crack these passwords in much less time than it would take for a brute force attack. LC4's Hybrid mode checks to see if any number or symbol characters are prepended/appended to each word in the dictionary file you have selected. The default setting is 0 prepend and 2 append, but can be changed according to your preference. Character substitutions are also turned off by default.

Note: Selecting 3 or more characters to vary makes the Hybrid attack take much longer than with just 2 or fewer. If you use a dictionary that's much bigger than the one LC4 uses by default, or if too many characters are varied, the audit may take a prohibitively long time to finish. Keep in mind that while turning on some of these features may significantly increase the audit time, it still may be faster than a full brute force audit. If audit time is a priority, it may be useful to run the hybrid mode twice: once with append/prepend characters turned on and character substitutions turned off, and again with append/prepend turned off and character substitutions turned on. This will not check as many possibilities, but will run much faster.

Brute Force Crack

The most comprehensive cracking method is the brute force method. This method will recover any password up to 14 characters (which is Windows NT's password length limit).

Because the brute force crack tries every combination of characters it's configured to use, your choice of character sets determines how long the brute force crack will take. Common passwords based on letters and numbers can typically be recovered in about a day using the default character set A-Z and 0-9. Complex passwords, on the other hand, that use characters such as #_}* may take up to hundreds of days to crack on the same machine, using a comprehensive character set.

This difference in cracking time between weak and strong passwords demonstrates the value of strong passwords in protecting your organization or machine. Using a real-world password auditing tool is the only real way to discover the strength of passwords in your organization, and to gauge policy decisions such as:

  • the password policies users are expected to follow
  • the compliance rate or non-compliance instances with such policies
  • the effectiveness of a password filter, or
  • what expiration period to set for passwords.

Audit Method and Performance

LC4 can audit four different types of password hash in its attempt to recover a password:
  1. the LM hash,
  2. the NTLM hash,
  3. the LM challenge response, or
  4. the NTLM challenge response.
The hashes a user imports dictate the available auditing options. Performance varies between these different approaches.

If you retrieve user account passwords from a registry, SAM, or Active Directory, you can audit either the LM or the NTLM password hashes. Audit performance in these cases degrades only slightly as the number of hashes increases.

Because of its structural weaknesses, the LM hash is the easiest and fastest to audit. LC4 defaults to auditing the LM hash, unless the user accounts you import lack LM hashes or have LM hashes that correspond to an empty password. Since the LM audit only retrieves passwords in case-insensitive form, a very brief NTLM analysis is performed on any password found with the LM audit in order to determine the proper upper or lower case status of its characters. However this is much less time consuming than the full NTLM audit described below.

The NTLM audit is much more time consuming because the NTLM hash is based on a stronger algorithm, and is case-sensitive, which expands the possibilities that must be attempted to recover a password. Use it only if you need to recover a password from an account for which you lack the LM hash.

Where do accounts with empty passwords come from? Machine accounts that cannot be used for login have dollar signs in their user names. User accounts that last had their password changed under MacOS, Novell, or WinFrame, which do not support NTLM hashes, will have empty NTLM passwords. Others are simply accounts that were created but never assigned a password. Note that Windows 2000 passwords longer than 14 characters will have "*empty*" LM passwords, because the LM hash does not support passwords of this length.

Auditing the challenge/response pairs captured from network sniffing can take a bit longer because each password hash is encrypted with a unique challenge. As a result, some of the work done cracking one password cannot be used again to crack another. This means that in addition to the considerations mentioned above, the time to completion scales linearly as you add sniffed password hashes to crack. Ten network challenge/response hashes will take 10 times longer to crack than just one. Therefore, this type of cracking should be targeted toward particular passwords to be effective.

The appropriate toolbar buttons allow you to choose from among the different auditing options. The options you have are exposed either under the Session drop-down menu, or on the Toolbar:

  1. Audit LM hashes
  2. Audit NTLM hashes
  3. Audit LM challenge/response pairs
  4. Audit NTLM challenge/response pairs

The DES operations that LC4 uses are CPU-intensive, not memory-intensive. Increasing the number of processors and their clock speed has the greatest impact on improving LC4's performance. Extra memory has very little impact.

If you're not planning to do other work on a machine that's performing an LC4 audit, you may boost its performance by raising the priority of its process. To do so, launch LC4 and open the Windows Task Manager (Ctrl-Shift-Esc, or Ctrl-Alt-Del then choose 'Task Manager'). Go to the Process tab, right click the process labeled 'LC4.exe', then choose 'Set Priority'. Raising the priority will boost LC4's performance, at the expense of other running applications. Choosing the highest priority ('Realtime') is not advised with LC4, as this can effectively lock up the operating system.

Beginning Your Audit

Once you've configured your audit in Session Options, you're ready to perform the audit. Click the toolbar's 'Begin Audit' button to start your audit. During the audit, status information shows the progress of the audit. During dictionary and hybrid audits, the number of dictionary words tried is displayed along with the percentage complete. During the brute force attack, you can see the number of passwords attempted each second under 'keyrate.'

Distributed Password Audits

Because brute force audits can be time-consuming when they involve comprehensive character sets, LC4 lets you break an audit into parts which can be run simultaneously by LC4 installed on different machines.
  1. Retrieve the password hashes you intend to audit and configure your audit session options.
  2. Go to File ... Save Distributed
  3. Choose the directory, filename, and number of parts you'd like to divide your audit into. When you click OK, LC4 creates a number of session files, named "dist#.lcs", where # is a number corresponding to one of a series of parts.
  4. You may now take any of these files to another machine on which you'd like that part to be audited.
  5. Use File ... Open Session to open one of the session files you have created.
By auditing each of the saved session files, you achieve the complete audit.

You can achieve the same result by saving the session immediately after step one, and taking the resulting .lcs file to different machines running LC4. Just open the .lcs file using File ... Open Session. Then go to the Session Options, enable the distributed Brute Force Crack as in the accompanying screenshot, above, and select the part of the overall job you'd like each machine to perform.

Note that LC4 does not distribute the Dictionary and Hybrid cracks, so if your session options are set to perform these, they will be performed in full on each 'Part' that you distribute to other machines.