Monday, September 7, 2009

LM2NTLM, the Unicode corrector

So in my very first blog posting I mentioned I would write about:

* A tool that does not only case correction with a cracked LM hash and the accompanying NTLM hash, but also something I call unicode correction. I still need to release this tool, but I already implemented the code in rcracki_mt.

I kind of forgot about this tool. It was actually my first attempt at making something like a brute forcer. I'm not releasing source code (yet), I need to clean it sometime.

You can use this tool when you have cracked an LM hash and want to know the correctly cased password that results in the accompanying NTLM hash. Usually trying all uppercase/lowercase variations is enough, but sometimes there is a strange character in the password: for example, a character with an accent that maps to a regular uppercase letter in the LM hash.

Some time ago I worked out a lot of these mappings, per 'Windows language version' (or actually per OEM codepage). LM2NTLM tries all the known mappings for each character. If it doesn't find the correct password, it starts again, replacing 2 characters with 'strange' ones. Again, if it doesn't find the password, more characters are tried. At this point you might start doubting the validity of the hashes and/or the password you are providing.

How do you actually use this tool? Just run it without arguments and you'll be given the information you need. If the corrected password is found, the tool shows 'some' unicode output; you might actually want to inspect the "Password in hex" and spot the 'odd' unicode character (2 bytes). You can use this site for finding out which character it really is.
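As an added illustration (not the released tool or the rcracki_mt code), this is the search LM2NTLM performs, in Python: a pure-Python MD4 to compute the NT hash, and a correction that tries the plain case variants of the uppercase LM password first, then candidates with one 'strange' character, then two. The ODD_MAP table of accent foldings is a constructed stand-in for the real per-codepage mappings, and nt_hash/lm2ntlm are names chosen here.

```python
import struct
from itertools import product
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b'\x80' + b'\x00' * ((55 - len(data)) % 64) + struct.pack('<Q', bit_len)
    rounds = (  # (boolean function, message-word order, shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack('<16I', data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, shifts, k in rounds:
            for i in range(16):
                t = (a + f(b, c, d) + X[order[i]] + k) & MASK
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c  # rotate registers
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack('<4I', a, b, c, d)

def nt_hash(password: str) -> bytes:
    return md4(password.encode('utf-16le'))

# Constructed, illustrative mapping (NOT Windows' real per-codepage tables): for each
# uppercase LM character, the 'strange' characters the OEM uppercasing could fold onto it.
ODD_MAP = {'A': 'áàäâ', 'E': 'éèëê', 'I': 'íìïî', 'O': 'óòöô', 'U': 'úùüû', 'C': 'ç', 'N': 'ñ'}

def lm2ntlm(lm_password: str, nt_hex: str, max_odd: int = 2):
    """Recover the cased password behind an uppercase LM password; fewest odd chars first."""
    target = bytes.fromhex(nt_hex)
    pools = [''.join(dict.fromkeys(ch + ch.lower() + ODD_MAP.get(ch, '')))
             for ch in lm_password.upper()]
    odd = lambda cand: sum(not c.isascii() for c in cand)
    for cand in sorted(product(*pools), key=odd):  # 0 odd chars, then 1, then 2 ...
        if odd(cand) > max_odd:
            return None
        if nt_hash(''.join(cand)) == target:
            return ''.join(cand)
    return None

if __name__ == '__main__':
    print(lm2ntlm('CAFE', nt_hash('Café').hex()))  # -> Café
```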

Download: lm2ntlm.zip (Windows 32bit .exe)

p.s. You can use LM2NTLM for regular case correction as well ;)

7 comments:

  1. I need a LM bruteforcer so I can crack the LM hash first.

  2. try john the ripper, cain, rainbow tables, whatever you like ?

  3. WOW! Those are awesome. Can you create one for cracking LM hashes? The character set needed would only be:

    alpha
    alpha-numeric
    alpha-numeric-symbol14
    alpha-numeric-all

    LM hashes do not contain any lowercase alpha characters and every hash is split into 2 parts, making them very easy to crack

    CharSet: alpha-numeric-symbol14
    Length: 7
    Cracking Power: Crack password up to 14 chars

    Once you have the LM hash, you can figure out the NTLM by changing the characters to upper and lower alpha. My idea is to make my 24GB LM Rainbow Tables obsolete with this. Maybe also include cracking password dump files from "pwdump6.exe".

  4. you'd think i would already know how LM hashes work ;)

    i'm not sure if i'll ever make an LM cracker, it is on my wish list though.

  5. Thank you for this great tool!

    I noted that passwords in uppercase (NTLM) fail.
    Test with AA password (NTLM 5B0D886C49E8686C1A9955D114F67892):

    lm2ntlm 5B0D886C49E8686C1A9955D114F67892 -p AA
    Searching for unicode password.
    Uppercase password: AA
    NTLM hash: 5b0d886c49e8686c1a9955d114f67892

    Trying full unicode map for 0/2 characters...
    Trying full unicode map for 1/2 characters...
    Trying full unicode map for 2/2 characters...

    case correction for password AA fail!

    Tried 1085 passwords in 0.05 s (0.02 Mhashes/s)

  6. Hi,

    Can you share the source code of your LM2NTLM program ?

    Thank you.

  7. you can find the code in the source of rcracki_mt, in the file lm2ntlm.cpp
