LM / LanMan

Intro
LM hash or LAN Manager hash is one of the formats that Microsoft LAN Manager and Microsoft Windows versions previous to Windows Vista use to store user passwords that are fewer than 15 characters long. It is the only password hash format used by Microsoft LAN Manager (hence the name) and by versions of Windows up to Windows Me. It is also supported in more recent Windows versions for backward compatibility, although in Windows Vista it must be manually enabled for use.

Algorithm
The LM hash is computed as follows.

1. The user’s password as an OEM string is converted to uppercase.
2. This password is either null-padded or truncated to 14 bytes.
3. The “fixed-length” password is split into two 7-byte halves.
4. Each 7-byte half is used to create a DES key: the seven bytes are converted to a bit stream and a zero bit is inserted after every seven bits, so that the 56 bits of the half occupy the key-bit positions of an 8-byte DES key and the inserted zero bits occupy the parity positions.
5. Each of these keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.
6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
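The six steps above, carried out end to end. This is an added example written for this page, not code from the original page or from any of the tools listed below; it uses Go's standard-library DES and assumes ASCII passwords (the real algorithm uppercases in the OEM code page). The helper names `lmKeyFromHalf`, `LMHash`, `ShortPassword` and the sample passwords in `main` are this example's own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the constant plaintext that both half-keys encrypt (step 5).
const lmMagic = "KGS!@#$%"

// EmptyHalf is the DES encryption of lmMagic under the all-zero key, i.e. the
// ciphertext a null-padded half always produces. It is therefore the second
// half of the LM hash of every password of 7 characters or fewer.
const EmptyHalf = "AAD3B435B51404EE"

// lmKeyFromHalf implements step 4: the 7 bytes (56 bits) are read as a bit
// stream and a zero bit is inserted after every 7 bits, giving an 8-byte DES
// key whose low bit in each byte (the parity position) is zero.
func lmKeyFromHalf(half []byte) []byte {
	key := []byte{
		half[0] >> 1,
		(half[0]&0x01)<<6 | half[1]>>2,
		(half[1]&0x03)<<5 | half[2]>>3,
		(half[2]&0x07)<<4 | half[3]>>4,
		(half[3]&0x0f)<<3 | half[4]>>5,
		(half[4]&0x1f)<<2 | half[5]>>6,
		(half[5]&0x3f)<<1 | half[6]>>7,
		half[6] & 0x7f,
	}
	for i := range key {
		key[i] <<= 1 // shift the 7 key bits up; bit 0 becomes the inserted zero
	}
	return key
}

// LMHash returns the LM hash of password as 32 uppercase hex digits.
// Assumption for this example: the password is ASCII, so strings.ToUpper
// matches the OEM-code-page uppercasing of step 1.
func LMHash(password string) (string, error) {
	// Steps 1-2: uppercase, then truncate to 14 bytes or pad with NULs.
	padded := make([]byte, 14)
	copy(padded, strings.ToUpper(password)) // copy never writes past 14 bytes

	// Steps 3-6: split into two 7-byte halves, DES-encrypt the constant with
	// each derived key, and concatenate the two 8-byte results.
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{padded[:7], padded[7:]} {
		block, err := des.NewCipher(lmKeyFromHalf(half))
		if err != nil {
			return "", err
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, []byte(lmMagic))
		out = append(out, ct...)
	}
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// ShortPassword reports whether lmHex is the hash of a password of at most
// 7 characters: because each half is hashed on its own, the second half is
// then just EmptyHalf, which can be read off the hash without any cracking.
func ShortPassword(lmHex string) bool {
	return len(lmHex) == 32 && strings.EqualFold(lmHex[16:], EmptyHalf)
}

func main() {
	// Constructed sample passwords, chosen to show case folding, the
	// constant second half, and truncation at 14 characters.
	for _, pw := range []string{"", "password", "PaSsWoRd", "Secret1", "averylongpassphrase"} {
		h, err := LMHash(pw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22q %s  <=7 chars: %v\n", pw, h, ShortPassword(h))
	}
}
```

Running it shows "password" and "PaSsWoRd" hashing identically, the empty password producing EmptyHalf twice, and any password beyond 14 characters collapsing to the hash of its first 14. Go's `des.NewCipher` accepts the all-zero key without complaint, which is exactly what a null-padded half relies on.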

Security Weaknesses
1. Passwords longer than 7 characters are divided into two pieces and each piece is hashed separately.
2. All lower case letters in the password are changed to upper case before the password is hashed.
3. Because the LM hash is not salted, time-memory trade-off attacks such as rainbow tables are also feasible.

How to Disable Windows from Storing LM Hashes

Method 1: Implement the NoLMHash Policy by Using Group Policy
To disable the storage of LM hashes of users' passwords in the local computer's SAM database by using Local Group Policy (Windows XP or Windows Server 2003), or throughout a Windows Server 2003 Active Directory environment by using Group Policy in Active Directory, follow these steps:
1. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
2. In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change.
3. Click Enabled, and then click OK.

Method 2: Implement the NoLMHash Policy by Editing the Registry
In Windows 2000 Service Pack 2 (SP2) and later, use one of the following procedures to prevent Windows from storing an LM hash value on your next password change.

Windows 2000 SP2 and Later
To add this key by using Registry Editor, follow these steps:
1. Start Registry Editor (Regedt32.exe).
2. Locate and then click the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. On the Edit menu, click Add Key, type NoLMHash, and then press ENTER.
4. Quit Registry Editor.
5. Restart the computer, and then change your password to make the setting active.
Notes
• This registry key change must be made on all Windows 2000 domain controllers to disable the storage of LM hashes of users' passwords in a Windows 2000 Active Directory environment.
• This registry key prevents new LM hashes from being created on Windows 2000-based computers, but it does not clear the history of previous LM hashes that are stored. Existing LM hashes that are stored will be removed as you change passwords.

Windows XP and Windows Server 2003
To add this DWORD value by using Registry Editor, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. On the Edit menu, point to New, and then click DWORD Value.
4. Type NoLMHash, and then press ENTER.
5. On the Edit menu, click Modify.
6. Type 1, and then click OK.
7. Restart your computer, and then change your password.
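As the notes above say, enabling NoLMHash stops new LM hashes from being created but leaves existing ones in place until each password is changed, so a defender still needs a way to check which accounts have not been rolled over yet. The following is an added example for this page, not part of the original page or of any of the tools listed below: it reads the `user:rid:lmhash:nthash:::` line format that pwdump-style dumpers write (assumed here), and reports every account whose LM field still holds a real hash; the names `AuditLMHashes`, `Finding` and the `sampleDump` lines are this example's own, and the sample values are the known hashes of "password" and of the empty string plus constructed filler, not real credentials.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"strings"
)

// emptyLM is the LM hash of the empty string. Dump tools show it in the LM
// field when no LM hash is stored for the account, which is what NoLMHash
// produces once the password has been changed.
const emptyLM = "aad3b435b51404eeaad3b435b51404ee"

// emptyHalf is the second half of any LM hash of a password of 7 or fewer characters.
const emptyHalf = "aad3b435b51404ee"

// Finding describes one account that still has an LM hash stored.
type Finding struct {
	User  string
	RID   string
	Short bool // password is 7 characters or fewer (second half is emptyHalf)
}

// AuditLMHashes scans pwdump-style lines ("user:rid:lmhash:nthash:::", the
// format assumed for this example) and returns the accounts whose LM field
// still holds a real hash, i.e. accounts whose password has not been changed
// since NoLMHash was enabled.
func AuditLMHashes(dump string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ":")
		if len(fields) < 4 {
			continue // not a hash line
		}
		lm := strings.ToLower(fields[2])
		// Skip accounts with no LM hash, and non-hex fields such as the
		// "NO PASSWORD****" marker some tools emit for disabled accounts.
		if lm == emptyLM || len(lm) != 32 {
			continue
		}
		if _, err := hex.DecodeString(lm); err != nil {
			continue
		}
		findings = append(findings, Finding{
			User:  fields[0],
			RID:   fields[1],
			Short: strings.HasSuffix(lm, emptyHalf),
		})
	}
	return findings
}

// sampleDump is constructed for this example. Administrator carries the
// well-known hashes of "password"; svc_backup's LM value is filler with the
// empty second half; the rest are placeholders.
const sampleDump = `# constructed sample dump (user:rid:lmhash:nthash:::)
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
legacy:1003:NO PASSWORD*********************:NO PASSWORD*********************:::`

func main() {
	for _, f := range AuditLMHashes(sampleDump) {
		note := "LM hash still stored; force a password change"
		if f.Short {
			note += " (password is 7 characters or fewer)"
		}
		fmt.Printf("%s (RID %s): %s\n", f.User, f.RID, note)
	}
}
```

On the sample, Guest and jdoe are already clean, legacy is skipped as a non-hex marker, and Administrator and svc_backup are flagged; svc_backup is additionally marked as a short password because its second half is the constant. Run over a real dump after enabling the policy, the flagged list is the set of accounts whose passwords still need to be changed.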

Tools
FGDump
http://www.foofus.net/fizzgig/fgdump/
FGDump pulls the hashes from the SAM file.

John the Ripper
http://www.openwall.com/john/

Cain and Abel
http://www.oxid.it/cain.html

Rainbow Tables

Shmoo Rainbow Tables

  • Alpha lanman
  • Alpha-numeric lanman
  • Alpha-numeric-symbol32-space

http://rainbowtables.shmoo.com/


References
LM Hash
http://en.wikipedia.org/wiki/LM_hash

How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
http://support.microsoft.com/kb/299656

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.