Wednesday, December 19, 2012

Refresher Series - Capturing and cracking SMB hashes with Cain and Half-LM rainbow tables.

First things first, what is an LM hash, or LAN Manager hash? The LM hash is produced by an outdated hashing function that is nevertheless still widely used in corporate environments today. The most important features of an LM hash are as follows:

- Passwords are a maximum of 14 characters (14 bytes).
- Passwords are converted to uppercase.
- Passwords are padded to 14 bytes.
- The 14-byte password is split into two 7-byte halves. (This is the weakness exploited by the Half-LM attack.)
- Read more about LM hashes at

Simply put, if a user chooses the password "Password", the LM hashing function turns it into "PASSWOR" and "D"; if they choose "PaSSwOrD12345!", it becomes "PASSWOR" and "D12345!". Obviously, cracking two short passwords takes far less time than cracking one long password.
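The following is an added example (not code from the original post) that applies the LM preprocessing described above and quantifies the search-space collapse caused by the 7/7 split. It also flags the well-known hash of an empty LM half, which lets a defender spot short passwords, or any LM storage at all, in a hash audit; the charset size of 50 used below is an assumption.

```python
# Added example: LM preprocessing, half-LM search-space math, and an
# audit helper for LM hash values. Not part of the original post.
# Note: this does not compute the DES step itself; it only models the
# preprocessing and the resulting keyspace.

# DES encryption of the constant "KGS!@#$%" under an all-zero 7-byte key:
# the value every empty (or padding-only) LM half produces.
EMPTY_LM_HALF = "AAD3B435B51404EE"


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Uppercase, truncate/pad to 14 bytes, split into two 7-byte halves."""
    # LM uses a single-byte OEM encoding; this example assumes ASCII input.
    data = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return data[:7], data[7:]


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidate strings of length 0..max_len over the charset."""
    return sum(charset_size ** n for n in range(max_len + 1))


def half_lm_reduction(charset_size: int) -> float:
    """How many times smaller the two 7-char searches are than one 14-char search."""
    return keyspace(charset_size, 14) / (2 * keyspace(charset_size, 7))


def audit_lm_hash(lm_hex: str) -> str:
    """Classify a 32-hex-char LM hash by the empty-half signature."""
    h = lm_hex.strip().upper()
    if len(h) != 32:
        raise ValueError("LM hash must be 16 bytes (32 hex characters)")
    if h == EMPTY_LM_HALF * 2:
        return "no LM hash stored (empty password or LM storage disabled)"
    if h[16:] == EMPTY_LM_HALF:
        return "password is 7 characters or fewer (second half is empty)"
    return "password is 8 to 14 characters (both halves populated)"


if __name__ == "__main__":
    for pw in ("Password", "PaSSwOrD12345!"):
        print(pw, "->", lm_halves(pw))
    # Assumed charset of 50 symbols (upper-case letters, digits, 14 symbols).
    print("half-LM search is", f"{half_lm_reduction(50):.1e}", "times smaller")
    # Constructed sample: first half is a placeholder, second half is empty.
    print(audit_lm_hash("0123456789ABCDEF" + EMPTY_LM_HALF))
```

A defender can run `audit_lm_hash` over an exported account list to find accounts whose LM hash is still stored, which is the precondition for everything else in this post.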

Before you can use the Half-LM rainbow tables you either need to download them or generate them yourself, as I did, using Winrtgen, which is included with Cain. When using Winrtgen it is important to note the disk space and the success probability; both are directly influenced by the charset and the number of tables. In the image below you can see that the tables will only recover 97% of passwords using the alpha-numeric-symbol14 charset. You will also want to run the benchmark to see how long it will take to generate the tables. On a side note, you can divide the tables.lst file to distribute the load, even among cores, since Winrtgen is not written with multicore support. Then we wait.

On to the fun stuff. To capture a hash we want to use the Metasploit SMB capture auxiliary module, located at auxiliary/server/capture/smb. Leave the default settings, with the exception of CAINPWFILE: set this to the path where you want the output file written.

Now you wait. You can do various things to coerce victims into connecting to you, such as NetBIOS spoofing or embedding UNC paths, but that's a topic for another day. When a user attempts to connect to the capture server you will see output similar to this. The important thing to note is that the capture contains an LM hash.

When you're ready, load the hashes into Cain by selecting the Cracker tab and then the plus symbol to add your hashes from a list.

Then select the hashes you want to crack, right-click, and choose Cryptanalysis attack, Half-LM hashes + challenge, via Rainbow tables.

Load your tables and let it run. The running time depends on the number of hashes.

When it is done you get a result similar to the image below. As you can see, we have not recovered the actual password yet, but we're close. Let's finish them off.

Follow a procedure similar to the one above by right-clicking the hashes, but this time select brute-force attack and LM Hashes + Challenge. As you can see, I set the Max length to 3; that's because I assume nobody picked a password over 10 characters, which is probably a pretty good assumption in this case. ;) Remember, we already cracked 7 of the characters. As you can see, the second halves of the passwords are cracked extremely fast.

Cain then does a quick case brute force against each cracked password to determine its proper case, and as you can see the passwords were recovered.

That's it! It is actually simpler in practice than it appears here. Good luck and have fun.