| Revision as of 10:48, 11 July 2011 editSocrates2008 (talk | contribs)Extended confirmed users, IP block exemptions, Pending changes reviewers20,592 edits →Security weaknesses: ce← Previous edit |
Latest revision as of 04:47, 7 June 2021 edit undoPascal666 (talk | contribs)Extended confirmed users17,486 edits Password hashing algorithmTag: Redirect target changed |
| (80 intermediate revisions by 41 users not shown) |
| Line 1: |
Line 1: |
|
|
#REDIRECT ] |
|
{{redirect|Lanman}} |
|
|
'''LM hash''', '''LanMan''', or '''LAN Manager hash''' is the primary ] that ] and ] versions prior to ] used to store user ]s. Support for the legacy protocol continued in later versions of Windows for ], but was recommended by Microsoft to be turned off by administrators; as of Windows Vista, the protocol is disabled by default, but continues to be used by some non-Microsoft ] implementations. |
|
|
|
|
|
|
|
{{Redirect category shell|1= |
|
== Algorithm == |
|
|
|
{{R from merge}} |
|
The LM hash is computed as follows:<ref>{{cite web|url=http://technet.microsoft.com/en-us/library/dd277300.aspx|title=Chapter 3 - Operating System Installation: The LMHash|accessdate=2009-06-21|publisher=]}}</ref><ref name="davenport">{{cite web |
|
|
|
{{R to section}} |
|
| url=http://davenport.sourceforge.net/ntlm.html#theLmResponse |
|
|
|
}} |
|
| title=The NTLM Authentication Protocol |
|
|
| accessdate=2006-06-05 |
|
|
| last=Glass |
|
|
| first=Eric |
|
|
| year=2003 |
|
|
| curly=yes}}</ref> |
|
|
# The user’s ] password is converted to ]. |
|
|
# This password is null-padded to 14 bytes.<ref group="Notes">If the password is more than 14 characters long, the LM hash cannot be computed.</ref><ref name="KB828861">{{cite web|url=http://support.microsoft.com/kb/828861|title=Cluster service account password must be set to 15 or more characters if the NoLMHash policy is enabled|publisher=]|date=2006-10-30|accessdate=2009-06-21}}</ref> |
|
|
# The “fixed-length” password is split into two 7-byte halves. |
|
|
# These values are used to create two ] keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a null bit after every seven bits (so 1010100 becomes 01010100). This generates the 64 bits needed for a DES key. (A DES key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. The null bits added in this step are later discarded.) |
|
|
# Each of the two keys is used to DES-encrypt the constant ] string “<code>KGS!@#$%</code>”, resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB, and PaddingMode should be set to NONE. |
|
|
# These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash. |
|
|
|
|
|
== Security weaknesses == |
|
|
Although it is based on ], a well-studied ], the LM hash is not a true ] as the password can be determined from the hash because of several weaknesses in its implementation: Firstly, passwords longer than 7 characters are divided into two pieces and each piece is hashed separately. This weakness allows each half of the password to be attacked separately, at exponentially lower cost than the full password. While there are <math>95^{14} \approx 2^{92}</math> different 14-character passwords using ] characters, there would be only <math>95^{7} \approx 2^{46}</math> different 7-character password pieces using the same character set. By mounting a ] on each half separately, modern desktop machines can crack ] LM hashes in a few hours. In addition, all lower case letters in the password are changed to upper case before the password is hashed. Converting lowercase character to uppercase further reduces the ] for each half to <math>69^{7} \approx 2^{43}</math>. |
|
|
|
|
|
The LM hash also does not use ], a standard technique to prevent ]s. A ] ] attack, such as a ], is therefore feasible. In 2003, ], an implementation of the rainbow table technique, was published. It specifically targets the weaknesses of LM encryption, and includes pre-computed data sufficient to crack virtually all alphanumeric LM hashes in a few seconds. Many cracking tools, e.g. ], ] and ], now incorporate similar attacks and make cracking of LM hashes fast and trivial. |
|
|
|
|
|
== Workarounds == |
|
|
To address the security weaknesses inherent in LM encryption, Microsoft introduced the ] algorithm with ]. NTLM added ] support, the ] cipher (which does not require any padding or truncating that would simplify the key). On the negative side, the same DES algorithm is used with only 56-bit encryption. Furthermore, many Windows clients were configured by default to send both the LM hash and the NTLM hash, so the use of the NTLM hash provided no additional security while the weaker hash was still present. |
|
|
|
|
|
While LAN Manager is considered obsolete and current Windows operating systems use the stronger NTLMv2 or ] hashing methods, Windows systems before ]/] still compute and store the LAN Manager hash by default for compatibility with LAN Manager and ] or earlier clients, as well as some 16-bit applications that are still in use on the most current versions of Windows. It is considered good security practice to disable this feature where it isn't needed.<ref name="mskb">{{cite web |
|
|
| url=http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656& |
|
|
| title=How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases |
|
|
| work=Microsoft Knowledge Base |
|
|
| accessdate=2006-06-05 |
|
|
| curly=yes}}</ref> |
|
|
Microsoft claimed that support for LM would be completely eliminated in the ] operating system.<ref name="vista">{{cite journal |
|
|
| url=http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/ |
|
|
| title=The Most Misunderstood Windows Security Setting of All Time |
|
|
| journal=TechNet Magazine |
|
|
| year=2006 |
|
|
| month=August |
|
|
| first=Jesper |
|
|
| last=Johansson |
|
|
| accessdate=2007-01-08}}</ref> However Windows Vista and Windows Server 2008 still include support for the LM hash, although it is now disabled by default; the feature can be enabled for local accounts via a security policy setting, and for ] accounts by applying the same setting to ]s. The same method can be used to turn the feature off in Windows 2000, Windows XP and NT.<ref></ref> Users can also prevent a LM hash from being generated for their password by using a password at least 15 characters in length.<ref name="KB828861"/> |
|
|
|
|
|
==Reasons for continued use== |
|
|
Many legacy third party ] implementations have taken considerable time to add support for the stronger protocols that Microsoft has created to replace LM Hashing because the ] communities supporting these libraries first had to ] the newer protocols—] took 5 years to add NTLMv2 support, while JCIFS took 10 years. |
|
|
|
|
|
{| class="wikitable" |
|
|
|- |
|
|
|+ Availability of NTLM protocols to replace LM |
|
|
! Product |
|
|
! NTLMv1 support |
|
|
! NTLMv2 support |
|
|
|- |
|
|
| ] |
|
|
| RTM (1993) |
|
|
| Not supported |
|
|
|- |
|
|
| ] |
|
|
| RTM (1994) |
|
|
| Not supported |
|
|
|- |
|
|
|- |
|
|
| ] |
|
|
| RTM (1995) |
|
|
| Not supported |
|
|
|- |
|
|
| ] |
|
|
| RTM (1996) |
|
|
| Service Pack 4<ref>{{cite web|url=http://support.microsoft.com/kb/194507|title=Windows NT 4.0 Service Pack 4 Readme.txt File (40-bit)|date=1998-10-25|accessdate=2010-05-27|publisher=]}}</ref> (25 October 1998) |
|
|
|- |
|
|
| ] |
|
|
| Not supported |
|
|
| Directory services client (released with ] Server, 17 February 2000) |
|
|
|- |
|
|
| ] |
|
|
| RTM |
|
|
| Directory services client (released with ] Server, 17 February 2000) |
|
|
|- |
|
|
| ] |
|
|
| RTM (17 February 2000) |
|
|
| RTM (17 February 2000) |
|
|
|- |
|
|
| ] |
|
|
| RTM (14 September 2000) |
|
|
| Directory services client (released with ] Server, 17 February 2000) |
|
|
|- |
|
|
| ] |
|
|
| ? |
|
|
| Version 3.0<ref>{{cite web|url=http://www.samba.org/samba/history/samba-3.0.0.html|title=The Samba Team announces the first official release of Samba 3.0|date=2003-09-24|accessdate=2010-05-27|publisher=samba.org}}</ref> (24 September 2003) |
|
|
|- |
|
|
| JCIFS |
|
|
| Not supported |
|
|
| Version 1.3.0 (25 October 2008)<ref>{{cite web|url=http://jcifs.samba.org/|title=The JCIFS library: News|accessdate=2010-05-27}}</ref> |
|
|
|} |
|
|
|
|
|
Poor patching regimes subsequent to software releases supporting the feature becoming available have contributed to some organisations continuing to use LM Hashing in their environments, even though the protocol is easily disabled in ] itself. |
|
|
|
|
|
Lastly, prior to the release of Windows Vista, many unattended build processes still used a ] boot disk (instead of ]) to start the installation of Windows using WINNT.EXE, something that requires LM hashing to be enabled for the legacy ] networking stack to work. |
|
|
|
|
|
== See also == |
|
|
* ] |
|
|
* ] |
|
|
* ] |
|
|
* ] |
|
|
|
|
|
==Notes== |
|
|
{{reflist|group=Notes}} |
|
|
|
|
|
== References == |
|
|
{{reflist}} |
|
|
|
|
|
== External links == |
|
|
{{Wikibooks|Reverse Engineering/Cracking Windows XP Passwords}} |
|
|
* |
|
|
* |
|
|
* offers pre-computed ]s which are downloadable via ] |
|
|
* |
|
|
* |
|
|
* |
|
|
* |
|
|
* |
|
|
* |
|
|
|
|
|
] |
|
|
] |
|
|
] |
|
|
] |
|
|
|
|
|
{{Crypto navbox | hash}} |
|
|
|
|
|
] |
|
|
] |
|
|
] |
|
|
] |
|
|
] |
|