LAN Manager was a Network Operating System (NOS) available from multiple vendors and developed by Microsoft in cooperation with 3Com Corporation. It was designed to succeed 3Com's 3+Share network server software which ran atop a heavily modified version of MS-DOS.
LAN Manager was based on the OS/2 operating system co-developed by IBM and Microsoft. It originally used the Server Message Block protocol atop either the NetBIOS Frames protocol (NBF) or a specialized version of the Xerox Network Systems (XNS) protocol. These legacy protocols had been inherited from previous products such as MS-Net for MS-DOS, Xenix-NET for MS-Xenix, and the aforementioned 3+Share. A version of LAN Manager for Unix-based systems called LAN Manager/X was also available.
In 1990, Microsoft announced LAN Manager 2.0 with a host of improvements, including support for TCP/IP as a transport protocol. The last version of LAN Manager, 2.2, which included an MS-OS/2 1.31 base operating system, remained Microsoft's strategic server system until the release of Windows NT Advanced Server in 1993.
Many vendors shipped licensed versions, including:
LAN Manager authentication uses a particularly weak method of hashing a user's password, known as the LM hash algorithm. This makes the supposed one-way function crackable in a matter of seconds using rainbow tables, or in a few hours using brute force. Its use in Windows NT was replaced by NTLM, which is still vulnerable to rainbow tables but less vulnerable to brute-force attacks. A Microsoft TechNet article updated May 2012 indicated NTLM hashes were applicable to Windows 7, Server 2003, Server 2008, Server 2008 R2, and Vista. Another TechNet article updated November 2012 stated NTLM applied to Windows 8, 8.1, Server 2012, and Server 2012 R2 and that it "must be used for . . . systems configured as a member of a workgroup." It also said that NTLM is used for local logon except on domain controllers, but Kerberos is preferred in Active Directory environments.
The major weaknesses of the LAN Manager authentication protocol are:
- Passwords are not case sensitive. All passwords are converted to uppercase before the hash value is generated, so password, PassWord, PaSsWoRd, PASSword and other similar combinations are all treated the same as PASSWORD. Password characters are also limited to a subset of the ASCII character set.
- Password length is limited to a maximum of 14 characters.
- A 14-character password is broken into 7+7 characters and the hash is calculated for the two halves separately. This way of calculating the hash makes it exponentially easier to crack, as the attacker needs to brute-force 7 characters twice instead of 14 characters. This makes the effective strength of a 14-character password equal to twice that of a 7-character password, which is significantly less than the strength of a 14-character password.
- If the password is 7 characters or less, the second half of the hash always produces the same constant value (0xAAD3B435B51404EE). A password of 7 characters or fewer can therefore be identified visibly without using tools.
- The hash value is sent to the server over the network without salting, making it susceptible to man-in-the-middle attacks such as replaying the hash.
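
The constant second half described above gives an auditor a quick way to find accounts that still carry a stored LM hash and to see which of them have short passwords. The following is an added example, not part of the original article: the function names are hypothetical, the `user:rid:lm:nt:::` export layout is an assumption (the article names no dump format), and the sample lines are constructed rather than real hashes.

```python
# Added example: audit an account export for stored LM hashes.
# Constant from the article: the LM value of an empty 7-character half.
LM_EMPTY_HALF = "aad3b435b51404ee"

def classify_lm(lm_hex):
    """Classify a 32-hex-digit LM hash by its two independently hashed halves."""
    lm = lm_hex.strip().lower()
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        return "malformed"
    first, second = lm[:16], lm[16:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        # Both halves empty: blank password, or no LM hash is stored at all.
        return "empty-or-not-stored"
    if second == LM_EMPTY_HALF:
        # Only the second half is empty: the password fits in the first 7 characters.
        return "password-7-chars-or-less"
    return "password-8-to-14-chars"

def audit(lines):
    """Parse 'user:rid:lm:nt:::' lines (assumed layout) into {user: classification}."""
    findings = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not an account record
        findings[parts[0]] = classify_lm(parts[2])
    return findings

def needs_remediation(findings):
    """Accounts that still have a real LM hash stored, sorted by name."""
    return sorted(u for u, c in findings.items() if c.startswith("password-"))

# Constructed sample input; the hex strings are placeholders, not real hashes.
NT = "00112233445566778899aabbccddeeff"
SAMPLE = [
    "alice:1001:0123456789abcdefaad3b435b51404ee:" + NT + ":::",
    "bob:1002:0123456789abcdeffedcba9876543210:" + NT + ":::",
    "svc:1003:AAD3B435B51404EEAAD3B435B51404EE:" + NT + ":::",
    "odd:1004:xyz:" + NT + ":::",
]

if __name__ == "__main__":
    results = audit(SAMPLE)
    for user, verdict in results.items():
        print(f"{user:6} {verdict}")
    print("stored LM hash, rotate password:", needs_remediation(results))
```

Accounts reported by `needs_remediation` keep a usable LM hash until the password is changed after LM hash storage has been turned off.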