LM hash: Difference between revisions

"Lanman" redirects here. For other uses, see Lanman (disambiguation).

LM hash, LanMan, or LAN Manager hash is one of the formats that Microsoft LAN Manager and Microsoft Windows versions previous to Windows Vista use to store user passwords that are fewer than 15 characters long. This type of hash is the only type of encryption used in Microsoft LAN Manager, hence the name, and versions of Windows up to Windows Me. It is also supported in more recent Windows versions for backward compatibility, although in Windows Vista and later it must explicitly be enabled for use as it is turned off by default.

Algorithm

The LM hash is computed as follows:^[1][2]

1. The user’s ASCII password is converted to uppercase.
2. This password is null-padded to 14 bytes.^{[Notes 1][3]}
3. The “fixed-length” password is split into two 7-byte halves.
4. These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a parity bit after every seven bits. This generates the 64 bits needed for the DES key.
5. Each of these keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values. The DES CipherMode should Set to ECB, and PaddingMode should set to NONE.
6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

Security weaknesses

Although it is based on DES, a well-studied block cipher, the LM hash is not a true one-way function as the password can easily be determined from the hash because of several weaknesses in its implementation. First, the password characters are restricted to the ANSI character set. Second, passwords longer than 7 characters are divided into two pieces and each piece is hashed separately. Third, all lower case letters in the password are changed to upper case before the password is hashed. The second weakness allows each half of the password to be attacked separately. While there are ${\displaystyle 95^{14}\approx 2^{92}}$ different passwords made of up to 14 printable ASCII characters, there would be only ${\displaystyle 95^{7}\approx 2^{46}}$ different 7 character password pieces using the same character set. Lowercase characters are converted to uppercase to further reduce the key space for each half to ${\displaystyle 69^{7}\approx 2^{43}}$. By mounting a brute force attack on each half separately, modern desktop machines can crack alphanumeric LM hashes in a few hours.

LM hash does not include salt, therefore a time-memory trade-off cryptanalysis attack, such as rainbow tables, is also feasible. In 2003, Ophcrack, an implementation of the rainbow table technique, was published. It specifically targets the weaknesses of LM encryption, and includes pre-computed data sufficient to crack virtually all alphanumeric LM hashes in a few seconds. Many cracking tools, e.g. RainbowCrack, L0phtCrack and Cain, now incorporate similar attacks and make cracking of LM hashes trivial. However, because LM hashing is not used for passwords of 15 characters or longer, these are relatively strong.

Workarounds

To address the security weaknesses inherent in LM encryption, Microsoft introduced the NTLM algorithm with Windows NT 3.1. NTLM added unicode support, the RC4 cipher (which does not require any padding or truncating that would simplify the key). On the negative side, the same DES algorithm is used with only 56-bit encryption. Furthermore, many Windows clients were configured by default to send both the LMHash and the NTLM hash, so the use of the NTLM hash provided no additional security while the weaker hash was still present.

While LAN Manager is considered obsolete and current Windows operating systems use the stronger NTLM, NTLMv2 or Kerberos hashing methods, Windows systems before Windows Vista/Windows Server 2008 still compute and store the LAN Manager hash by default for compatibility with LAN Manager and Windows Me or earlier clients, as well as some 16-bit applications that are still in use on the most current versions of Windows. It is considered good security practice to disable this feature where it isn't needed.^[4] Microsoft claimed that support for LM would be completely eliminated in the Windows Vista operating system.^[5] However Windows Vista and Windows Server 2008 still include support for the LM hash, although it is now disabled by default; the feature can be enabled for local accounts via a security policy setting, and for Active Directory accounts by applying the same setting to domain controllers. The same method can be used to turn the feature off in Windows 2000, Windows XP and NT.^[6] Users can also prevent a LM hash from being generated for their password by using a password at least 15 characters in length.^[3]

Reasons for continued use

Many legacy CIFS implementations support LM Hashing, and can be a reason in organisations for LM Hashing still being required on clients for backward compatibility, even where it is disabled in Active Directory itself. Furthermore, prior to Windows Vista, many unattended build processes still used a DOS boot disk (instead of Windows PE) to start the installation of Windows using WINNT.EXE, something that requires LM hashing to be enabled for the legacy LAN Manager networking stack to work. Lastly, some legacy applications that need to perform authentication, such as the 16-bit Microsoft SNA Server client, still use the protocol even under Windows Vista.

See also

• LAN Manager
• NTLM
• Password cracking
• Dictionary attack

Notes

1. If the password is more than 14 characters long, the LMHash cannot be computed.

References

1. "Chapter 3 - Operating System Installation: The LMHash". Microsoft. Retrieved 2009-06-21.
2. Glass, Eric (2003). "The NTLM Authentication Protocol". Retrieved 2006-06-05. {{cite web}}: Unknown parameter |curly= ignored (help)
3. "Cluster service account password must be set to 15 or more characters if the NoLMHash policy is enabled". Microsoft. 2006-10-30. Retrieved 2009-06-21.
4. "How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases". Microsoft Knowledge Base. Retrieved 2006-06-05. {{cite web}}: Unknown parameter |curly= ignored (help)
5. Johansson, Jesper (2006). "The Most Misunderstood Windows Security Setting of All Time". TechNet Magazine. Retrieved 2007-01-08. {{cite journal}}: Unknown parameter |month= ignored (help)
6. How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

External links

• Making a Faster Cryptanalytic Time-Memory Trade-Off, Philippe Oechslin, Advances in Cryptology - CRYPTO 2003
• Ophcrack, the time-memory-trade-off-cracker
• The Shmoo Group offers pre-computed rainbow tables which are downloadable via BitTorrent
• Cain and Abel
• Online LM crack using Rainbow tables
• Plain-Text organization is available for cracking LM hashes
• A Java applet for computing the LM Hash and NT Hash
• Java code for LM Hash
• Mastering Windows Network Forensics